Advisory
Sox Comes Calling
The Trickle Down Effect
Jun. 01, 2007
Practicing accountants should all give a cheer for S-O-X. Every business is impacted by the Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as Sarbanes-Oxley or SOX. The politicians attempting to plug holes and round up the animals escaping from the open barn door have provided the foundation for enactment of Sarbanes-Oxley. They have done much more than they ever anticipated.
SOX’s Design & Intent
SOX was designed by a committee to handle issues surrounding business management and financial reporting. The intent of the Sarbanes-Oxley Act is to improve the accuracy and reliability of corporate disclosures. It created new standards for corporate accountability as well as new penalties for acts of wrongdoing. Key for the accounting community is understanding how SOX changed the interaction among corporate management, accountants and auditors.
The Impact on Small & Medium-sized Businesses
While SOX was designed for public companies, it is absolutely clear that SOX impacts small and medium-sized businesses in a major way. Companies of every size must implement people and technical resources that improve internal controls over operations. In this way, the SOX regulations can boost the reliability of financial statements.
Public companies have to comply; it’s the law. Any appeal to a higher authority requires lots of legal support and carries the probability that non-compliance can result in penalties and/or jail time. The consequence of fines is less onerous than the very real impact of prison confinement.
The establishment of regulatory standards for the public companies is clearly having a trickle-down effect on all non-public companies. The trickle is migrating to a fire hose as these standards have become the standard for all assessments surrounding operations and procedures. Banks are encouraging the implementation of SOX compliance. For example, Wells Fargo bank has a page devoted to SOX information (www.wellsfargo.com/com/focus/sox). This web page includes the following sentence that applies to all companies, regardless of size:
“Instituting the controls envisioned by SOX will patently require a concerted effort. Over time, however, your initial investment should be amply compensated by the benefits of increased transparency and control.”
Today’s transaction-based systems have created islands of data that have a growing number of tentacles to other systems. With every system impacting every other system, there is an increasing collaboration of strengths and weaknesses throughout a company’s business operations. One system’s controls impact every other system. This can be complicated. The smaller business may not have all of the internal staff needed to implement appropriate SOX standards-based controls. Accountants can certainly play a role by applying their skills to design and implement proper controls.
This article explores a few of the technology tools and products for small firms and how small to medium-sized tax and accounting firms can use such tools.
ACCOUNTANTS & RELIABILITY
Accuracy and reliability are what accountants should be all about. Federal regulations are important but do not have to be the sole driving force for supporting controls over transactions and reporting. SOX has removed the “I never knew and was not there” defense from everyone’s legal vocabulary. The accuracy of financial reporting is no longer just the domain of the accounting department and public auditor. Of course, the higher up the pay and responsibility scales, the more accountable one becomes.
One of the values of SOX is how it shines a very bright light on improved financial reporting responsibilities along with new internal controls and procedures for the maintenance of financial accounting records. It is understandable that the intent of Sarbanes-Oxley is to enhance corporate governance and strengthen corporate accountability.
A few of the key intended enhancement points include the following:
- Improved internal checks and balances within corporations
- Establishment of new levels of control and sign-offs
- Full and complete financial disclosures
- Full transparency of corporate governance
We will not debate how the regulations are written and how they are enforced by government employees. Rather, it is a basic premise that organizations of every conceivable size can benefit from better management of their business operations. This includes the proper selection and implementation of technology-based products that can provide effective support for critical issues such as the review and assessment of internal control.
The most widely used and probably most widely trusted product in the Accountant’s toolkit inventory is the Excel spreadsheet. While the use of Excel has never been perfect, it has proven to be reliable and capable of being used through a range of applications. It is the “ACF” of accounting tools — Accountant’s Comfort Food. Because of its versatility, extensive array of formulas and rows and columns, accountants have properly made this a daily “go to” program.
Excel can perform well to analyze data. More effort is needed to identify data elements, data interactions and accumulative data reporting. Remember that Excel is not scalable and cannot be used to collect large amounts of data for analysis.
One of the keys to mapping to SOX regulatory issues is the capability to manage data over multiple time periods. This includes drill-down and drill-up capability that can cover a wide range of accountant assessment and review of data and transactions.
CONTROLS, PROCEDURES, REPORTING, OH MY!
The trickle-down effect of SOX is all about improving controls surrounding the business transaction cycles. This is a natural activity for accounting firms. Accountants with knowledge about the integration of business and technology can provide substantial benefits to clients. Clearly, accounting firms can and should help companies implement, change and grow. The noise surrounding SOX gives accountants more documented reasons to reach out and offer assistance to their clients.
Calvetti, Ferguson & Wagner, P.C. (CFW; www.cfw-cpa.com) is a full-service accounting firm based in Houston, Texas. The firm started serving public and private companies in 2003 with two partners. Today, they have more than 30 staff and partners. Marcus Wagner, partner in charge of the firm’s risk management services group, understands the significance of providing SOX compliance services. The risk management group is dedicated to supporting a wide range of IT and Systems-related activities, including SOX compliance, IT development practices, quality assurance for existing systems, and wide to narrow reviews of internal controls.
The trickle-down effect of regulatory issues like SOX compliance, Wagner states, “has pushed the firm to find CPAs who are entrepreneurs. A lot of the staff members come from Big 4 training and are now seeking to expand and grow beyond working within huge firms. This entrepreneurial spirit is pervasive throughout the entire organization.” Wagner uses this forward thinking to support the firm’s approach to IT-related non-audit work.
Within the firm, the real secret to SOX services is the use of proper software tools. Their primary applications are the tools from DoubleCheck Software (www.doublechecksoftware.com). Wagner’s experience is that “many CPA firms do not understand technology.” Consequently, he feels it is essential for accountants to partner with computer vendors such as DoubleCheck Software. This creates a blended partnership using the best skill sets of each. Accounting firms have subject matter expertise and can gain client insights. The software provides the appropriate technical products to dig deep within the computer-maintained records.
CFW is very careful to sustain audit independence, especially within the SOX regulatory environment. This work is done for non-audit clients and is often the result of a referral from the company’s audit firm. This includes small and large companies. Small companies do not have sufficient resources to do their own compliance testing. Larger companies, with a large internal IT department, still want the external review and assessment of their internal processing.
Clients can be separated into two categories: those that want to be responsible for internal controls by themselves and firms that seek outside professional accounting type help to test and assess controls. The more open the client, the easier it is for the accountant to provide professional business advice.
CFW’s use of DoubleCheck Software enables a one-time engagement as well as a continuing engagement that can be a service over an extended period of time. Key is the capability to extract data from client processing systems based on filters established by the CFW team. This process can also be performed by the internal IT group. It is expected that computer firewalls and other access controls are in place to manage the outside auditor’s ability to enter and navigate through the client’s systems.
An accountant’s business approach should be to recognize the range of services that can be offered from this platform surrounding SOX and related internal control assessments. This work includes, but is not limited to, the following: Financial Statement Auditing, SAS 70 reviews, new systems development, existing systems upgrades, new hardware installations, etc. There are lots of trickles for the accountant to consider.
The above services can be performed for accounting firm clients along with public audit clients of accounting firms. The need for audit independence does give rise to a lot of opportunities. It is valuable to maintain good relationships with other firms.
“Effectiveness is repeatable,” says Joe Cincotta, President/CEO of DoubleCheck Software. The company specializes in products that are used for IT reviews and assessments. This is ideal for SOX compliance. The vendor’s customer base includes large public companies, small and midcap firms, and professional accounting firms. The vendor’s products are currently used as enterprise solutions and for one-time projects. Accounting firms, like CFW, can turn around and offer the product to their client or have the client become a direct customer.
On the PDF here, DoubleCheck Software identifies the range of elements that can be included for any of the analyses in support of IT reviews. For SOX compliance, this shows that IT testing generates information that can later be mapped to financial transaction reporting and government regulations.
Audit and compliance applications need to provide a range of implementation formats:
- As a standalone application, where the testing extracts information from a static set of data fields for after-the-fact transaction testing
- As an integrated application, extracting transactions as they occur to determine active processing errors
- As an online application, where the tester can access the test computer through remote links over either an Internet or an internal network connection
- As a monitoring system, where the testing application is operating in the background, and, when an alarm filter is triggered, active information is transmitted to internal audit staff, external accountant or both
More and more systems will be monitored through some form of remote linkage — Internet access, private telephone networks, or direct PC connections.
Risk needs to be managed. According to Cincotta: “As part of the DoubleCheck Solution Suite, The Risk Center identifies, measures and analyzes financial and operational risk in a repeatable and consistent manner. Through management dashboards and an advanced reporting engine, key information is available on demand. Moreover, the automated notification system prioritizes alerts that are essential for incident notification. The Risk Center components provide a comprehensive, policy-driven, risk-centric approach to process control management essential in reducing risk, supporting compliance and improving organizational performance.”
For SOX, the capability to perform continual testing of systems can be a very cost-effective method to monitor ongoing systems operations. The trickle-down effect here is the ability to do more than even SOX requires. Testing every transaction within a period provides more assurance than doing statistically sound random testing.
Another vendor in this space is Transition/1 with its software product line eProcessManager (www.t1mas.com). Kent Busse, President, Transition/1, has a long track record of working with the trickle-down world of government regulations. Kent recognizes that, “Reviews and assessment of IT is probably one of the least publicized issues in middle market accounting firms.” Busse sees that firms are “kind of aware” but do not yet fully appreciate the extensive additional audit hours needed.
It is necessary to use a software application for testing SOX compliance. The work requires more than just documentation on top of documentation. Busse suggests that reviewing internal controls can add an average of 200 to 400 hours of added work.
Consequently, significant preparation needs to go into any compliance work. When installing third-party software, multiple users can be assigned, each with their own user name and password. Each user can have a different level of security access. In this way, auditors can access the files and create a report without having to be physically located at the client’s office. Keep in mind that this requires approval and authorization by the client. No accountant will just randomly access a client’s computer without such access being part of a specific assignment.
As work under SOX becomes more of a continuing process, it is clear that additional compliance efforts will transfer to the development side of IT. With new systems being designed and implemented on a never-ending basis, there is always need for setting up and maintaining intensive test environments as a way to manage and control complex IT issues.
With either DoubleCheck or Transition/1, controls can be set up to be either automated or manual with special attention to the reporting when any one or multiple tests fail. Each test can have a digital signature appended to identify who did the work. In addition, any risk or negative event can trigger additional information sent to the process owner, which can include one specific person or multiple people. When aligning people, processes and technology, companies can implement controls that improve operational issues and lead to the proper construction of business best practices.
The value proposition for accounting firms is the capability for this work to align transaction data controls, document management, and financial reporting controls with overall business strategies.
The SMB enterprise can receive substantial benefits from the trickling down of SOX compliance issues. Internal controls and risk management are integrated requirements for business best practices. The enterprise staff can be trained by the accountant/business advisor who can guide them towards effective business operations. This is not just another accounting standard. This is all about making the business avoid missteps and failures that can occur when management does not take processing controls seriously. Obtaining a non-qualified accounting advisory opinion can be as important as receiving an auditor’s non-qualified financial opinion.