IBM Business Consulting Services
Executive brief

Sarbanes-Oxley: A call to action

The following article was written for and published in The Utilities Project: Volume 4 - Positioning for Growth by Montgomery Research, March 2004.
Contents
- Sarbanes-Oxley: A call to action
- A SOX action plan
- Some good news
- About the author
- About IBM Business Consulting Services

Sarbanes-Oxley: A call to action

The Sarbanes-Oxley Act goes beyond financial statements to require a sound methodology, including implementation management, determination of technological requirements, and compliance monitoring.

If you work for a publicly traded U.S. company, chances are you're pretty familiar with the Sarbanes-Oxley Act (SOX). As a result of SOX, CEOs and CFOs have, for the first time, personally asserted to the validity of financial statements, exposing themselves to criminal prosecution. This was a landmark event, refocusing executives on minding the mint and raising accounting visibility across organizations.

What you may just be realizing is that confirming financial statements was merely the first step in a series of evolutionary guidelines the act comprises. What was once viewed as an accounting-only law is now being driven to all parts of the organization. CIOs are increasingly involved as financial data guidelines escalate in importance and solutions are sought to support auditable processes.

To determine your SOX readiness, consider these questions from the CEO/CFO perspective:
- Would I be willing to put my neck on the line that all of the material accounts and transactions are documented accurately and completely?
- Am I confident that all material accounts and operations have adequate and tested internal controls? Would a review of these tests satisfy an auditor?
- Do I believe a consistent rigor is applied across the enterprise to enforce internal controls and assure adequacy for material operations?
- Can I be sure that documents required to support legal inquiries are retained as needed to meet regulatory requirements?

If you answered no to any of these questions, chances are you'll need to pull up your SOX.
Although the act has a number of sections, we believe that those with the most near-term impact are shown in Figure 1.

Figure 1. Sarbanes-Oxley sections with near-term impact.

Section 302
Description: CEO and CFO must personally certify to the accuracy of financial statements and the efficacy of internal disclosure controls. Completed!
Impacts to you: The CEO/CFO requires continued visibility and confidence surrounding financial data accuracy and completeness. Processes must provide visibility to material accounts and transactions to support assertions.

Section 404
Description: Requires an annual report by management on internal controls, attested by external audit firms. To be implemented in 2004; companies must document and test controls three months in advance of the fiscal year end. For example, for a Dec. 31, 2004 fiscal year end, controls must be documented and tested by Sept. 30, 2004.
Impacts to you: Materiality, risks, and internal control procedures must be documented and tested. Any weaknesses identified (if material) must be mitigated. The procedures, tests, and mitigating controls must be in an auditable format. Management (CEO/CFO) must attest, at risk of criminal penalty, to the effectiveness of the controls. Key points: a consistent, top-down rigor must be applied to defining procedures and test steps. Documentation must be centrally controlled (on an automated system if at all possible) and test results must provide management-level visibility to weaknesses.

Section 802
Description: Criminal penalties for failure to comply with record retention policies, including assurance of no destruction, alteration, or falsification of records.
Impacts to you: Section 802 raises issues for both business and technical groups. From a business perspective, we need to determine what to retain, how long to keep it, and a final disposition. On the technical side, companies are challenged to provide content management type capabilities for the variety of documents and formats. For example, spreadsheet-based support for revenue calculations, portable document format (.pdf) reports generated from ERP applications, e-mails, etc., may all qualify for retention to support the income statement revenue caption. Companies will need to drive retention policies top-down to retain what is needed. Another component of 802 is that companies should establish emergency policies for retention in the event of legal inquiry.

Section 409
Description: This requirement is still evolving, but the SEC is considering rules providing for real-time disclosure of material events. New accelerated filing rules will go into effect over time: 10-Qs within 35 days, 10-Ks within 60 days.
Impacts to you: This increases the pressure on financial reporting in all areas. The need to expedite the close process will likely drive significant transformation in the financial group. Processes must be streamlined and inefficiencies driven out. Technologies surrounding ERPs (extension of capabilities, or driving more from the technology in-house) will be required to deliver results. Data and transaction reliability must be baked into finance functions since correction cycles will be significantly reduced. Data warehouses and content management systems will increase in importance to provide availability of financial support data and to provide a quick and reliable repository for data supporting financial statements.

Source: IBM Business Consulting Services, 2003.
A SOX action plan

Obviously, these SOX requirements will have a pervasive impact on your organization. No surprise here, because the goal of SOX is to reach across the organization, creating a pervasively ethical corporate environment and appropriate business behaviors. Given this broad goal, what can be done to make this a reality?

Since the assertions required are at the executive level, a top-down approach offers the greatest promise that the executive will be satisfied with the methodology and the assertions they must make on behalf of controls. To align with executive needs, this top-down approach is best driven by a representative from the CFO's office or another senior resource charged specifically as a SOX program compliance officer (see Figure 2).

Planning

Planning is critical given the regulatory guidelines and time frames involved. Assigning a goal-oriented compliance program manager helps drive compliance activities within the organization. Frequently, outside support will be required to help the program manager get up to speed and develop the materials to communicate and train the staff. Since there are inherent conflicts between the external auditor used by the firm and the SOX compliance process, companies typically engage consulting firms with strong change management practices to drive the change. In cases where particular issues of the Financial Accounting Standards Board or generally accepted accounting principles apply, other audit firms are also frequently engaged to provide deep technical expertise.

Figure 2. Compliance process undertaken by program manager (cycle): Establish accountability, Define controls, Document, Test, Monitor.
Source: IBM Business Consulting Services, 2003.
Technology

A number of vendor software solutions exist to support a centralized compliance capability. Most solutions focus on a component of compliance (e.g., 404 or 802). However, a few bridge the gap. Some solutions have the added feature of predefined control templates that help to expedite documenting controls and increase overall SOX efficiency. However, it's important to note that software alone isn't the answer. With culture change and the creation of a pervasively ethical business environment as a goal, the project must be managed top-down to drive change in the organization.

Some good news

The vision and direction provided by SOX offer the promise of simplified accounting processes, enhanced technical capabilities, and ultimately increased investor confidence in the coming years. Companies, now recognizing the SOX work in front of them, are using it to drive process and organizational changes, breaking through entrenched resistance and looking for opportunities to recast the financial reporting landscape. In fact, over the next few years, a significant portion of financial systems investments will be driven solely by SOX compliance needs.

SOX is looming as a major to-do for 2004. Many companies, still in the (404, 802) awareness stage, are unclear on the full scope of actions required. Given the possibility of civil and criminal charges, as well as the almost certain impact to share values if initiatives fall short, it's clearly time to get the compliance house in order. Key actions include:
- Defining a compliance program management role
- Creating a SOX plan to meet requirement deadlines
- Determining what technologies will be employed to document and report activities
- Working top-down to define controls and objectives
- Monitoring compliance testing to verify the program is on track.
A critical point is that SOX is pervasive; it changes the way business is conducted. As a result, SOX requires a hands-on effort and senior management commitment. Chances are that there is still time to comply with requirements, but the clock is ticking. For section 404 in particular, compliance can be no later than the end of the third quarter of 2004, and it could be much earlier depending upon your fiscal year. How do you get started? Take the initial step to get a compliance office up and running and identify your SOX reporting milestones. Hitting these milestones is critical. Remember, with SOX, there are no second chances.

About the author

Richard Lulie is an Associate Partner at IBM specializing in financial solutions and Sarbanes-Oxley compliance for the Communications and Utilities sectors. Mr. Lulie is a CPA with over 20 years of experience including audit, business transformation, and financial software implementation. He can be reached at richard.lulie@us.ibm.com.

About IBM Business Consulting Services

With consultants and professional staff in more than 160 countries globally, IBM Business Consulting Services is the world's largest consulting services organization. IBM Business Consulting Services provides clients with business process and industry expertise, a deep understanding of technology solutions that address specific industry issues, and the ability to design, build and run those solutions in a way that delivers bottom-line business value.
Copyright IBM Corporation 2004
IBM Global Services, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, 05-04. All Rights Reserved.

IBM and the IBM logo are registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

G510-3622-00