It has been said that a pessimist sees the difficulty in every opportunity and an optimist sees opportunity in every difficulty. Similarly, the corporate executive can view regulatory requirements created by Sarbanes Oxley and the PCAOB with disdain or as a catapult for positive change throughout the organization. Private companies, which today face increased pressure to implement a control environment from lenders, partners, and investors, will face challenges similar to their public counterparts.
A SOX 404 implementation program can be managed to gain organizational efficiencies and achieve more effective processes. In the same way, companies that implement a control environment to satisfy outside requirements can benefit from efficient and effective processes that arise from this initiative. The guidelines below will help organizations realize benefits of organizational change while implementing a sound control environment.
The transition to the 2013 COSO framework implies a more robust and daunting control environment. Developing a set of guiding principles for the organization and each business function links policies to strategy and sets the foundation for an effective control environment. Guiding principles capture intent, establish the tone at the top, and rally the organization to implement the right control activities.
A mid-sized construction group used guiding principles as a motivation tool and a way to give each function a sense of purpose and identity in their new environment. The control, monitoring, and risk management activities and policies were then tied into the guiding principles to ensure a common tone was established and integrated.
Lesson Learned: Undertaking large initiatives such as creating and implementing a control environment presents the perfect opportunity to reunite the organization. The best place to start is with guiding principles.
The mere thought of conducting a risk assessment wreaks drudgery. Organizations benefit when the risk assessment process is seamlessly integrated with the business planning process. This one forward-looking process is more efficient than two separate processes.
A key element of the business planning process is a financial budget for the upcoming year. Why not also make the risk assessment a product of planning? Recently, a large developer integrated the risk assessment with planning and budgeting, adding only two weeks to the entire four-month planning and budgeting process. Completing both initiatives simultaneously offered a more holistic approach to both processes and exposed risks and opportunities which would have been harder to discover by looking at each process separately.
Lesson Learned: The total benefit gained by integrating the risk assessment and planning process is far greater the sum of the two initiatives completed separately. Organizations can use this integration as a starting point for organization-wide, integrated process change.
During a controls and process mapping exercise, it is important to understand the purpose of each step in a process. Many rapidly growing companies inherently have bad processes that worked for a small company but aren't necessary for a larger organization.
Often, large construction organizations spend an inordinate amount of time physically matching vendor invoices to checks for the controller’s signature. This step served the company well when they were small, but as they grew into a larger public company, this was wasteful and didn't serve a purpose. By implementing more efficient controls into the disbursement process, the company eliminated the paper matching process.
Lesson Learned: Don't be afraid to look for ways to eliminate waste as a part of the SOX 404 implementation or review process. Along each step in the implementation/review process, ask, “Is this a necessary step, and does this step make sense for a company of our size?”
Companies have no choice but to address the mounds of regulatory requirements to comply with SOX and SEC regulations from lenders, partners, and investors. Organizations who adopt a pessimistic viewpoint and focus on the difficulties will continue to fight an uphill battle. However, those who view these requirements as a catalyst for change will recognize benefits that far outweigh the costs.
