|Related articles - All articles - The author - Services|
How to cut Sarbanes-Oxley s404/302 compliance costs
Key questions answered
by Matthew Leitch; first appeared on www.irmi.com in January 2005
Identifies the key areas for cost Sarbanes-Oxley s404/s302 cost reduction.
Answers key questions concerning cost tracking and external auditor reaction.
As I write this the Christmas tree is still twinkling in my living room, the children are still playing with their new toys, and there’s still left over food in the fridge and cake in the tin. Christmas excess lingers on but already I’m starting to think ahead to a leaner, harder working January, when I can stop spending so much money and repair the damage done.
By coincidence that’s exactly where we are with Sarbanes-Oxley (SOX) compliance. When the Act and related rules and requirements first appeared we moaned and groaned at the expense and the inconvenience, but in the end the audit firms got what they wanted. Companies were sucked into something that was not a controls improvement exercise, but a massive audit. They spent money on things they didn’t need and put on weight.
If you’ve been involved with a SOX compliance programme you probably feel some pride in it. It was tough but now you’ve done it, or at least have things on track. You see benefits that go beyond mere compliance.
But is that enough for satisfaction? Weren’t there things you would have cut if you could? Things that have been tough to defend? If you had set out to improve control and risk management in your company without the constraints would this be it?
You may be thinking of extending your achievements to more types of risk, but does it make sense to do it exactly the same way as financial reporting, under the constraints imposed by the SEC, PCAOB, and your external auditors?
If you went back over your original concerns, reviewed what you have learned so far, and thought creatively about how to improve the impact and cost of the SOX programme after year 1, would you come up with much?
This article is here to help you get your mind out of the SOX box and reveal some potentially high impact changes that may well be applicable in your company.
Here are some of the likely methods of saving work. Consider where you can use each:
Adjust controls testing to risk, in detail. Everyone selects business units and cycles on the basis of materiality and perhaps other risk factors. However, risk can be used to fine tune work in much more detail, increasing the amount of work in some places, decreasing it in others, and cutting cost overall. In particular, it involves adjusting the amount of work to the amount of change.
Remove unnecessary detail. Even if you can only shave a few percent of the details from your documentation it will help. In many cases it may be possible to do much more than that. At least some of the people who have been writing documentation will have written far too much, creating a maintenance problem for you.
Shift reliance towards health metrics and inherent risk information. You can take away even more detailed controls and tests if you replace them with other evidence. The controls around large scale business/financial processes can be adjusted to generate super-efficient evidence in the form of statistics on error rates, backlogs, and inherent risk factors. Health stats are direct indicators of controls effectiveness that make your evaluation stronger and cheaper.
Remove control weaknesses. Control weaknesses gobble resources. They attract the attention of external auditors, who then want more work. More senior people get involved. Conversations become longer, and repeated. Before you know it your costs have exploded. Remove those weaknesses if you can, and implement a process that adjusts controls in time to meet new challenges so that new weaknesses do not arise.
If it’s really a problem, reformat documentation. Reformatting documentation is unlikely to be a popular idea, but there are some formats that are just too hard to maintain. If any of the following apply then reformatting could be the logical choice: (1) control descriptions have been duplicated to show they apply to more than one risk; (2) linkages are too hard for most people to understand; or (3) controls can’t be displayed in meaningful groups, based on the type of control, owner, etc.
Suppose you stop thinking about your SOX programme and just let nature take its course. What might happen?
More than likely the dedicated resources and budget for it will be slashed for year two and beyond. Even the most sincerely committed business leaders will be expecting big reductions now that the documentation is in place. Most will feel they’ve done enough and the danger is over.
Despite this, costs that have been hidden during year 1 or that are hidden away in the transition to year 2 will tend to remain. (We’ll consider this in more detail later.)
Fortunately, the evidence needed from testing will reduce quickly as it accumulates over time. This will happen to some extent regardless of whether it is sanctioned by regulators.
Unfortunately, there’s a big risk that documentation will quietly slip out of date as the business and its systems change. Do you have a rock solid process, applied everywhere, that proactively identifies the need for changes to controls, plans and carries them out, and updates all documentation and evidence gathering processes? Probably not.
The rules will probably be changed, perhaps to your advantage, but it will be difficult to take advantage of the changes.
Weaknesses in your programme will probably remain due to lack of resources and political will to sort them out.
Do you think people in your business have an unrealistic view of how much the SOX programme has achieved? Do they recognise it is limited to the risk of the accounts being wrong and does not cover all aspects of “financial control”? Do they assume everything has been done in a standard way and the programme proves controls are effective?
These views will hasten cuts for year 2 compliance, despite weaknesses remaining that are more serious than most people realise.
In reality the weaknesses are likely to be so serious that further action is essential, yet it will have to be done with less resource. Consider these points:
Itemising accounting controls does little to counter the risk of controls being over-ridden by very senior people – precisely the behaviour that led to the Sarbanes-Oxley Act in the first place.
The PCAOB’s method of evaluating controls effectiveness does not directly look at effectiveness. It is possible for the design to look sound, and for all controls to be operating as intended, yet to still have ineffective controls. You only need one or two odd but frequent error types that dodge the controls and you have a big problem.
Businesses and their systems change all the time. Many of these changes require changes to controls. Few companies have an organised, methodical approach to this.
On top of these generic problems you may be aware of several specific to your programme.
Cutting people out of roles dedicated to SOX and described as such is the obvious way to show that costs have been cut, but there will probably be other costs that have been hidden or are, at this moment, going into hiding.
It is hard to cut costs unless we are honest about what they currently are. When people are given the job of carrying through an urgent compliance exercise they often use a syndrome of behaviours designed to get things done regardless. Can you confidently say that none of the following has happened in your company?
Initial cost/time estimates that proved optimistic but still influence the perceived costs of the programme.
Paper and online surveys distributed to many people either with no attention to the time needed to respond, or with an unrealistic estimate of time needed.
Software tools (e.g. an intranet website) developed and rolled out, leading to more time spent by perhaps thousands of people going through installation/login procedures, dealing with technical problems resulting, and generally fiddling.
People told that documenting procedures and controls is part of their job and something they should be doing already. It’s one way to deny that extra work has been created.
Documentation and testing work gradually shifted out of the SOX core team and spread through the company. One company already says it has “embedded monitors” in place i.e. people who test controls (probably part time) but don’t live in the SOX team. It will be hard to keep track of the work demands of compliance once it has moved out of the core team.
Claims that automation has radically reduced the workload of compliance. In reality creating databases for this kind of work has a dramatic time saving effect only for certain central reporting processes, but may even increase the workload everywhere else as the amount of data required to be captured and entered gradually creeps up.
Optimistic estimates, denial of costs, and blind faith in databases are part of our corporate culture. The legacy for your company is likely to be a lot of people doing compliance work that is no longer visible or accounted for.
At last, some good news. The regulations are so high level that companies have a great deal of flexibility in how they comply. There are no specific control requirements and effectiveness can be achieved in an infinite number of ways. (Technically, you don’t even need effective controls; you just have to report how effective they are.)
Crucially, the key PCAOB document on how to evaluate controls effectiveness does not say you must document all your important controls and test them. It says your evidence should include some controls documentation and testing. The document says a lot about how to do that, but leaves flexibility to reduce reliance on detailed controls work if there is other evidence.
“We’ve got to make sure the auditors are happy” is one of the thoughts that contributed to our current situation. Countless companies have tried to get their external auditors to say what work they want done, and usually have been disappointed and frustrated by the result. The auditors aren’t very clear about what they want but it sounds like a lot.
Until we lose our fear of the external auditor it is difficult to think freely about alternative compliance approaches, so let’s take a moment to understand the external auditor’s main problem. It is simply that the amount of work he would like done depends on the results of that work. Sophisticated audit firms like PricewaterhouseCoopers prefer to audit incrementally, increasing work where the initial results indicate it, and stopping as soon as their worries are dealt with.
When a company asks its auditors what work they want done for SOX compliance the auditor has a problem. If he says an amount that seems reasonable “on average” there is a risk that poor results might create a situation where there is too little time for the extra work needed for a safe opinion. The obvious alternatives are to stay vague or to ask for more than he will probably need.
Don’t force your external auditor to ask for lots of work. Do a bit of what you have in mind, in good time, and show the auditors what the results look like. Make sure the auditors understand you plan to adapt work to the results, increasing it where there are problems.
Companies can and should rethink their approach to year 2 SOX and look to cutting down the work involved radically, while still removing weaknesses. There is plenty of scope for improvement.
|Related articles - All articles - The author - Services|
|If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details|
About the author: Matthew Leitch is an independent consultant, researcher, and author specialising in internal control and risk management. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it. more