Working In Uncertainty
How to cut Sarbanes-Oxley s404/302 compliance costs: Key questions answered
by Matthew Leitch; first appeared on www.irmi.com in January 2005.
As I write this the Christmas tree is still twinkling in my living room, the children are still playing with their new toys, and there's still left over food in the fridge and cake in the tin. Christmas excess lingers on but already I'm starting to think ahead to a leaner, harder working January, when I can stop spending so much money and repair the damage done.
By coincidence that's exactly where we are with Sarbanes-Oxley (SOX) compliance. When the Act and related rules and requirements first appeared we moaned and groaned at the expense and the inconvenience, but in the end the audit firms got what they wanted. Companies were sucked into something that was not a controls improvement exercise, but a massive audit. They spent money on things they didn't need and put on weight.
Rediscover your dissatisfaction
If you've been involved with a SOX compliance programme you probably feel some pride in it. It was tough but now you've done it, or at least have things on track. You see benefits that go beyond mere compliance.
But is that enough for satisfaction? Weren't there things you would have cut if you could? Things that have been tough to defend? If you had set out to improve control and risk management in your company without the constraints would this be it?
You may be thinking of extending your achievements to more types of risk, but does it make sense to do it exactly the same way as financial reporting, under the constraints imposed by the SEC, PCAOB, and your external auditors?
If you went back over your original concerns, reviewed what you have learned so far, and thought creatively about how to improve the impact and cost of the SOX programme after year 1, would you come up with much?
This article is here to help you get your mind out of the SOX box and reveal some potentially high impact changes that may well be applicable in your company.
Question #1: Where and how can we cut costs?
Here are some of the likely methods of saving work. Consider where you can use each:
Question #2: What will happen if we don't deliberately do anything different?
Suppose you stop thinking about your SOX programme and just let nature take its course. What might happen?
More than likely the dedicated resources and budget for it will be slashed for year two and beyond. Even the most sincerely committed business leaders will be expecting big reductions now that the documentation is in place. Most will feel they've done enough and the danger is over.
Despite this, costs that have been hidden during year 1 or that are hidden away in the transition to year 2 will tend to remain. (We'll consider this in more detail later.)
Fortunately, the evidence needed from testing will reduce quickly as it accumulates over time. This will happen to some extent regardless of whether it is sanctioned by regulators.
Unfortunately, there's a big risk that documentation will quietly slip out of date as the business and its systems change. Do you have a rock solid process, applied everywhere, that proactively identifies the need for changes to controls, plans and carries them out, and updates all documentation and evidence gathering processes? Probably not.
The rules will probably be changed, perhaps to your advantage, but it will be difficult to take advantage of the changes.
Weaknesses in your programme will probably remain due to lack of resources and political will to sort them out.
Question #3: What should we do about the SOX programme weaknesses we still have?
Do you think people in your business have an unrealistic view of how much the SOX programme has achieved? Do they recognise it is limited to the risk of the accounts being wrong and does not cover all aspects of ‘financial control’? Do they assume everything has been done in a standard way and the programme proves controls are effective?
These views will hasten cuts for year 2 compliance, despite weaknesses remaining that are more serious than most people realise.
In reality the weaknesses are likely to be so serious that further action is essential, yet it will have to be done with less resource. Consider these points:
On top of these generic problems you may be aware of several specific to your programme.
Question #4: If we lose most of our core team won't that be the same as cutting SOX costs?
Cutting people out of roles dedicated to SOX and described as such is the obvious way to show that costs have been cut, but there will probably be other costs that have been hidden or are, at this moment, going into hiding.
It is hard to cut costs unless we are honest about what they currently are. When people are given the job of carrying through an urgent compliance exercise they often use a syndrome of behaviours designed to get things done regardless. Can you confidently say that none of the following has happened in your company?
Optimistic estimates, denial of costs, and blind faith in databases are part of our corporate culture. The legacy for your company is likely to be a lot of people doing compliance work that is no longer visible or accounted for.
Question #5: How much flexibility do we really have?
At last, some good news. The regulations are so high level that companies have a great deal of flexibility in how they comply. There are no specific control requirements and effectiveness can be achieved in an infinite number of ways. (Technically, you don't even need effective controls; you just have to report how effective they are.)
Crucially, the key PCAOB document on how to evaluate controls effectiveness does not say you must document all your important controls and test them. It says your evidence should include some controls documentation and testing. The document says a lot about how to do that, but leaves flexibility to reduce reliance on detailed controls work if there is other evidence.
Question #6: How can we make our external auditors happy with our changes?
‘We've got to make sure the auditors are happy’ is one of the thoughts that contributed to our current situation. Countless companies have tried to get their external auditors to say what work they want done, and usually have been disappointed and frustrated by the result. The auditors aren't very clear about what they want but it sounds like a lot.
Until we lose our fear of the external auditor it is difficult to think freely about alternative compliance approaches, so let's take a moment to understand the external auditor's main problem. It is simply that the amount of work he would like done depends on the results of that work. Sophisticated audit firms like PricewaterhouseCoopers prefer to audit incrementally, increasing work where the initial results indicate it, and stopping as soon as their worries are dealt with.
When a company asks its auditors what work they want done for SOX compliance the auditor has a problem. If he says an amount that seems reasonable ‘on average’ there is a risk that poor results might create a situation where there is too little time for the extra work needed for a safe opinion. The obvious alternatives are to stay vague or to ask for more than he will probably need.
Don't force your external auditor to ask for lots of work. Do a bit of what you have in mind, in good time, and show the auditors what the results look like. Make sure the auditors understand you plan to adapt work to the results, increasing it where there are problems.
Companies can and should rethink their approach to year 2 SOX and look to cutting down the work involved radically, while still removing weaknesses. There is plenty of scope for improvement.
Words © 2005 Matthew Leitch. First published January 2005.