The Real Value in Sarbanes-Oxley

Fear can be a powerful generator of upstanding conduct, say Stephen Wagner and Lee Dittmar. But business runs on discovering and creating value. In this month's Harvard Business Review, the co-authors discuss how smart companies are finding unexpected benefits in Sarbanes-Oxley compliance. Wagner, who is the managing partner of the U.S. Center for Corporate Governance at Deloitte & Touche, and Dittmar, who leads the enterprise governance consulting practice at Deloitte Consulting and co-leads its Sarbanes-Oxley practice, talked with Kathleen Melymuka about how your company can use compliance requirements to its advantage.

What were some of the big control gaps that early Sarbanes-Oxley compliance efforts uncovered?

WAGNER: One of the requirements of internal controls is maintenance of records in reasonable detail that reflect transactions. We found [that] in many instances, control documentation was way behind or didn't exist. A second issue was "tone at the top" -- the communication that comes out of the boardroom and the CEO suite that sets the stage for the organization, including how it deals with ethical standards. We found that there was often very little communication across organizations around the importance of maintaining good controls. In some cases we found duplication of control activities that created inefficiency and less-than-effective controls. Lastly, we ran into the notion of unnecessary complexity in the extreme. Many companies are far more complicated than they need to be. In the IT area in particular, there was duplication of systems, multiple instances of ERP -- one division of a company had 200 financial accounting systems.

DITTMAR: And organizations didn't know what their control programs consisted of. They knew they had them, but as one told me, it was "kind of tribal." There was no consistency in how they did it. We found uncontrolled access to systems that are important to maintaining the integrity of financial reporting. I got a call from a CIO who said, "I've got hundreds of systems and 700 to 800 people who have access all the way to the database level. How can I control that?" This is an extreme example, but it was pervasive. Systems were designed for speed, not for controls. There were also a lot of challenges around security and change management. When we asked about change management processes, many companies said, "Which ones? For this system or this system?"

You make a distinction between strengthening the "control environment" and strengthening "controls." Can you explain that difference and why it's important?

WAGNER: The control environment is the foundational platform on which control activities take place. It deals with more elusive, less tangible things: structure, ethics and basic training on responsibilities, documentation processes, that "tone at the top" element. It's largely driven by senior execs and the board. It has a lot to do with the integrity of the organization and what it stands for and the commitments it has made to ethical behavior. It doesn't get down to the level of individual controls; those are the specific activities meant to address specific control objectives.

How have Sarbanes-Oxley compliance efforts yielded dividends at some companies?

WAGNER: We look at the documentation of systems and policies and how things are done at companies, and the documentation serves as a baseline -- a framework. In its absence, it's hard to know what's going on and hard for employees to know what their responsibilities are. At many companies, the documentation -- job descriptions, responsibilities -- wasn't up to date, so it was hard to hold people accountable for specific standards of performance. By getting that up to date, they were able to execute basic business activities better, because while documentation serves a purpose in control, its primary purpose is as a written guide for people to follow. Without it, people are ad-libbing.

DITTMAR: Documentation requires a company to take a hard look at their end-to-end data, processes and systems. People get in silos and they don't know what happens in the next step. They do their job and throw it over the wall. Sarbanes-Oxley forced companies to look at business processes and say, "I wonder why I do that," or "I didn't know you did that two steps down the line."

You also mention a new mind-set among boards of directors, particularly audit committees.

WAGNER: Having been an audit partner all my life, I can say that while I always dealt with audit committees that took their responsibilities seriously, the extent of effort and digging prior to Sarbanes was substantially less than after. We use the term "engaged." Previously, they were paying attention, but they were not nearly as engaged as they are today. They ask different questions and bring a higher level of expertise than they used to. They ask how things will be resolved more than ever before. They want to understand all manner of material risk and what remedial actions are going to be undertaken. There's a keener interest in IT activity, which they shied away from in the past.

DITTMAR: Boards don't have enough insight into the importance of IT. Many don't have the resources on them to know which question to ask. For example, in mergers people talk about synergy or rationalizing IT systems, but few boards follow through on that.

Tell me about how some companies have leveraged Sarbanes-Oxley activities to facilitate other compliance tasks.

DITTMAR: This is a huge issue, because compliance initiatives are silos unto themselves. There are a lot of discrete compliance-management processes, and if there's an IT component, it's also stand-alone. People are now realizing that there's some commonality of good compliance programs regardless of whether they're in the environmental, financial or employment domain. There's a workflow -- setting up expectations, communication, monitoring -- that has a lot of commonality. If you can get to more commonality about how you structure compliance management and look at governance, risk management and compliance as related, you can better leverage IT assets to meet those needs. CIOs would love to have a comprehensive view of how IT can better support governance, risk and compliance and how to run IT to meet the business needs and compliance requirements. There was no one place to go but to the Open Compliance and Ethics Group. [OCEG.org] is creating a source for people to get basic information on leading practices to deal with this. Companies are just scratching the surface now about how to bring a more comprehensive approach so compliance becomes a byproduct of what they do.

Talk about how Sarbanes-Oxley efforts helped Manpower standardize its software development process.

WAGNER: Manpower's issue related specifically to change management processes for software development. A company like Manpower with an enormous payroll is vulnerable. Even the smallest of errors can have dramatic impact on the financial statement. But every piece of software was being dealt with in a unique fashion. By deploying a consistent way of addressing change management activity, they gain assurance they won't have problems in the future because something went wrong without a standardized process.

DITTMAR: Manpower is the example we quote, but you can plug in any large-company name. How often do companies make changes in systems? Every day. And many companies lack consistent policies, procedures and controls related to making changes in systems. Some of the best-known companies built on technology have this challenge.

Sarbanes-Oxley compliance can also help reduce post-M&A complexity. Tell me about that.

WAGNER: Over 10 years, Iron Mountain had acquired more than 150 companies. It had to digest 150-plus separate systems. That's not atypical of what happened during the go-go years. By doing that, you inherit a variety of different platforms that aren't necessarily complementary, so there's a high degree of risk of problems and high costs of operating separate systems. Sarbanes-Oxley has served as a catalyst to enable many companies to address this problem.

DITTMAR: We recently asked 385 large companies about the biggest barriers to turning data into information, and the number one answer was complexity of processes and systems.

You also write that Sarbanes-Oxley has helped companies better understand the risks and complexity that arise from outsourcing and other partnerships.

WAGNER: We live in a world of the extended enterprise. Companies have created a chain of dependencies where they may rely on an outsourced service provider to manage payroll, warehousing or other critical activities, and those third parties are also providing financial information. Where those situations arise, a company's internal controls extend to those third parties. Therefore they have a responsibility not only to evaluate the controls under their own roof but also to assess the controls of that third party. There are several ways to accomplish this. One is to go and evaluate those controls. Another is to use an SAS 70 [statement on auditing standards], by which the third party can contract an auditing firm to evaluate its controls, and that can be relied upon. Sarbanes-Oxley shined a bright light on these relationships and found many companies misunderstood the extent to which they are responsible for these extended controls. They were exposing themselves to risks they didn't fully understand.

DITTMAR: In IT outsourcing, Sarbanes-Oxley and the need for controls is a game-changer. It has to be explicitly addressed in service-level agreements. It affects all new deals, and many companies are reviewing their agreements to make sure this is adequately addressed. It's leading to pressure, because if you ask an outsourcer to do more, they want to charge you for it. The book is far from closed on this.

You write that Sarbanes-Oxley compliance has led to processes to minimize human error. How so?

WAGNER: In most companies, the preponderance of controls is performed manually. If you are able to take the human factor out, the risk of problems with controls greatly decreases. Automated controls are not subject to fatigue, absenteeism or distraction. But opportunities exist in many ERP systems for many automated controls that were never activated. Many organizations are having a second look at that and looking at the whole internal control program to see where they can automate.

DITTMAR: There's also a cost element. Probably only about 10% to 20% of controls are currently automated. By automating, companies can reduce the amount of testing, increase reliability, and improve information so they can identify problems before they become crises. We recently asked 2,000 people whether automation of controls was a part of their current efforts and plans, and 90% said yes.

It seems that a lot of these Sarbanes-Oxley benefits are the kinds of things that CIOs have been advocating for years, with mixed results.

DITTMAR: I agree. CIOs say, "Things would be better if we standardized on a particular application," and the business units say, "Sure, as long as everybody moves to mine." So this is an opportunity not just for CIOs to step up but to get various CXO stakeholders to understand all the elements -- people, process and technology -- because they all have to go together. The president of a very large technology company recently told me that compliance will be the single largest driver of IT priorities over the next decade. CIOs have a very important role to play, and even though they've been frustrated over the last decade, the impacts of IT are pervasive, and companies can't do this efficiently and effectively without properly leveraging technology. It's not enough to just write good policies and processes; you have to have technology to support it, or it won't be sustainable.

Copyright © 2006 IDG Communications, Inc.