It has been said that a pessimist sees the difficulty in every opportunity whereas the optimist sees opportunity in every difficulty. Similarly, the corporate executive can view regulatory requirements created by Sarbanes-Oxley and the PCAOB with disdain or as a catapult for positive change throughout the organization. Private companies, which today face increased pressure from lenders, partners, and investors to implement a control environment, will face challenges similar to their public counterparts.
A SOX 404 implementation program can be managed to gain organizational efficiencies and achieve more effective processes. In the same way, companies that implement a control environment to satisfy outside requirements can benefit from the efficient and effective processes that arise from this initiative. The guidelines outlined below will allow organizations to realize the benefits of organizational change while implementing a sound control environment.
Set Guiding Principles.
The transition to the 2013 COSO framework implies a more robust and daunting control environment. Developing a set of guiding principles for the organization and each of the business functions links policies to strategy and sets the foundation for an effective control environment. Guiding principles capture intent, establish the tone from the top, and rally the organization to implement the right control activities.
A mid-sized construction group used guiding principles as a motivation tool and a way to give each function a sense of purpose and identity in their new environment. The control, monitoring, and risk management activities and policies were then tied into the guiding principles to ensure a common tone was established and integrated.
LESSON LEARNED: Undertaking large initiatives such as creating and implementing a control environment presents the perfect opportunity to re-unite the organization, and the best place to start is the guiding principles.
Integrate Risk Assessment and Planning.
The mere sound of conducting a risk assessment reeks of drudgery. Organizations benefit when the risk assessment process is integrated with the business planning process, because one seamless, forward-looking process is more efficient than two separate processes.
A key element of the business planning process is a financial budget for the upcoming year. Why not also make the risk assessment a product of the planning process? Recently, a large developer integrated the risk assessment with planning and budgeting, adding only two weeks to the entire four-month planning and budgeting process. Completing both initiatives simultaneously provided a more holistic approach to both processes and exposed risks and opportunities that would have been more difficult to discover by looking at each process separately.
LESSON LEARNED: The total benefit gained by integrating the risk assessment and planning process is far greater than the sum of the two initiatives completed separately. Organizations can use this integration as a starting point for organization-wide, integrated process change.
During a controls and process mapping exercise, it is important to understand the purpose of each step in a process. Many fast-growing companies inherently have bad processes in place that worked for a small company but are unnecessary for the size of the organization they have become.
Often, large construction organizations spend an inordinate amount of time physically matching vendor invoices to checks for the Controller’s signature. This step served the company well when it was small, but as it grew into a larger public company, this was wasteful and did not serve a purpose. By implementing more efficient controls into the disbursement process, the company eliminated the paper matching process.
LESSON LEARNED: Do not be afraid to look for ways to eliminate waste as a part of the SOX 404 implementation or review process. Along each step in the implementation / review process, ask yourself, “Is this a necessary step and does this step make sense for a company our size?”
Companies have no choice but to address the mounds of regulatory requirements to comply with SOX and SEC regulations and requirements from lenders, partners, and investors. Those who view these requirements as a catalyst for change across the organization will recognize benefits that far outweigh their costs. Organizations that choose to take the pessimistic viewpoint will continue to fight an uphill battle by focusing solely on the difficulties the requirements present.