Newsletters The Monthly Blend November / December 2006
Why Private Companies and Not-for-Profits Can't Ignore Sarbanes-Oxley

Spirit of legislation shapes best practices for all organizations

The Sarbanes-Oxley Act of 2002, passed in response to highly publicized corporate wrongdoings, seeks to ensure accurate and transparent financial reporting by public companies through a number of means, including increased management accountability. The effects of these accounting and audit requirements extend far beyond publicly owned companies, however.

Although private organizations are not subject to Sarbanes-Oxley provisions, the spirit of the law is having a profound impact on many of these entities, particularly those with plans to become public. There are other compelling reasons, as well, for organizations to self-comply. Controls mandated for public companies, such as auditor independence, protection for whistleblowers, and increased financial checks and balances, are also becoming best practices for not-for-profits and private firms. Some states are even considering legislation to make Sarbanes-Oxley provisions mandatory for a variety of organizations.

Sarbanes-Oxley has essentially raised the best-practices bar. And organizations that don’t champion the spirit of this legislation risk looking like less-than-desirable business partners and recipients for donations.

Sarbanes-Oxley for private companies and not-for-profits
Why doing more pays off

Because Sarbanes-Oxley compliance efforts involve revisiting old processes, policies and ways of thinking, organizations often identify opportunities to make improvements. Sarbanes-Oxley compliance can help organizations achieve the following:
Framework for compliance: COSO standards

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued a definitive report on internal control in 1992. Internal Control — Integrated Framework, typically referred to as “COSO,” provides the widely accepted standard for establishing internal control systems and determining their effectiveness. According to COSO, the three primary objectives of an internal control system are to ensure:
The report also outlines five key components of an effective internal control system:

Control environment. The control environment sets the tone of an organization. Factors that influence the control environment include integrity, ethical values and competence of management; management’s philosophy and operating style; manner in which management assigns authority and responsibility; and the attention and direction provided by the board of directors.

Risk assessment. This involves identification and analysis of threats and obstacles to achievement of the organization’s objectives and determinations about how these risks should be managed.

Control activities. These are policies, procedures, and practices that ensure management directives are carried out. These include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and communication. Organization leaders must communicate with personnel to ensure employees understand their roles in the internal control system and how control components work together. Employees must have a means of communicating significant information upstream.

Monitoring. Monitoring assesses the quality of the system’s performance over time. It can be conducted in the course of regular management and supervisory activities, through separate evaluations or a combination of the two.

Section 404 and beyond

Since fraud can be devastating to private companies and not-for-profits as well, these organizations can benefit from taking similar measures. Adopting these provisions also demonstrates to financial partners and donors that the company is doing all it can to ensure funds are not misused or mishandled. Section 404 requires management do the following:
After these requirements are complete, an independent audit firm must give its opinion of management’s assessment of the internal control over financial reporting, as well as the effectiveness of the internal control. Any weakness detected in the process must be evaluated to determine whether it could materially affect the financial statements.

Beginning the compliance initiative

Begin at the top. External auditors and regulators are looking closely at public companies’ “tone at the top.” Other organizations are also well served when the highest levels of management embrace a culture of integrity. This is not a shift that can be achieved by mechanical means. It is a transformation that takes place when company decision makers adopt and uphold a company-wide policy of transparency in financial reporting, effective processes and effective internal control over those processes.

Allocate enough resources. Scope the project and make a realistic estimate of the resources, both financial and human, that will be needed to get the work done within the established timeframe. Organizations may have employees with the skills and experience to complete some or all of the required tasks. Personnel with strong accounting, systems and computer skills can be valuable assets in this initiative. If adequate internal resources are not available, organizations may need to seek assistance from an outside firm. Firms that take an integrated approach can help organizations identify opportunities to improve processes and increase efficiency. Outside firms with experience in the organization’s industry will require less time to become familiar with operations and systems, which can help reduce costs.

Follow a work plan. Outside firms can help organizations develop work plans. Internal personnel may also be capable of executing this task. A work plan should map out the following stages of the compliance initiative with deadlines and deliverables for each:
Adding value to your organization

Becoming compliant with Sarbanes-Oxley, or adopting some of its provisions, helps align operations with best-practice standards and adds value to the organization.

Promote a culture of integrity

The Sarbanes-Oxley Act directs companies to make sure adequate checks and balances are in place in critical areas. In summation, the message of the legislation is “Do the right thing.” A culture of integrity begins with organization management and its policies, both formal and as understood by employees.

The Sarbanes-Oxley Act says companies must have an anonymous whistleblower policy in place. Under the act, employees who report problems — both real and perceived — cannot be punished. Organizations that champion the spirit of Sarbanes-Oxley have a control environment that promotes a culture of openness and integrity. They allow employees to report financial problems and fraud without fear of retaliation or ostracism. These companies’ policies reflect a management commitment to seeking out and listening to concerns about the financial statements.

Maintain a high level of accuracy and transparency in financial reporting

Contrary to some perceptions, the Sarbanes-Oxley Act did not establish new accounting or disclosure rules. It did, however, direct the Securities and Exchange Commission to study the implications of principles-based, as opposed to rules-based, accounting standards. The study is ongoing, but the message to companies is clear: “When it comes to accounting transactions, don’t push it.” The following guidelines may be useful to private firms and not-for-profits:
Improve obsolete and inefficient processes

Most organizations operate with at least some outdated and less-than-optimal processes in place. Employees and management usually realize these inefficiencies exist, but they may not know how to correct them. They may not even believe such an undertaking is worthwhile in some cases. Sarbanes-Oxley, primarily section 404, requires public companies to document and test critical processes that affect the financial statement. These initiatives are often ideal opportunities for organizations to streamline processes and eliminate redundancies and waste.

Processes rarely begin through systematic design. They tend to evolve as a means of responding to problems and are subject to modification as need arises. Some processes take on a life of their own — affecting multiple departments and ingraining themselves in the organization.

Documenting and testing unwieldy processes in the interest of Sarbanes-Oxley compliance, while concurrently looking for opportunities to improve design, may exceed the scope of employees’ skills and experience. Companies that outsource this initiative should look for a firm with Sarbanes-Oxley compliance and process improvement experience. Process improvement consultants will work with the Sarbanes-Oxley team to thoroughly examine processes identified in the work plan, evaluate factors such as systems integration, identify problem areas and recommend long-term solutions.

Enhance risk management

The term “risk management,” as it applies to companies and other organizations, is generally defined as a process by which the entity identifies, controls and minimizes the impact of uncertain events. Because it is simply not feasible for a controller or chief financial officer to ensure compliance with every aspect of Sarbanes-Oxley, almost everyone in the organization now has a stake in risk management and ensuring compliance. Many processes can affect an organization’s financial statements directly and indirectly.
Human resources, for example, has a stake in hiring people who will support maintaining internal control over financial reporting. Personnel in departments such as payroll, purchasing, inventory, cash management and sales must not only understand how the processes they own affect the financial statements, they must understand the impact of processes in other departments as well.

A company that begins to address Sarbanes-Oxley requirements will likely find a number of risk areas that need remediation. Certain processes, such as financial close and revenue, may lack adequate segregation. Or there may be little control or oversight of the company’s bonus structure. One corrective approach is to establish committees in key areas, including information technology, payroll, and any department with fiscal impact, to make sure their area is compliant. Once this team approach is in place and understood, organizations can ask employees to participate in other risk management activities, including safeguarding company assets, fraud prevention, revenue recognition and even responding to emerging public relations issues.

Increase the value of the audit committee

To comply with Sarbanes-Oxley, publicly owned companies are required to create an audit and oversight committee. These provisions, which give the audit committee a direct impact on an organization’s control environment and the “tone at the top,” can be beneficial to private firms and not-for-profits as well. Characteristics of the audit committee should include:
An emerging standard

Sarbanes-Oxley compliance alone will not insulate companies and other organizations from culpability for wrongdoing. But this legislation puts a heavy onus on public companies to do the right thing — a standard that will profoundly affect private entities as well. The value of provisions such as strengthening internal controls, improving processes and promoting a culture of doing the right thing should not be underemphasized. And their potential impact on all organizations cannot be ignored.

For more information, contact us.

___________________________________________

Fraud: A Big Threat to Midsized Businesses

Submitted by: Jennifer Taylor, CPA, Macc

A recent study by the Association of Certified Fraud Examiners (ACFE) underscores what many business owners know all too well: Job-related fraud imposes enormous costs on employers. Small to midsized businesses — those with fewer than 100 employees — suffer a dramatically disproportionate number of fraud-related losses, the study says.

Why midsized businesses?

Occupational fraud causes a median loss per incident of $159,000 — but for small to midsized businesses, the median loss is $190,000, according to the ACFE. The most common occupational frauds in these organizations involve employees writing fraudulent company checks, skimming revenue and processing bogus invoices.

Many small to midsized businesses suffer high fraud losses because they fail to proactively detect wrongdoing. Less than 10 percent of those studied have anonymous fraud-reporting systems, the ACFE says. And less than 20 percent have internal audit departments, conduct surprise audits or provide fraud-detection training for their employees. Not surprisingly, then, small to midsized businesses more often uncover fraud accidentally than by any other means, according to the study.
Several other factors contribute to the disproportionate rate of fraud among small to midsized businesses, says Andi McNeal, an editor on the ACFE research team.

"First, the familiarity and level of trust between employees in [small to midsized] organizations frequently results in fewer questions from other employees and managers," McNeal says. "In an atmosphere where employees and management know each other well, they tend to be less alert to the possibility of fraud."

Further, McNeal says, many small to midsized business owners hold the attitude that "it can't happen to me" — that fraud is a problem only big companies face. This attitude, combined with a lack of awareness and education, often leads to a decreased emphasis on preventing fraud in an organization.

Those factors may not directly cause a greater rate of fraud in small to midsized companies. But they certainly make such organizations more susceptible to being defrauded and allow greater opportunity for potential wrongdoers, McNeal says. In addition, she says, the inherent lack of segregation of duties in some businesses means an individual may have the ability to perpetrate and conceal a fraudulent act more easily than in a larger organization that divides responsibilities and provides greater oversight.

Who's committing fraud?

The size of losses from fraud closely corresponds to the position of the perpetrator. According to the ACFE study, business owners and executives who committed fraud caused a median loss of $1 million. That is nearly five times the median loss managers caused and almost 13 times as large as the median loss employees generated.

The majority of occupational fraud incidents in the study involved either the accounting department or upper management. Employees in the accounting department committed more than 30 percent of the frauds, and upper managers or executive-level employees committed slightly more than 20 percent.
High-level executives who commit fraud are not immune from detection and punishment. High-profile corporate scandals in publicly held companies, such as those involving Arthur Andersen and Enron, have emboldened federal, state and local prosecutors, and given law-enforcement officials more far-reaching powers. Since the adoption of the Sarbanes-Oxley Act of 2002 (SOX), the U.S. Department of Justice Corporate Fraud Task Force has secured more than 1,000 convictions or guilty pleas, including cases against more than 200 corporate chief executives, presidents and chief financial officers.

And judges aren't going easy on corporate crooks. Witness the lengthy sentences handed down in some highly publicized cases: Adelphia Communications Corp. founder John Rigas was sentenced to 15 years in prison; Tyco's chairman and CEO Dennis Kozlowski, 25 years; and WorldCom Inc. CEO Bernard Ebbers, 25 years.

Tips for stopping fraud

Detecting occupational fraud can be very difficult, even though fraud incidents often occur over many months. In the ACFE study, fraud incidents lasted a median of 18 months from inception to detection.

How can a small to midsized business uncover fraud? Confidential hotlines and other reporting mechanisms are the most effective fraud-detection tools. Tips are more likely to uncover fraud than other means, such as audits or internal controls. The importance of tips is especially evident in cases involving losses of $1 million or more. Tips exposed 44 percent of the million-dollar frauds in the ACFE study. That's more than twice the rate of detection by internal audits and three times the rate of detection by external audits.

Certain anti-fraud procedures can measurably affect an organization's bottom line. In the ACFE study, organizations with anonymous fraud hotlines suffered a median loss per fraud incident of $100,000, while organizations without hotlines lost a median of $200,000.
Similar reductions in fraud losses occurred in organizations that had internal audit departments, regularly performed surprise audits and conducted anti-fraud training for employees.

A different study, conducted by research firm Lord & Benoit LLC, surveyed the share-price performance of nearly 2,500 companies that follow the internal-controls rules contained in SOX. During the course of the two-year study, companies that employed the best fraud-control practices outperformed those with weak internal controls in terms of earnings. Additionally, the process of evaluating internal controls promoted earnings growth when the companies acted on any problems found, according to the study.

Fraud likely worse than numbers show

"Fraud, by its nature, is hidden, and so the true amount of fraud taking place in U.S. businesses at any one time cannot be calculated," says John Warren, ACFE general counsel. "Even attempts to measure the amount of fraud that has already been detected will lead to incomplete results."

Many fraud cases go unreported because the victim organizations do not recognize that they have been defrauded, choose not to report the crimes for fear of bad publicity or simply do not want to deal with the repercussions, Warren says.

"The one thing we do know for certain is that occupational fraud imposes tremendous costs on U.S. organizations," he says.

For more information, contact Beason & Nalley.

___________________________________________

Coffee Talk