5 Myths About Compliance Programs (Myth #4) – We Only Need To Worry About Financial Controls/SOX
Those of us who have spent time in internal audit have a love/hate relationship with the Sarbanes-Oxley Act (SOX). On the one hand, managers agreed to implement internal controls that we had felt were important all along because these now “had to be done for SOX”. On the other hand, many internal control procedures that are important but not related to financial reporting suddenly became unimportant because they were “not related to SOX”. I know many of us, myself included, have remained silent when managers implemented processes/controls that we knew were in the best interest of the company under the banner of SOX, when we fully knew that these really weren’t related to SOX.
If public companies had embraced proper internal controls way back in the early 1990s when the COSO Framework (http://www.coso.org/documents/Internal%20Control-Integrated%20Framework.pdf) was first issued, or if they had decided to embrace it fully following SOX in 2002, perhaps they would not have lost control of the financial reporting process. The lessons were not fully learned, and following the 2008 financial crisis Congress passed the Dodd-Frank Act, which further extended the rule-making power of the PCAOB (http://pcaobus.org/Standards/Pages/StandardSettingProcess.aspx), a quasi-governmental body which is now a promulgator of rules for accounting and financial reporting. This is a dramatic shift from 2001 and prior, when accounting and financial reporting were largely self-regulated by the accounting profession and related professional organizations.
A careful reading of the May 2013 revision of the COSO Framework (http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf) makes it clear that the bar has been significantly raised for reaching a conclusion that an organization has an effective system of internal control. My reading is that one of the goals of the new framework is to reduce the “wiggle room” for companies that have not yet implemented strong “Tone at the Top” entity-level controls. COSO 2013 defines 17 Principles and requires adequate and functioning internal controls to satisfy ALL of the Principles. Even if this requirement is interpreted in a narrow way to somehow focus on the “Reporting” objectives only, the very nature of the way the Principles are stated must lead to a broader definition. A company must now have more robust entity-level controls than were required in the past. For example, Principle #4: “The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives” (p.9, http://www.protiviti.com/en-US/Documents/Resource-Guides/Updated-COSO-Internal-Control-Framework-FAQs-Second-Edition-Protiviti.pdf). I do not see how a company that does not have formal and enforced job descriptions, or a strong, scheduled and demonstrable performance review process, can satisfy this principle. Training programs for the Code of Conduct, workplace harassment and the like just don’t cut it, because these have nothing to do with the employee understanding the control objectives related to their tasks, which is the requirement of the Principle. I’m sure there are many organizations that “passed” SOX in the past that do not have adequate processes that will hold up to scrutiny when examined in relation to this Principle. This is just one example.
It will no longer be possible for a company to worry only about the financial controls and obtain a “clean” SOX 404 opinion, or for its management to feel comfortable signing the Section 302 statement with the SEC stating that their organization has effective internal controls.
Activist investors and pension funds will no longer own the stock of a polluter, a manufacturer that has sites with labor issues, etc. Employees want to be proud of the company they work for and the good works it does. Even though many work at places they are not proud of out of necessity, they will leave without a second thought if given opportunities at companies they admire. Let’s face it, Apple and Google have a much easier time attracting talent than most of us do. My participation in the Best Buddies Hyannis Port Challenge fundraiser as a member of team Kenneth Cole gave me more personal pride as an associate of Kenneth Cole than any other single experience (or three-time experience in this case) during my 7+ years there. These are the intangibles that make the employee stay at work late or on weekends without a second thought (in addition to their core professionalism and personal desire to do a good job, which is unrelated to whom they work for). The best companies know that they must focus on all aspects of compliance and lead by example to be admired.
The time for excuses is past. Ever broader requirements have been thrust upon us via the regulatory system (SOX, Dodd-Frank, and PCAOB) and the professional self-regulatory system (COSO 2013) because many (most?) organizations have not embraced compliance as an integral part of their culture and processes. If the scandals continue, the requirements will continue to broaden. It is far better that we lead our organizations to a place where our organizations (and clients) will embrace and leverage compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/