Compliance programs have always been an aspect of corporate structures. With the passage of the Sarbanes-Oxley Act in 2002 (SOX) and subsequent pronouncements and guidance, especially from the PCAOB, formal compliance programs became a fact of life for all in U.S. publicly traded companies and those companies striving for the day of their IPO. As we near the 12 year anniversary of the passage of SOX, let’s explore 5 myths about compliance programs that have largely precluded most companies from leveraging compliance.
Myth #1 – Compliance Programs do not contribute to Business Success
The urgency coincident with the passage of SOX lead many companies to “bolt-on” a compliance function to address what was understood to be the SOX requirements. This was largely an “all hands on deck” affair that was not well thought out or viewed through the “lens” of strategy.
A shockwave from the demise of Arthur Anderson reverberated through the public accounting community. This understandably led to extreme caution and likely overkill in the amount of work auditors expected from their clients and the amount of their own time they felt were required to render a Sec. 404 opinion. The dissemination of many fine “former-Anderson” executives still glassy-eyed from the voluntary dissolution of their firm after nearly 90 years in business into the remaining Big 4 and other firms only served to magnify the risk-averse nature of audit firms. Firms now asked to render an audit opinion very different from that of the past.
The COSO I/C Framework (Framework) was published in 1992 but the fact of the matter is that very few organizations embraced it. Very few internal audit departments were practicing “integrated auditing”
(significantly codified by Murphy & Parker of Coopers & Lybrand in the late 80s) implied by the Framework via the 3 types of Objectives – Operations, Reporting, & Compliance. As the post-SOX era took hold, there were very few practitioners in corporations or public accounting that had significant experience with the Framework and a very small minority of corporations with a full Framework in place.
The final nail in the coffin of implementing a program/Framework to actually HELP a business succeed was the overemphasis on financial/reporting objectives to the exclusion of operation, compliance and strategic objectives. Essentially, by the time the majority of organizations came around to implementing a program, it was only because they were forced to. This led to ill-planned/rushed programs targeted to meet the minimum to pass and a collective “glad that is behind us” when they were done.
That’s largely how we got to where we are today. Even though many have tweaked their programs to make them more efficient, the hangover remains. The goal at many organizations continues to be to limit the compliance program to meet the minimum requirements to “pass”.
How far we have strayed from the goals of the COSO Framework. The 2nd sentence of the Executive Summary of the 1992 COSO Framework is, “Internal controls are put in place to keep the company on course toward profitability goals and achievement of its mission, and to minimize surprises along the way” (http://www.coso.org/documents/Internal%20Control-Integrated%20Framework.pdf). How often are “profitability”, “achievement of mission” and “minimize surprises” spoken in reference to the compliance activities in your organization? It’s time to leverage compliance.
Now is the time. We are a year on from issuance of the revised COSO framework (http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf). Conventional wisdom is that the SEC will require disclosure of which I/C Framework is used for years beginning in January 2015 (not a typo) and will contact those referencing the 1992 Framework (trivial in an XBRL filing). Rather than simply making adjustments to the new Framework and awaiting new rules, let’s embrace the intentions of COSO and revise our compliance programs to improve our insight and management. Let’s use the Framework to communicate our organization’s objectives and cascade these down to the activity level objectives we need and expect our employees to achieve. Let’s add transparency to the process so we have early warning when objectives are not achieved. Let’s leverage technology to enable these improvements. Finally, let’s formalize the timely evaluation of our programs and commit to continual improvement so that we never again find ourselves in a place where compliance programs are a “bolt on” separated from the mission and success of our organizations.
It is time to dispel the notion that compliance programs do not contribute to business success. Leadership is now required to embrace and adjust compliance programs to be a critical tool to achievement of your mission. It is time to leverage compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/ , follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/