Taking command of your financial control safeguards
When it comes to lax financial controls for your business, no news can actually be very, very bad news that you're just not aware of yet.
Case in point: Enron, WorldCom and a litany of other high-profile accounting scandals that have triggered reforms for how public companies control their financial reporting processes, including the requirement that CEOs and CFOs quarterly sign off on the effectiveness of their controls and annually obtain an independent validation.
To stay on the leading edge of this "sea change in financial reporting requirements," management needs to take more responsibility for internal financial controls and push for better documentation and testing, says Guy Lander, an attorney and author of What Is Sarbanes-Oxley?, an overview of the 2002 law that's making a big impact on corporate governance.
The Sarbanes-Oxley Act (SOX), which is currently being phased in for public companies based on size, has several requirements designed to promote ethical, transparent financial reporting. These include independent audit boards, a curb on insider transactions and loans, and new requirements for CEOs and CFOs, who on an annual basis must:
- Take responsibility for maintaining effective internal financial controls.
- Document and test those controls in key areas that affect the company's financial statements — from inventory to sales to IT.
- Prepare a management report on the results of that testing, including any gaps and deficiencies.
- Secure approval from an independent auditor that the firm's review process was accurate and its controls effective.
Even if your company has never had even the slightest accounting irregularity, the onus is on you to proactively verify that you have the right checks and balances in place, that they're functioning as intended, and that as your business changes, your financial controls change too.
"You need to have the right processes in place, and you need to document and prove you have the right processes in place," Lander says.
Midsized companies like Kansas-based Elecsys Corporation, which operates with a lean three-person accounting staff, are having to think hard about how to stretch limited resources to meet the new requirements.
The firm's size makes compliance a challenge in a few ways, says chief financial officer Todd Daniels. "It's partly a question of manpower — we all have plenty to do already as it is," Daniels says. "Plus, since everyone wears several different hats, it's difficult to achieve the segregation of duties and strict access controls required under the law."
Elecsys has time — it's not required to be SOX-compliant until April 2007 — but Daniels is considering a few steps to get ahead of the game. One is to hire one new full-time staff member to work exclusively on this issue during the next two years.
"We also may bring in outside expertise early on in the process to help us develop a blueprint we can then take over and use moving forward," he says.
The firm, which provides electronic manufacturing services and also develops remote monitoring solutions for the oil-and-gas pipeline industry, is also keeping an eye on ongoing Securities and Exchange Commission (SEC) proceedings regarding SOX. While the law currently takes a "one-size-fits-all" approach regardless of company size, the SEC is considering whether smaller firms should have more flexibility in meeting the requirements.
Larger public companies that are already subject to the new financial-control requirements — those with a market capitalization of $75 million or more — say compliance has generated both extra costs and operational benefits for their companies.
A survey of 224 public companies with average revenues of $2.4 billion found the average cost of compliance was about $3.14 million, according to a report by Financial Executives International.
At the same time, a separate survey found that more than 60 percent of company directors thought the new requirements had a positive effect on their companies by strengthening internal controls. And about the same percentage of private companies say they're implementing at least some of the SOX best practices themselves because they make good business sense.
Bringing a company's internal financial controls in line with SOX requirements is a major effort — particularly in the first years, according to Lander. But the benefits can extend beyond simply being in compliance.
"Creating a system where everything's documented and tested regularly improves the reliability of your financial reporting, but it also can identify inefficiencies — like unnecessary duplication between your business units, or manual tasks that could be handled more cost-effectively by automation," he says.
Some of the key issues to consider in upgrading your accounting procedures in light of SOX, according to Lander and other financial-control professionals, include:
Tapping the right expertise. Because achieving SOX compliance can be time-intensive, the challenge for most companies is to add to their existing resources — by hiring new staff, expanding the responsibilities of internal audit staff, hiring a third-party auditor or a hybrid of all the above — as cost-efficiently as possible.
"We're planning to bring in a third party early on to look at our single most-critical process, which is the monthly close, to see how our current procedures compare to what SOX requires in that area," Daniels says. "I hope we can learn from that and establish a really efficient, streamlined plan to use in evaluating other areas, like sales."
Focusing on the most critical areas. Zero in on the business units, accounts and processes that have a significant impact on your financial statements and the controls you use to minimize risk and achieve goals. For example:
- Cash accounts must be reconciled at all times. (business goal)
- The person in charge of balancing the account may be engaging in unethical conduct. (risk)
- Every cash account is reconciled and approved by another person. (control)
Financial-control professionals say it's important to note that those key controls, which should be documented in flow charts and reports and manuals, can occur throughout your organization, not just in the finance department.
"Information technology is a particularly vital area to review, for example, because it supports order entry, authorization and other steps in a transaction," Lander says.
An AMR Research Survey, in fact, found that 85 percent of companies think SOX will require them to make changes to their IT and application infrastructure.
Effective testing and monitoring. Do your financial controls function in practice like they do on paper? To find out, experts recommend that you test procedures via:
- Statistical sampling
- Interviews with key user personnel
- Walkthroughs
- Surveys
- Documentation inspection
Note that if you outsource payroll or other accounting-related functions, you still have some responsibility for ensuring your vendor's procedures are up to par. A starting point often is to obtain an annual service auditor's report (SAS 70 Type II) from the vendor.
Reaching year one of SOX compliance takes a commitment of time, money and effort that most companies can't sustain in year two and beyond. The successful companies, experts say, are those that can convert that drive into a clear, detailed plan; update it to reflect new acquisitions, products and other key changes; and work on compliance steadily throughout the year rather than in one frantic year-end push.
Working with the independent auditor. Given conflict-of-interest concerns, just how close is too close in dealing with the external auditor who ultimately must sign off on your internal controls?
A line is crossed, according to the SEC, when an auditor becomes a decision-maker, rather than an advisor. Ultimately it's management's responsibility to make the key decisions about accounting policies and procedures.
At the same time, nothing in the new requirements prohibits you from continuing to freely consult with the auditor about designing controls, testing and other issues that can affect the quality of the audit.
While laws change, solid accounting principles and long-term success have always gone hand in hand. Review your procedures to ensure you're meeting the "gold standard" of financial reporting as your customers, investors and business partners expect.