Current Print Edition
August/September 2010
CMA Management is a dynamic business magazine designed to help senior management professionals make informed decisions and give them a strategic advantage. Published by CMA Canada, CMA Management is circulated to more than 35,000 CMAs and 10,000 CMA candidates and students. It is also available by subscription.
Sarbanes-Oxley in review

Despite challenging timelines and the introduction of new processes, the exercise of implementing Sarbanes-Oxley mandated controls was a useful one for many CMAs and their organizations. The lessons they learned can benefit others in the process of preparing for new Canadian regulations

By Robert Colman

Over the past year, many Canadian and U.S. firms completed their first year of compliance under the Sarbanes-Oxley Act (SOX). One of the greatest challenges was the implementation of internal control reporting provisions outlined in Section 404 of the act. As many Canadian companies prepare for compliance under Multilateral Instrument 52-111 Reporting on Internal Control over Financial Reporting, it seemed an ideal time to speak with a number of individuals who were involved in the SOX process first-hand. The lessons these individuals, and their companies, came away with should offer others a guide to what to expect from the implementation process.

Pushing ahead with change

Brad Witt, CMA, joined Dow Chemical’s Corporate Treasury department in Midland, Michigan in 2004. He joined a department that, as he describes it, was in the process of “synchronizing its efforts with the rest of the organization regarding SOX requirements. My role was created to ensure that Dow Treasury was practising state-of-the-art internal controls globally, and at the same time, have a representative at the table to support the larger Dow SOX team.”

While Corporate Treasury was making progress, the whole company was working to keep up with SOX demands that remained poorly defined. “The SOX process demands a lot of documentation, but initially there wasn’t a lot of direction given from legislators or auditors, who were learning at the same time — they didn’t have enough information either,” says Witt. “As the auditors learned more, the rules kept changing.

“Dow’s approach was to push ahead based on what made sense and then adjust as we learned more from the auditors,” he continues. “We used software provided to us by the auditors to perform self-assessments within different work processes across the corporation. In Treasury, we initially took a shotgun approach, documenting all controls and testing everything globally, down to a very specific level. We started documenting all work processes such as risk management, funding activities, financial operations and planning (cash flow, coordinating risk units, etc.). Everything had to be analyzed and we had to define what controls were there, and test those controls to demonstrate that they were truly in place and working. The software we used helped us manage that process.”

While all of this was effective, it meant testing in countries all over the world. “Now, we have worked the process down so that we have four central locations in the world that we can test from, and that gives us the information we really require,” says Witt. “Even that should eventually become more finely tuned. For Treasury and the rest of the organization, we want to fine-tune the process and focus on the key controls versus trying to test everything.” All of these efforts resulted in a 2004 favourable audit opinion from the external auditors on the effectiveness of the company’s internal controls. 

Witt hopes that, with this effort on internal control, Treasury’s global work processes will continue to evolve and become as efficient and effective as possible. “This is a great time for change because even people at the work process level have come to understand the changes required by SOX legislation,” explains Witt. “It’s easier to get people to buy into the process changes in this SOX environment.”

Now that all of the systems are operational, and the department is transitioning to a new and more effective externally purchased IT setup, it’s possible to take the assertions further. “Regarding control activities, we have to ask ourselves, does what we do make sense? The knowledge we’ve gathered from the process allows us to leverage our new IT system’s value.”

Not only has the company benefited from the process, but Witt has too. “I learned all about the COSO framework, something I had no direct knowledge of before,” he says. “And I’ve come to understand better how treasury work processes operate globally — there were many opportunities to standardize across geographies and to gain efficiencies. There’s also an added benefit down the road as Dow moves people among geographies — people can easily transition into new roles as they recognize the same processes wherever they are.”

Witt has just left the company and is returning to Canada to take advantage of a new opportunity near Toronto.

Key controls at Inco

Dorothy Cayen, CMA, vice-president, finance, is responsible for financial operations at Inco’s Canadian & U.K. Operations. Inco completed its first year of SOX implementation in February 2005. “The workload was tremendous,” she notes. “It involved a lot of overtime but it paid off. We were successful early adopters.”

Cayen notes that she, and the whole company, learned a lot from the process. “We found that our documentation on procedures wasn’t everything it could be,” she says. “We documented and flow-charted our major financial processes. Now, all of that information is in one location and all of our key controls have been identified.

“We had a lot of long-standing employees, and a fair amount of information was residing with them. We had many of our work practices in place but didn’t have the same rigour around the review confirmation process. For example, account reconciliations were reviewed by our supervisors but some weren’t officially signed off — as part of the SOX requirements, they now are.”

Cayen stressed the importance of adopting the COSO framework for the company’s SOX implementation, to get a sense of “who we were in the organization, and how we were seen by our employees. It made it possible for the auditors to survey many employees throughout the organization and get a sense of the tone at the top. Other areas covered by this survey included commitment to employee performance, management philosophy and operating style, and attitude towards reliability of financial reporting. Because of regular changes in our industry, every time someone retired, work was streamlined but job descriptions weren’t necessarily altered. COSO helped us to refocus this aspect of the business whereby role descriptions were refreshed and accountabilities were clearly identified.”

The work wasn’t without hurdles. Timelines were aggressive, and communication among managers was critical. “We had SOX representatives in every department, making sure that everyone knew what was expected of implementation. It was a challenge to dedicate individuals full-time to the SOX work when our employees were already fully engaged in their normal duties and our organization was already fairly streamlined.”

The company understood from an early stage that some external support would be necessary. “We brought KPMG in, and they were able to dedicate a good-sized team to working with us. They helped us examine best practices, understand the requirements and what key controls we should be looking at. We targeted seven of our major financial processes, which essentially covered the scope of our SOX work. We reviewed and documented all of these processes and tested all of our key internal controls. A number of recommendations were made that added value and that we are still working through.”

When asked what was most important in the implementation, Cayen stressed senior level support, a dedicated central team, and effective software support. “Scott Hand, our chairman and CEO, really championed the cause right from the get-go. He launched a steering committee, and insisted we’d be successful. Throughout the process, our dedicated central team was essential. Communication was also critical on an international level — we used conference calls to share and learn from one another.

“The software we used is called CARD, and it helped us monitor our list of outstanding work to achieve our SOX pass — this documentation was critical,” says Cayen.

Inco is currently working on growing SOX specialists internally, creating experts focused in functional rather than geographic areas. The company is looking towards greater standardization and streamlining worldwide. “We have more than 10,000 employees worldwide. We don’t want to re-invent the wheel at every location.”

Celebrating the success of the first SOX implementation was also critical for the company. When Inco got its first pass, there were celebrations at every location worldwide to recognize the work everyone had done. “We want to make sure our SOX pass is sustainable year on year and that everyone understands the importance of key controls. Everyone worked very hard to see that this became a reality and we wanted to acknowledge that.”

Team buy-in

Joey Rogers, CMA, SOX certification manager for Tembec Inc., of North Bay, Ont., is managing the SOX compliance effort. “As a fully integrated forest products company with 10,000 employees and 58 sites worldwide, it has been a complex and intense process to manage,” he notes. “We’ve done the scoping phase, documentation phase and identified key processes and controls. We’re now gearing up for testing, which will involve remediation and fine tuning of our controls. We are also in the midst of implementing a new SOX compliance system called Apian to manage the documentation, testing and eventually workflow, and want to make sure we get it right.”

As many other companies have found, Tembec felt it necessary to call in external support. “The sheer magnitude of the work requires full-time dedicated resources, especially for documentation and testing,” says Rogers. “As an insider, it’s easy to miss control weaknesses as you have close ties with the environment and at the same time are trying to clearly understand the SOX requirements — while also balancing the operational issues and the necessity for SOX compliance.”

This has been a give-and-take, of course, as auditors are just getting a handle on the processes as well. “Our audit firm has come to us in the past, asking us about how we’re handling certain issues, so it’s a learning process for all of us.” Finding effective external resources has been a challenge for this reason. Tembec actually hired U.S. consultants for some of its work.

The company has also used the COSO framework as a basis for its implementation, and is already seeing potential benefits. “Because we’ve grown so much through acquisitions, seeing similarities across business units isn’t always easy, but we’re starting to see how some of our mills are similar, and through this are finding better practices and controls for certain mills — ultimately we’re establishing more efficient processes. We estimate that it will take us about 30,000 hours to be fully compliant with SOX — over the next six months as many as 30 external people will be working with us conducting SOX testing. Others, of course, are using even more resources, internally and externally.”

Rogers believes one of the biggest challenges is aligning the organization to meeting the goals of SOX. “It’s very important to communicate with everyone and make sure that SOX is embraced and understood as an operational issue, not strictly a financial issue. In order for the program to be successful they need to be managed together.” In terms of managing the project, “it’s a challenge making sure that everything is being addressed, completed and at the same time ensuring compliance with SOX requirements. We have as many as 20,000 key controls across our company, and each of these has to be carefully documented, validated and tested.”

Clear purpose

Lynda Kitamura, CMA, VP of finance and administration, and CFO of HP Canada, stresses her organization’s global approach to SOX implementation, and the importance of focused leadership.

“As a multinational based in California, HP has to make sure that all of its business interests are SOX compliant,” she says. “For an $86 billion company with representation in 170 countries, there has to be an efficient coordination of any new program, and effective leadership throughout the process.”

The process is really all about focus, says Kitamura. “You have to think, ‘what do we have to deliver, what are our core processes, what needs to be validated?’ For instance, the financial close process is standard right across the board but order management systems may vary from country to country. Any process that has a financial impact has to be assessed — all business controls and processes that have a financial impact on the firm.

“SOX is just a basically good thing to do when you think about it — you ensure you understand your core processes, your key controls and whether those controls stand up to rigorous testing.”

Kitamura believes that any department that is relatively well managed shouldn’t have a difficult time with the process. “Departments that struggle are probably not run the best... or run more on reactive gut-feel rather than proactive methodology,” she notes. “If you have 57 key control points for a function, you don’t know what your key control points are. Complying with SOX can also be painful if you don’t know what your core processes are. In our case, SOX activity helped to crystallize and articulate what we already had in place. Preparing for our year-end was a lot of work but it wasn’t painful.”

The biggest challenge was getting the priority commitment from non-financial departments, notes Kitamura. “There are a lot of different groups involved. All impacting functions need SOX compliance as part of their plans and metrics. Not satisfying the standards of SOX can affect a company’s position in the market; it’s essential that the buy-in is there.”

IT support is an important piece of the puzzle for any organization but the challenge of managing reports from around the globe makes it particularly critical for multinationals. The process controls at HP are based on the COSO framework and use a globally-led program and system.

“HP leveraged data warehouse capability to have a single tracking repository worldwide which was essential for the coordination of our processes,” she notes. “It gives us a standard format around the globe. The system is linked to approval authorization protocols. A process is approved first at the country level, the regional level and also the corporate level. An important part of coordinating this implementation was having a program office with a communications structure that allows us to flow information quickly and effectively, so that we can go through iterations with audit and cascade up or down through the system real time. The process can be pretty dynamic.”

Kitamura is blunt when asked for recommendations for others implementing control architectures. “If you’ve got a great blueprint, it’s going to go well. If you only have a couple of people working on the project and they’re the only ones measured on the project, they’ll have a tough time succeeding. You have to find a framework that works for you. Step back, look at the total picture — what, as an organization, are you trying to accomplish? When you distill your focus in that way and pull together an operating plan based on clear business principles, you can implement business controls effectively and efficiently.”

Time to act

Darren Jones, CMA, associate director of technology risk at Protiviti, believes that Canadian companies can learn a lot from SOX implementations here and abroad. “I have a couple of clients who don’t even have to comply with Canadian initiatives until 2009 but they are looking at the U.S. picture, taking it under advisement and being proactive,” he notes.

But he has also talked to companies that need to comply with SOX by June 2006 and are just getting their documentation together now. “That’s a fundamental error in project management,” he says. “You must try to avoid having anything on a critical path for too long, so that you can build contingencies into your plans. This company basically has to just hope that nothing goes wrong.”

Jones insists that it just makes sense to start working on these initiatives now.

“We’re looking at 2007 compliance right now, and those who need to comply in 2007 should be looking at overall internal controls over financial planning. Companies must be able to evaluate those financial controls — they must have that level of understanding, and some documentation outlining key and secondary controls. Companies want to be able to complete Instrument 52-109 with a higher degree of comfort, really understand the level of design effectiveness of their controls because this will be necessary for the auditor in complying with Instrument 52-111. An organization that goes into 2006 with some degree of clarity of internal controls will be in good shape for the testing phase of 52-111.” 

Design effectiveness simply means determining whether the control is appropriate for the risk: it is necessary to understand which risks could affect the completeness and accuracy of financial information, and whether the controls applied actually address those risks. From there, the next step in assessing controls relates to their operating effectiveness: seeing whether the control under examination is actually being applied as intended, consistently, by the people it is assigned to. It’s not as straightforward as it might look, insists Jones.

“A lot of times, organizations will get into something, think they understand the environment, and will then see that there are things that trouble them. Often enough, they believe that a Band-Aid solution will solve the problem. This can lead to further troubles.”

One of the positive lessons that Jones has seen from working with clients is that IT expenses aren’t as high as companies initially believe they will be. With some fine tuning, existing enterprise resource planning (ERP) systems can assist in the management of controls and the enforcement of segregation of duties.

“Many companies are not using automated controls as much as they should, which means that unnecessary manual work is being carried out,” he notes. “Automated controls can take as much as 75% to operate as manual processes.”
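The two ideas in the passages above, the distinction between design and operating effectiveness and Jones’s point that automated controls in an existing system can replace manual testing, are easier to see in code. The following is an added example written for this page; it is not code from the article, from Protiviti, or from any of the companies interviewed. It encodes one designed control (a segregation-of-duties matrix over ERP privileges) and one operating-effectiveness test (every account reconciliation is signed off by a reviewer other than the preparer within a fixed number of days, the control Inco describes above). The privilege names, the conflict matrix, the account names and the user records are all constructed assumptions chosen to exercise each failure branch; a real implementation would read role assignments and reconciliation sign-offs from the ERP instead.

```python
"""Automated control tests over constructed sample data (not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative segregation-of-duties (SoD) matrix: privilege pairs a single
# user must not hold at the same time. The privilege names are assumptions
# for this example, not identifiers from any real ERP product.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
    frozenset({"payroll.edit", "payroll.approve"}),
}


def sod_conflicts(user_privileges: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Design-level control: flag users whose combined privileges violate the matrix.

    Returns {user: [(priv_a, priv_b), ...]} for offending users only; each pair
    is sorted so the result does not depend on set iteration order.
    """
    findings: dict[str, list[tuple[str, str]]] = {}
    for user, privs in user_privileges.items():
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= privs]
        if hits:
            findings[user] = sorted(hits)
    return findings


@dataclass(frozen=True)
class Reconciliation:
    """One period-end account reconciliation and its review evidence."""
    account: str
    period_end: date
    prepared_by: str
    reviewed_by: Optional[str]
    reviewed_on: Optional[date]


def reconciliation_exceptions(recs: list[Reconciliation], max_review_days: int = 10) -> list[tuple[str, str]]:
    """Operating-effectiveness test for the reconciliation review control.

    The control as designed: every reconciliation is signed off by someone
    other than the preparer within max_review_days of period end. Each record
    that fails is returned as an exception for the tester to follow up.
    """
    exceptions: list[tuple[str, str]] = []
    for r in recs:
        if r.reviewed_by is None or r.reviewed_on is None:
            exceptions.append((r.account, "no sign-off recorded"))
        elif r.reviewed_by == r.prepared_by:
            exceptions.append((r.account, "self-review: reviewer is the preparer"))
        elif (r.reviewed_on - r.period_end).days > max_review_days:
            exceptions.append((r.account, "review outside sign-off window"))
    return exceptions


# Constructed sample data (assumed users, privileges and accounts).
SAMPLE_PRIVILEGES = {
    "alice": {"vendor.create", "vendor.edit"},
    "bob": {"vendor.create", "payment.approve"},          # can create and pay a vendor alone
    "carol": {"journal.post", "journal.approve", "payroll.edit"},
    "dave": {"payroll.approve"},
}

SAMPLE_RECONCILIATIONS = [
    Reconciliation("1000 Cash", date(2005, 1, 31), "erin", "frank", date(2005, 2, 5)),
    Reconciliation("1200 Receivables", date(2005, 1, 31), "erin", None, None),
    Reconciliation("2000 Payables", date(2005, 1, 31), "frank", "frank", date(2005, 2, 3)),
    Reconciliation("1500 Inventory", date(2005, 1, 31), "gina", "frank", date(2005, 2, 20)),
]


def run_checks() -> tuple[dict, list]:
    """Run both automated tests over the sample data and return the findings."""
    return sod_conflicts(SAMPLE_PRIVILEGES), reconciliation_exceptions(SAMPLE_RECONCILIATIONS)


if __name__ == "__main__":
    sod, recon = run_checks()
    for user, pairs in sod.items():
        print(f"SoD conflict: {user} holds {pairs}")
    for account, reason in recon:
        print(f"Reconciliation exception: {account}: {reason}")
```

The SoD matrix is the design-effectiveness question (is this the right rule for the risk of a fabricated vendor being paid?); the reconciliation test is the operating-effectiveness question (is the sign-off control actually performed, by the right person, on time?). Both run against data the ERP already holds, which is the sense in which automated controls cut the manual testing workload.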

Robert Colman is editor-in-chief of CMA Management.

Top 5 tips for managing regulatory change

  1. Secure top-down support. Strong support at the top keeps any initiative on the right track.
  2. Organize a dedicated team. Many companies we talked to benefited from having staff dedicated specifically to SOX implementation. Having a core group to address specific issues makes the process run more smoothly. Questions can be managed efficiently and effectively. 
  3. Get back to basics. Make sure you understand your core business. It sounds straightforward but day-to-day work can move your focus away from the true purpose of the work you do. With a clear understanding of what the business is there to accomplish, the key processes will be easier to crystallize. 
  4. Use IT effectively. It may not be necessary to get a new data warehousing system to manage your implementation but IT should be used as effectively as possible to make the reporting process simpler. Progress is easier to chart this way, and it also makes audit reviews simpler to manage. Good IT implementation will save you time. 
  5. Get external support. It’s hard to dedicate mission-critical staff full-time to this sort of implementation process. Don’t shy away from hiring experts to lend a hand.
