The curtain went down on Act One of Sarbanes-Oxley a couple of weeks ago. In April, the Securities and Exchange Commission (SEC) held an open discussion in Washington and a compliance software vendor, Certus, put on their own conference in San Francisco called Frontlines. We wrote up our conclusions from the latter event at that time.
Our views were borne out in the subsequent public 'clarification' of the intent of the law by the Public Company Accounting Oversight Board (PCAOB) and SEC, and also by changes in the specific wording of the auditing guidelines (e.g., going from suggesting that auditors could rely on the work of others to insisting they must rely on the work of others). In our judgment, Act Two of Sarbanes-Oxley will involve far less pettifogging, but that does not mean all companies can relax. Ventana Research expects about one-third to one-half of public companies will face process-related compliance issues this year and more than half will find they have real issues with the controllability of their IT systems. Almost all companies will need to focus on ways to achieve efficient, sustainable compliance. US filers subject to Sarbanes-Oxley Section 404 have entered a completely new world from the one they lived in for the past two years. Most have completed their initial compliance efforts and almost all have “passed.” While we believe a majority of companies found there was value in the effort to examine and document processes and in uncovering vulnerabilities and inefficiencies, there was near unanimous agreement that the audit process itself was flawed. All too frequently, it focused on minutiae and lost sight of the real objectives of the Act. In recent weeks the PCAOB and SEC have made it clear they received that message loud and clear.Ventana Research thinks there are six key themes in Act Two of Sarbanes-Oxley compliance:
“Efficient sustainable compliance” is the phrase of the moment. The PCAOB's and SEC's insistence that auditors not dwell on detail is a positive event. It means companies that implement process and systems changes which allow them to control at higher levels and/or automate manual processes will be able to see a return from this investment through diminished audit costs. Since the message from the PCAOB was, in effect, that process and systems improvements that promote overall control should be rewarded, we recommend companies invest in areas where they have control issues, or where they can eliminate costs of achieving acceptable controls. Despite the PCAOB's insistence that auditors avoid pettifogging, we expect about one-third to one-half of US filers face significant additional work fixing their financial systems. Act One of Section 404 was about identifying processes and implementing controls and tests. Act Two, for many companies is about remediation of the issues they discovered but did not have the time to correct. Some of our discussions with practitioners over the past few months leads us to think that while they may be avoiding the minutiae in next year's audits, there are plenty of substantive issues that still must be addressed. So while auditors may not be allowed run up the tab on little things, there are still areas they can delve into, particularly in the bottom third of companies, those that struggled to achieve a minimum level of compliance in their first audit. That noted, we believe the bulk of the justification for such investments comes not from Sarbanes-Oxley compliance, but a reduction of finance department operating costs. Changes that promote compliance are the same changes that will make finance process execution more efficient: efficiency driven by increased automation, error reduction and increased process commonality. Sarbanes-Oxley appears to be pushing out financial reporting dates for some public companies. There is some element of “CYA” double- and triple-checking (which may be temporary), but other process issues such as getting approval from the audit committee may also be at work. Since most audit committee members are non-executive directors (with their own business schedules and priorities) and because they are now expected to examine the results in depth, getting those directors to sign off is adding time to the financial reporting process. Shortening both the close and the report production process ought to be important priorities to accelerate public announcement of financial results. We expect auditors to shift a greater part of their attention to IT system controls. In our view, this is a “mens sana in corporo sano” (a sound mind in a healthy body) issue. To the extent that corporations rely more on IT automation to remove points of control issues, they must be certain they are controlling the IT systems well. All CIOs in public companies will need to familiarize themselves with CobiT (Control Objectives for Information and related Technology – a framework for managing IT processes to limit business risk while satisfying technical issues and performance requirements) if they are not already familiar. We think the work in this area is insufficient, and that it represents a potential point of vulnerability for many corporations. The good news from the Sarbanes-Oxley reviews is the governing bodies (the PCAOB and SEC) understand the legitimacy of the Act was being undercut by well-intentioned but nonetheless nonsensical front line interpretation of the rules. Still, a significant segment of the public company population (we estimate between one-third and one-half) have more work to do in improving risk controls in their organization. Furthermore, we think a majority of companies can benefit by applying an “efficient compliance” approach to process and systems improvements. AssessmentRedesigning processes to achieve efficient Sarbanes-Oxley Section 404 compliance will be an important priority for finance and IT organizations for the next several years. Ventana Research advises corporations to find ways to employ higher-level controls and to shrink the number of controls they operate and monitor. We also advise companies to invest in IT systems that will enable them to do this. Finally, we recommend investing in systems that will automate the administrative and record keeping aspects of the compliance effort as well.
Ventana Research is the preeminent research and advisory services firm helping our clients maximize stakeholder value with Performance Management throughout their organizations. Putting research in a business and IT context we provide insight and education on the best practices, methodologies and technologies that enable our clients to leverage assets to understand, optimize, and align strategies and processes to meet their goals and objectives.