Curated for content, computing, and digital experience professionals

Author: Bill Zoellick (Page 4 of 5)

Crunch Time

Today’s Financial Times includes a front page story about the effect
of Sarbanes-Oxley on the fees companies are paying to external auditors: 
On the average, they have doubled this year.  Yow!

The FT story emerged from a study of large company spending on SOX
compliance published earlier this week by the Corporate Executive Board, a
consulting firm.  The same study reported that, in addition to the higher
fees for auditing, the companies surveyed spent an average of $5 million to $8
million on SOX Section 404 compliance work in 2004.

The numbers are in the news because companies with fiscal years ending
December 31 will be releasing their annual reports over the next few
weeks.  This will be the first year that these companies will have to
report on the effectiveness of their internal controls, as required by Section
404 of the Act. After the companies make their own assessments of internal
controls, the auditors are required to render an outside opinion on the internal
controls.  In a related story in today’s Financial Times, titled
"Crunch Time," sources from the Big Four accounting firms estimate
that perhaps 10% of the companies will report that there are material weaknesses
in their system of controls.

It appears that we will find out how the markets react to reports of material
weaknesses.

The FT reports that companies typically have three questions for their
auditors:

  • Are we in the clear?  Are our controls effective?
  • How can we make SOX compliance less expensive?
  • How can we turn this into something we can do year after year?

In diagnosing the sources of "material weakness" in internal
control systems, auditors put problems with information technology systems at
the top of the list.  The problems take different forms, but include
difficulties in controlling access to data and difficulties associated with the
project-oriented focus that has been characteristic of initial compliance
efforts.

The companies that reveal material weaknesses over the next four weeks will
almost certainly stay in "project" mode — they will have no other
choice.  But, for the 90% of the companies that successfully make it
through the first year of Section 404 testing and evaluation, the real challenge
will be how to turn this from "crunch time" into a normal part of
business — a part that supports, rather than subtracts from, the rest of the
business.

Are there readers of this column who can share, in general terms, the steps
that their companies are taking to make this transition?  It seems
reasonable to expect that increased use of content-based technologies to
automate parts of the internal control system would be part of the
solution.  Is that turning out to be the case?  Send me an email or post a
comment.

Making Compliance Sustainable

A few weeks ago Deloitte published a really useful, short whitepaper titled “Under Control: Sustaining Compliance with Sarbanes-Oxley in Year Two and Beyond.” (You can download the paper for free, but access requires registration.)

Recognizing that meeting first year SOX 404 compliance requirements was a real fire drill for many companies, the paper asks the important question of how to turn this into something that is sustainable. You should download and read the full paper, but I will pull out a couple of observations that seemed particularly important:

  • Many companies approached their initial SOX compliance efforts as a “project.” To the extent that the project focus helped meet the deadlines, it was a good thing. But it is also a potentially crippling attitude that companies must consciously undo over the coming year. Internal control and SOX compliance requirements never end. They need to become part of daily operations, not a special project. Facing the need to “change gears” squarely will be important.
  • The internal audit team often emerged as a central part of the compliance “project” in year one. That made sense for the first year, but may not be the right approach over the long run. Without more staff and resources, continued work on SOX would displace important internal audit work. Perhaps even more critically, if internal audit becomes responsible for implementing and managing controls, they will not be in a position to provide an objective evaluation of those same controls.
  • Information technology was often not well integrated into first year compliance efforts — the focus was on meeting the deadline, not on building a workable, sustainable system. Many companies will find that it is possible to make the process more efficient and sustainable by making strategic technology investments.

The paper is a nice overview of the problems faced by companies now that initial deadlines have been met. It is the kind of paper that I put in my files for future reference.

SOX: Like Throwing a Party?

Every few months my wife and I have a party. Apart from the goodness of
seeing friends, it also forces us to get the house cleaned up. A good thing all
around.

It is in this same spirit that Stephen Ashton, director of Global IT business
management at the investment bank Dresdner Kleinwort Wasserstein, says that
Sarbanes-Oxley is good for IT.  (See the article, "Sarbanes-Oxley 'Good for
IT'", by Andrew Donahue, published yesterday by ZDNet UK.)  Despite having 10%
to 15% of the bank's total headcount currently committed to compliance (!!),
Ashton feels that the gain is greater than the pain. "We have just completed a
data center review. The thing that came out of it was that we have tons of
information but very little knowledge. There is a lot of partial and inaccurate
data in our systems."  Ashton also talked of now having to invest in bringing
together disconnected "silos" of information that had just developed
over time, without planning.  Dresdner Kleinwort Wasserstein is now
investing in cataloging and integrating this information to make it useful.

We don’t really decide to have parties to get the house cleaned up.  But
it is a nice side-effect.  Are readers finding good side-effects of
Sarbanes-Oxley compliance?

More Pressure on SOX from Abroad

According to an article in Monday’s Financial Times, China
Construction Bank, one of China’s "Big Four" state lenders, is
considering shelving its plans for listing its shares on the New York Stock
Exchange.  Presumably, the reason for skipping the NYSE listing is the
expense and trouble of compliance with Sarbanes-Oxley.

There could also be another side to the story, according to the FT
article. It is also possible that Sarbanes-Oxley would shed light in dark
corners that the bank might like to keep dark. Other Chinese banks have had
large amounts of assets tied up in non-performing loans and have run into
obvious problems with corporate governance.  For example, according to the FT
article, "Chinese media reported on Monday that two officials at Bank of China – another Big Four lender which is planning a $3-$4bn international IPO – had fled the country following the disappearance of up to Rmb1bn ($121m)." 
Yep, looks like an internal control problem to me.

So, maybe the problem with Sarbanes-Oxley is that it might do what we would
expect it to do — protect investors.

Anyway … China isn’t the only place outside the US to have trouble with
Sarbanes-Oxley.  According to a Tuesday Financial Times article, SEC
Chairman William Donaldson gave a speech that day at the London School of
Economics in which he expressed willingness to try to find ways to ease the burden
of filing requirements for foreign companies.  Under current rules, foreign
filers must meet Section 404 requirements for reports filed after July 15 of
this year.

To me, this ties back into the thinking expressed in yesterday’s post on
"Bad News or Benefit."  It seems likely that the details of SOX
compliance will get tinkered with over the next year or so as the SEC works to
find the balance between the cost of the regulations and the benefits that they
deliver.  If a company approaches Sarbanes-Oxley strictly from the
standpoint of meeting compliance requirements, these changes will be
frustrating, adding to the cost of compliance. 

On the other hand, if a company takes a broader view–moving beyond mere
compliance–and approaches internal control as part of a plan to improve
performance and governance–then the potential changes in deadlines and
modifications of requirements are just noise on the side of the arena–the
goals and direction of the bigger game are not changed.

Sarbanes Oxley: Bad News or Benefit?

Last Friday’s evening edition of the American Public Media radio program
"Marketplace" had a short piece about Sarbanes Oxley.  (Here is a link to the
program — I am not sure how long the link will be good.)
The gist of the story was that Sarbanes Oxley sure seemed like a good idea right
after Enron, but–now that companies are facing the effort and costs of
implementation–there is backlash leading to an effort to get Congress to change
the law.  According to this story, there is a significant lobbying effort
underway, led by the US Chamber of Commerce and others,  to make
"technical corrections" to SOX.  

There is a related story in today’s online edition of Business Week Online,
titled "A Dream of Simpler Accounting," bylined by Amey Stone.  Stone’s
article covers a speech given by Don Nicolaisen, the Securities & Exchange
Commission’s accounting chief, at the New York State Society of Public
Accountant’s conference yesterday.

Nicolaisen’s speech focused on his desire to simplify accounting rules by
moving away from detailed prescriptions to an approach based more on adherence
to principles.  (One of the problems with very detailed rules is that they
can encourage companies to "game" the system … finding ways to skirt
the edge of ethics and of sound accounting principles while still technically
staying within the bounds of the rules.  Another problem, of course, is
that detailed rules, universally imposed, can be onerous for many companies,
particularly mid-sized companies.)  But, as Amey Stone reported in her BW
article, Nicolaisen’s speech on principles soon devolved into a defense of the
very detailed rules associated with Sarbanes Oxley.  Nicolaisen reported
that he hears a lot of "noise" about Section 404 compliance.

I’d love to get a discussion going with some readers here as to whether SOX
is onerous and too detailed, or whether it is a necessary step in the direction
of guaranteeing standards of internal control over financial reporting. 
But, apart from that discussion, it seems that, for many companies, Sarbanes
Oxley is JUST about compliance, rather than about making an investment that will
pay off in improved performance.

"Compliance" just means that you have followed the rules and can be
(relatively) free from fear of sanctions and penalties.  But internal
control can be so much more than that.  It can be about improved processes,
increased efficiency, and more effective governance. When companies talk about
"compliance" initiatives, does that imply that they are more focused
on avoiding the negatives than on seeking return from the positives?

Compliance, SOX, and Nonprofits

This morning I attended a workshop on the impact of Sarbanes-Oxley on
nonprofit organizations.  The combination of SOX and nonprofits intrigued
me.  Since Sarbanes-Oxley is all about public companies, with rules issued
by the SEC, my impression was that the connection between SOX and nonprofits was
zip.  It followed that the workshop was likely to be either very
interesting or very short.

It turned out to be very interesting.

Boiled down to essentials, there are at least four ways in which the governance
and internal control concerns intersect with nonprofit organizations:

  • The "whistleblower protection" in section 1107 of
    Sarbanes-Oxley, which provides substantial penalties for any retaliation
    against employees or others who provide law enforcement officers with
    information about possible violation of Federal law, applies to nonprofits
    as well as to other kinds of entities.
  • The penalties for document destruction in section 802 of
    Sarbanes-Oxley also apply to nonprofits.
  • As SOX applies to more and more for-profit entities, parts of it are
    emerging as the expected standard of performance in the eyes of public and
    private funding sources.  At the very least, nonprofits should expect
    that expectations regarding conflicts of interest, audits, and evidence of
    internal controls will increase and will follow the general outline of SOX.
  • Some states are beginning to consider state regulations that impose parts
    of the COSO framework and other aspects of SOX on nonprofits. 
    California has already passed such legislation.  (For a summary of
    other state activity, take a look at this document from the National
    Council of Nonprofit Associations).

Practically speaking, my sense was that the most immediate impact on
nonprofits from a content management point of view was that, regardless of size,
these organizations need to document policies and procedures and ensure that
they are available and that they are used.  The focus of this effort
should, of course, be on staff and on board members, but should also extend to
volunteers who act as agents of the organization.  The policies and
procedures should include mechanisms for handling employee complaints and
document retention and destruction, in accord with SOX requirements.  They
should also, of course, deal with broader internal control issues such as
handling cash, soliciting and accounting for donations, making bank deposits,
and so on.


© 2024 The Gilbane Advisor
