My journey with Andersen came to an abrupt end in the spring of 2002. Not sure if you heard, but there was this energy company called Enron that ended up disrupting our company a bit. I won’t go into much more detail, mainly because the details have been rehashed as much as any situation can be, but let’s just say that seeing the whole thing unfold from the inside was the stuff that authors of Harvard Business Review dream of. The most substantial byproduct of the whole debacle (aside from the quick and absolute evaporation of my job) was the Sarbanes-Oxley Act of 2002. In one fell swoop, public companies and their accountants were put on notice—they and they alone were responsible for the accuracy of their financial data, with severe consequences awaiting those who failed to comply.
Year One of SOX (as it was often called) was something of a free-for-all. After Andersen went “poof,” I found myself working for an internal audit consulting firm. Every client we served was looking in multiple directions for guidance on this new legislation. In many cases management had not taken the time to document their controls, instead relying on an unwritten, unspoken understanding of how their financial data flowed from transaction to subledger to general ledger. External auditors at the time were very guarded with the advice and guidance they would offer; they themselves weren’t quite sure what this new requirement meant, so they naturally adopted an ultra-conservative approach in granting any sort of blessing to their clients’ efforts to adhere to these new guidelines.
And there we were as internal audit, right in the middle. We were trying to counsel management on how they should approach this new requirement while also negotiating terms with the external auditors to ensure the advice we were giving would lead our clients down the path to SOX compliance. I distinctly recall identifying, documenting and testing anything that resembled a financial control in the hopes that the external auditors would ultimately grant their blessing and allow our clients to breathe easier. We spent countless hours writing narratives, building flowcharts, documenting and following up on issues, and pleading with external auditors to give us some indication as to whether it was going to be “pass” or “fail.” All in all, it was a very confusing and somewhat nerve-wracking time for all involved.
A lot has changed since those primitive times. Each of the primary groups impacted by SOX—Management, Public Accountants and Internal Auditors—has more clearly defined what role they play in the overall process, and this definition has been carefully and thoughtfully refined over time. This has allowed publicly traded companies to vastly reduce the cost and effort associated with SOX compliance, and it has provided organizations who may not otherwise need to demonstrate SOX compliance with a roadmap for implementing and enhancing their system of internal controls over financial reporting, giving them more confidence around their own reported financial results.
While we have reached a much more structured and stable point in the SOX lifecycle, it’s never a bad idea to revisit and refresh our understanding of why this structure works. A big reason why we find ourselves in this more predictable state is that all involved parties have a much better understanding of their specific role in the process.
The Role of Line Management
Line management was arguably the group that was most directly impacted by SOX. They had no choice but to improve the structure and support underlying their financial controls. While this certainly caused a lot of confusion in the beginning, many of those impacted used this as an opportunity to identify and eliminate redundancy and inefficiency in their accounting and reporting processes. This in turn allowed them to increase efficiency in their processes and reduce the cost of compliance.
As organizations continue down their path of SOX compliance, it is incumbent upon these line managers to understand that they are the ones who are ultimately responsible for maintaining an effective system of controls. To that end, the expectation should be for them to clearly define and document their processes and assign direct ownership to the individuals who are best positioned to ensure that controls are properly designed and operating as intended. Further, when issues related to their controls do arise, it is management’s responsibility to understand the nature of the issue, identify the actions that will be taken to resolve the issue, and see the issue through to resolution.
Public Accounting Firms: Independent Validation
While they dealt with the fallout of the Andersen collapse (which included ingesting thousands of new employees in a very short time), public accounting firms were in the unenviable position of giving the final opinion on their clients’ overall SOX compliance stature—this without a clear set of guidelines to start with. Since then, the Public Company Accounting Oversight Board (PCAOB) has been formed, and it has established and subsequently refined a clear set of guidelines on how a review of controls over financial reporting should be scoped and executed, lending much-needed transparency to the overall process, particularly as it relates to external auditors.
The external auditor’s role in the process remains largely unchanged: to serve as the independent body that validates whether an organization’s financials are accurately stated, as well as whether the system of controls in place to produce the financials is operating as intended. In terms of identifying concerns that may impact an investor’s ability to rely on an organization’s financial results, the external auditors also determine the materiality thresholds that drive the significance of issues, and they determine whether management has appropriately addressed the issues brought to their attention.
Internal Audit: An evolving and vital role
As in the early days of SOX, internal audit finds itself positioned between the other two parties. Only now they focus less on identifying and testing controls and more on evaluating the effectiveness of the programs in place to determine the overall structure and effectiveness of those controls. The extent to which IA is involved in the overall SOX validation process will certainly vary by organization, but at a minimum, IA should consider the impact of their work on the entity’s system of financial controls and determine whether they are in a position to help provide assurance over those controls.
In some cases, IA may have the opportunity to assist the external auditors with their testing in an effort to help control or reduce external audit fees. And recently there has been an increased expectation that IA not only help evaluate the effectiveness of the controls themselves but also give an opinion on the overall effectiveness of their organization’s internal risk and compliance processes.
While the players haven’t changed much, the nature and extent of their involvement in the process certainly have. In working together the last 15+ years, these groups have collectively made the prospect of complying with SOX much less daunting and more of a value-adding element of an organization’s overall governance program.