Nothing focuses an FD’s or CEO’s mind like the threat of jail, which explains why the US Sarbanes-Oxley Act of 2002 is exercising companies all over the world. To be sure, the act is asking for nothing that CEOs and FDs should not already be practising. It wants to achieve a high degree of confidence that these senior corporate executives understand what lies behind the numbers in their reported results.
Before Sarbanes-Oxley, the world tended to take this for granted. Corporate scandals with key executives claiming ignorance of what was really going on changed things. The new element in the act is that executives now have to confirm their confidence in the numbers by signing the figures off personally. Moreover, under the act they are personally responsible for ensuring the accuracy of the resulting picture.
It follows from this that companies caught by the act are under extreme pressure right now from CEOs and FDs to ensure the maximum degree of transparency in the data-gathering and reporting process. In an ideal world, you want this process to be fully auditable, with sign-offs delegated to middle managers (who then become responsible and liable to jail time themselves) in every one of a global corporation’s far-flung subsidiaries.
David Turner, international business manager at financial software vendor CODA, says that passing around bits of paper is just not good enough in this environment. Paper trails are too subject to unauthorised amendment.
CEOs want to know that the figures which make up the accounts are fully auditable, and that all the reporting managers who have signed off their numbers are prepared to stand by them.
The answer is partly to put solid internal processes in place, and partly to have the whole information-gathering and sign-off process automated in software – preferably with a workflow engine underneath to ensure that the right business logic drives each step in the data-gathering and sign-off chain of command.
Mark Stimpson, VP of product management at Cognos, reckons that business intelligence companies have a vested interest in Sarbanes-Oxley since they have long been up against the need for accuracy and reliability in financial reporting. There is very little point in planning if the figures you are using don’t stack up.
This means that organisations can gain substantial benefits by moving the disciplines they already use for planning, that is, their best practice procedures, into the Sarbanes-Oxley arena. “Reporting actuals lets you know about problems after they have happened. Planning highlights any problems in advance, particularly if you use driver-based planning and high-frequency forecasting,” says Stimpson.
Driver-based planning is where people are asked to submit a supporting narrative outlining the assumptions behind their numbers. High-frequency forecasting means repeating the planning process at short, frequent intervals. “If these practices are adopted, and you have participation from everyone in the planning process, you tend to get reliable numbers and a good audit trail,” he comments.
From a technology perspective, however, there are three key sections in the act – 302, 404 and 409. The first requires certification by key executives. The second mandates the production of a new kind of report on the internal controls over the financial reporting process. The third (409) strengthens the requirement to notify markets of material events that may impact the company’s results.
There is no doubt that the act has implications for a broad range of businesses, not just US quoted public companies. Any UK company with a US listing or a listed US parent is caught, and any company thinking of listing in the US at any time in the future will need to give Sarbanes-Oxley considerable thought.
Already in the US, a draft standard is in place dealing with the role of external auditors in evaluating a company’s internal controls as demanded by Sarbanes-Oxley. The big change there is that, in the past, external auditors have been able to rely on the fact that internal controls are the responsibility of management. Now the proposal is that external auditors should be directly responsible for substantively testing those controls.
As a result, Sarbanes-Oxley is likely to result in audit fees going up dramatically. Paradoxically, this may be happening at a time when the reputation of the audit profession has probably never been lower.
Johnny Cheetham, director of operations at Cartesis, which specialises in group accounts consolidation software, points out that consolidation software with a good workflow engine can help an organisation to manage the close process in a rigorous and auditable way. Such a system can be set up so that the procedures defined for the reporting processes cannot be deviated from, and it is clear who is responsible for inputs at each stage.
Fortunately, much of the technology to achieve this is available. Microsoft, for example, already has all the necessary elements, though you have to combine some esoteric pieces, such as Microsoft SharePoint Portal, its new addition to Office known as InfoPath, and Microsoft Project, to get the job done. As Microsoft says in its white paper on Sarbanes-Oxley, these tools and a good suite of financials provide “a solid foundation for compliance experts to advise companies on compliance”.
This somewhat tortuous wording is Microsoft’s way of admitting that “Microsoft Business Solutions (MBS) alone can’t deliver Sarbanes-Oxley compliance”.
MBS has four different financial packages under its aegis – Navision, Great Plains, Axapta and Solomon.
CODA’s new Sarbanes-Oxley module, and its closely related Collaborative Close module, was built from CODA’s own internal version of Collaborative Close. CODA financial controller Jason Eames was responsible for directing its build. In essence, what Eames and the development team did was to model the close process as a series of discrete tasks. “What we did was write down what we thought each member of staff involved in the close process did, and set it up as a discrete task. Then we talked with them and usually discovered that they did something other than what we had written down, so we modified the task list.”
Once the tasks are identified, they are developed in Microsoft Project and run as an internet site on the SharePoint Portal. Users from around the world who own particular tasks are then prompted by a workflow engine via email to log on to the site and attend to their task.
Some clever under-the-bonnet code using Microsoft’s InfoPath can go off and populate a form with data from the financial systems as soon as the user clicks on their task. They then verify, reconcile or add figures, depending on the nature of their responsibility and the task they are carrying out. In a Sarbanes-Oxley version, the system would also capture their sign-off of their end of the task. Each time a task is completed, the workflow engine prompts the next group of task owners to complete their end of things.
One of CODA’s classic close problems is intercompany reconciliation. Clicking on this task enables the person responsible to open up a form which is automatically populated with numbers by pulling out the relevant figures for companies A and B from the financials database. “The system gets both sides of the intercompany balance from two different companies’ books, so it is not just dumb workflow pushing documents around. You can do smart things that give the appropriate people access to the right figures direct from the ledgers,” he says.
Another close problem which has relevance to materiality in Sarbanes-Oxley is making provision for bad debt. The workflow engine enables the finance function to task the sales people closest to each client with deciding whether a provision against that client’s debt is required for the end of the period and, if so, how much. They enter the figures directly on the web in the form associated with their part of the task tree, and the financial controller is then able to see how extensive the suggested provisions are and what the narrative justification for each provision is. Once accepted, the provision posts directly to the financials. All of this is fully auditable.
Eames points out that this example shows how provisional and subjective judgements about values can be readily documented and made transparent and auditable. The trick when defining this kind of system is to agree a sufficient number of tasks to model what really happens at a sufficient level of granularity in the real world. Sarbanes-Oxley compliance is added to the collaborative close process through a clear sign-off process by task owners. The company then has a record of the actions of all executives with responsibility for sign-off of key figures.
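The close process described above, modelled as a small task graph with owner-only sign-offs and a hash-chained audit log, as an added illustration that is not CODA’s or Microsoft’s code. Task names, owners and figures are constructed; the point is that the workflow refuses steps taken out of order or by the wrong person, and that any later amendment of a signed-off entry is detectable, which is what a paper trail cannot guarantee.

```python
import hashlib
import json

# Constructed close-task graph (assumed names): task -> (owner, prerequisites).
CLOSE_TASKS = {
    "load_ledgers": ("sys.finance", []),
    "intercompany_recon": ("ctrl.companyA", ["load_ledgers"]),
    "bad_debt_provision": ("sales.region1", ["load_ledgers"]),
    "consolidate": ("group.controller", ["intercompany_recon", "bad_debt_provision"]),
}


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CloseWorkflow:
    """Task workflow whose sign-offs form an append-only, hash-chained audit log."""

    def __init__(self, tasks):
        self.tasks = tasks
        self.log = []      # each entry carries the hash of the previous entry
        self.done = set()

    def ready(self):
        """Tasks whose prerequisites are all signed off: the owners to prompt next."""
        return sorted(t for t, (_, pre) in self.tasks.items()
                      if t not in self.done and all(p in self.done for p in pre))

    def sign_off(self, task, user, figures):
        """Record a task owner's sign-off; enforce ownership and task order."""
        owner, pre = self.tasks[task]
        if user != owner:
            raise PermissionError(f"{user} is not the owner of {task}")
        if task not in self.ready():
            raise RuntimeError(f"{task} not ready: requires {pre} and no repeat sign-off")
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"task": task, "user": user, "figures": figures, "prev": prev}
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        self.done.add(task)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True
```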
Of course, other companies besides Microsoft have some or all of the component pieces required to craft a Sarbanes-Oxley solution. All the major ERP vendors with blue chip US clients have had to think out an approach to the problem. Oracle, for example, has had a workflow engine as part of its database technology for the past eight years. It, too, has turned its attention to a compliance module and has a product called Oracle Workflow Compliance.
As Steve Gold, Oracle country manager for Scotland, observes: “There is not a conversation that occurs with clients these days that does not include some reference to corporate governance and Sarbanes-Oxley. These are genuinely matters that are keeping CEOs and finance directors awake at night.”