I have been spending a lot of time with the Sarbanes-Oxley Act (SOX) lately — and have run across a really useful book. The title is Beyond COSO: Internal Control to Enhance Corporate Governance, by Steven J. Root (Wiley, 1998).
Yes, I know … the book predates SOX. When it was published, people were still talking about what a great company Enron was. Undergraduate accounting students were still hoping to land a job with Arthur Andersen. That is part of what makes the book useful.
As many of you probably know, SOX and the SEC don’t prescribe just how a company must set up internal controls — the SEC only requires that you use a suitable, recognized control framework. In the final rule, the SEC points out that COSO — the framework developed by the “Committee of Sponsoring Organizations” of the Treadway Commission — is such a “suitable” framework.
What makes Root’s book so interesting is that it is a critique of COSO. At the heart of this critique is Root’s concern that COSO focuses too narrowly on controls to ensure accurate financial reporting, giving short shrift to the kinds of operational controls that often really make a difference between a business that succeeds and one that doesn’t.
When you look at SOX, you can take Root’s concerns and add an exponent. Compliance with section 404 of SOX takes what little emphasis there is in COSO on matters other than financial reporting and discards it: 404 compliance is ALL about internal controls to ensure the accuracy of financial reports.
To be sure, accurate financial reporting is a good thing. But it is a rare CEO who decides that what it will take to make his or her company great is better financial reporting. Improved quality, a stronger connection to the customer, returns exceeding the cost of capital — yes — these are things that management focuses on. But, better financial reporting?
The sad thing is that improved internal controls really can improve quality, customer response time, and the decision making required to improve return on investment. But a company that focuses solely on SOX compliance is going to miss these things.
Is this a topic — a concern — arising in your companies as you come to terms with SOX?
Anyway, take a look at Root’s book. It provides a historical perspective on SOX that is missing from some of the recent focus on “compliance.”