TEC 2017: SOX compliance—pulling away from a ‘C’ grade
Editor’s Note: The sixth annual Wdesk user conference is underway in Las Vegas. This week we have a special guest contributor taking over the blog and giving us live updates from the conference. Please welcome Matt Kelly, Editor and CEO of Radical Compliance.
So there we all were on Monday, several hundred of us, warming up for the 2017 Wdesk user conference by attending the SOX & Internal Controls Professionals Group Summit to talk all things internal control.
On stage was Jeremy Sucharski, GRC, SOX, and Internal Audit Partner at Armanino. He was sharing thoughts on good and bad practices for SOX compliance, and he mentioned one phrase he has heard many times from CFOs.
“I just want to get a ‘C’ on SOX. I just want to do the bare minimum and be done.”
That’s not a surprising attitude per se, especially if your company is new to compliance and perhaps a bit bewildered at all the time, energy, and investment required in those early years. Still, it’s an unwise attitude to have—one that suggests your CFO doesn’t really get what SOX compliance is about.
SOX compliance is about strengthening business and financial processes to make them more reliable. That means you have to understand how those processes work and where the risks to those reliable business processes are.
Hence, for example, audit firms pester you for flowcharts rather than narratives. Flowcharts force you to distill a financial process down to its bare essentials, including the risks and controls you have in place. Sucharski encouraged SOX summit attendees to perceive compliance in terms of business or process cycles rather than accounting controls, and he’s entirely right.
CFOs who only want to get a ‘C’ on SOX can’t see the forest of good business process through the trees of Section 302 disclosures and Section 404 audits. To them, SOX compliance is an accounting exercise to meet regulatory requirements.
They don’t grasp that the minutiae of internal control testing is part of a larger effort to improve corporate accountability for financial statements—or that companies that take financial reporting seriously get rewards.
The rewards of SOX compliance
During a later session at the SOX summit, I hosted a fireside chat with Greg Wilson, former Deputy Director of the PCAOB’s Division of Registrations and Inspections. We talked about the challenges of articulating that cost-benefit analysis of SOX. Namely, the costs are precise and quantifiable (you do pay fees for consulting, auditors, or software, after all), but the benefits are diffuse.
For example, companies with strong SOX compliance programs, including Section 404(b)’s annual audit of ICFR, experience fewer financial restatements than companies that don’t comply with Section 404(b). Academic studies show that companies with fewer material weaknesses in financial reporting are at less risk for financial statement fraud and are more likely to get better valuations and credit ratings from Wall Street banks. You might also file earnings releases more quickly, since you’re more confident in the numbers that eventually will be filed in the 10-Q.
Do all those benefits exceed the dollars spent on compliance? That’s hard to tell, and for inexperienced companies, the answer might be no. But in that case, the question is more about how the company can improve financial processes and rationalize controls to gain those advantages—not whether we should weaken the rules, so companies can go public more cheaply, in every sense of the word.
I was pleased to see that attendees at the SOX summit seemed to perceive the issue the same way. Wilson and I polled the crowd, “Should SOX 404(b) be repealed?” and nearly 75 percent said no.
Now, if we could only get the CFOs of Corporate America to feel the same way.
About the Author
Matt Kelly is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. He maintains a blog, RadicalCompliance.com, where he shares his thoughts on business issues and speaks on compliance, governance, and risk topics frequently. Kelly was named as "Rising Star of Corporate Governance" by the Millstein Center for Corporate Governance in the inaugural class of 2008 and named to Ethisphere’s "Most Influential in Business Ethics" list in 2011 (no. 91) and 2013 (no. 77). Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Mass., and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.