Sarbanes-Oxley – A Call to Action

by Chris Trayhorn, Publisher of mThink Blue Book, March 11, 2004

If you work for a publicly traded US company, chances are you’re pretty familiar with the Sarbanes-Oxley Act (SOX). As a result of SOX, CEOs and CFOs have for the first time personally asserted to the validity of financial statements, exposing themselves to criminal prosecution. This was a landmark event, refocusing the executives on “minding the mint” and raising the accounting visibility across organizations.

What you may just be realizing is that confirming financial statements was merely the first step in a series of evolutionary guidelines the act comprises. What was once viewed as an accounting-only law is now being driven to all parts of the organization. CIOs are increasingly involved as financial data guidelines are escalating in importance and solutions are sought to support auditable processes.

To determine your SOX readiness, consider these questions from the CEO/CFO perspective:

Would I be willing to put my neck on the line that all of the material accounts and transactions are documented accurately and completely?

Am I confident that all material accounts and operations have adequate and tested internal controls? Would a review of these tests satisfy an auditor?

Do I believe a consistent rigor is applied across the enterprise to enforce internal controls and assure adequacy for material operations?

Can I be sure that documents required to support legal inquiries are retained as needed to meet regulatory requirements?

If you answered no to any of these questions, chances are you’ll need to pull up your SOX. Although the act has a number of sections, we believe that those with the most near-term impact are shown in Figure 1.

A SOX Action Plan

Obviously, these SOX requirements will have a pervasive impact on your organization.
No surprise here because the goal of SOX is to reach across the organization creating a pervasively ethical corporate environment and appropriate business behaviors. Given this broad goal, what can be done to make this a reality?

Since the assertions required are at the executive level, a top-down approach offers the greatest promise that the executive will be satisfied with the methodology and assertions that they must make on behalf of controls. To align with executive needs, this top-down approach is best driven by a representative from the CFO’s office or another senior resource charged specifically as a SOX program compliance officer (see Table 1).

Planning

Planning is critical given the regulatory guidelines and time frames involved. Assigning a goal-oriented compliance program manager helps drive compliance activities within the organization. Frequently, outside support will be required to help the program manager get up to speed and develop the materials to communicate and train the staff.

Since there are inherent conflicts between the external auditor used by the firm and the SOX compliance process, companies typically engage consulting firms with strong change management practices to drive the change. In cases where particular issues of the Financial Accounting Standards Board or generally accepted accounting principles apply, other audit firms also are frequently engaged to provide deep technical expertise.

Technology

A number of vendor software solutions exist to support a centralized compliance capability. Most solutions focus on a component of compliance (e.g., 404 or 802). However, a few bridge the gap. Some solutions have the added feature of predefined control templates that help to expedite documenting controls and increase overall SOX efficiency. However, it’s important to note that software alone isn’t the answer.
With culture change and creation of a pervasively ethical business environment as a goal, the project must be managed top-down to drive change in the organization.

Some Good News

The vision and direction provided by SOX provide the promise of simplified accounting processes, enhanced technical capabilities, and ultimately increased investor confidence in the coming years. Companies, now recognizing the SOX work in front of them, are using it to drive process and organizational changes, breaking through entrenched resistance and looking for opportunities to recast the financial reporting landscape. In fact, over the next few years, a significant portion of financial systems investments will be driven solely by SOX compliance needs.

SOX is looming as a major “to do” for 2004. Many companies, still in the (404, 802) awareness stage, are unclear on the full scope of actions required. Given the possibility of civil and criminal charges, as well as the almost certain impact to share values if initiatives fall short, it’s clearly time to get the compliance house in order. Key actions include:

Defining a compliance program management role;

Creating a SOX plan to meet requirement deadlines;

Determining what technologies will be employed to document and report activities;

Working top-down to define controls and objectives; and

Monitoring compliance testing to verify the program is on track.

A critical point is that SOX is pervasive; it changes the way business is conducted. As a result, SOX requires a hands-on effort and senior management commitment. Chances are that there is still time to comply with requirements, but the clock is ticking. For section 404 in particular, compliance can be no later than the end of the third quarter of 2004, and it could be much earlier depending upon your fiscal year.

How do you get started? Take the initial step to get a compliance office up and running and identify your SOX reporting milestones. Hitting these milestones is critical.
Remember, with SOX, there are no second chances.

About the Author

Chris Trayhorn, Publisher of mThink Blue Book

Chris Trayhorn is the Chairman of the Performance Marketing Industry Blue Ribbon Panel and the CEO of mThink.com, a leading online and content marketing agency. He has founded four successful marketing companies in London and San Francisco in the last 15 years, and is currently the founder and publisher of Revenue+Performance magazine, the magazine of the performance marketing industry since 2002.