Twin boys, one an optimist and one a pessimist, awake Christmas morning with gifts in their bedrooms. The pessimist walks up to a pile of toys and is irritated. “Do I have to read the instructions?” he complains. “These toys will break anyway.” The optimist finds a pile of manure in his room and exclaims, “There has to be a pony in here somewhere!”
Public company executives often find themselves looking at the mounds of regulatory requirements created by Sarbanes Oxley and the PCAOB with disdain like the pessimist. Although mounds of manure are a reality, there is a pony!
A SOX 404 implementation program can be managed in such a way to gain organizational efficiencies and achieve more effective processes.
During a controls and process mapping exercise, it is important to understand the purpose of all steps in a process. Many fast-growing companies inherently have bad processes in place that worked for a small company.
A large oilfield services company spent an inordinate amount of time physically matching vendor invoices to checks for the controller’s signature. This served the company well when they were small. As a larger public company, this was wasteful and did not serve a purpose. By implementing more efficient controls in the disbursement process, the company eliminated the paper matching process. Do not be afraid to look for ways to eliminate waste as a part of the SOX 404 implementation or review process.
Set Guiding Principles
The transition to the 2013 COSO framework implies a more robust and daunting control environment. Developing a set of guiding principles for the organization and each of the business functions links policies to strategy and sets the foundation for an effective control environment. Guiding principles capture intent, establish the tone from the top, and rally the organization toward implementing the right control activities.
A mid-sized exploration and production company used guiding principles as a motivation tool and as a way to give each function a sense of purpose and identity in the new environment. The control, monitoring, and risk management activities and policies were then tied into the guiding principles to establish and integrate a common tone.
Integrate Risk Assessment and Planning
The mere sound of conducting a risk assessment wreaks drudgery. The risk assessment process should be integrated with the business planning process. One seamless, forward-looking process is more efficient than two separate processes.
A product of the business planning process is a financial budget for the upcoming year. Why not also make the risk assessment a product of the planning process? A public midstream company integrated the risk assessment with planning and budgeting and only added a week to the entire four-month planning and budgeting process.
Companies have no choice but to address the mounds of regulatory requirements to comply with SOX and SEC expectations. Why not use the compliance process to improve other processes in the organization, too?