It is easy to see why, after Sarbanes-Oxley became law in the early 2000s and internal-control testers and reviewers became sought-after professionals, the demand for their talents sometimes went to their heads. From being the mostly ignored internal audit department to becoming the highly noticed glamour boys and girls of their own movie called Corporate America, their first instinct was, “The power is with us, so let us start policing.” I admit that happened to me, but only for a minute.
Two things happened to make me quickly snap out of it. First was a reflective process in which I decided that I did not want to make a career out of solely pointing out errors that other people made; that would be too much negativity day in and day out. Then, during a chance encounter after hours with a corporate controller, she blurted out, “You know the best thing about having you on our team is that I feel more secure when I go home every night, that things are working optimally and the world will not fall apart tomorrow morning.” Voilà! The statement was made by her, but the big impact was on me. In her mind, I was collaborating with her and giving her peace of mind, but in my mind, I had seen myself as the cop. I preferred her outlook and embraced it.
From that moment on, finding SOX errors became secondary to my working as a thoughtful partner who uncovers positive opportunities in the organizations I work with. Consider these real-life examples from my experiences:
- SOX became a revenue generator when testers helped a disc drive maker realize that it had been needlessly throwing away material that was actually quite valuable. The finding began with a control test that read, “Excess inventory is classified as scrap and authorized.” Looking for authorization controls, the SOX testers wondered why the excess precious metal (the inventory) used to make the disc drives was treated as worthless. It was simply thrown away. A group of employees, who had previously been ignored on this issue, revealed that the metal could be recycled, at a fraction of the cost of discarding it, into new disc drives, adding new revenue to the bottom line. An outside perspective, brought in through a SOX exercise, moved this opportunity to the forefront.
- A company that took a conservative approach to its SOX control for inventory cycle counts had a monthly reconciliation process. The cautious way of doing things had an upside when management looked at the results of the reconciliation and decided to streamline the entire inventory management and supply chain process, which saved millions in costs and cut a week from the closing process.
- A retail giant was planning to implement a new system in the supply chain area and wanted to consider SOX upfront, to ensure that before going live the new system would pass all the relevant IT general controls (including user and developer access, terminations, passwords and change management). This was a first for the retailer, which did not usually take SOX into account in the early stages of a new system. The proactive effort saved it time and money. The SOX readiness testing led to the operations side working more closely with the IT side, securing early buy-in, creating better communication between the two groups and leading to an overall more efficient supply chain process. The net impact was a savings of $3 million, and the project went live and operational three months ahead of schedule.
- The reach of SOX sometimes spills over into IT security and PCI DSS compliance (the data security standard used by the payment card industry). This was evident at a retailer that was planning to break away from its publicly listed parent and go public on its own. As the team I was working with was putting the SOX controls in place in the various areas, we realized that, although it did not have a direct impact on the company’s SOX compliance, the IT security systems did not protect customers’ credit card information as well as they should. While this security gap sounds like a huge hole in today’s privacy-conscious environment, this finding was made back in 2007. Even then the very prudent upper management team, including the CEO and CFO, saw the need to plug the gap; they had the foresight to put in place strong IT security measures and encryption technology and prevent their customers’ credit card information from getting plastered on Times Square. If only all retailers had followed suit! This company was not just ahead of the game in IT security; it also achieved PCI DSS compliance, thanks to the initial recommendations that turned up during the SOX work.
The above is only a short list of the process improvements I have seen firsthand during my time working heavily in SOX. The point is that, if the only cap I had worn while going about my SOX testing was that of a policeman, I would never have seen past the brim to play a part in those process improvements. These are examples of positive changes from SOX that revealed new revenue opportunities or saved money. And, on a personal level, they have reinforced my profile as a “trusted partner,” even in the eyes of the people subject to SOX controls. This, as any SOX tester will testify these days, is the ultimate goal. Any feeling of being a SOX cop is long gone. All it took was a slight change in mindset and approach.
Vivek Kumar is a member of the RoseRyan dream team. He has been working in SOX since the time it became law and from both sides, in-house and as an external consultant. When not doing SOX, Vivek keeps himself busy playing tennis and making feature films, the first of which hits theaters this summer.