
Compliance - Process and Technology


mThink Knowledge - Posted on 30 September 2003

Authored by: Robert Kugel, Ventana Research

In the Sarbanes-Oxley era, it’s clear that new systems are necessary. New IT and document management software systems offer the right support.
The Sarbanes-Oxley Act of 2002 requires CEOs and CFOs of publicly traded companies to attest to the accuracy and transparency of their financial statements, and it accelerates reporting deadlines. Many companies have been digging into their accounting, consolidation, and reporting processes and discovering that while they may be substantially in compliance, there is still much work to be done.

The intent of the Sarbanes-Oxley Act framers was to force companies to ensure that their financial reporting systems did what they were always supposed to do. For this reason, complying with the law has focused CFOs on examining and documenting processes and changing them as necessary. This will require sweeping changes and a major overhaul of processes and IT systems for a handful of companies. For most companies, small but important changes must be made to processes and the IT systems that support them.

The starting point for Sarbanes-Oxley compliance is in examining how IT affects the execution of process. With respect to the IT element, CFOs should recognize that three areas in particular need to be addressed:

  • Spreadsheets: While they may appear to be cheap and easy, their use must be minimized. They pose a real control risk and reduce accuracy, agility, and transparency.
  • Closing and reporting systems: These systems must be streamlined to meet the shorter deadlines. CFOs should view this as an opportunity to eliminate unnecessary activities and cut the cost of administering the accounting function.
  • Document management system: Necessary for efficient Sarbanes-Oxley compliance.

Minimize Spreadsheet Use

Ventana Research believes senior executives should determine how well their systems are functioning and, more broadly, test the maturity of their internal controls infrastructure by asking, where did that number come from? At the original entry level, the answer should come quickly if not immediately. Failure to do so reflects a potential vulnerability that needs to be corrected. Addressing the issue is more a function of process than technology. Once the right processes are in place, application of the appropriate IT tools can ensure a high degree of efficiency, repeatability, and auditability in the preparation of financial statements.

A key vulnerability in just about every mid-size or large corporation stems from the fact that while the general ledger (GL) is the starting point for the vast majority of the data used in preparing financial statements, there are other sources that may not be part of the core accounting systems and may not even be readily accessible.

Scattered Data

Companies routinely use spreadsheets for adjusting entries, consolidations, allocations, and so on. Since these spreadsheets are part of the working papers, their contents and how they were prepared should be well-known to finance staffs, and shenanigans ought to be readily detected. However, there are usually many other spreadsheets, databases, and other forms of electronic files scattered around an enterprise that contain original entries.

They may be on a corporate network (and accessible), or on an individual’s hard drive (and not accessible). Some may be obvious, direct feeds into the financial statements (for example, a business unit might still be calculating its fixed-asset accounting on a spreadsheet) and therefore are expected information. Still others may be used to assemble subsidiary data that is not necessarily “expected” and may be overlooked. These can be a source of fraud and abuse and should be monitored.

Good controllers usually have a grip on all of the points of original entry and minimize these vulnerabilities. However, having to manage this takes time away from other activities, and any slip in oversight creates a risk — a risk that is probably unnecessary.

One common example of important subsidiary information not necessarily included in the GL is the calculation of sales commissions. Many organizations (even those that have deployed compensation management software in parts of the company) use spreadsheets to determine commissions or other variable compensation. One reason is that it is easy, inexpensive, and transparent to the end user (for example, sales management) compared to other systems. It’s important for financial managers and auditors to have a transparent view into the calculation of commissions, which, according to established rules, should be based on the company’s reported sales. If they do not, it could point to irregularities in revenue recognition.

The relationship between commissions paid and the reported top line is not always a straight line because companies can calculate “revenues” that drive sales commissions, recognition programs, and the like in a different fashion from “revenue” calculated according to Generally Accepted Accounting Principles (GAAP).

The differences — which always should be in timing — may reflect a policy that salespeople are paid a certain percentage of their commission at contract signing and the rest when the invoice is paid. Or, commissions may be paid on the full amount of an order, even if GAAP calls for recognition over an 18-month period. The process of mapping commissions paid to revenues recognized is one way to ensure that businesses are not over-reporting or under-reporting sales, and that the factors driving timing differences are consistent from one period to the next.

Enhancing Internal Controls

Companies will always have systems outside of the general ledger that generate original accounting entries, perform summaries and allocations, and otherwise form the basis of the numbers presented in the corporation’s financial statements. Ideally, all of these would somehow be magically linked electronically to enable enterprise-wide drill-down to the smallest detail. In reality, recording and reporting systems will remain messy, but it is important that they be as transparent as possible.

Although the actual process of how companies manage these non-GL sources of financial information will differ, there are several aspects that ought to be the same. First, the number of non-GL sources of financial data is finite and readily determined, so an inventory can be established, and ownership of this list (or lists if managed from a business unit level) can be assigned to the appropriate members of the finance organization.

Second, the finance organization should determine which of the information sources could and should be incorporated into electronic financial systems, existing or new. In the example of the sales commissions, even without buying compensation software, steps can be taken to make the details and sources of the information in the system transparent. A migration plan for doing this should be designed and implemented rapidly. Third, no new electronic files or documents should be added to the list of sources without being approved by the finance organization.

The above is simply one small aspect of enhancing the maturity of a corporation’s internal controls system. CFOs ought to analyze the maturity of all aspects of their controls systems. The Sarbanes-Oxley Act has shortened reporting cycles and made it necessary to be more rigorous in enforcing controls. Financial officers must respond by ensuring that all processes meet transparency and auditability requirements, and they must automate these processes as much as possible.

Financial Performance Management

Knowing where the numbers came from should enable CFOs to surface glaring shortcomings in their control and reporting systems. Finance organizations need to be at the forefront in optimizing their processes to cut costs.

IT and Agility

A second area where IT systems can readily support Sarbanes-Oxley compliance is the shortened time between the end of the period and filing with the Securities and Exchange Commission. Currently the deadline for the annual filing is 90 days, and 45 days for quarterly reports. Initially the SEC suggested cutting those back to 60 and 30 days, respectively, for all but the smallest public companies, and called for implementing the cutover in the company’s next fiscal year following the enactment. This proposal elicited a great deal of negative comment.

Consequently, the SEC extended the quarterly time-frame to 35 days and phased this in over a three-year period. Nonetheless, a large percentage of Global 2000 corporations will have to make serious changes to their financial systems and processes to be able to comply.

The reason for delaying the shorter deadlines is clear. Discussions with financial officers suggest that today only about half of public companies are able to effect their quarterly close in 10 days or less — a period that would allow ample time for analysis and investigation before filing. For those companies that close on a longer cycle, there is a range of issues they will have to address in both processes and the IT systems used to perform the close. The extension of deadlines and modification of the quarterly close reflects concerns by CFOs that remedying long closes will require a lot of process modification and implementation of IT resources necessary to support the new processes.

It is difficult to be broadly prescriptive about what companies should do to speed up the close-to-file procedure, except to note that CFOs ought to view this as an opportunity to eliminate unnecessary activities and to change methods that create defects and additional work. They also must evaluate any changes in terms of the cost of maintaining the approach once implemented.

Costly and Brittle

For example, one suggested approach to streamlining the close is to create a single instance of a general ledger across all business units. While this might be theoretically feasible, it is completely impractical for almost all companies with annual revenues over $100 million. The cost of implementing the change would be high (consulting services alone would be huge), and the systems would be brittle, requiring that enterprise-wide changes be implemented for any change in one business unit. Mergers, business strategy changes, and so on, would also require major overhauls to be made under a tight deadline.

Two software interventions, though, are indicated in almost all instances. First, companies should deploy software that does consolidation and statutory financial reporting. There are numerous vendors that offer this software, and the packages are all mature. Deploying consolidation and reporting software eliminates the need for most (if not all) of the spreadsheets that are used in the close-to-file process, but the real goal should be to eliminate them entirely.

Figure 1: Document Management System

Adding Document Management

A third area where IT systems can play a positive role in Sarbanes-Oxley implementation is in meeting Sections 302/404 compliance. The sections have dramatic implications for the finance organization. They require that all annual reports contain a statement signed by the CEO and CFO affirming that the information in the company’s SEC filings is accurate, and they require that a company’s processes be audited to demonstrate that it has established adequate controls. The terseness of the sections relative to the complexities of financial systems control and the penalties for failure makes Sarbanes-Oxley a sword hanging over the head of senior executives.

Compliance with Section 404 is more about the internal financial process used by the company than anything else. For almost all larger companies, it will mean that everyone with management responsibility in the accounting cycle will have to attest to the accuracy and adherence to policy and process. This part of Section 302/404 conformance can be achieved without a document management system — but why? The attestations are a classic application of this technology. Essentially, the numbers that individual managers sign off on are encapsulated in a document that includes boilerplate confirmations. The document is passed up the chain of responsibility, with workflows to direct it to the right people, and an audit trail to confirm that it was sent to and examined by those required to do so. At any moment, supervisors or senior executives can determine the status of all participants in the process; reminders can be generated automatically if individuals are behind schedule. Document management systems offer additional benefits including:

  • Due diligence: In and of themselves, document management systems demonstrate and verify that senior management exercised due diligence in ensuring that the financial statements were prepared properly.
  • Streamlined verification: They reduce the time and effort required to perform the statement verification process.
  • Workflows: They ensure that all recipients receive forms, and allow for electronic signatures.
  • Accessible: Documents are stored electronically and are therefore searchable and can be easily stored and retrieved from anywhere.

Using a document management system for Sarbanes-Oxley compliance need not be a big step. Many companies already have sophisticated document management systems used for other forms of regulatory or legal compliance. They may be able to extend these systems to this function. There are also many “lightweight” systems that can be deployed and maintained easily and inexpensively to support this requirement. CFOs should weigh these options before embarking on broader and more expensive solutions.

Recommendations

Some software vendors have been quick to seize on the Sarbanes-Oxley Act as a marketing tool. For many organizations, additional investments in their financial IT infrastructure are probably warranted, particularly to eliminate spreadsheets. Yet most Global 2000 companies made substantial upgrades in advance of Y2K, and many have data infrastructures that are consistent with the best practices necessary to be in compliance. Moreover, if there was one lesson learned from the 1990s, it is that automating bad processes is the wrong approach. (Often one spends money to make things even worse.)

Still, there are several areas of financial automation that CFOs need to examine in the current environment. As noted, financial data “feeds” need to be integrated as much as possible so that the data is visible down to the most relevant level. Accounting elements that are outside of the traditional transactions systems that are not automated should be reviewed to see if, in the current environment, it might make sense to buy or build an application for this function. Spreadsheet use must be minimized. Software to manage consolidations is now mature and has proven its value. Companies that do not use these sorts of systems should investigate if these systems now make sense in the post-Sarbanes-Oxley world.

About the Author
Title: CFA, VP & Research Director - Financial Performance Management, Ventana Research

Robert Kugel heads up the Financial Performance Management practice at Ventana Research, which covers the application of IT to financial process optimization, analytics and advanced planning. Before joining Ventana, he worked at First Albany Corporation, Morgan Stanley and McKinsey. Mr. Kugel earned his B.A. in economics at Hampshire College and an M.B.A. in finance at Columbia University and is a CFA charter holder.
