In 2002 congress passed The Public Accounting Reform and Investor Protection Act. Under the principal sponsorship of senator Paul Sarbanes and representative Michael Oxley, the legislation is more popularly known as "Sarbanes-Oxley" or "SOX."
SOX was enacted to restore confidence in the capital markets and enhance the integrity of the accounting system in response to a number of major corporate and accounting scandals involving some of the most prominent companies in the U.S. SOX establishes new or enhanced standards for corporate accountability and penalties for violation.
SOX is comprised of 11 titles that address compliance and accountability requirements, standards, and expectations for publicly listed companies on U.S.-based exchanges. For forest products companies, undertaking SOX compliance is akin to becoming compliant with EPA Cluster Rule guidelines and legislation. Frequently, the scope of effort required to become SOX compliant is on the scale of a Y2K conversion.
While several of the key sections of the act have already taken effect, this article focuses on the implications of Section 404: Management Assessment of Internal Controls. The significant increase in the number of securities class-action lawsuits and associated losses from 2000 to 2002 (Figure 1) is evidence that businesses continue to struggle with internal controls long after the accounting scandals reshaped the U.S. equity markets.
Section 404 takes effect for periods ending November 5, 2004, and after, and it requires each annual report of the issuer to contain an "internal control report," which:
- States management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
- Contains an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
- Requires the company's external auditor to attest to and report on the assessment made by the management of the issuer.
Key implications for business and IT
Section 404 will place even more demands on finance and IT organizations to support the business and keep analysts and shareholders comfortable. Moreover, it is important to recognize research findings that suggest the market favors companies that demonstrate improved financial disclosure. Management may have a more effective capability to address key business fundamentals and minimize risk. Figure 2 depicts this relationship in an analysis of public energy entities that have become vulnerable under the weight of public scrutiny.
Finance and IT organizations will be challenged with additional rigor in providing adequate and efficient financial and management information control and accuracy as well as partnering with other business organizations to deliver reliable results and add value. Similar to Y2K results, internal control and accuracy will only be as strong as the weakest link—be it transaction, consolidation, or reporting based. Finance and IT should expect significantly increased internal and external expectations to:
- Ensure GAAP and SEC compliance
- Produce accurate external forecasts and help to manage them
- Provide timely and relevant management reporting
- Ensure consistent adherence to internal controls
- Proactively assess and manage operational risks.
To deliver on these expectations, finance and IT organizations will be required to partner with other organizations in the business to:
- Provide information technology that delivers accurate information, permitting reliable data-based decision making and promoting collaborative analysis
- Improve and document financial processes and provide subsequent education to other organizations within the business to facilitate corporate-wide ownership of the reporting process
- Deliver value-added analysis and insight to improve business performance
- Ensure adequate involvement and expertise in core operational processes, strategic business processes, and major projects where internal controls exist and financial information is sourced
- Develop people who have the skills and tools to play a broader role in managing and analyzing the business
- Evaluate core competencies and outsourcing activities that do not add value to the process.
Companies have traditionally found it difficult to provide a definitive source of direction for compliance and reporting requirements that guide the development of these capabilities. This is primarily the result of the SOX documentation's lack of a clear definition of internal control. However, the U.S. government and its agencies have accepted the use of the U.S. auditing standards outlined in standard AU319 and will reference this standard for compliance with Section 404.
AU319 incorporates the definition of internal control from the Committee of Sponsoring Organizations (COSO) from the Treadway Commission Report of 1992. COSO broadly defines internal control as a process—effected by an entity's board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations. Addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources
- Reliability of financial reporting. Relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly
- Compliance with applicable laws and regulations. Deals with complying with those laws and regulations to which the entity is subject.
COSO provides clear guidelines in the following key areas to adequately address the objectives of these categories:
- Control environment. Governance structure and attitude that set the tone for the control consciousness of the organization and provides the foundation for all other control components
- Risk assessment. Identification and management of control risks that forms the basis of defining control activities
- Control activities. Processes, policies, and procedures that ensure control activities are effectively carried out, managed, and improved
- Information and communication. Processes, policies, and procedures that ensure the pertinent information is identified, captured, and communicated in a timely manner
- Monitoring. The control component that ensures the overall control process is managed, effectively audited, and improved.
The integration of these components and objectives is known as the COSO Framework and may be found on the COSO Web site (www.coso.org).
As with finance, IT plays a critical role in ensuring effective internal control. Similar to the COSO Framework, the Control Objectives for Information and Related Technology (CobiT) Framework developed by the IT Governance Institute is the accepted set of guidelines by the "Big 4" audit firms to ensure acceptable IT security, risk management, and control practices. CobiT provides guidelines and toolsets to facilitate development of these capabilities in core IT areas:
- Planning and organization. Includes governance and strategic planning, IT architecture, skills and training
- Acquisition and implementation. Includes program development and change, acquisition or development of software, infrastructure
- Delivery and support. Includes computer operations, information access and interfaces, data completeness, security, management of third-party services
- Monitoring and evaluating. Includes methods, policies, procedures, and internal audit.
Although these two frameworks may appear overwhelming to practitioners, it is imperative that businesses faced with meeting SOX compliance requirements work closely with their auditors to determine the appropriate level to which COSO and CobiT should be applied. The result of this exercise will produce a set of control requirements and opportunities that can be addressed and subsequently leveraged to deliver competitive advantage.
Opportunity for competitive advantage
Forest products companies should not be surprised that their list of control requirements and opportunities is fairly long. During the last several years, the forest products industry has been faced with intense acquisition and consolidation activity, a tendency to decentralize operating models, market globalization, raw material, and end-product pricing volatility; and ever-increasing customer expectations.
The rapid and dynamic nature of these pressures has forced companies to frequently be reactive rather than proactive with the result naturally, and often necessarily, short-term as opposed to long-term focused. These responses have created a set of critical impediments to value creation:
- Complex financial infrastructure. Redundant and/or multiple financial organizations utilizing inconsistent financial processes; multiple GLs driven by complex legal entity structure and other financial transactional systems; cumbersome financial consolidation tools; and proliferation of non-standard reporting tools or complex spreadsheet consolidations for actuals, plans, budgets, and forecasts
- Complex and fragmented supply chain. Non-standard and inconsistent processes, manual processes linked together to attempt to simulate an integrated supply chain, redundant supply chain organizations and infrastructure elements, multiple base transactional systems performing the same supply chain functions often differently
- Inefficient business decision making. Lack of credible data to support fact-based decision making, limited use of decision enabling tools, multiple reporting and analysis organizations frequently attempting to address the same issues and often producing different results
- Complex application and integration architecture. A host of custom and/or packaged solutions frequently providing the same functionality (just in a different region); complex integration architecture that nobly attempts to "lash" these applications together to provide a common face to the customer and adequate information for the business.
Interestingly, it is these very impediments that drive SOX control challenges. It is critical to realize that while improving internal control mitigates risk, solely ensuring SOX compliance will not eliminate the root causes impeding value creation. It is also important to realize that the lack of a single infrastructural element both underlies and drives these impediments: an integrated information infrastructure. An example of a properly integrated infrastructure is depicted in Figure 3 and is characterized by:
- Consistent use of information terms; common "business language"
- Consistent definition and application of common business processes based on a simplified operating model
- Clear data ownership and information governance
- Reliable transactional information sources
- Information repositories that collect and aggregate information accurately, efficiently, and consistently
- Consistent information reporting that provides flexibility across multiple reporting dimensions while maintaining a single "version of the truth."
Trying to address all of these information challenges to meet the requirements of SOX 404 and its other sections is obviously an approach that would not lead to timely compliance. However, recognizing that the elements of a sound information infrastructure may be utilized to identify and remove inhibitors to value creation provides organizations with an opportunity to create competitive advantage instead of merely executing a compliance function.
SOX compliance is largely a natural outcome of organizations that maintain a sound information infrastructure to support enterprise performance decision-making and disciplined business practices. As with large-scale Y2K or Cluster Rule compliance initiatives, some short-term fixes or compliance activities must be undertaken. However, forest products companies that deploy a longer-term program to address core information and value creation opportunities will not only meet their SOX requirements, but will also create the opportunity for real competitive advantage.
TIM KUTZ is an associate partner in Accenture's Forest Products Industry Group, Atlanta, Ga.; GEORGE MARCOTTE is a senior manager in Accenture's Finance and Performance Management Service Line, Boston, Mass.; and LES STONE is an associate partner in Accenture's Finance and Performance Management Service Line, Philadelphia, Pa.