Sarbanes-Oxley (SOX) section 404 did a great disservice and service to improving financial governance and controls. The disservice was the amount of time and attention sucked up in the 2002-2006 period as companies worked overtime to get compliant and then make the annual SOX project an easily repeatable process. Unfortunately, much of this effort was not really necessary, as the initial interpretation of the act by the PCAOB (Public Company Accounting Oversight Board) confused the stated objective of SOX, applying due diligence to ensure there would be no meaningful risk of fraud or misstatement in external financial statements, with corporate financial controls generally. What’s the difference? About a gazillion people-hours spent with no meaningful decrease in risk to investors. (Also see “Sarbanes Oxley, Risk Management and Internal Audit”.) For this reason, the PCAOB issued Accounting Statement 5 in 2007, which clarified the objective of SOX 404 and amounted to a big “never mind” to the earlier approach of mapping, monitoring and alerting on every financial process and any related operational process regardless of its relevance. Instead, companies are now supposed to focus only on the proximate risks to financial statements and do so on a top-down basis. (Incidentally, a lawsuit on the constitutionality of the PCAOB itself, and perhaps by extension section 404 of the Sarbanes-Oxley Act, is under consideration by the Supreme Court and will be decided in the current session. If nothing else, SOX confirmed the adage “Act in haste, repent at leisure.”)
While SOX compliance investments were a bust, confusing the lack of value in all-encompassing financial controls with those that provide a positive return on investment would also be a mistake. Financial controls go back millennia because they’re good for business. One of the few benefits of Sarbanes-Oxley has been to spur the creation of IT-based monitoring and control systems that replace a hodgepodge of inefficient and ineffective manual systems with sleeker ones that do the job better.
“GRC” has been very much in evidence at Oracle World, in part because, having developed (or purchased companies that developed) product for SOX, Oracle and other vendors need to spur demand. I try to look past the claims for GRC (some of which are useful and clear; most others less so) and focus on the business value the vendors are trying to provide. Unfortunately, although people think they know what GRC is, there’s still an awful lot of confusion. (As my colleague Mark Smith noted in “IT Analyst Firms Continue Confusion on GRC”.)
Given Oracle’s focus on the IT department, it’s not surprising that there’s less focus on the business side. On the other hand, there was one session that nicely illustrated the value of taking the work originally done for SOX compliance and repurposing it for more effective – and less expensive – financial controls. Unfortunately, you could count the session’s attendees on the fingers of both hands with a few to spare. I think that’s more of a comment on the demographics of the attendees than on the importance of the use case.
The company, a Class I railroad, has assembled its set of financial controls, monitoring and reporting capabilities using the piece parts offered under the “Oracle GRC” nameplate (LogicalApps, Stellent, etc.). More importantly, the company’s CFO and Controller were committed to changing how they managed financial controls: to eliminate as many manual ones as they could, to shift the focus from after-the-fact investigation to real-time alerts, to have more effective controls and to automate reports. The payback from these efforts was that their internal audit consultant saved more billable hours in the first year than it took to put the system in place (that is, the payback period was less than a year). My guess is that most companies with 2,500 or more employees would achieve a similarly fast payback from more effective financial control systems, even after going through the SOX paper chase. Too much of what they are still doing now is performed manually, using processes and technology that waste time and bog down internal and external audits.
I think “GRC” (at least the governance and risk part) is slowly moving to an enterprise level on the business side, as I recently covered in “Does GRC Software Exist? Should It?”. (The IT “GRC” already has to be, almost by definition.) Today the piece parts are adequate to get the job done and provide most companies with solid business value – if only because most are so inefficient at handling this part of their business. You can’t buy a “GRC solution” today, but you can buy a bunch of software from one or more vendors (Oracle or SAP, to name two of the bigger ones) that will provide the finance department with a solid return on investment. That is, provided that the effort is being led by a CFO and Controller who understand (and are willing to do something about) just how backward their internal controls really are.
Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.
Robert D. Kugel CFA - SVP Research