FEATURE ARTICLE


Date Posted: 08/10/2005

Retaining a Talented and Dedicated Staff: The Hidden Cost of Sarbanes-Oxley


By Patrick Taylor, CEO of Oversight Systems

Ask any executive in America what’s the greatest corporate resource, and you’ll hear: people, people, people. Nationwide, companies invest more in training and retaining good employees than they do on nearly any other business expense. Corporate knowledge or time in the saddle is time-consuming to achieve and costly to replace. That’s why the overall job dissatisfaction of employees responsible for Sarbanes-Oxley compliance is turning the heads of corporate executives.

According to the 2005 Oversight Systems Financial Executive Report on Sarbanes-Oxley, nearly half of financial executives feel the greatest issue related to SOX compliance is the need to maintain the morale of employees responsible for compliance activities. The second most frequently cited challenge to ongoing compliance is the reduction of internal and external costs.

The results of the Oversight survey expose the key compliance issue: SOX compliance presents ongoing requirements and companies simply cannot afford to repeat their year-one compliance efforts. The tangible costs have been extremely high; compliance burdens employees with extra work, which they too often view as redundant, unnecessary, and a distraction from their actual work and goal of creating value.

Low employee morale and high job dissatisfaction present hidden expenses to SOX compliance – costs that quickly add up. First, a rise in employee turnover leads to direct expenses in job training, including the compliance-related education that went into year-one compliance efforts. Second, low employee morale threatens the business benefits achieved in the first year of SOX. Third, executives must recognize the threat low morale poses to a company’s culture and tone toward financial integrity and compliance.

The solution is to link SOX compliance to tangible business benefits and automate rote compliance tasks, such as the testing and monitoring of internal controls.

Turnover & Compliance Training
In an April 2005 article from an IOMA management journal, Autodesk Inc. CEO Carol Bartz credited the company’s $6 million SOX compliance efforts for identifying and correcting 16 inconsequential control deficiencies and one $7,000 financial deficiency. “Now I’m proud of that. But the fact of the matter is, I have a demoralized staff,” Bartz said. Of Autodesk’s 135 internal auditors, 130 were focused on Sarbanes-Oxley Section 404 compliance “doing mind-numbing testing” of internal controls.

While the work may be “mind numbing,” internal auditors are in high demand. An internal auditor and SOX compliance manager at a Fortune 500 manufacturer recently joked that her view of Sarbanes-Oxley was much like a MasterCard commercial:
Audit Fees … $1.8 million
Consultants … $800,000
Job security for internal auditors for the next 5 years … priceless

Others have joked that Sarbanes-Oxley should be known as the “Full Employment Act.”

The fact remains that anyone with a CPA or accounting degree is almost guaranteed a job today. As these educated and highly paid professionals tire of their “mind-numbing” compliance work, companies risk losing these employees to other businesses, public accounting firms, and emerging compliance consulting venues.

Turnover is also a risk for non-audit employees. Companies have spent millions on compliance training for financial and operations-line employees who are now responsible for and directly affected by the morale-deflating requirements of SOX. According to a study by Financial Executives International, a company with revenue between $1 billion and $4.9 billion spent more than $750,000 on internal compliance expenses, of which training was one of the major costs.

Much of the Sarbanes-Oxley pain originates from auditors training veteran employees about new ways to document the job that they were already performing. In this environment, private companies provide much more enticing employment opportunities. And every time one of these employees walks out the door, a company’s compliance expense rises.

Low Morale Threatens Corporate Culture
Job dissatisfaction creates a tangible expense when it leads to increased turnover. Other more intangible costs emerge when those unhappy employees stick around and become unproductive workers. With this mindset, these employees go about their SOX compliance responsibilities as a checklist of minimum requirements as they seek any way to minimize their follow-up work. Clearly, this emerging culture threatens ongoing Sarbanes-Oxley compliance and sets a tone throughout an enterprise that financial integrity is not a corporate priority.

In this environment, all benefits of SOX compliance are at risk – and there are clear benefits. In the 2005 Oversight Systems Financial Executive Report on Sarbanes-Oxley, financial executives reported the following tangible benefits of compliance after remediating control deficiencies:
· 49 percent claim SOX compliance resulted in reduced risk of fraud and errors
· 48 percent claim they now have more efficient financial operations
· 31 percent claim error rates have declined

Of the group, only 14 percent said that remediating control deficiencies has had no real effect on financial operations; and a handful, 12 percent, report less efficient financial operations after complying with SOX.

The 2004 Oversight Systems Financial Executive Report on Sarbanes-Oxley reported similar benefits. Nearly three quarters (74 percent) say their companies realized a benefit from SOX compliance. When asked to identify the benefits from SOX, the Oversight Systems survey reported that:
· 46 percent claimed SOX compliance ensures the accountability of individuals involved in financial reports and operations
· 33 percent claimed SOX compliance decreases the risk of financial fraud
· 31 percent claimed they have reduced errors in financial operations
· 27 percent claimed SOX improves the accuracy of financial reports
· 25 percent claimed SOX compliance empowers the board audit committee by providing it with deeper information
· 20 percent claimed SOX strengthens investor view of the company

But companies with low employee morale have little chance to achieve these returns from their compliance efforts and, in fact, risk increased overall compliance costs.

Link SOX to Business Benefits
Executives who publicly curse Sarbanes-Oxley are only exacerbating the problem of low employee morale within their companies. Public and private comments that criticize the law only reinforce to their employees that compliance-related work is a waste of time. While the debate over SOX continues, SOX compliance remains a requirement.

To raise employee morale, executives should link SOX compliance to tangible business benefits and goals. In this way, executives should position their compliance efforts similarly to other corporate initiatives, such as Six Sigma or total quality management.

In fact, Sarbanes-Oxley compliance closely resembles these quality-improvement programs, because SOX provides public companies with a golden opportunity to enhance the quality of their financial operations.

A proven total quality management approach, such as Six Sigma, can both sustain SOX compliance and provide tangible value to shareholders. Six Sigma's DMAIC (define-measure-analyze-improve-control) closed-loop control system mirrors the document-test-remediate-monitor principles of Sarbanes-Oxley Section 404 compliance. Applying closed-loop control principles to financial processes sustains the requirements of SOX compliance while achieving the benefits of a quality regimen.

The classic Six Sigma process has direct parallels to SOX requirements for internal controls. First you documented your controls and then went through a process of testing. After remediating any deficiencies, now you’re in the process of monitoring to see what you do on a continual basis.

For companies that utilize Six Sigma, this is an understandable process that ties directly to a proven method of quality assurance. For companies that have not adopted a quality regimen, SOX compliance can introduce them to the benefits of managing a process to predefined expectations.

Companies such as Motorola, General Electric, and DuPont offer documented case studies on the power of Six Sigma. In each of these success stories, the achievements of the initiative link back to the strong support the program received from top management. Similarly, executives must reinforce SOX compliance as a top corporate priority and lift employee morale by tying compliance to tangible benefits of quality financial operations, such as reduced payment errors, decreased days sales outstanding, and more efficient operations.

With business-related goals and the proper incentives, compliance can become a source of pride and raise employee morale.

Automate Controls
The second step toward raising employee morale for those responsible for Sarbanes-Oxley compliance is to reduce the manual burden and automate the rote processes for these workers. Many companies are now evaluating how to accomplish this in SOX compliance year two.
According to the 2005 Oversight survey, 60 percent of financial executives claim they are implementing technology solutions that automate manual processes required for compliance to reduce both the burden on employees and the many costs of complying with Sarbanes-Oxley.

This starts within the financial systems, which can be configured much like a manufacturing facility with controls that prevent errors and fraud by restricting access and functions for individuals working in the system. Like a manufacturing facility, these enterprise resource planning or ERP systems can be configured to deliver quality, but they also involve a significant human element.

While ERP systems provide the conveyer belts that move information through the various steps along the process, people play a major role with regard to data entry and approvals. The conveyer belt automates some of the controls that employees would otherwise manually perform for SOX compliance. However, the pervasive human element inherent in these systems mandates extensive testing due to the risks of fraud and errors. ERP systems greatly reduce compliance work performed by production-line employees, but internal auditors face the significant task of auditing IT systems.

Companies have tried to address the risk of error, fraud, and simple control violations by tightening the embedded controls of the ERP system. However, the stronger the preventive controls, the broader the restrictions throughout the process and the greater the hindrance to productivity, which frustrates production-line employees by restricting them from getting their work done efficiently.

In short, tighter controls reach a point of diminishing return, because the human element can never be removed from the process. By linking compliance to business objectives, such as quality financial operations, companies can leverage SOX expenses to identify errors as they happen and before errors create downstream costs.

Automate Controls Testing
To comply with Sarbanes-Oxley Section 404, most companies have structured their internal controls as outlined by the COSO (Committee of Sponsoring Organizations) internal controls framework. However, much of the laborious work could be avoided if companies placed more emphasis on the framework’s monitoring component.

Few debate that companies have underutilized the monitoring component of the internal control framework within their first-year SOX efforts. Many companies are too focused on detailed control activities and miss the opportunity to monitor transactions for control compliance.

The analogy in manufacturing is that you inspect for quality along the way. For example, chip manufacturers don’t wait until the end of the production line to look for microchip defects. Instead, chips are inspected in each manufacturing step, because it’s more cost-effective to find a flaw in a silicon wafer and discard it before chip circuitry is burned.

Companies should approach their financial processes and internal control testing in the same way. Continuous monitoring raises the quality of financial operations as well as automates the manual work that auditors would have spent testing the embedded controls within a financial process. The solution is to automate the manual compliance tasks with technology, such as continuous monitoring.

By automating the “mind-numbing testing” of controls, internal auditors can then devote their time toward investigating identified control exceptions and creating value for their companies – in other words, performing the job they were hired to do before SOX came along.

Continuous Transaction Inspection
Real-time transaction inspection provides one way to sustain compliance through automated monitoring and reporting on your control system. Transaction inspection automates the tests that auditors and fraud examiners perform and applies them to every transaction, providing real-time prevention and detection of control exceptions. By extending standard, routine testing and reporting into a 24x7 view of every transaction, companies can reduce their SOX costs and derive value from their compliance investment.

For example, real-time transaction inspection works in the order-to-cash process to identify control violations relating to customer credit limits. Once a customer reaches its credit limit, a sales manager could create a new customer record in the ERP system to continue to book orders from this customer. In this case, an advanced continuous inspection system recognizes a new customer file is actually a duplicate – maybe not an identical match, but something similar that the ERP system could not catch on its own. By identifying this control exception at the moment it’s created, the company avoids the risk exposure of over-extending credit to a customer.
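The credit-limit check described above can be sketched as follows. This is an added example, not code from the article or from Oversight Systems. The customer records, field names, 0.85 similarity threshold and the rule that the earlier record is the original are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample customer master records, listed in creation order (assumption).
CUSTOMERS = [
    {"id": "C1001", "name": "Acme Industrial Supply, Inc.",
     "address": "1200 Peachtree St NE, Atlanta GA",
     "credit_limit": 50000, "open_balance": 49500, "created_by": "ar_clerk1"},
    {"id": "C1450", "name": "Apex Industrial Tools LLC",
     "address": "88 Harbor Rd, Savannah GA",
     "credit_limit": 20000, "open_balance": 4000, "created_by": "ar_clerk1"},
    {"id": "C2077", "name": "ACME Industrial Supplies",
     "address": "1200 Peachtree Street NE Atlanta, GA",
     "credit_limit": 50000, "open_balance": 32000, "created_by": "sales_mgr7"},
]

SUFFIXES = {"inc", "llc", "corp", "co", "ltd", "company", "incorporated"}
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "suite": "ste"}

def normalize(text):
    """Lowercase, strip punctuation, drop legal suffixes, fold common abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens if t not in SUFFIXES)

def similarity(a, b):
    """Mean of fuzzy name similarity and fuzzy address similarity (0.0 to 1.0)."""
    name = SequenceMatcher(None, normalize(a["name"]), normalize(b["name"])).ratio()
    addr = SequenceMatcher(None, normalize(a["address"]), normalize(b["address"])).ratio()
    return (name + addr) / 2

def credit_limit_exceptions(customers, threshold=0.85):
    """Flag near-duplicate records whose combined balance exceeds the original's limit."""
    exceptions = []
    for original, later in combinations(customers, 2):
        score = similarity(original, later)
        if score < threshold:
            continue  # not similar enough to treat as the same customer
        exposure = original["open_balance"] + later["open_balance"]
        if exposure > original["credit_limit"]:
            exceptions.append({
                "original": original["id"], "duplicate": later["id"],
                "score": round(score, 2), "combined_exposure": exposure,
                "credit_limit": original["credit_limit"],
                "created_by": later["created_by"],  # who to follow up with
            })
    return exceptions

if __name__ == "__main__":
    for exc in credit_limit_exceptions(CUSTOMERS):
        print(exc)
```

Comparing every pair of records is quadratic, so a production check would compare a newly created record only against existing records that share a blocking key such as postal code.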

Transaction inspection automates an auditor’s analysis for non-judgmental transactions, such as looking for segregation of duties violations, invoice errors, duplicate payments, and unbalanced journal entries. Internal auditors can then focus their efforts on the most risk-prone areas of the business where they can add the most value.

The success of any continuous monitoring solution depends upon six main criteria:
1. Domain Expertise. The solution should deliver out-of-the-box functionality with the audit tests that automate the work of your internal auditors. If your auditors must spend weeks and months writing their own custom audit tests, you’ve lost the benefit of continuous monitoring.
2. Automation. Continuous monitoring is meant to reduce work, not create more work. All data extraction and analysis must be automated – meaning no manual effort. Auditors and managers should receive alerts of potential control exceptions without spending their day reviewing dozens of reports.
3. Real-time. Continuous monitoring is more than just checking something once a week or once a day. Continuous monitoring requires real-time analysis where as soon as the financial system processes a transaction that transaction is tested for all possible errors and control violations.
4. Support Multiple Financial Systems. Most organizations have more than two financial systems. A continuous monitoring solution must consider transactions from every financial system in its analysis.
5. Accuracy & Reliability. A continuous monitoring system must provide accurate results with no false negatives and very few false positives. In other words, the system must not miss anything or trigger more than a couple of false alarms each week.
6. Exception Handling. Continuous monitoring must do more than raise flags; it should give internal auditors a process for managing control exceptions and documenting their response. Executives and external auditors should have a higher-level view to make sure all events were properly handled.

Conclusion
While the costs of Sarbanes-Oxley compliance continue to add up, executives must recognize the hidden costs that are not as obvious as the ever increasing audit fees and consulting engagements. Employee morale is an issue that must be addressed. Linking SOX to business improvement and automating the rote tasks of compliance are the first steps in eliminating this hidden expense.

About the Author
Patrick Taylor is recognized as a leader in the convergence of controls monitoring, information security and the implementation of technology to boost corporate governance. As CEO of Oversight Systems (http://www.oversightsystems.com), Patrick is responsible for understanding customer needs for operational governance and making sure those needs are met in Oversight's product development. Patrick recognized that most IT security and financial system controls focus on user access and role management but don't address the need to understand the integrity of what people do in their authorized roles and activities. After speaking with executives from across the country, Patrick launched Oversight Systems to pioneer the concepts and technology for transaction integrity monitoring.

As a thought leader in continuous monitoring, Patrick has spoken at several compliance and audit industry conferences from organizations, such as the Institute of Internal Auditors, the Institute of Management Accountants and the Association of Certified Fraud Examiners. As a respected information security industry insider who served in various product management and strategic marketing roles with Internet Security Systems and Symantec, Patrick is a frequent speaker at conferences, such as RSA, Networld + Interop, Comdex, NetSec and the Goldman Sachs Information Technology Conference.

In addition to his previous experience with ISS and Symantec, Patrick worked in leading roles with ORACLE, Red Brick Systems, GO, Air2Web and Fast-Talk. Patrick has a Bachelor of Mechanical Engineering with honors from the Georgia Institute of Technology and an MBA from the Harvard Graduate School of Business Administration.









Copyright 1999-2005 Accounting Software 411. All rights reserved.