Achieving
sustainable Sarbanes-Oxley compliance -- how should the business units and
CFO work together?
|
||||
|
Most companies today are conducting substantial projects around Sarbanes-Oxley Section 404 requirements and, while all of this tortuous effort is admirable, it tends to be inadequately coordinated at the corporate level, leaving individual business units busy without really knowing why.
Insufficient communication between these groups further complicates the challenge of adequate preparation, resulting in an unclear picture of the organization’s audit-readiness that rightly leaves executives highly concerned.
In the limited time remaining before the deadline, the CEO / CFO needs to get back to basics, take control and, through the four-step action plan described below, restore the confidence and support of the business units in their Sarbanes-Oxley compliance program.
At the same time, there is a growing need to transform the initial project effort into sustainable practice as companies realize that the "deadline" isn't the finish line. In fact, for shareholders and even for customers, the filing deadline is the start line, as it marks the beginning of expectations for complete, effective internal controls and transparency for management and board of directors.
SOX programs generally ignore the requirement for the top-down and bottom-up integration and the clearly defined steps defined above which by their very nature, if employed, make the outcome sustainable. They are simply best project management practice.
Step 1: Establish a comprehensive SOX program that can be applied
consistently across the organization with coordinated implementation
This initiative should be driven from the top of the organization with strong
strategic oversight, concentrated on implementing demonstrable controls at all
levels and supported by well-documented procedures. Corporate and business unit
(line of business) coordination in such a project is vital as is IT involvement
to certify all system applications adequately address control objectives.
Auditors will require clear evidence that controls are well designed, in place, implemented to the lowest levels and fully sustainable. A significant effort will be required to train staff at all levels in these new processes and procedures prior to the final audit.
Best practices that can help address these are:
Step 2: Reinforce process centricity through process aligned and focused
work teams
Most utilities have well established value chains and processes, which define
their activities and organization. To ensure sustainable practices after the
deadlines are met, utilities should take a strategic and coordinated approach
that operates across the value chain, institutionalizing the processes around
its familiar structure. The SOX program should use these processes to reinforce
their outputs, leverage the effort spent in their development, and facilitate
communication across units that share process responsibility.
The generic utility value chain in Figure 2 below shows standard processes and the SOX focus in Finance. Placing the emphasis on the value chain provides a well-defined structure to organize the audit preparation in a holistic fashion and allows the business units to support the CFO in achieving the desired outcome and make compliance a continuous practice in which everyone has a stake.
Actions should be:
Step 3: Establish strong communication channels able to communicate
changing requirements throughout the organization
These projects are wide in scope, involving all parts of the organization in
activities that are complex and foreign to most staff. A strong communication
plan must deliver clear, concise messages to staff at all levels ensuring no
wasted effort or time and no gaps in output. This will ensure:
One key area of communication that is often overlooked is external vendors. In many instances entire business processes have been outsourced to an external vendor, but outsourcing a process does not mean the company has outsourced the accountability. Rather, for purposes of the company’s Section 404 obligations, to the extent the service provider’s services affect the company’s internal control over its financial reporting, management of the company and its auditors must consider the activities of the service provider in making their respective assessments. In its consideration, the company must:
Step 4: Establish documentation management capability to exploit the value
of the documentation created during and after the audit.
To maintain a sustainable level of focus and energy, it is highly recommended
that a comprehensive documentation or knowledge management capability be
implemented that will enable the investment in effort to be leveraged going
forward. As shown below, the Sarbanes-Oxley documentation picture is not simple
– processes are shared across business units, multiple (often manual)
inputs/outputs are involved, and typically individuals are only concerned about
their piece of the process. Figure 3 below.
In order to effectively provide a clear understanding of the intent and overall execution of internal control processes, the project requires:
Conclusion
Utility companies cannot afford any delays in reaching compliance. The
consequences of failing your upcoming audit are so great that they warrant a
quick review your Sarbanes Oxley program by answering these questions:
If your answer to any of these questions is NO, chances are that the project needs some adjustment or even redirection.
Companies that do not follow the above steps will likely find themselves struggling to reconcile the disparate information generated by each business unit. Their auditors will be frustrated by the lack of consistency and clarity, and they will be less likely to clear the compliance hurdle.
You and your company cannot afford non-compliance. Ensure the success of all of this costly effort by taking a critical look at your program and seek advice on getting it back on track while there is still time to make the difference.
To subscribe or visit this site go to: http://www.energypulse.net