Achieving sustainable Sarbanes-Oxley compliance

Achieving sustainable Sarbanes-Oxley compliance -- how should the business units and CFO work together?

9.24.04

John Hall, Principal Consultant, PA Consulting

Douglas Cunningham, Consultant, PA Consulting

The Issue
The deadline for Section 404 compliance is rapidly approaching with most companies currently required to comply by their first fiscal year ending on or after November 15, 2004. With the clock quickly ticking, companies in the public utility sector are racing to meet the deadline.

Most companies today are conducting substantial projects around Sarbanes-Oxley Section 404 requirements and, while all of this tortuous effort is admirable, it tends to be inadequately coordinated at the corporate level, leaving individual business units busy without really knowing why.

Insufficient communication between these groups further complicates the challenge of adequate preparation, resulting in an unclear picture of the organization’s audit-readiness that rightly leaves executives highly concerned.

In the limited time remaining before the deadline, the CEO / CFO needs to get back to basics, take control and, through the four-step action plan described below, restore the confidence and support of the business units in their Sarbanes-Oxley compliance program.

At the same time, there is a growing need to transform the initial project effort into sustainable practice as companies realize that the "deadline" isn't the finish line. In fact, for shareholders and even for customers, the filing deadline is the start line, as it marks the beginning of expectations for complete, effective internal controls and transparency for management and board of directors.

SOX programs generally ignore the requirement for the top-down and bottom-up integration and the clearly defined steps defined above which by their very nature, if employed, make the outcome sustainable. They are simply best project management practice.

Step 1: Establish a comprehensive SOX program that can be applied consistently across the organization with coordinated implementation
This initiative should be driven from the top of the organization with strong strategic oversight, concentrated on implementing demonstrable controls at all levels and supported by well-documented procedures. Corporate and business unit (line of business) coordination in such a project is vital as is IT involvement to certify all system applications adequately address control objectives.

Auditors will require clear evidence that controls are well designed, in place, implemented to the lowest levels and fully sustainable. A significant effort will be required to train staff at all levels in these new processes and procedures prior to the final audit.

Best practices that can help address these are:

Appoint a single project manager reporting to the CFO
Develop a single program for the organization that applies to all business units
Staff project teams with representatives from all parts of the business
Provide audit training for the complete team
Tightly manage clearly defined timelines
Make training available as early as possible and coordinate training program with overall timeline
Develop base processes and standard templates to be used by all business units
Demonstrate implementation to lowest levels using simple logs
Document all communication and training provided

Step 2: Reinforce process centricity through process aligned and focused work teams
Most utilities have well established value chains and processes, which define their activities and organization. To ensure sustainable practices after the deadlines are met, utilities should take a strategic and coordinated approach that operates across the value chain, institutionalizing the processes around its familiar structure. The SOX program should use these processes to reinforce their outputs, leverage the effort spent in their development, and facilitate communication across units that share process responsibility.

The generic utility value chain in Figure 2 below shows standard processes and the SOX focus in Finance. Placing the emphasis on the value chain provides a well-defined structure to organize the audit preparation in a holistic fashion and allows the business units to support the CFO in achieving the desired outcome and make compliance a continuous practice in which everyone has a stake.

Actions should be:

Use process expertise already in existence so as not to miss key control gaps
Simplify implementation by exploiting the organization of existing business processes
Insure financial controls are implemented for technical staff performing new financial functions
Carefully consider the inputs and outputs of each process, including clear evidence that the process is being executed as designed
Identify process enhancements through the addition of controls and clearly document these procedures to facilitate communicating and implementing the process within the organization
Leverage the SOX effort (documentation and processes) by looking for additional benefits such as possibly using these as a step towards ISO9000 certification
Identify and plug any outsourced process control gaps

Step 3: Establish strong communication channels able to communicate changing requirements throughout the organization
These projects are wide in scope, involving all parts of the organization in activities that are complex and foreign to most staff. A strong communication plan must deliver clear, concise messages to staff at all levels ensuring no wasted effort or time and no gaps in output. This will ensure:

Management confidence that implementation at lower levels is happening successfully can be maintained Project requirements and changes are quickly communicated to all relevant parties
Clear messages are sent to all levels – no gaps in expectations
Staff is kept informed of progress, new developments and achievements and any issues

One key area of communication that is often overlooked is external vendors. In many instances entire business processes have been outsourced to an external vendor, but outsourcing a process does not mean the company has outsourced the accountability. Rather, for purposes of the company’s Section 404 obligations, to the extent the service provider’s services affect the company’s internal control over its financial reporting, management of the company and its auditors must consider the activities of the service provider in making their respective assessments. In its consideration, the company must:

Effectively communicate its expectations of internal controls to the service provider
Obtain a mutual understanding of the company’s control over the activities of the service provider
Obtain assurance that the service provider’s controls are relevant to the company’s financial reporting
Obtain evidence that such controls are operating effectively within the provider’s organization.

Step 4: Establish documentation management capability to exploit the value of the documentation created during and after the audit.
To maintain a sustainable level of focus and energy, it is highly recommended that a comprehensive documentation or knowledge management capability be implemented that will enable the investment in effort to be leveraged going forward. As shown below, the Sarbanes-Oxley documentation picture is not simple – processes are shared across business units, multiple (often manual) inputs/outputs are involved, and typically individuals are only concerned about their piece of the process. Figure 3 below.

In order to effectively provide a clear understanding of the intent and overall execution of internal control processes, the project requires:

Documentation sets that are stored in knowledge management repository that is easily accessible to all who need it and need to maintain it
Documentation sets that are process aligned and designed to enhance process documentation efforts throughout the organization
Documentation sets that are easily maintained and communicated through centralized template management and control, with deltas automatically communicated to users at update

Conclusion
Utility companies cannot afford any delays in reaching compliance. The consequences of failing your upcoming audit are so great that they warrant a quick review your Sarbanes Oxley program by answering these questions:

Is staff at every level clear on what they are doing and why?
Do you communicate regularly and often about SOX developments and progress of the project?
Is there a single project with a project manager reporting to the CFO?
Is there a repository for your documents and will the auditors understand it’s structure and your controls documented within it?
Is it easy to manage documentation in your company; is there a system and process in place for this – is documentation managed at all?
Have you considered your third-party vendors in the process?
Are your leveraging all of the costly effort put into process design and implementation in your company?
Are there representatives from all parts of your business in the work teams?
Does the implementation agenda provide for sustainable processes after the audit?

If your answer to any of these questions is NO, chances are that the project needs some adjustment or even redirection.

Companies that do not follow the above steps will likely find themselves struggling to reconcile the disparate information generated by each business unit. Their auditors will be frustrated by the lack of consistency and clarity, and they will be less likely to clear the compliance hurdle.

You and your company cannot afford non-compliance. Ensure the success of all of this costly effort by taking a critical look at your program and seek advice on getting it back on track while there is still time to make the difference.

To subscribe or visit this site go to: http://www.energypulse.net