Originally presented to FEI – November 19, 2009
**
Good afternoon. For the next 10 minutes or so we’re going to talk about three efficiency levers included in Audit Standard 5, or AS5, that can result in less effort and significant savings in SOX compliance.
To do this, we’ll visit a prison and a conference room. Given the length of some meetings, you might say they are one and the same. In this case, they aren’t. In fact, we’d tell you that the prison is a myth but that would be a scene spoiler. Instead, let’s just say we’ll use it to frame the conversation.
In 1910, Cosmopolitan magazine published a short story titled “The Spanish Prisoner.” It’s about a clever confidence game. Several men, including a brewer, a poet, and two farmers are conned into believing that if they send money to secure the release of a Spanish millionaire imprisoned in a Madrid dungeon, they’ll earn a large reward and the hand of the prisoner’s beautiful daughter. At every turn, the men are asked to pay more and more money, which they do, believing they will get the reward and marry the daughter.
We wonder if in your efforts to comply with SOX this might sound familiar, in that you’re always paying more based on a promise, but have yet to see results for the added expense.
Now, the men involved in the Spanish Prisoner scam are strangers until they meet on board a ship bound for Madrid and discover they are all traveling for the same reason.
Imagine for a moment that you, modern day financial officers, are on that ship, too. While they are thinking of riches and the beautiful daughter, you are thinking about how it seems that spending more and more money is the only way to assure SOX compliance. There is an endless need for new technology, processes and people.
Yet, you also know that since the passage of SOX the few companies reporting material weaknesses have not experienced a significant negative impact to their value which suggests that the benefits of this early warning mechanism have not been as great as anticipated.
And you know that since the PCAOB replaced Audit Standard 2 (AS2) with AS5, only a few companies have achieved permanent savings by taking full advantage of the efficiency levers in AS5.
You’re also familiar with The Pareto Principle, the notion that 20% of the effort yields 80% of the results. And you want to focus on that 20% and ensure that it’s yielding 80%, at least.
Unlike the perpetrator of the Spanish Prisoner scam, we’re not going to ask for money. We’re going to do just the opposite: offer three ideas that can save money and time. And we’ll do this, for the sake of the story, aboard the ship, in the captain’s conference room.
First, we’ll talk about how external auditors can be more efficient by increasing their use of an internal audit department or third party’s work.
Second, we’ll talk about how a company can reduce the number of control activities by implementing a top down, risk based approach.
And finally, we’ll talk about how a company can leverage it’s IT infrastructure to shorten the financial close process, and also leverage the existing financial application functionality to spend less time testing controls.
USE THE WORK OF OTHERS
So first, we gather the Internal Audit team in the conference room. They are an experienced, sea-hardy team. We discuss how to approach this year’s SOX testing so that the external auditor can rely on IA’s work to the maximum extent possible.
For a normal risk area, like payroll and Information Technology, the team explains that the external auditor still won’t consider leveraging 100% of the Internal Audit work. But as we probe more, we find that this obstacle can be overcome with minimal effort, since AS5 removed restrictions on using the work of others if it can be demonstrated a competent, objective third party did the work.
So, we suggest that the internal audit team ask the external auditors to explain where IA has not demonstrated competence and objectivity. They resist. They say, “Our auditors have increased reliance year over year;” or “We don’t want to antagonize our auditors.” Or, “We test this area to make sure our people are doing their jobs.”
But we know that the AS5 criteria for demonstrating competence and objectivity are easy to achieve, and if achieved, can save money as AS5 intended. It requires two straightforward things: for the tester to prove objectivity by demonstrating that he is not the control activity owner, and prove competence by producing work-papers that meet the PCAOB’s standards. This is the easy part.
The hard part is persuading the IA department to have the uncomfortable conversation with the external auditor and establish how this can be done. Companies avoid that conversation because they conjure nightmares of how the external auditor might respond. Chances are, the nightmare will never occur. More likely, the result will be that the team will understand how the work-papers can be improved to maximize reliance and eliminate testing in areas where the external auditor is placing limited or no reliance on Internal Audit’s work.
TOP DOWN APPROACH
The next topic on the agenda is reviewing the scope of SOX testing procedures. Specifically, we want to look at the control activities the company plans to test. We notice that a large number of control activities outside the realm of financial reporting are included in the SOX scope. Indeed, there are other controls outside the scope that if the CFO were asked, would be the primary ones she relies on. And because they aren’t included in scope, they’re not the detailed ones that end up getting tested. We remind the company that their procedures need only comply with the SEC guidance and that no testing is required for controls that mitigate the same risk for the same class of transactions or non-financial risks. Again, there’s resistance. We hear, “That’s the way we’ve always done it,” and “The control activity owners would stop performing their control activities if we don’t test them.” And then we ask, “but did the control activity owners not perform the controls before SOX was in place? What’s different now other than the requirement to test?” And what can you do to take the controls the CFO said she relies on and make them robust enough such that you don’t need all the detailed ones? Those top down controls are the ones everyone in this room should make sure your team is focused.
So, we ask about the captain, in this case, you the CFO. Does the CFO know this? Has she approved of this extra effort to test redundant controls? We suggest that she should know; that raising the question to the top is the best method for resolving the dilemma and eliminating unnecessary items from the scope. Have you had this conversation with your SOX team?
AUTOMATED CONTROLS
Having dispatched those two questions, we talk about the final and perhaps most difficult one: the financial close process. Our goal is to find a common language (or common control activities) to overcome the obstacles that make financial reporting systems resemble a confusing “Tower of Babel” because of the different applications, operating systems and networks that are installed across the globe, like a general ledger on Oracle, payroll on Peoplesoft, a mainframe tracking revenue and equity edge tracking stock options.
The company wants to close its books more quickly and with fewer errors, but the jumble of systems makes it very hard. We ask about the plan to consolidate systems. There isn’t one. We ask, ”Why?” We hear the resistance again: “It’s the way we’ve always done it;” or, “Consolidation isn’t a priority right now.”
And consolidation is hard, but we press on and ask about the percentage of automated controls in the SOX population. The answer is generally somewhere between 2 and 15%.
Which brings us the Ah ha! Moment - the company spends millions of dollars on multiple financial applications yet relies on manual controls 85% of the time, or more, to get its financials right.
So we settle down and give some examples of automated controls.
First, there is testing a three-way match. ERPs like SAP and Oracle can be configured properly for automated three-way match. When this automation is correctly done, companies can expedite SOX testing in manually intensive functions like Accounts Payable. Testers do not have to pull a sample of receiving, invoice, and PO documents and ensure payment rules were followed and exceptions approved. They only have to test configuration and, due to the automated controls, can bypass intensive document sampling. This frees up staff resources, saving time and money.
A second automation option is testing approval workflows for journal entries. When configurations for proper approval workflows are established and effective in ERPs like SAP and Oracle, the manual verification and approval process for specific journal entries, like those that exceed a certain dollar amount, can be automated. No more manual identification of those entries via transaction reports. No more finding samples and testing paper copies of journal entries for handwritten approvals against approval authorities. The time and money that used to be spent reviewing those documents can be spent on something more productive.
It’s natural for the status quo to be more powerful than change; for the crew to hoist the main sail the way they always have. But as companies remain extremely cost conscious, and especially in this unpredictable economy, it’s possible and high time, to leverage built-in automation functionality.
In addition, it’s possible to leverage the SOX infrastructure even further.
Some companies are effectively using the SOX infrastructure to address other compliance requirements specific to their industry, in government contracting with the Defense Contract Audit Agency, for example; in the retail industry to secure personally identifiable or credit card information (CFR 11, PCI); in the pharmaceutical industry to comply with Food and Drug Administration requirements, and for energy utilities to comply with North American Electric Reliability Corporation requirements.
There is also the possibility to drive greater shareholder value by using the SOX infrastructure to assess the effectiveness of revenue generating activities and cost-cutting measures, including reducing the overall effective tax rate.
Okay, so not only have the original men in the Spanish Prisoner story discovered, somewhere in the middle of the Atlantic Ocean that they’re victims of a con, they’ve also had to endure a lot of SOX talk in the Captain’s conference room. But the ship eventually lands in Gibraltar and the men make their way north to Madrid. James, the ne’er do well narrator, has devised a scheme to con those who have already been conned, a second time. He convinces them to let him hold what’s left of their money, that he will find the original con man and make everything right. He enlists Pip, “a wizened old fellow,” as a co-conspirator in his scheme.
But Pip is one crafty fellow. When they get to Madrid, Pip tells James that he knows where the con man, the Spanish prisoner, is. He leads him in the dark of night through narrow, twisting alleys. Then suddenly, a gang attacks James, ties him up and steals the last of the men’s money. And with a wicked smile, Pip introduces himself as the Spanish millionaire who was never a millionaire and never in prison at all.
So, when it comes to rationalizing SOX, it’s better to realize that you’re not in prison, either, that you have options that can preserve your company’s money. These include taking advantage of the changes in AS5 to make your external auditors more efficient, implementing a top down risk based scoping approach, and implementing the built-in automation capabilities of systems whenever feasible. Thank you.