
Author: Bill Zoellick (Page 5 of 5)

Ernst & Young on Internal Controls

Last fall Ernst & Young published the results of a survey on trends in the implementation of internal controls,
focusing in particular on the progress that companies were making in meeting
Section 404 deadlines for Sarbanes-Oxley.  Since the publication date was
last October, this isn’t breaking news … but the existence of the survey was
news to me and I found it useful and interesting.  (You can get to the
Acrobat file by clicking here.)

The general message is (surprise!) that companies were finding that it was
taking much more effort than they expected and that they were not, in general,
sticking to the schedules they had put into place earlier.

But there are also findings that are more surprising.  Here is an
example:  59% of the companies surveyed said that they were tracking their
testing and remediation work in an Access database or an Excel spreadsheet (!!).
The implication is that these companies are not at all able to provide
real-time information about remediation across the organization.  Bummer.

Here is another one:  nearly 30% of the companies surveyed had not yet
selected a technology platform for 404 compliance implementation.  Since
these companies will have, in general, met their initial deadlines without
making a platform commitment, that suggests that there are a good number of
companies that have worked through the first round of 404 issues without making
a big technology buy.  These companies are in a good position to bring
clear expectations and requirements to their planning and purchasing.

2005 is the year that Section 404 internal controls become required for all
SEC filers, not just the accelerated filers. It is a pretty good bet that there
will be more companies coming to terms with the issues highlighted in the
E&Y survey.  It is worth a look if you haven’t seen it.

Sarbanes-Oxley: Too Narrow?

I have been spending a lot of time with the Sarbanes-Oxley Act (SOX) lately — and have run across a really useful book. The title is Beyond COSO: Internal Control to Enhance Corporate Governance, by Steven J. Root (Wiley, 1998).

Yes, I know … the book predates SOX. When it was published, people were still talking about what a great company Enron was. Undergraduate accounting students were still hoping to land a job with Arthur Andersen. That is part of what makes the book useful.

As many of you probably know, SOX and the SEC don’t prescribe just how a company must set up internal controls — the SEC only requires that you use a suitable, recognized control framework. In the final rule, the SEC points out that COSO — the framework developed by the “Committee of Sponsoring Organizations” of the Treadway Commission — is such a “suitable” framework.

What makes Root’s book so interesting is that it is a critique of COSO.  At the heart of this critique is Root’s concern that COSO focuses too narrowly on controls to ensure accurate financial reporting, giving short shrift to the kinds of operational controls that often really make a difference between a business that succeeds and one that doesn’t.

When you look at SOX, you can take Root’s concerns and add an exponent.  Compliance with section 404 of SOX takes what little emphasis there is in COSO on matters other than financial reporting and discards it: 404 compliance is ALL about internal controls to ensure the accuracy of financial reports.

To be sure, accurate financial reporting is a good thing. But it is a rare CEO who decides that what it will take to make his or her company great is better financial reporting.  Improved quality, a stronger connection to the customer, returns exceeding the cost of capital — yes — these are things that management focuses on.  But, better financial reporting?

The sad thing is that improved internal controls really can improve quality, customer response time, and the decision making required to improve return on investment.  But a company that focuses solely on SOX compliance is going to miss these things.

Is this a topic — a concern — arising in your companies as you come to terms with SOX?

Anyway, take a look at Root’s book. It provides a historical perspective on SOX that is missing from some of the recent focus on “compliance.”
