Q&A: Taking the Pain Out of Sarbanes-Oxley Compliance

Sarbanes-Oxley compliance needn’t be a backbreaking ordeal

Starting this November, all publicly traded U.S. companies must be in compliance with Section 404 of the Sarbanes-Oxley Act (SOX), which says that organizations must establish, maintain, and certify an adequate internal control structure and procedures to safeguard the integrity of their financial reporting.

Section 404 is giving some organizations fits, but Phil Strand, director of financial intelligence with business intelligence vendor SAS Institute Inc., says that it needn’t be a backbreaking endeavor. For starters, he points out, there’s no clear standard for just how many controls and procedures need to be documented. More to the point, he stresses, if companies tap some of the knowledge they’ve already developed as a result of other efforts—such as ISO 9000 certification—their Sarbanes-Oxley compliance planning can be a lot less onerous.

Let’s start off with an easy one: What does Sarbanes-Oxley compliance entail, and what does a company need to do to be in compliance?

Because of the scandals that have occurred in the past, the SEC is now saying that you—every publicly traded company—must define the process in which you … provide me the financial statements that you do. For example, you must define, in the internal controls and procedures, how you do a bank reconciliation. That needs to be a piece of information that is housed somewhere—for example, in this product that we call SAS Corporate Compliance. All of it is just one control or procedure that the SEC is saying that all publicly traded companies must have documented.

So, for example, your accounts payable process might involve the matching of a purchase order and an invoice, and you have to go through the whole process, and then you have to test that process, and after that test, somebody validates whether it’s effective or not effective, saying, "Yes, you are in compliance with Sarbanes-Oxley Section 404."

The only problem with this is that because this all is so new, there aren’t a lot of real clear definitions for some of these things.

What do you mean?

The law has not said how many processes you have to have. The law says "You must be able to provide us with the detail of how you provide us with your financial reporting." They’re just starting the attestation right now. The SEC is just going through this right now, saying, “Why did I get 300 processes for this company, but only 50 for this other one?” So there’s no rhyme or reason yet that says it has to be a specific number.

What’s required, then, for an organization to get compliant? Is it enough to identify certain salient procedures—bank reconciliation, accounts payable, and so on—and ensure that the appropriate controls are in place, and then have an outside auditor look them over?

That’s a good question! A lot of it comes down to partnering—but how do you partner? In order to define all of your activities, all of your internal controls and procedures, [there are] a couple of things you can do. There’s COSO, which is the Committee On Sponsoring Organizations, that is comprised of the AICPA [American Institute of Certified Public Accountants], the FEI [Financial Executives International], and a lot of accounting groups that got together and said, "Here’s what we think is a pretty blanket group of internal controls and procedures."

Having said that, COSO is an acceptable framework for people to use to submit to the SEC. But another acceptable way is the way that Deloitte, PwC, KPMG, any of the Big Four defines internal controls and procedures. But if you have a retail industry versus manufacturing, your internal procedures may be different … we partner with the Big Four to help provide that list for the end-user customers. So we basically provide to the customer the house, the framework, the structure in which they can house all of their internal controls and procedures …

So it’s possible for organizations to go it alone, so to speak, and use the COSO framework to demonstrate their compliance? Are a lot of them doing this?

A lot of them are working by themselves right now, but they must have the intervention of an outside auditing firm. It’s not just something that you can validate internally—it has to be validated by their external auditing firm. The challenge companies face right now is the expense associated with this.

General Electric—they’ve said that they’ve spent between $38 and $45 million on this over the last two years. AMR Research Group says that for every $1 billion in revenue in your organization, you will spend $1 million writing your compliance internal controls and procedures. What a lot of people don’t know is that they can take advantage of existing work they’ve done [in their organization] to make this process much easier and less expensive.

Like what?

Well, remember ISO 9000? Those were awards that people got a long time ago—in the ’80s and ’90s—because they decided to show the quality organization that they were. They decided to be transparent so people could say, "Look, this organization has these rules, these processes in place," so if someone wants to know how we reconcile our bank statements, he can go to page 10 and it’s all spelled out for him.

All that Sarbanes-Oxley is saying is that you need to go back to that same kind of thought process for your finance departments for what you’re going to provide to the SEC. So that if your company is more transparent, you cannot any longer take a look at an asset and reclassify it as an expense.

We’ve talked a lot about Sarbanes-Oxley Section 404, which deals with these controls and procedures, but there’s also Section 409, which has a lot of CIOs pulling their hair out. What does that involve, and what are the challenges associated with it?

Section 409 deals with material events. … Right now, if something in your company occurs that has a material effect on your financial reporting for that quarter or that year, you must report that to the SEC within 14 days. Sarbanes-Oxley says that you now must do that within 48 hours.

So if I am a manufacturer and my supplier of raw materials increases the price of one of my raw materials by a penny, that causes a ripple effect that says, instead of having very positive earnings, I’m going to be losing money for that quarter. The thing is, most companies have taken a look at this [48-hour requirement] and decided that it’s just not possible, not today, at least. So I think [the SEC is] starting to agree that 48 hours is too quick, so maybe we’ll make it four days, instead of 48 hours. Even that’s too quick, though, if you ask a lot of companies.

SAS can help you here by using our data mining and the analytics that are associated with it. We can go out there and look for any transactions that are occurring, and whatever your business rules are, [SAS Enterprise Miner] will send a message to the internal auditors that says, there are some inconsistencies here. Also, the data-mining piece allows you to go out and take a look at all of your payables, receivables, your customers, [and] your vendors. For example, if you are selling to a major customer and that customer goes bankrupt and you’re not going to be selling to him too much, it can send a message [to your internal auditors].

Getting back to Section 404 compliance—you’ve got a compliance offering [SAS Corporate Compliance], I know that Deloitte offers one, and IBM is in the mix, too. Why do customers need a software tool to help them document these controls and procedures, however? What’s the advantage of using a software-driven product?

At SAS, we have a lot of experience dealing with [compliance]. We’ve had a number of regulatory bodies that have said, “We need compliance solutions,” so SAS has cooked up some of these solutions.

One of these is a solution for the FDA that supports drug development: it allows a pharmaceutical company to take a drug from inception to the market, and it supports all of the steps that are needed in between to validate that this drug is healthy, it is safe, and all of that stuff. We have solutions for the Patriot Act, for Basel II.

So what’s the advantage of using [a Sarbanes-Oxley compliance tool] from SAS? It’s that we’ve been in business for 27 years and we’ve been dealing with these kinds of compliance issues for more than a decade. We have that experience. Customers are definitely coming to us and saying, “We know that you’ve got the technology, we own your data mining, or know that you do data mining, so how can you help us set this up?” So they are coming to us, and we are responding to them.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.