Although the urban legends surrounding the Sarbanes-Oxley Act of 2002 paint it as something to be feared, Clark Keeler says that it actually presents an opportunity for business leaders to improve and protect their companies.
For many years preceding SOX, CEOs and CFOs signed certifications in their public financial statements asserting that they maintained effective systems of internal controls. However, those assertions were never audited, so there was no verification of their reliability. Then came the downfall of Enron and WorldCom and the enactment of the Sarbanes-Oxley Act.
“The thing that business leaders primarily objected to about SOX was one section of the legislation, Section 404(b). That section required their auditors to ‘attest to, and report on, the assessment made by management,’” says Keeler, a director at Burr Pilger Mayer. “The act came into effect in July 2002 and required the biggest public companies to be compliant and be audited by the end of 2004. The act also incorporated penalties that effectively said, ‘If you fail, your officers can be fined personally or even go to jail.’”
Smart Business spoke with Keeler about how Sarbanes-Oxley has impacted business and why management should look at the act as a blessing, not a curse.
How should business leaders approach Sarbanes-Oxley?
Sarbanes-Oxley focuses on managing the risks around financial reporting. Instead of embracing the requirements as a means of improving internal communication and credibility with external stakeholders, management, as a whole, resisted the act, treating it as a forced-compliance law of little or no value. They too often abdicated responsibility to their auditors and consultants and said, ‘Get us compliant and keep us out of trouble.’ That often led to lack of focus and attention on details rather than the analysis of significant areas of risk. Management could have avoided much of the frustration the act created by approaching compliance as they would have in any other major project: by focusing on and addressing the significant risks and areas of weakness where their businesses could benefit, but not ‘sweating the small stuff.’
How can having strong internal controls help a business leader?
Strong internal controls are good business basics. Their purpose, in relationship to Sarbanes-Oxley, is to prevent or detect the risks of misreporting important financial information. Good internal controls help ensure reliable information on the areas that matter to the readers of the financial statements.
When management can prevent or detect problems before they mushroom into a crisis, the working environment inevitably becomes calmer. Having good information allows them to run their businesses without worrying about the things they haven’t thought of or checked on, and it also reduces surprises. Once you have the information you need, on the things that matter, you can focus on the business model issues that really lead to success.
Sarbanes-Oxley requires management to figure out where the risk areas are that could cause them to make material errors in their financial statements. It then requires them to put the controls in place that would prevent the errors from happening or allow them to be detected and corrected in a timely manner. Reliable financial reporting supports management decision-making and provides credibility to investors and other stakeholders. These are good things.
How do you identify your risks?
All business risk assessment starts with determining what can go wrong in significant business processes and what can be done to prevent or detect the effect of those risks. Evaluating financial reporting risk is a basic process that looks at who has a stake in the company, who reads the financial statements, and determines the areas they care most about. Once management identifies the significant items that their stakeholders evaluate, they need to take steps to ensure that the information relating to those items is materially correct. Obviously, you want your stakeholders to know they can rely on the accuracy of what they are reading.
Evaluating what your key business processes are, what impacts them and how you ensure that the processes operate effectively is actually pretty straightforward once you have identified the areas of sensitivity. If it is something you can prevent from ever happening, you take those actions. If you cannot prevent it, you put monitoring controls in place so you know if it happens and give yourself time to react to it. Once you have the controls in place, you simply have to test them periodically to make sure they are still protecting you.
How can having strong internal controls and knowing the details of financial statements benefit not only public companies but private ones?
Having good internal controls is ultimately about controlling the information around your critical business processes. If you have the information to prevent or detect risks to your business, you can manage proactively. You will have reduced the ‘surprises’ in your operating environment and will have gained a measure of control of your business. For a small company looking to sell, reducing information risk to the buyer is critical. If every time your buyer asks a question you have to say, ‘I’ll get back to you in a couple of days,’ their confidence in how much you know about your business and how much they are willing to pay is reduced. Conversely, if every time they ask a question you can answer confidently, their comfort and interest are reinforced.
More importantly, however, internal controls support your day-to-day efforts to create the most value for your company. They keep you focused on the things that matter and provide the reliable information you need to make your best business decisions every day.
Clark Keeler is a director at Burr Pilger Mayer. Reach him at (415) 288-6280 or firstname.lastname@example.org.