Sarbanes-Oxley (SOX) — the mere mention of it invokes painful memories of the investors involved in the Enron, Worldcom, and Tyco debacles. These scandals lost investors billions of dollars when the share prices of the affected companies fell into tailspins, resulting in a drastic loss in public confidence. The scandals also raised serious questions about corporate governance, financial disclosures, and the adequacy and enforcement of regulatory requirements. The outcome of all these events was the enactment of the Sarbanes-Oxley Act in 2002.
Now that SOX is a reality and the memory of investors continues to fade, SEC fines have actually come down over the years, even as companies continue to navigate the legal quagmire: Morgan Stanley claims to have lost emails in the 9/11 terror attack that would have settled arbitration cases out-of-court, while Nortel Networks continues to inflate its balance sheet.
|The costs are real:
“The one thing we know about the effects of Sarbanes-Oxley is that it produced much more cost, paperwork, and bureaucracy than anybody intended or anybody thought, and the thing to remember is that cost is always paid by investors. That's, by definition, bad for investors if costs are greater than benefits. But even if costs are just a lot more than they need to be, that, by definition, is bad for investors, and that's all in spite of the idea that this is supposedly protecting investors.”
- Alex Pollock, American Enterprise Institute
SOX forces an organization to reinforce its risk management and decision making capabilities, basing them on credible financial reporting. Forcing a system of checks and balances has marginally added to the bureaucracy within the organizations today. In order to negate its affect on the organizations operational efficiency, enterprise systems have been modified to reduce the probability of human error by incorporating automated checks in the systems themselves. Hence, the focus of auditing the organization, which was limited to employees and processes, must now include enterprise systems as well.
|The benefits are apparent:
“The companies last year that had many of these numerous restatements, many of the weaknesses in their controls significantly underperformed the market 15 to 20%.”
- Lynn Turner, (former) Chief Accountant of the SEC
SOX increases the financial responsibility of all publicly listed companies by mandating tight control over data used in financial reports. The quality of financial data is assured through risk-based auditing as opposed to the sampling methods previously in vogue. The given organization maps the control points where risks due to inaccurate data are very high, and greater amounts of control are exercised at those control points. AS 5 (Auditing Standard #5) already provides good support for achieving the goals set out by SOX.
Key Provisions for SOX Compliance
SOX contains 11 titles that describe specific mandates and requirements for financial reporting. The SOX Act aims at tightening controls in order to meet a wide array of objectives including the prevention of insider trading, higher transparency in financial disclosures, and the removal of conflicting interests in auditing and lending.
SOX Section 302: Internal Control Certifications
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosures. The officers responsible for the proper enforcement of the internal controls should classify themselves accordingly. They must also certify the efficacy of internal controls with regard to the transparency and availability of the accurate data. Simply translated, this holds an individual (an actual person) responsible, rather than a company (a legal person).
SOX Section 404: Assessment of Internal Control
Section 404 requires the management and the auditor to submit an assessment report of the internal controls and certify the adequacy of the company's internal control over financial reporting. Sec 404 requires a significant compliance effort and a review of the financial accounting in its entirety. The entire system needs to be checked for any potential misrepresentations and frauds, and each control point needs to be validated in relation to the same. Simply put, this ties the responsibility of meeting the regulatory compliance with an actual, individual person.
Lessons Learned, the Hard Way
Costs will go down: as a result of the learning curve, organizations will benefit from implementing mature practices like COSO in financial reporting. Enterprise systems will benefit from process maturity practices like CMMI — the key thing being change management in their enterprise systems. Apart from the initial sunk costs in SOX compliance, prudent management will not have to take any further significant hits on its bottom line.
External audits will become a breeze: as a direct result of tighter internal control and increases in the efficiency of internal audits, the time and resource productivity in these areas will go up.
The quality of management decisions will improve: executive management will have access to a better quality data for basing their decisions upon.
Overall risk management will improve: the overall risk management for an organization will improve. Executive management can make everyday decisions with a far greater confidence level than previously possible.
Compliance: The Continuing Challenges for Organizations
The burden of regulatory compliance is only increasing, with new regulations being enforced frequently. On average, a publicly listed company in the U.S. will have to manage somewhere between six and10 federal and state regulatory compliance programs. Executive management is thus left pondering ways to ensure due diligence even as systems are being constantly changed to comply with the regulatory changes. The answer lies in continuous testing and integration of every change that the regulatory authorities dictate to the enterprise systems.
Continuous testing and integration of enterprise systems brings its own challenges to the mix, namely, complexity, increased costs, and expanding timelines. With numerous frequent changes to the enterprise systems, documentation of systems is often ignored leading to a gap between the controls forced upon the enterprise systems and their efficacy.
The Importance of Testing
Testing (software quality assurance) is akin to auditing and provides a similar value to the organization — confidence in their enterprise systems. Third-party testing offers an added advantage akin to that of external auditing and due diligence. Ask yourselves this: since the last change to my ERP, are the controls still working 100%? If the answer is “yes,” then where is the document that supports the assertion? Is that document from a credible source? Is that source free from conflict-of-interest issues? The approaches suggested in following the section help make this a reality.
Strategy for Approaching Enterprise Applications
Separate the development and testing resources (infrastructure, people, and processes): this is easily achieved by separating the vendors for software development and software quality assurance processes. Third-party testing offers a necessary system of checks and balances on the software used on enterprise systems.
Documentation: as with any quality process, documentation is essential. What’s even more important is to verify and validate the documentation in existence periodically. Use the checks and balances to your advantage: make the testing teams rely heavily on documentation and very minimally on hand holding from development. This will protect the organization from inefficient practices being followed by their software services vendor.
Disclosure: disclose the inefficiencies in any enterprise system and the plan to overcome them on a periodic basis. Timely disclosure can help protect the organization and its business partners.
Take advantage of outsourcing to crunch time-to-market: it’s possible to have development and testing in different time zones. The positive side effect of the above is the ability to have a round-the-clock develop-test feedback cycle. If a large system integration project would have normally taken 15 months, it may be possible in eight months. It’s complicated, sure, but certainly possible.
Set the standards high: make it a requirement for the enterprise service vendors (development, testing, and maintenance) to follow process maturity practices and to provide you with higher visibility into their processes.
Use automated test suites: automating the routine test cases can further help crunch the time-to-market by reducing the time spent in verification. It becomes cheaper in terms of time and effort to judge the state of a system under development or maintenance.
SOX compliance has proven to be a major challenge for companies in view of the significant effort and costs involved. Section 404, which requires management to certify the internal controls in place, requires a significant effort on an ongoing basis. However, the availability of an established independent testing process can greatly reduce the effort and costs involved in achieving SOX compliance, while at the same time enabling an organization to meet any future regulatory changes in a fast and confident manner.
About the Author
Neekhil Kumar Singh is an associate business analyst for AppLabs, the world’s largest independent testing, quality management, and certification solutions company. His interests include following technological changes in the financial services landscape.