Talk about mixed messages. The new presidential administration wants what they consider “costly and unnecessary regulations” wiped out. At the same time we have continued pressure by regulatory agencies to strengthen and improve internal controls over financial reporting (ICFR). Anyone who is involved in SOX compliance has to wonder: Is the almost 15-year-old law part of the discussion in Washington? And what should we all be doing in the meantime?

Our crystal ball isn’t any less cloudy than yours, but here’s some advice. Keep in mind SOX’s goal: to have in place a strong ICFR system that prevents a material misstatement of the financial statements. To what extent this is mandated may be in flux, but the benefits of such a program are foundational. It’s good for your valuation, as well as for management, employees, investors and anyone you do business with.

To keep your SOX program doing what you need it to do, know that it needs to evolve. As your business expands, its interests and risks shift, and leaders come and go, your SOX program needs tending to as well. Here are five ways to make sure yours stays up-to-date, no matter what happens on Capitol Hill.

1. Pay attention to your culture.

Culture plays a huge role in ICFR. What are the expectations for ethical behavior in the workplace? Are these embedded in your workplace culture? Is the pressure to deliver results so great that a blind eye is turned to questionable behavior? These are important questions to ask regularly, as the answers may change when leaders come and go, and the company grows more complex.

No matter how strong your design of controls, without a healthy ethical environment, your ICFR program will be fighting an uphill battle. Tone at the top matters. “In most cases of alleged financial fraud, the CEO and CFO are named in the complaint,” according to a March report from the Center for Audit Quality. “[Securities and Exchange] Commission staff noted that the driver of earnings management—the catalyst for most fraud cases—is often top management, such that the focus on the CEO and CFO is not surprising.”

In addition to the tone set by the senior leadership at headquarters, look at the culture of remote offices, both foreign and domestic. Take into account the local tone at the top, local customs and practices, and any incentives offered to local leadership for achieving performance goals.

2. Revisit your company’s risk profile.

Business risks change. Are you staying current? Identify anticipated changes in business processes, systems and key personnel, and make sure you are addressing any known areas of risk that need attention. Even if your internal environment is stable, assess how your business risks may have changed due to external factors.

3. Adopt a quarterly review process.

Keep the people responsible for key controls engaged all year long. By carrying out quarterly self-assessments, control owners can get a quick read on areas that are changing and controls that no longer serve the organization. These evaluations can also help prevent surprises when it comes time to test the controls.

4. Seek alignment with your external auditors.

Expectations can change, so stay fluid. The regulatory landscape will continue to evolve as new leadership takes shape at the SEC and the Public Company Accounting Oversight Board, and their priorities and interests are passed down to auditors. Understanding changes in your auditors’ expectations and having clear, proactive communication can make all the difference in your ability to retain an effective SOX program.

Some of the more recent areas of focus by your auditors may include IPE (information produced by the entity) and the related scrutiny to ensure that the data is complete and accurate. In considering the completeness and accuracy of information used in the execution of a control, it is important to pay attention to the relevant data elements.

5. Fold in insights from experts who bring another perspective.

When your external auditor asks for additional controls, how can you tell whether it’s a check-the-box request? What’s a reasonable risk-based response? You can use a co-sourcing finance team as a sounding board to help you formulate the appropriate answers. Experts who work with a variety of companies can offer a broader perspective of what is going on in the industry.

And for smaller companies that need to rely on a single employee for subject-matter expertise, outside experts can fill in knowledge with their “second set of eyes,” such as by evaluating the design of controls or reviewing a complex, nonstandard transaction.

Regardless of whether SOX as we know it goes away or is here to stay, savvy companies will want to keep the benefits of strong, right-sized internal controls.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. Pat previously held senior-level finance positions at public companies and worked as an auditor with a Big 4 firm.

Recently we have read press coverage about the CEO of Yahoo losing his job for including on his resume a degree he didn’t have. And last fall, the CEO of Hewlett Packard lost his job over false expense reports.

In both cases, the ethical line was crossed. When that happened, they had to go—that line must never be crossed.

Why is this so important? The answer is that when someone crosses the ethical line, you can no longer trust that person. What happens when you face a situation where you have to rely on that person’s honesty, such as in a management representation letter, if you can’t trust them? The answer is that you cannot rely on them, so the situation cannot be allowed to occur.

Here’s just one example that affected me personally and that I hope will put this in perspective.

I was the CFO of a company when the CEO wanted to hire a new VP of sales whom he and others had worked with before. As a company we had all the personal references we wanted, and the candidate had a great selling history. Perfect guy, or so we thought. We got to the point of wanting to hire him quickly, asked him to complete an application form and started the background check.

Unfortunately, we quickly came up with two issues. He did not have the exact degree he claimed on his application form, and he had answered “no” to a question that the background check showed that he should have answered as “yes.” We asked him about these issues, and after some time he admitted the application form he had completed was inaccurate, that he had overstated the degree and answered the question falsely. He was very apologetic.

So were we, because we couldn’t employ him as a result of the false statements. How could I, as CFO—or the auditors, or the board—ever rely on any statement he may be asked to make when he lied on an application? Or how could we be sure that he was being truthful with our customers when he was negotiating on our behalf? We couldn’t, so we had to pass on him.

The sad fact is that we would have hired him if he had answered the questions correctly. We didn’t care what his degree was in, or about his other answer, but because he didn’t answer those two questions honestly we knew we couldn’t trust him to be honest with us when it really mattered. That’s the bottom line, and that’s why ethics matter.