Creating Business Value Through Optimized Compliance Practices


Applying the COSO Guidance

COSO Applies to Companies Large and Small

The proposed COSO guidance is not just for small- and mid-cap companies. It also applies to large, closely managed accelerated filers with decentralized, autonomous business units having characteristics of smaller public companies, foreign issuers with U.S. divisions, and private companies seeking to reduce risk and improve their overall governance practices.

Executive Summary

It is widely recognized that section 404 of the Sarbanes-Oxley Act (SOX) places a disproportionate burden on smaller public companies. The twin pressures of increased regulatory complexity and higher audit fees hit smaller companies hard. Most smaller companies are not only strengthening their internal controls and governance practices, but also negotiating with external auditors on what constitutes a reasonable and appropriate level of financial statement risk.

To address this problem, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission recently proposed guidance for smaller public companies, providing management with a tool to help establish effective and streamlined compliance processes, reduce costs and risks, increase value, and manage the expectations of everyone involved in the Sarbanes-Oxley compliance process. The following pages outline ways to leverage the COSO guidance to optimize compliance practices and create business value.

Organizations can effectively assess the need for a framework such as COSO by considering a number of key issues. Regulatory complexity, strategic changes and overall risks within the organization all play into the decision. Organizations should also determine their required level of investment by deciding on their desired future state on the Compliance Maturity Continuum.

Through a leadership position on the COSO task force, Jefferson Wells played a key role in the development of this important guidance. Insights gleaned from the guidance development process are now reflected in the Jefferson Wells Sustaining Internal Control Compliance methodology used with clients around the world.

Introduction

In July 2002, the Sarbanes-Oxley Act became law, transforming the regulatory landscape for publicly traded companies in the United States. The law's implementation brought new regulatory bodies, rules, filing requirements, audit standards and a host of new costs. Those compliance costs are disproportionately high for smaller companies, since they consume a larger percentage of revenue than they do at larger organizations with more established infrastructures. A speaker at a recent Public Company Accounting Oversight Board (PCAOB) roundtable noted that his organization's compliance costs are now 6.5 percent of sales, whereas prior to Sarbanes-Oxley the company's entire General and Administrative expenses amounted to just 8 percent of sales.

A recent survey by Foley & Lardner indicates that the average cost of being public for a company with revenue below $1 billion has increased $2.4 million, or 223 percent, post-SOX. These figures include audit fee increases of 84 percent for small-cap and 92 percent for mid-cap companies. And things do not appear to be improving in year two. NASDAQ and the American Electronics Association, an organization representing smaller companies primarily in the technology sector, recently surveyed companies regarding SOX year-two compliance costs. Results show that companies with market caps between $125 million and $750 million expect about a 10-percent decline, while those below $125 million in market cap expect no decrease.

These costs not only eat into corporate earnings, they also influence companies' decisions to go public, raise capital, make acquisitions and focus on specific strategic initiatives. Though serving a public good, Sarbanes-Oxley can make it more difficult for small- and mid-cap companies to compete. As the compliance challenges for smaller public companies became obvious, various regulatory agencies began taking steps to mitigate the legislation's negative effects on this important segment of the U.S. economy.

In December 2004, the Securities and Exchange Commission (SEC) launched the Advisory Committee on Smaller Public Companies (ACSPC) to assess the current regulatory system for smaller companies under the securities laws of the United States and to make recommendations for changes. The committee met periodically throughout 2005 and expects to provide recommendations for rule making to the full Securities and Exchange Commission in the Spring of

In conjunction with the formation of the ACSPC, and at the request of the SEC, COSO established a task force to develop guidance for implementing the COSO control framework in smaller businesses, aimed at assessing and reporting on the effectiveness of internal control over financial reporting. This effort was especially important since the PCAOB's Auditing Standard 2 (March 2004), the main rule driving current internal audit approaches, explicitly refers to the COSO framework.

The SEC's Advisory Committee on Smaller Public Companies based its classification of companies on market capitalization. It defines larger public companies as those organizations that comprise the top 94 percent of total U.S. market capitalization, or those with approximately $700 million in market capitalization. Smaller companies are those that fall below that level. The COSO guidance is attentive to characteristics of smaller companies rather than metrics. In contrast, the SEC's guidance, which is under review, defines approximately 80 percent of public companies as smaller.

COSO's new proposed guidance enables smaller public companies to begin the work of optimizing key aspects of their control environments. The guidance provides management with tools to manage both external audit's expectations and the management-external audit relationship, and also clearly illustrates how to cost-effectively design and implement internal controls. As the SEC and PCAOB consider crafting new rules specific to smaller public companies, they will also need to consider how to incorporate this COSO guidance.

What Makes a Small Business?

Among the main difficulties the COSO Task Force faced was clearly defining the smaller public company environment: developing common terminology to describe small businesses and identifying their specific challenges. The task force incorporated key characteristics of smaller public companies into its guidance and addressed obstacles to effectively implementing internal controls. The COSO Task Force opted to use characteristics to describe small business rather than market capitalization. COSO's definition of a smaller business includes characteristics such as a simple product line, a small group of owners who dominate the management of the business, wide spans of control, geographic concentration and an operating size that makes it difficult to benefit from economies of scale. The guidance clearly points out that "None of these characteristics by themselves are definitive." In adopting this approach, COSO establishes parameters and a guide for defining the small business issue put to it by the SEC and PCAOB, an issue that is challenging the investment community and the marketplace. In addition, the proposed guidance also recognizes that large, geographically dispersed, decentralized companies often have entities with many, if not all, of the characteristics of a smaller business.

The task force also specifically highlighted challenges faced by smaller companies when implementing internal controls and the supporting compliance framework. These challenges include:

- Obtaining sufficient resources to achieve adequate segregation of duties.
- Management's ability to dominate activities. This increases opportunities for improper management override of processes in order to accomplish financial reporting objectives.
- Attracting independent, outside parties with financial and operational expertise to serve on the board of directors and on the audit committee.
- Obtaining qualified accounting personnel to prepare and report financial information.
- Controlling information technology. Controls over information systems, particularly application and general computer controls, present challenges to smaller businesses.

Even with the assistance provided by the guidance, smaller businesses, still at the mercy of the SEC, PCAOB and audit firms, are challenged to apply the guidance in a manner that reduces compliance costs, improves risk management and eventually delivers some form of business value.

Where to Begin?

Since Sarbanes-Oxley appeared on the scene two and a half years ago, public companies have tried to determine what it is, how it affects their businesses, what they need to do to be compliant and even when they will be required to comply. Smaller public companies face the same challenges as large ones when it comes to complying with SOX regulations and dealing with outside auditors. Most companies now find themselves negotiating with external auditors on what constitutes a reasonable and appropriate level of risk. Understandably, smaller companies often feel less empowered to voice what they believe to be the most reasonable approach for their organizations, and instead manage many financial reporting and

related internal control decisions at the direction of their external audit firms. With the release of the COSO report, smaller public companies now have one more piece of external guidance to assess and implement. Most executives are frustrated, trying to discern what it all means, whether to implement the guidance and where to start.

So where to begin? First, a smaller public company should determine whether it even needs to implement a framework such as COSO. It is critical to establish clear objectives before undertaking a project of this significance. Some questions to consider include:

- What are your compliance requirements? All public companies will eventually need to file under Sarbanes-Oxley. Most will follow the COSO framework. Beginning work now allows time to implement the guidance in an orderly fashion. In addition, many companies face multiple regulatory considerations. Applying the COSO framework may yield efficiencies as different rules are addressed through a single framework.
- How compliance-driven are your products or services? If products or services are driven by heavy compliance requirements, then a stronger control environment would not only help with financial reporting but also strengthen the organization's overall management.
- How complex is your business? The new guidance indicates that when management of smaller organizations relies on internal controls solely for running the business and makes no assertions on effectiveness, the level of controls and documentation can often be less formal. This affects third parties' (external auditors') ability to assert as to the effectiveness of internal controls.
- What strategic changes are you planning? Organizations planning to go public or be acquired may need to strengthen internal control processes in advance of such a move. Many acquirers are increasing their due diligence and will also want to evaluate the internal controls of target companies, since effective controls can streamline the integration process and avoid compliance and risk issues.
- Are you effectively managing risks? Regardless of compliance requirements, companies should manage and control a wide range of risks, including strategic and operational risks. Excessive losses or significant unmitigated risks could signal a need for the COSO framework, a proven approach to stabilizing overall financial performance.
- Are you creating enough shareholder value? Sound governance practices typically yield shareholder value as corporate objectives are more consistently met. The COSO framework applies to organizations trying to improve their ability to deliver on strategic commitments, be it sales forecasts, expense reduction efforts or IT development projects.

Once a company has established the need for a framework, it needs to establish a desired target value. The Jefferson Wells Compliance Maturity Continuum helps companies determine a target value and understand the effort required to achieve that performance level. The Compliance Maturity Continuum consists of five phases. The first two are geared at simply meeting the legal requirements of being in business. At the third level, Sustainable, organizations focus on the efficiency of meeting compliance requirements. Entering the fourth level, Integrated, companies target a reduction in business risk as they try to minimize the effects of internal and external events. Companies reaching the fifth level, Optimal, have successfully implemented solid governance practices and are consistently achieving strategic objectives. Companies can use the Compliance Maturity Continuum to set goals, gauge their efforts and select the tools that will enable them to reach their desired level.

With a solid understanding of why they are implementing a framework like COSO, and having established achievement expectations, companies can begin to extract value from the COSO guidance by applying it to specific circumstances and objectives.

[Figure: Compliance Maturity Continuum, plotting business value against maturity. The five phases shown:]
- Foundational: year-one compliance; project-based.
- Fundamental: minimum required beyond year one; disclosure and change management processes.
- Sustainable: operational internal control compliance activities; process-based.
- Integrated: compliance integrated into the fabric of the business; mature governance processes.
- Optimal: continuous monitoring and risk assessment; real-time response through use of technology; enterprise risk management adopted.
Functions labelled along the continuum: Internal Audit, Strategic Planning, Treasury, Risk Management, Legal, Compliance Management.

Streamlined Compliance

Applying the COSO framework streamlines compliance efforts as companies move toward the Sustainable level on the Compliance Maturity Continuum. At its most elemental level, the COSO guidance can be used to benchmark current internal control efforts. The guidance is structured around 26 principles, with attributes, approaches and examples provided on how each principle can be implemented by smaller public companies. By comparing current efforts to the examples, an organization can quickly identify business processes with inadequate or excessive controls.

Control Environment
1. Integrity and Ethical Values: Sound integrity and ethical values, particularly of top management, are developed and set the standard of conduct for financial reporting.
2. Importance of Board of Directors: The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.
3. Management's Philosophy and Operating Style: Management's philosophy and operating style support achieving effective internal control over financial reporting.
4. Organizational Structure: The company's organizational structure supports effective internal control over financial reporting.
5. Commitment to Financial Reporting Competencies: The company retains individuals competent in financial reporting and related oversight roles.
6. Authority and Responsibility: Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
7. Human Resources: Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment
8. Importance of Financial Reporting Objectives: A precondition to risk assessment is the establishment of objectives for reliable financial reporting.
9. Identification and Analysis of Financial Reporting Risks: The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
10. Assessment of Fraud Risk: The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities
11. Elements of a Control Activity: Policies and procedures are established and communicated throughout the company, at all levels and across all functions, that enable management directives to be carried out.
12. Control Activities Linked to Risk Assessment: Actions are taken to address risks to the achievement of financial reporting objectives.
13. Selection and Development of Control Activities: Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
14. Information Technology: Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication
15. Information Needs: Information is identified, captured and used at all levels of a company to support the achievement of financial reporting objectives.
16. Information Control: Information relevant to financial reporting is identified, captured, processed and distributed within the parameters established by the company's control processes to support the achievement of financial reporting objectives.
17. Management Communication: All personnel, particularly those in roles affecting financial reporting, receive a clear message from top management that both internal control over financial reporting and individual control responsibilities must be taken seriously.
18. Upstream Communication: Company personnel have an effective and nonretributive method to communicate significant information upstream in a company.
19. Board Communication: Communication exists between management and the board of directors so that both have relevant information to fulfill their roles with respect to governance and financial reporting objectives.
20. Communication with Outside Parties: Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring
21. Ongoing Monitoring: Ongoing monitoring processes enable management to determine whether internal control over financial reporting is present and functioning.
22. Separate Evaluations: Separate evaluations of all five internal control components enable management to determine the effectiveness of internal control over financial reporting.
23. Reporting Deficiencies: Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.

Roles and Responsibilities
24. Management Roles: Management exercises responsibility and ownership for internal control over financial reporting.
25. Board and Audit Committees: The board of directors performs its oversight responsibilities relating to the achievement of effective internal control over financial reporting.
26. Other Personnel: All company staff accept responsibility for actions that directly or indirectly impact financial reporting.

Also included in the guidance are samples and templates that can be leveraged to speed the implementation of specific principles. As companies identify areas with inadequate controls, they can reference relevant examples, which provide tactical guidance so they avoid moving forward where significant control gaps and risks exist.

In addition, the COSO guidance dedicates an entire chapter to identifying, evaluating and planning for risk mitigation. By linking internal control efforts to specific risks, a company can better focus its efforts. As stated in the guidance, "A thorough and well thought-out risk assessment is a precursor to ensuring effective and efficient control activities."

Lastly, the guidance focuses on establishing an effective monitoring process, emphasizing this element of the original 1992 COSO framework, particularly in smaller business settings. Because management in smaller companies is closer to the action, it is better able to identify abnormal activities and direct a response to the correct individual. Monitoring is an efficient form of internal control as it coincides with the normal day-to-day activities of smaller company executives. Peppered throughout the COSO guidance are examples of how smaller public companies can use monitoring to streamline compliance efforts.

The benefits of streamlining the compliance process are obvious. Fewer errors and reduced costs can give a company lower compliance-related costs than its competitors.

Reduced Risk

Three of the 26 principles are related to risk and risk assessment. Principle number nine specifically calls for the creation of a risk assessment process to achieve financial reporting objectives. The risk assessment process encompasses a wide range of strategic and operational risks, such as changes in economic conditions, competitor and industry changes, technology changes, IT applications and fluctuations in customer demand. Taking time to assess risks on a quarterly basis, as the COSO guidance suggests, allows an organization to reduce the number and magnitude of avoidable losses, reducing the variability of financial performance.

In a recent CFO Executive Board survey of businesses impacted by Hurricane Katrina, 40 percent of respondents stated that their companies will not only deal with business restoration issues and fluctuations in commodity prices, but will also absorb all hurricane-related costs. Organizations that conduct appropriate risk assessments and then build mitigating steps into their control environments can avoid events that destroy shareholder value.

The CFO Executive Board evaluated risks that drove the largest declines in market capitalization over one full business cycle, from 1988 to

The largest risk category creating market capitalization declines was strategic risk, which accounted for 65 percent of the loss in value. Operational risks accounted for 13 percent of the declines, with legal and compliance risks and financial risks contributing 7 percent and 15 percent, respectively. Non-financial risks were the ones that in the end posed the biggest threat to organizations. Establishing good risk management practices as outlined in the COSO guidance can help companies avoid these types of losses. As regulators cajole audit firms to adopt a more risk-based, top-down approach to their testing, a huge side benefit is that companies' efforts in this area should begin to reduce external audit fees.

Improved Business Value

Streamlined control processes and enhanced risk management practices reflect the proper tone-at-the-top, a key element affecting business value. With improved monitoring and oversight, and greater individual accountability, businesses are better able to achieve their strategic objectives. The COSO guidance provides a platform from which organizations can continuously streamline and enhance their controls surrounding mission-critical processes. It also enables organizations to more efficiently accomplish strategic initiatives because the risks inherent in those types of projects will be better managed. Finally, the guidance prepares organizations for major structural changes such as going public, acquiring another entity or being acquired.

A recently released study by the Economist Intelligence Unit found that companies are beginning to realize benefits from improved risk management. In the survey, 25 percent of respondents had improved shareholder value as a result of boards of directors taking greater responsibility for risk management. In addition, 24 percent lowered insurance costs and 23 percent improved returns on investment. In the end, the COSO guidance provides a roadmap so companies can more easily establish those disciplines that drive the creation of business value and minimize events that destroy it.

How Jefferson Wells Can Help

Jefferson Wells is uniquely positioned to assist companies in efficiently and effectively implementing the key components of the guidance. Christine Bellino, Jefferson Wells' Director of Technology Risk Management, represented the firm on the COSO Task Force as a Co-Chair. The firm was able to contribute insights from experience gained over thousands of engagements into the development of this guidance. Insights gleaned during the guidance development process are now reflected in the Jefferson Wells Sustaining Internal Control Compliance methodology used with clients around the world. This methodology assists smaller companies in implementing the guidance's key components, and the Jefferson Wells tools leverage the extensive experience of our professionals to complement the framework.

Jefferson Wells delivers professional services in the areas of internal audit, technology risk management, tax, and finance and accounting. We serve clients, including Fortune 500 and Global 1000 companies, through highly experienced, salaried professionals working from offices across North America and Europe. To learn more about our firm and professional services, visit our Web site at

Jefferson Wells International, Inc. is not a certified public accounting firm.