When the initial wave of public companies faced their first Sarbanes-Oxley (SOX) compliance deadlines, many were still scrambling to decipher the legislation. Soon compliance costs exceeded expectations, and everyone ranging from management to public company auditors felt the time, knowledge and monetary pressures as filing deadlines loomed.
SOX continues to pose challenges, but the outlook appears more positive these days, reports Davide di Gennaro, a Senior Manager with Ernst & Young’s Global Treasury Advisory Services. Many public companies have overcome the initial hurdles and are beginning to realize SOX’s intended benefits of reduced operational risk and enhanced control over financial reporting processes.
This is particularly true regarding SOX Section 404, which requires senior management to document, test and monitor the effectiveness of the company’s internal controls. A company’s auditor must also attest to, or report on, management’s assessment of the effectiveness of the company’s internal controls.
“Treasury typically had fairly good policies and procedures within a controlled environment before Sarbanes-Oxley,” di Gennaro notes. “The Section 404 exercise simply forced companies to dig deeper with a more explicit focus on ensuring solid management over each process and documenting it. Companies gained the opportunity to really review and rethink everything they do that affects financial reporting.”
Document, Then Re-document
Now, each process evolution, technology implementation, bank relationship change, etc., forces companies to amend their documentation if it could impact their financial statements, di Gennaro says. “As a result, treasuries are more specific with proposed project plans on the front end, as they take into account the documentation and testing steps necessary to establish and maintain proper internal controls.”
This also means implementing big changes takes more time.
Increased Visibility
Section 404 has increased the treasury department’s visibility within a company, because many transactions and activities that flow through the department—including debt issuance, cash management and foreign exchange/interest rate risk management—materially impact financial statements.
Lean treasury departments have even used their increased visibility to bargain for more staff. “With their function so visibly and materially connected to the overall organization, some departments have won additional, full-time employees as a result,” di Gennaro says.
Where staff sizes have not increased, some companies have used the 404 exercise to identify the value-added functions that treasury performs, thereby creating opportunities for outsourcing high-volume, low-value tasks.
“Relieving itself of manual burdens, employing outsourcing strategies and focusing on technology is the path many strategic treasuries have taken to elicit added value from the bottom line and shore up defenses,” di Gennaro says. “We’ve seen a lot of automation in an attempt to eliminate the potential for financial misstatements and reduce operational risks.”
Another positive outcome of 404 is that the silos which can separate business functions continue to crumble.
“Connectivity throughout the organization seems to be improving now that clearly documented controls exist for end-to-end operations,” di Gennaro says. “Employees were forced to examine the interconnectivity of their day-to-day activities and how their decisions impact the data that’s fed into financial statements, so they now better understand how other business units operate.”
Not only is internal communication improving—but so too is communication with a company’s auditors. “We’re seeing more open, ongoing dialogue between public companies and their auditors,” di Gennaro says.
Greener Pastures Ahead
Many companies appear to have welcomed the opportunities that SOX has afforded them for process and control improvements. The knowledge gap is decreasing, and there are now more resources available—both in terms of people and technology—to help design, evaluate, test and monitor controls.
“Compliance will remain an ongoing effort for public companies,” di Gennaro concludes. “The learning curve will continue as better tools and control techniques are discovered and shared.”