Process-Based Approach to Compliance
CFOs are feeling the heat like never before to comply with new SEC regulations, restore investor confidence, and protect themselves in the process. They are also overwhelmed by the complexity of the new legislation and are concerned with the increased cost of compliance, with good reason. In a February 2003 report, Financial Executives International estimated that the average Fortune 500 company could spend $3.5 million to $9.5 million in one-time costs, and an additional $2.8 million to $8 million in recurring annual costs, just to comply with SOA.
Pain Points for CFOs
According to SEC Special Counsel Mark Borges, the impact of corporate reforms is to move companies closer to a real-time reporting system. That's likely to present challenges for many companies as they adjust to shorter reporting deadlines. Figure 1 illustrates some of the top challenges identified by members of the Working Council for CFOs as companies move to institutionalize compliance with SOA. We'll review four key issues facing CFOs, then propose a solution.
Figure 1: Sarbanes-Oxley Provisions of Highest Interest and Priority
Source: "Institutionalizing the Sarbanes-Oxley Act," Working Council for CFOs
Issue 1: CEO/CFO Sign-Off
CEOs and CFOs of publicly-traded companies must certify their financial statements on a quarterly and annual basis, under Section 302 of SOA. Section 906 mandates criminal penalties and jail time for executives filing fraudulent or misleading statements, putting some teeth into the SEC's goal of restoring investor confidence in the integrity of public reporting.
Executive certification of financial reports and internal controls constitutes one of the trickiest hurdles to SOA compliance, given the potential jail time and fines CEOs and CFOs face for signing off on fraudulent statements. The Justice Department is working overtime to enforce Sections 302 and 906, having opened more than 150 investigations into allegations of corporate fraud and indicted some 200 executives since the Enron scandal.
Issue 2: Internal Controls
CEOs and CFOs will be required under Section 404 to certify the effectiveness of their internal controls on a quarterly and annual basis, and to prove that efficacy to their internal audit committees. External auditors will also be required to issue an opinion on the efficacy of a company's internal controls.
What is frustrating CFOs most is the lack of SEC definition around exactly what is needed for management to effectively assess and report on internal controls. Most accounting firms are advising clients to adopt the broader definition of internal controls outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its landmark 1992 report. The COSO report expands the definition of internal controls to include financial, operational, and regulatory controls.
The SEC's message to corporate America is simple. The days of ad hoc reporting and disclosure activities are over, to be replaced by reliable financial statements produced by financial reporting processes and internal controls that are consistently performing, clearly defined, and effectively managed. SEC General Counsel David Becker recently noted that senior executives must be comfortable that effective processes are being used and calculations can be documented, both externally and for the audit committee.
Issue 3: Accelerated Filings
Although public companies are now faced with tighter SEC filing deadlines, not many are able to meet the proposed timetables. Currently, only 11 percent of the S&P 500 file quarterly reports within 35 days, the proposed new 10-Q deadline. Most companies file quarterly reports within 40 to 43 days, and compressing that timeframe will be challenging. Case in point: The number of companies filing requests for SEC extensions in 2003 jumped 14 percent over 2002, according to a March 2003 USA Today survey.
Issue 4: Real-Time Disclosure
Under Section 403, insider trades must be filed electronically in two business days and posted to the company's corporate Web site one day after the filing. Under Section 409, companies reporting material changes must issue 8-Ks in two business days, almost real time when compared to the previous schedule of five business days for material events and 15 calendar days for nonmaterial events. Also, the SEC is proposing to add 11 new triggering events that require an 8-K. Currently, companies must file an 8-K in the case of nine material events, such as a change in control, major acquisition, or bankruptcy. The proposed 11 new events include ending or reducing a key customer relationship, large write-offs and restructuring charges, material impairments, and changes in a company's rating status.
A Process-Based Approach
Corporate governance issues now dominate four of the top five priorities CFOs face in 2003, second only to battling the tough economy, according to Business Finance magazine. Yet one of the biggest barriers companies face to ensuring SOA compliance and improving corporate governance is their own financial accounting systems, many of which have failed to keep pace with the speed and complexity of business today.
In a report entitled 2003 Best Practices in Financial Analysis, Planning, and Reporting, the Hackett Group notes that the average public company still faces a tremendous accountability gap in the finance area, despite the fact that CEOs and CFOs now have to personally vouch for the accuracy of their quarterly and annual reports. For Hackett, most public companies are operating in the dark when it comes to compliance: they have little or no confidence in their forecasting tools; they create budgets using outdated, incomplete, and often inaccurate data; and they take up to a week or more to simply close their books.
One solution is to transform the finance function, eliminating complexity and uncertainty by adopting a process-based approach to regulatory compliance to enable greater financial transparency and corporate disclosure. By doing so, finance departments can help companies confidently meet each of the top four compliance challenges identified by CFOs around the nation: CEO/CFO sign-off, internal controls, accelerated filings, and real-time disclosure.
CEO/CFO Sign-Off
To support the review and certification processes, CEOs and CFOs need to ensure that their financial statements and underlying financial reporting processes are bulletproof and that enterprise data is drawn from a single source. Companies also need to establish digital paper trails proving that in-depth reviews of corporate ledgers are being conducted continuously by senior management.
According to the Hackett Group's 2003 Profile of World-Class Finance, however, just 9 percent of public companies surveyed had confidence in their reporting and forecasting outputs. Why? Because 47 percent still relied on spreadsheets to reconcile data, rather than rely on sophisticated software that automatically draws financial information from a centralized repository in a manner that ensures integrity and improves efficiency.
As companies move to institutionalize the CEO/CFO certification process, they need to establish a single version of the financial truth to obtain confidence in the numbers. They also need to adopt a process-based approach to regulatory compliance, using world-class technology to automate processes, establish controls, and drive accountability deeper throughout the organization.
Examples of best-practice executive certification capabilities that companies should look for in financial management systems include:
- An enterprise warehouse to collect all enterprise data into a single, global version of the financial and nonfinancial truth;
- A financial portal to deliver proactive alerts and controls for executives and managers to continuously monitor the company's performance; and
- A Web-based content management engine to provide auditable, repeatable processes for executive sign-off.
Internal Controls
To comply with new internal controls assessment and management reporting requirements, companies need to institute a sustainable monitoring process for continued compliance over time. The challenge? Most companies still implement and monitor internal controls manually, leaving them exposed to security breaches, fraud, and inaccurate data. In addition, processes alone cannot ensure that a number is recorded accurately. System-based, embedded controls and automated processes are needed.
Many CFOs are not confident that their current systems provide the level of control and auditability necessary to comply with SOA reporting requirements. Indeed, the Hackett Group reports that 89 percent of CFOs have little or no confidence that spreadsheet-based reporting processes provide adequate central control.
Strong, effective internal controls require real-time control and visibility into internal operations. Companies should look for financial management systems that automate and enforce financial reporting and internal control processes through tools like commitment control and workflow. A formal workflow process automates key finance processes, assigns approval authorizations, segregates duties, and eliminates the potential for human intervention and error.
New analytical tools and financial portals can help companies monitor processes and performance on an ongoing basis, using key performance metrics and built-in controls to help employees gain visibility into operations, identify potential anomalies, and take preventative action before they can become material events requiring 8-K reports.
Best-practice internal control capabilities companies should look for in financial management systems include:
- Requisition and purchase order approval (workflow and authorization).
- Automatic three-way match at goods receipt (error prevention).
- Invoice approval and payment (workflow and segregation of duties).
- Additional approval for invoices greater than a set dollar amount (authorization).
- Commitment control as preventive, rather than just detective, control.
- Scorecards and portals to alert management to any significant variances immediately.
- Tight integration between financial analytics and robust transaction systems to provide closed-loop monitoring and the ability to identify and drill down into anomalies in low-level detail before they become material events.
Accelerated Filings
From an IT perspective, the biggest challenge to complying with accelerated filing deadlines is fragmented systems with multiple general ledgers and transaction system interfaces. Regulatory reporting is further slowed by the fact that consolidation is often done manually using Excel and Access to roll up and consolidate reports, creating islands of information that can compromise data integrity and security.
According to former SEC Commissioner Steven Wallman, compliance with accelerated filing deadlines will be tough and more costly than people think, as companies need to worry not just about their IT equipment, but also about the software, training, upgrades, and people that will be needed to put in the new real-time information systems the SEC is seeking.
The foundation for a best-practice approach to meeting accelerated filing deadlines is to eliminate operational complexity by standardizing on a single financial management system and single data repository. Companies should look for the following functionality in their financial management systems to meet the SEC's accelerated filing deadlines:
- Aggregate financial data from multiple sources into a single data repository, to ensure visibility into accounting processes and to support financial audit/validation.
- Make financial details more accessible through a financial portal, to provide employees with visibility into accounting transactions in a controlled and secure manner.
- Enable frequent flash reporting at routine intervals during the accounting month so that potential errors can be identified and corrected before closing the books.
Real-Time Disclosure
To comply with new real-time disclosure requirements, companies need to implement strategic, real-time corporate disclosure strategies using Web-based technologies. Automation of the financial reporting, disclosure, and management certification processes ensures that such processes are fast, accurate, and auditable by external parties.
Most companies are unable to execute on real-time disclosure requirements because they lack real-time technologies. Take the new disclosure requirements on insider trading, for example. In 2002, only 5 to 10 percent of companies filed insider trading reports electronically using the SEC's EDGAR electronic filing system, with the rest using manual, paper-based filing processes that would be difficult to audit.
Similar challenges exist for improving the creation and publication of corporate disclosure information in real time. In a 2002 survey of 135 of the world's most respected companies, 84 percent did not have a corporate governance section on their Web site; only 14 percent published their corporate governance policies prominently; and less than one-quarter published a corporate code of ethics.
Financial management systems should enable companies to address the entire corporate disclosure process, establishing auditable, documented processes for creating, approving, and publishing financial reports, management certifications, and corporate governance policies. New technologies like PeopleSoft's Investor Portal can help companies meet new real-time disclosure requirements for material events mandated under SOA Section 409, using preconfigured templates to issue 8-K forms within the new two-day reporting deadline.
Other best-practice solutions for compliance with real-time corporate disclosure include:
- Financial portals to deliver prepackaged KPIs and alerts and to allow users to drill directly into transaction systems to take action before changes become material; and
- Content management portals to facilitate the regular publishing of performance metrics, policies, procedures, and third-party information so that investors and other key stakeholders receive clear and consistent communications about a company's financial health.
Conclusion
While the costs of compliance are likely to rise, the impact of doing nothing will be much worse. Audit firms are warning clients not to cut corners when it comes to compliance, as doing so could result in significantly greater remedial and audit costs, negative market reaction, ratings downgrades, and even potential fines or jail time.
Executives who take a strategic, long-term view toward compliance will view the new laws as a catalyst rather than just another line-item expenditure. By making long-delayed upgrades to financial systems and instituting best-practice finance business processes, CFOs can not only meet new SOA requirements with confidence, but they can also create the foundation for more efficient and effective finance organizations.

