Sarbanes Oxley, Risk Management and Internal Audit
October 02, 2009

I recently held a workshop at The GRC Summit (produced by the Global Strategic Management Institute), an event where executives from across the world gathered to collaborate and get the latest education on governance, risk and compliance (GRC). In the workshop and in a later breakout session I covered the relationship between Sarbanes-Oxley and financial governance generally.

The main objective of the Sarbanes-Oxley Act of 2002 was to reduce the risk of financial misstatements in public companies’ financial statements. While most of the other sections of the bill were specific (or became so in short order), Section 404, which covers internal control over financial reporting, was specific at a high level about what public companies had to include in the way of an assessment of their controls but necessarily vague about how to go about doing it. From my perspective, the core problem with the initial application of Section 404 was that many auditors who were interpreting it were confusing general financial governance with the real objective of the Act – substantially reducing the risk of financial fraud in external financial statements. So, although control of travel and entertainment expense and business credit are important financial governance issues, they are rarely material to controlling financial statement fraud. Unfortunately, many external and internal auditors spent a great deal of time obsessing about details on the theory that somewhere down the line there was a remote possibility of fraud. Worse, they often did this rather than finding ways to implement high-level controls or focusing only on aspects that posed a significant level of risk.

Ultimately, in 2007 the Public Company Accounting Oversight Board (PCAOB – “peek-a-boo”) addressed the misalignment of focus, relevance and materiality (albeit after way too much money had been thrown at compliance efforts) by replacing Accounting Standard (AS) 2 with AS 5, with the SEC offering guidance to management about implementing, monitoring and reporting on controls. Both of these amounted to a big “never mind.”

But hold that thought! Although implementing, testing and reporting on financial controls across the board to reduce external reporting risk doesn’t make sense, there are plenty of ways finance departments can use more formal controls, automated monitoring and reporting to improve their governance function in ways that will optimize risk and cut costs. “Optimize” means making the appropriate trade-offs between a company’s risk appetite and costs. For external reporting purposes, it doesn’t make sense to automate the oversight of T&E spending or to invest in a system to spot payroll fraud, but it probably makes a lot of sense to do this to cut costs and reduce the chance of a damaged reputation if a store manager is stiffing employees on overtime to meet their profit objectives.

Meanwhile, Sarbanes-Oxley did increase awareness on the part of some in the finance function of the opportunity to use controls, monitoring, measuring and reporting for productive business purposes. This, in turn, has boosted attention to the topic of governance, risk and compliance in the finance function. Software vendors, too, see an opportunity to help companies do a better job of controlling cost and risk. However, since “governance,” “risk” and “compliance” exist across an enterprise and there are myriad ways to deal with them, the term “GRC software” can be very misleading. (See “IT Analyst Firms Continue Confusion on GRC” and “Does GRC Software Exist? Should It?”) Many existing categories of software are an integral part of GRC processes, such as document management, BI and analytics, process management and so forth. Some GRC functions already are an integral part of enterprise systems companies already own, but they don’t realize it because they leave it to IT to manage these implementations (and IT doesn’t know that it could be useful). And some GRC software is relatively new and addresses specific elements that weren’t handled particularly well at all in the past (such as complex event monitoring).

Companies can and should improve the effectiveness and efficiency of their financial governance, and extending what might have been initial Sarbanes-Oxley compliance efforts is a good place to start.

Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.


Robert D. Kugel - SVP Research


Copyright © 2016 Ventana Research All Rights Reserved