Sunday, May 24, 2009

What every CEO should know about Sarbanes Oxley (Part 2)

By Dean Gill

A New Frontier: Process Compliance

Sarbanes-Oxley is perhaps the most profound revision of securities laws since the 1934 Act that created the SEC in the first place. Section 404 of the Act in particular provides a subtle but extremely significant expansion in the SEC's regulatory authority. Before Section 404, the main reporting duty revolved around financial results. The regulatory mandate was fairly clear: report your results from operations accurately. Now, the SEC's scope also reaches into the processes of obtaining those results, and the mandate is not so clear. A number of related questions arise: what was your process that generated the numbers? Tell me all about it: Was the process reliable? Did it accord with an acceptable framework of enterprise risk management (ERM)? Were there appropriate internal controls in position to flag and curtail financial gimmickry (intentional and unintentional)? How well does your internal control system work, and how does it compare to how it worked before? This change provides an entirely new risk frontier for noncompliance: not only must the ultimate numbers and risks be honestly reported, but the process that generated them must meet a legal standard of propriety.

Since Section 404 doesn't go into effect until June, 2004 for the largest public companies, most of the attention to the law has focused on Section 302 and the associated criminal penalties in Section 906, which provide that officers must certify the accuracy of financial statements and the existence of internal controls. Section 404 is the part of the law that sets the standards for establishing those internal controls through an internal control structure. The practical effect of these changes is that top executives will need to be much more closely involved in the process of creating financial information. Their underlings will provide more frequent summaries and views of what they are doing, and what data they are using. Accordingly, the basic theme of accountability has flip-flopped: what was once a passive, top-down review of financial outputs cobbled together chaotically at report-time has become a pro-active, participatory bottom-up process driving results.

So it is not just the top corporate officers who are on the hook for compliance, even if they are the only ones who need to sign on the dotted line. Although they traditionally may have been far more focused on the tactical issues of running the business, business and functional unit leaders now confront several key strategic, compliance-related questions:

- Where is the material risk in my business?
- Do I have the appropriate controls to mitigate the risk, and to flag trigger-events as they occur?
- Are these controls actually being applied in a consistently competent fashion?
- Am I confident in attesting to the accuracy and integrity of my financial data on an on-going basis? (You can't expect the CEO to do so if you aren't.)

This line of inquiry will structure the case when regulatory or litigious-shareholder ire fixates on a surprise that upsets street expectations. Before Sarbanes-Oxley, the basic surprise investigation asked the following: what did you know? When did you know it? Was it material enough to justify public release? Now, a whole separate theory is also available: how did you not know about it? Executives must demonstrate that despite adequate internal control processes, they couldn't know about the surprise. In essence: the risk was not just unknown; it was unknowable.

To prove its position, a company will need a rich cache of information with a precise analytical narrative to explain itself. Analytics -- the tools, processes and expertise for pooling information and drawing meaningful insight -- is not merely a matter of smart business anymore; it's a critical component of an overall compliance strategy. (Continued Part 3)

Disclaimer

The information and opinions expressed in this paper are not intended to be a comprehensive description, nor to provide legal advice, and should not be treated as a substitute for specific advice concerning individual situations. While the author and Upper Quadrant have made every attempt to ensure that the information contained in this document is accurate, neither the author nor Upper Quadrant is responsible for any errors or omissions, or for the results obtained from the use of this information.
