If you qualify as a non-accelerated filer (i.e., your company’s public float is under $75 million), you’ll have to start complying with Section 404(b) of SOX, which requires company management and independent auditors to sign off on, or attest to, the effectiveness of your risk control framework or accounting policies and procedures for internal control.  Are your processes protecting you from the risk of material misstatements (RMM)?

Sarbanes Oxley Compliance Costs Too High?

When it was first enacted, the Sarbanes-Oxley Act (SOX) did not apply to non-accelerated filers because it was believed SOX compliance costs would be too high.  Several delays and extensions have been given to non-accelerated filers because the Office of Economic Analysis (OEA), which advises the SEC, needed to complete a study on SOX compliance costs. The study was completed in September, 2009, and was quickly followed by the announcement (on October 2) of the June 15th compliance deadline.

It didn’t surprise anyone when the OEA study showed that SOX compliance costs increase with company size; the study also confirmed that annual compliance costs decrease over time and that, overall, compliance costs have decreased since 2007.  In other words, while larger companies achieving SOX compliance had higher costs overall, there are fixed SOX compliance costs that impact all organizations, regardless of size, and companies have gotten smarter on how to implement Sarbanes-Oxley.

How Do You Control Sarbanes-Oxley Compliance Costs?

There are three major factors that drive up the cost of complying with SOX: cost of scale; cost of review; and cost of improvement.  The more control you have over all three of these, the lower your costs to implement Sarbanes-Oxley compliance will be.

Sarbanes-Oxley Cost of Scale

Why do larger companies incur higher overall compliance costs?  Because of the sheer size — scale – of their operations!  More operating locations, more employees, and more processes means more time and people needed to review accounting policies, procedures, and internal controls.  There is no easy answer to the question of scale: larger size translates into more risk management, internal controls, and accounting processes.

You can reduce the scope of SOX compliance by addressing the greatest risks first (note that PCAOB Auditing Standard #5 was developed for this purpose).  Don’t try to address all risks at once — this is what drives up compliance costs.  But, which risks do you address first?  Determine a threshold, or cutoff, for risk materiality, then decide which risks are most material to your company.

Remember — this is an ongoing process of improving your SOX compliance, not a one-time SOX compliance event.  Next year, you can (and probably should) lower the threshold and address your “second-tier” risks, and continue to annually adjust your threshold until you are comfortable.  Management decides on the internal controls needed to cover the identified risks.

Also, if you decide wrong and set your risk threshold too low or too high, you’ve identified a material weakness in your risk control framework.  You think you’ve exposed a flaw in your system, but consider that your system is also about continual improvement.  The only flaw is failing to improve: work on improving your internal controls – adjust your risk threshold – and you can demonstrate that you have a SOX-compliant system.

Sarbanes-Oxley Cost of Review

The cost of review represents the Check and Act phases of the Plan-Do-Check-Act (PDCA) process approach.  All companies needing to comply with SOX have to have some form of review process that tests accounting’s internal controls and gives management the confidence to attest to the validity of the company’s financial statements.

Internal audits, management reviews, management and auditor attestation, and board oversight are fixed costs of Sarbanes-Oxley compliance.  Every company has to operationally demonstrate to top management that internal controls are in place and are working.  Larger companies have to spend more, of course, but every company must spend a minimum amount for basic compliance.

As with the cost of scale, you can reduce the scope of SOX compliance by addressing the largest risks first in your audit plan.  You don’t have to audit every accounting process every year.  Start with the accounting processes that have the greatest impact — those that pose the greatest risk of material misstatement if they don’t work.  Review past audit opinions, your compliance plan, and your definition of materiality and adjust your audit plan to deal with the greatest risks.

Management decides on the internal controls and testing needed to ensure that the identified risks are controlled.  If you find that your audit plan hasn’t addressed the right risks, you adjust the plan.  Again, lessons learned — and implemented — show that your system is driving improvement and is, therefore, Sarbanes-Oxley-compliant.

Sarbanes-Oxley Cost of Improvement

The cost of improvement comes under the “Plan” and “Do” phases of the PDCA process.  Sarbanes-Oxley compliance starts with a compliance plan, one that identifies the risks you need to control.  Your compliance plan is the foundation of your risk control framework.  With a sound compliance plan in place, management can make better decisions regarding internal controls, such as implementing accounting policies and procedures that reduce or eliminate the risk of material financial misstatement.

Developing accounting policies and procedures is the “Do” in “Plan-Do-Check-Act”.  Your risk control framework identifies individual risks (e.g., the chance a receivable is not collected on time). Your accounting policies (e.g., collect accounts receivable within 30 days) and procedures (daily A/R aging reports, phone calls, collection letters, etc.) are forms of internal control that demonstrate your compliance with Section 404 of SOX.

Are your accounting policies and procedures for compliance, or control?  Well, control comes before compliance, but many companies have confused the two and wasted a lot of time and money.  You can reduce the scope of SOX compliance by controlling your greatest risks first with your accounting policies and procedures.

You don’t have to write a policy or procedure for every accounting process at once.  Once again, start with the accounting processes that, if they don’t work, pose the greatest risk of material financial misstatement.  Review audit opinions, your compliance plan, and your definition of materiality, then develop and implement the accounting policies and procedures that address your greatest risks first.

Management makes the final determination of which accounting policies and procedures are needed.  If you develop cash policies and procedures that do not (adequately) control the identified risks, you have a material weakness.  Improve your accounting procedures for internal control and you demonstrate Sarbanes-Oxley compliance.

Bizmanualz Accounting Policies and Procedures Reduce Sarbanes-Oxley Compliance Costs

Sample accounting policies and procedures serve as a model, or framework, for your own accounting policies and procedures.  The CFO Accounting Policies and Procedures Manuals set contains 239 procedures you can use to address the ten accounting cycles.

SEC Chief Mary Schapiro recently stated that “there will be no further Commission extensions.  It is important for all public companies – and their auditors – to act with deliberate speed to move toward full Section 404 compliance.”  Although legislation has recently been introduced to permanently exempt non-accelerated filers from Sarbanes-Oxley Section 404(b) compliance, there’s no guarantee that Congress will act or that the public won’t demand better information and you won’t need to comply with 404.  Besides, having an effective system of internal controls makes good business sense.

Using prewritten procedures will save you hundreds — possibly thousands — of hours in researching, writing, and implementing accounting policies, procedures, and internal control for Section 404 compliance.  Save even more time implementing additional internal controls for sales and marketing, security, disaster recovery, and ISO 9001 compliance using the CEO Company Policies and Procedures Manuals.  Download free samples of our procedures and judge for yourself.

Static versus Dynamic Systems

When I was studying engineering in college we had to take many different classes in control.  The simplest ones to talk about are the mechanical versions of static systems and dynamic systems.  Static systems are those that don’t change over time like a bridge or a flag pole.  You had to figure the forces on these systems and calculate the stress, tension, torque, etc.  I found statics pretty straightforward.

Next came dynamic systems, which are static systems that can (as a result of other forces) change over time like a suspension bridge that sways in the wind.  Things got tricky, fast.  We had to use fancy calculus like differential equations to solve the problem.  Why (you might ask)?

The thing about static systems is that you have no feedback.  So the static equation is drawn with the forces in balance and feedback set to zero.  With no feedback the problem is easy or relatively easy using basic calculus.  In contrast, dynamic systems have feedback.  The wind pushes on the bridge and the bridge pushes back (basic physics: a force is met with an equal but opposite force).  This “pushing back” starts the feedback, but feedback can also produce feedback loops, which means the bridge begins to oscillate as it rocks back and forth in the wind.

You see the wind is not a constant force, its velocity changes over time.  So this is a complex situation that becomes difficult to solve.  If we fail to produce the right answer, the bridge could fall apart in the wind (it has happened).  Positive feedback loops amplify the signal and can cause such destruction (i.e. a vicious cycle) whereas negative feedback loops reduce the signal and result in… control.

So when you design your procedures, are you designing in positive feedback loops that amplify your output and lead to the destruction of your process or are you designing in negative feedback loops that result in the control you are looking for?

Static versus Dynamic Control

Funny, we have to take into account the dynamic nature of a bridge before we built it but do you take into account the dynamics of a business process when you capture it in your knowledge management system?

Business policies and procedures are not static.  They involve people that provide feedback; they involve customers, suppliers, and management that all provide feedback. So how do you integrate this natural feedback into your procedure?  Start by planning for it.  Plan for both positive and negative feedback but most importantly harvest the negative feedback.

Planning for feedback means data, scoreboards, process reviews, process audits, management reviews, customer and supplier surveys, discussions, interviews, comments, and most of all collaboration.  We need to design collaboration into business procedures to allow for the natural feedback process to occur.  Just like building a bridge requires us to understand the forces at work BEFORE we build the bridge, so it is with building business policies and procedures.

Compliance and Control

Can you really have compliance without control?  You can check the box that a business procedures exists but a procedure requirement is not about existence it is about deployment and usage.  There is a reason for every requirement.  The standards we talk about (ISO 9000, Sarbanes Oxley, GMPs) are all about reducing risks or reducing risks using negative feedback right?  The next time you have to write business procedures think about how you can introduce negative feedback to obtain the control that the standards are really asking for.

The Accounting Department is an area where policies and procedures are usually a requirement, because they are considered part of the internal controls noted in Sarbanes-Oxley. The real question is: What approach are you taking to developing accounting policies and procedures? Are you just doing the minimum, or are you developing accounting policies and procedures in a way that will truly help your organization?

What Should be in Your Accounting Manual?

Most accounting manuals are just a set of procedures. But an accounting manual can play a bigger role in defining the operations of the accounting department. For example, the accounting manual should list responsibilities and describe accounting processes.

Read more about what your Accounting Manual should include…

Are Your Accounting Policies Providing Internal Control?

What is the difference between a well-conceived and well-written accounting policy and a poorly conceived and poorly written accounting policy? Of course, the needs of every organization are different, and the most important element of an accounting policy is that it helps the organization.

Read more about Accounting Policies and Internal Control…

Are Your Accounting Procedures Driving Improvement and Internal Control?

We know from COSO and Sarbanes Oxley compliance that accounting procedures are an important element of internal control. Organizations spend a lot of effort to produce an accounting manual containing accounting policies and procedures. So, if you are going to produce an accounting manual with accounting policies and accounting procedures, how can you make the most of the effort you put into them?

Read more about how Accounting Procedures drive improvement and Internal Control

On That Note:

Answer to this month’s question:

Rule-based “ballistic” procedures may meet the basic requirements for internal control. However, if you must take the time and effort to develop and maintain accounting policies and accounting procedures, why not make the small additional effort to build continual improvement into your accounting processes. Incorporate measurement and review into the accounting processes in order to see if important organization goals are being met. While some might see internal control as a set of rules, real control is awareness of how well accounting processes are operating and what improvements need to be made to meet goals and objectives.

Please feel free to contact us with any questions or comments. Also, please let us know if you’d like any specific topic addressed in our future articles.

Regards,

Chris

Bizmanualz

The Typical Accounting Manual

When exploring accounting manuals on-line you can see the table of contents and perhaps samples from accounting manuals available for purchase, and you can also see actual accounting manuals developed by public entities like universities and state/local governments. No matter where you find a sample accounting manual, they seem to have a lot in common.

Almost all of these accounting manuals are a set of accounting procedures that provide rules and guidance for various accounting functions and operations like petty cash. They typically employ what we could call the “Thou Shalt” approach. Sometimes they provide particular information like cost center account codes. At times these accounting procedures do an adequate job of describing the accounting process, and other times they read more like a list of accounting rules.

In almost every case, the accounting procedures have a ballistic approach, meaning that the accounting procedures may list the accounting steps to be carried out in the process, but rarely are any criteria established that would indicate whether the process is being carried out effectively and fulfilling organizational goals.

A Managerial Accounting Approach

Does an accounting manual that just consists of a set of accounting policies meet your needs as the accounting manager? What information do you need to establish and convey in your accounting department? If one reason you need an accounting manual is Sarbanes-Oxley compliance, then it is hard to see how a set of ballistic accounting procedures provides the internal control required by SOX Section 404. Plus, it is particularly difficult to see how a set of ballistic procedures can help management assess the effectiveness of the internal control system as required by SOX Section 302.

A different approach would be to include additional materials besides accounting procedures in the accounting manual. As an accounting manager you may want the level of consistency that “Thou Shalt” style accounting procedures provide, but that doesn’t need to be the entire content of the accounting manual.

Selecting an Accounting Manual Approach

In a recent article we talked about using risk management to create internal control systems. An accounting manual is one place you could begin to assess accounting risks by defining core accounting processes and the interaction between processes (i.e. inputs and outputs). With core processes identified, risk assessment can be applied by addressing what could go wrong, along with the likelihood and materiality of these risks.

Another approach to creating an accounting manual is to follow an ISO 9001 approach. While often associated with manufacturing and production, ISO 9001 is really an approach to creating effective management systems that can be universally applied. Using an ISO process approach, the accounting manual would include information on organization structure (your org chart), designated responsibilities of management and staff members, as well as identifying core accounting processes and their interaction. Also, following the ISO example, accounting procedures would employ the PLAN-DO-CHECK-ACT approach to processes (as opposed to the ballistic process approach of simply writing down the rules).

A Different Approach to Accounting Manuals

The Bizmanualz Accounting Policies, Procedures & Forms takes a hybrid approach that combines elements of risk management along with elements of an ISO style quality management system. The Accounting Manual section is completely separate from the included accounting procedures. The Accounting Manual includes information such as the following:

• Detailed descriptions of scope and purpose
• Typical accounting organization structures
• Establishes core accounting processes and the interaction of sub-processes (that constitute the core processes)
• A list of accounting policies
• The accounting resources required

Listing all accounting policies in one place (as well as in applicable accounting procedures) allows accounting managers, controllers and department leaders to recognize where policies align and where there are inconsistencies and conflicts between policies that require resolution.

The procedure sections in Bizmanualz Accounting Policies, Procedures & Forms are divided into the core accounting cycles (processes):

• General and Administrative cycle
• Cash cycle
• Inventory and Asset cycle
• Revenue cycle
• Purchasing cycle

Each section includes 5-10 procedures documenting in detail the sub-processes that constitute these core accounting cycles.

A set of ballistic accounting procedures may not meet your long term organizational needs for an accounting manual. There are alternatives to the ballistic approach but before you decide what goes into your accounting manual, decide why you need an accounting manual in the first place. Then deciding what goes in your accounting manual becomes much easier. Let us know your thoughts and comments about what you need or would like to see in your accounting manual.

To learn more about Bizmanualz Accounting Procedures go to http://www.bizmanualz.com/accounting/ and check out the Accounting Policies and Procedures Manual or sign up for the Bizmanualz Newsletter and download a free sample accounting procedure right now.

The internal controls requirement in Sarbanes-Oxley Section 404 has created the most uncertainty and distress in businesses. Frequently those of us involved in office processes are not accustomed to having our work planned and verified to the degree that is common on most factory floors. Creating and implementing an internal control system does not have to be a daunting task. Start small and build it slowly – layer by layer.

How Demanding Is Sarbanes-Oxley (SOX) Compliance?

To a degree, the confusion over SOX seems inordinate in relation to the complexity of the regulation. Actually, compared to the intricacy of other regulations enforced by the Securities and Exchange Commission (SEC), Sarbanes-Oxley compliance is relatively straightforward. It is somewhat hard to understand why there is so much misunderstanding about Sarbanes-Oxley, so let’s review the basics.

Read more about Sarbanes-Oxley Compliance…

Can Risk Management Build Internal Controls?

Using risk management techniques is an important component in creating the internal controls required for compliance with Sarbanes-Oxley (SOX) Section 404.  Risk management includes all the activities associated with identifying and reducing risk, as well as coping with negative events should they occur.  Identifying risks and creating systems and safeguards to ameliorate them is one way to create a basic internal control system.

Read more about risk management and internal controls…

How to Develop Accounting Procedures for Internal Control

When you hear the phrase “internal control system required by Sarbanes-Oxley (SOX) Section 404,” do you automatically think of policies and procedures?  Simply having Accounting policies and procedures does not indicate an internal control system.  Well-written procedures that document well-defined processes, however, are an important component of the internal control system you are building.

Read more about the role of accounting procedures…

On That Note;

Answer to this month’s question:  While internal controls is a rich topic with several levels of meaning and connotation, the most important premise behind internal controls is understanding your processes and knowing if they are effective (achieving what they should achieve).  This can apply to the office (accounting, sales & marketing) as well as the factory floor.  Frequently, internal processes run continually without check and metrics that provide information on effectiveness.  Processes that are not monitored and adjusted to ensure effectiveness are not in control.

Please feel free to contact us with any questions or comments. Also, please let us know if you’d like any specific topic addressed in our future articles.

Regards,

Chris

Bizmanualz

In recent weeks we have covered general Sarbanes-Oxley compliance as well as how using risk management techniques can provide a baseline for starting an internal control system required by SOX Section 404.  This week let’s continue the discussion by talking about writing accounting procedures.

Accounting Procedures Should Document Important Processes

The decision to write an accounting procedure to document a process should not be taken lightly.  Once your accounting processes are documented in an accounting procedure there is a commitment by the organization, the accounting department, and its members to execute the process in a consistent manner each and every time.

In many cases, however, this is exactly what the organization wants and needs – a high level of consistency in key financial processes, as well as a certain level of planning in how accounting processes should work.  When written and implemented correctly, your accounting procedures should provide this level of internal control.  While creating the accounting procedure each accounting process should be reviewed reflectively.  Decisions can be made by accounting managers and process-owners about how key financial activities should be carried out, and what goals, checks, and measures should be part of the accounting process.

When it comes to internal controls required for Sarbanes-Oxley compliance, accounting procedures that meet these criteria (documenting key process steps and checks/metrics) are an important part of your accounting internal control system.  Creating the accounting procedure, however, is only the beginning. 

The accounting process and its associated procedure must be communicated to all affected parties through training, meetings or other types of communication or events.  Then, regular internal audits are needed to ensure that personnel are aware of the accounting procedure and the process requirements that it documents. Writing accounting procedures without the necessary awareness and follow-up is counter productive.

This is why the decision to write an accounting procedure is an important one.  Hastily cranking out accounting procedures without properly defining and understanding your accounting processes or without the proper follow-up (training, audits) is actually a detriment to your accounting internal control system.  Using a casual approach to creating accounting  process documents increases the chance of not capturing key aspects of the process, associated financial risks, or needed internal controls/metrics.  That is the opposite of the control that SOX intended to encourage.

Writing Accounting Internal Control Procedures for Compliance

There are several important keys to writing useful accounting internal control procedures for the Accounting Department or any department.  We have already talked about one: take time to do the necessary research and gather the appropriate information to ensure that your accounting procedure properly captures the goals and key attributes of the accounting process.  Other important elements to keep in mind include:

Keep It Simple – Accounting procedures should document the overall process being executed.  It is not necessary to document every single detail of every single action.  That information belongs in accounting work instructions or training materials.  Including minutia and too many details leads to an overly long and confusing accounting document, which ensures that your accounting procedure will be neither used nor followed.

Use More Than Text - Why create accounting procedures that rely solely on text?  Graphics can illustrate accounting process flow, inputs/outputs, and important relationships or risks.  We all know that a picture can be worth a thousand words; using graphics can improve simplicity and usability, which can lead to better internal control.  Take advantage of how easy it is to integrate graphics (including photos) into your accounting procedures.

Be Consistent – accounting procedures should be consistent in format and design, and in the use of language and terms.  They should be highly recognizable and familiar in an organization.  To a degree, they should even be similar in length.  That is to say there is a consistency problem if one accounting procedure is four pages long and another procedure is 25 pages. (Refer to “Keep It Simple” above.)

Maintain Them – Keeping accounting procedures up to date means you are properly maintaining the internal control system.  A change in the process means a change in the accounting procedure.  This aligns with the first point as well.  The more basic and simple you keep an accounting  procedure then the easier it is to maintain.  Checks and metrics should also be evaluated regularly and modified if they do not truly monitor the effectiveness of the accounting process or provide the needed internal controls.

Which Accounting Policies and Procedures to Develop for SOX Compliance?

As discussed last week, developing accounting procedures to document processes as part of an internal control system that meets the Sarbanes-Oxley Section 404 requirement should be done in iterations according to the risks that your accounting operations face.  For the purpose of SOX compliance, the mission is financial statements without material errors.  What are the most important accounting processes that need to execute properly to complete the mission, and what business processes contain the most financial risks to the mission?

For each iteration, focus only on the number of accounting processes (selected by priority of importance and risk) that your organization has the resources to develop, deploy and maintain properly.  Don’t try to develop/integrate accounting procedures for 15 processes if your organization can only handle five at a time.  Over reaching is a sure path to failure.  Generally, a system with five functioning, well-controlled processes provides more accounting internal control than a system with 15 poorly controlled accounting processes.  Once the organization has defined and created accounting documentation for five processes, then identify the next five accounting process.

Remember, useful accounting procedures should be simple and clear, as well as known and maintained.  Otherwise, they are a detriment to the required SOX internal controls.

We would like to hear from you about accounting policies and procedures required by SOX.  Our mission is to help companies improve through improved accounting processes and training and developing accounting policies and procedures in a way that enhances that goal.  One way to be successful in that mission is to know what you think.

To learn more about Bizmanualz Accounting Procedures go to http://www.bizmanualz.com/accounting/ and check out the Accounting Policies and Procedures Manual or sign up for the Bizmanualz Newsletter and download a free sample accounting procedure right now.

The Stages of Effective Risk Management

Risk management can seem like an overwhelming and daunting task – but only if you try to envision, predict, and prevent every imaginable risk all in one swipe.  The trick to successful risk management is to break it down into manageable stages and tasks.  Using a continual improvement method, identify and mitigate high priority risks first, and then continually improve your risk management by regularly reviewing and prioritizing risks and addressing them according to your organizational needs.

The basic steps of risk management include:

1. Understand the Mission
2. Perform risk assessment to identify and categorize risks
3. Prioritize risks and activities
4. Design processes, training, and checks/metrics (controls) for top level risks
5. Monitor internal control effectiveness and improve as required
6. Repeat steps 2-5

Methodical Risk Assessment Leads to Proper Internal Controls

The first step in conducting effective risk management is understanding the mission.  Clearly identifying and articulating the mission makes recognizing the risks to mission success much easier and much more effective.  In terms of Sarbanes-Oxley and SOX Section 404 – understanding the mission is easy.  The SOX mission is to create accurate financial statements and avoid a material misstatement.

Once you identify the mission, begin risk assessment by listing the possible risks to accurate financial statements (i.e. improperly listing assets).  There are several approaches to listing possible risks, but the most effective ones employ a methodical technique.  For example, for financial statements a methodical risk assessment approach could be to identify inputs to your financial statements, and then work backwards to consider input sources, processes, etc;, listing possible reasons for incorrect information.  It also might be useful to consider typical categories of risk such as system/process problems or weaknesses, human error, and fraud.

Prioritize Risks to Determine Internal Control Activities

When trying to assess possible risks the goal is to be exhaustive.  You may end up with a sizable list, but that is an expected risk assessment outcome – don’t let it intimidate you.  Think of it as useful information.  It is unlikely that you will be able to address all the listed risks from your risk assessment at once.  The goal should be to identify high priority risks and focus on those first.   Now you are creating an internal control system that complies with Section 404 Sarbanes Oxley.

Fig. 1: List risks, and then plot them according to impact and likelihood

Creating a matrix or graph of risks by likelihood versus impact is a great tool in finishing the risk assessment task and moving toward risk management.  For example, you could have the risk/internal control committee rank every risk item on the list for probability and impact.  Then average them and plot them as R1, R2, R3, etc;, as they are plotted on Figure 1.   Obviously, after plotting risks, those with highest probability of occurrence and the highest potential impact (or in terms of financial statements – materiality) should be addressed first.

How many risks are addressed at one time depends on the size and capability of the organization.  A large organization with lots of resources might focus risk management on the top 12 or 15.  A small organization might only be able to set a goal of attending to the top three or top six risks in the first pass.

Managing Risk with Internal Controls

Now that you have identified the most important risks to manage, the next step is to identify the best way to mitigate them. A typical method is to create well-defined processes that help minimize the risk.  The process should account for the inputs, outputs, as well as process activities, but the process should also incorporate metrics and check-steps.  This builds in the capacity to monitor the process’ effectiveness right into the process itself.  Once your process is defined, then it is communicated through policies and procedures, training, and work instructions.  We will go into more detail about the role of policies and procedures for a SOX Section 404 internal control system in next week’s article.

Continually Improving Risk Management and Internal Controls

Once in place, processes should be monitored by regularly verifying that process checks are functional and that process metrics demonstrate effectiveness.  Corrections are made as required. Once these processes are fully operational and demonstrated effective, it is time for Step 6: repeat the risk assessment / risk management process in order to address the next level of risks. Be sure to begin with listing and plotting risks at the start of every iteration. (It will be easier each time through.)  Internal situations and operational environments change over time, so risks and their priorities change as well.

If you are having trouble envisioning your internal control system, risk management techniques can get the ball rolling.  These risk management activities also improves other components of an internal control system as listed by COSO:  the Control Environment, Control Activities, Information and Communication, and Monitoring.  Congratulations, you are slowly and surely building an effective internal control system by prioritizing and addressing your risks.

To a degree, the confusion over SOX seems inordinate in relation to the complexity of the regulation. Actually, compared to the intricacy of other regulations enforced by the Securities and Exchange Commission (SEC), Sarbanes-Oxley compliance is relatively straightforward. It is somewhat hard to understand why there is so much misunderstanding about Sarbanes-Oxley, so let’s review the basics.

SOX Compliance Basics

As noted, for the most part the efforts required to comply with SOX should not be difficult. In fact, the most arcane sections of the law require no effort by publicly traded companies whatsoever. These Sarbanes-Oxley sections deal with topics such as:

• Authorization and establishment of the Public Company Accounting Oversight Board (PCAOB)
• Funding and reviewing studies on corporate accountability and fraud
• Increasing punishment for white collar crime

As a brief overview shows, most sections of the SOX regulation that do require action by publicly traded companies are not that demanding:

• Creating an Audit Committee from the Board of Directors to oversee independent financial auditing activities, directly receive audit reports, and develop a process for receiving and investigating anonymous complaints about unethical accounting practices. The committee must be chaired by someone with accounting or finance experience.

• Using auditors that are independent from other company relationships, are registered with the PCAOB and comply with its requirements, and lead auditors that are rotated at least every five years.

• Avoiding improper relationships and creating transparency through implementing policies such as restricting employee movement between auditors and the organization; disclosing financial transactions (i.e. loans) with executives and officers; disclosing major stockholders; restricting officer and executive trading of company stocks when other employees are restricted from doing so; and prohibiting retaliation on whistleblowers.

• Management establishing an internal control system that ensures proper accounting practices and safeguards, produces accurate financial statements, as well as annually verifying the control system’s effectiveness.

Sarbanes-Oxley Section 404 Internal Control Compliance

It is that last item listed, management establishing and verifying an effective internal control system listed in SOX Section 404, that causes the most problems for publicly traded companies. Between Sarbanes-Oxley passage and its implementation, the SEC was inundated with questions and inquiries about how to comply with this internal control requirement.

In response to these concerns the SEC pointed to a 1992 report from The Committee of Sponsoring Organizations of the Treadway Commission (known as COSO) called “Internal Control – Integrated Framework.” The SEC cited this COSO report as one example of internal control, but also indicated that this was by no means the only method of effective internal controls.

The Role of Procedures in SOX Section 404 Compliance

It is somewhat unclear how well the SEC’s reference to the COSO report helped in clearing up confusion over internal controls. In response to the requirement, some companies began to “procedure-ize” all of their activities in finance and accounting, mistaking mounds and mounds of procedures for an internal control system.

While procedures are an important component of internal control, creating stacks of paper really only exacerbates the problem. By writing everything down in great detail and putting it in procedures you are setting your internal control system up for failure. Now anytime you do something somewhat differently than what is minutely documented in your procedures – you are not in compliance because you are not following your control system procedures.

In the next article in this series we will further consider the more (or only?) complicated aspect of Sarbanes-Oxley compliance: creating an internal control system and the role of accounting procedures, and the important role of using internal controls to address risk. In the meantime, feel free to browse sample procedures from our CFO-Controller Series and review the selection of accounting procedures for an accounting or finance control system. Our pre-written, editable accounting procedures in MS Word format are based on established best practices, and can provide an important head-start for developing key procedures as part of internal control.

To learn more about Bizmanualz Accounting Procedures go to http://www.bizmanualz.com/accounting/ and check out the Accounting Policies and Procedures Manual or sign up for the Bizmanualz Newsletter and download a free sample accounting procedure right now.

Due diligence means you are collecting the proper information and ensuring you are aware of all the relevant facts. As the term transparency implies, it means there is a degree of openness and honesty. The recurring theme of October’s articles illustrate how important due diligence and transparency can be to business success.

Manage Your Business Banking Relationship

Part of financial due diligence in operating a business is having a financial representative (i.e. Owner, CFO, Controller, Business Manager) meet regularly with a bank representative. Prior to the meeting, create an agenda of topic areas. These should include things like:

• Future financial needs for expansions or acquisitions, like lines of credit or loans
• Best use of cash accounts like sweep accounts to maximize return and minimize expense
• Short and long term investment options for a practical liquidity tree
• Use of merchant accounts

Plus, in these times it may not be a bad idea to discuss the bank’s liquidity and financial stability, especially if you have money in non-insured accounts. Be prepared to ask questions that require details, not unresponsive platitudes. The bank sure doesn’t hesitate to grill you about your business when the money flows the other way.

Read more about managing business banking relationships;

Is Sarbanes-Oxley Improving Corporate Governance?

Again we find ourselves in middle of economic turbulence due in a large part to a lack of business ethics and sound business practices. Without the necessary transparency and due diligence, lies and deception can go unchallenged, particularly when people are being dishonest with themselves.

But wait a minute! Wasn’t Sarbanes-Oxley (SOX) supposed to put an end to all that? Aren’t public companies, financial or otherwise, supposed to have internal control systems in place as well as checks and balances to prevent unrealistic, overly optimistic projections and reporting? Obviously, though well-intentioned, SOX has not been as effective as it should be in preventing fraud, abuse, and intentional ignorance. Also, it apparently has not been successful at encouraging organizations to implement effective financial internal control systems and improve corporate governance.

Read more about whether SOX is improving corporate governance;

Managing Financial Strategy Means Business Success

A clear strategy and plan not only incorporates goals and the activities needed to reach these goals, but it also addresses risks. Obviously, the risk of handing out loans for hundreds of thousands of dollars without the proper due diligence and transparency was not accounted for in managing the financial strategies of those lending/financial organizations now failing or on the brink of failure.

Read more about Managing Financial Strategy;

On That Note;

Answer to this month’s question: Due diligence and transparency are important because being aware of the facts and avoiding deception (including deceiving yourself) can mean the difference between success and failure; between staying in business and going out of business. As the theme of this month’s articles point out, the current state of financial crises may have been avoided if those in charge of banks, lending institutions, regulatory offices, and even elected officials would have exercised appropriate due diligence and transparency.

Please feel free to contact us with any questions or comments. Also, please let us know if you’d like any specific topic addressed in our future articles.

Regards,
Chris
Bizmanualz

No Financial Strategy Means a Strategy for Failure

We have covered how important it is to create clear financial strategies several times in past articles. Do you think the organizations handing out bad loans, buying securities of bundled bad loans, and selling credit default swaps had a well-thought out financial strategy for business success?

If the financial strategy was expressed at a now defunct mortgage lender, what would it have sounded like?

Mortgage Lender CEO to Board of Directors and Executive Staff:

Okay – here is the plan folks. We are going to give people mortgage loans for hundreds of thousands of dollars. Before we write the checks let’s not do any due diligence by verifying their financial information like income and credit background, or even by making sure we have accurate information about what the home is worth. Just to keep it interesting, let’s throw in some curveballs like unrealistic low beginning payments followed by crippling rate increases and ballooning payments, no matter what the prime rate is doing. Then, when our lendees can’t make payments and foreclosures start skyrocketing, the bottom will fall out of the housing market. Once that happens hardly anyone will be buying and selling houses, no one will be getting loans, our cash flow completely dries up, and we will be out of business in no time.

Does that sound good to everyone??

Board of Directors and Executive Staff: Hear Hear!! Bravo!!

Mortgage Lender CEO: Alright! Let’s get out there and make it happen!!

It sounds kind of ridiculous when you say it out loud, doesn’t it? But what did they THINK would happen? Did these organizations not have any strategy at all?? Apparently they were thinking: let’s just keep writing loans and charging fees as long as there are people who want them. There was apparently no clear plan or vision regarding what these activities meant for the future of the organization. No strategy is a strategy for failure.

Strategy Management Incorporate Goals, Environment, and Risks

A clear strategy and plan not only incorporates goals and the activities needed to reach these goals, but it also addresses risks. Obviously, the risk of handing out loans for hundreds of thousands of dollars without the proper due diligence and transparency was not accounted for in managing the financial strategies of these organizations.

Of course the above scenario of formulating a horrible strategy never really happened, but that is the point. Having no strategy is really the equivalent of having the worst possible strategy. The same concept moves right up the chain from the mortgage sellers to the investment banks who were buying and selling credit default swaps that they couldn’t cover, and to investors who were buying bundled securities that turned out to be virtually worthless because the real value was indeterminable.

Business Success Takes Planning

Conversely, you can find examples of businesses in the financial industry where a well-thought out strategy prevented them from being another victim of the financial crises. Perhaps the most visible is Bank of America. Executives at this institution say that they made a conscious decision about eight years ago not to get involved with the sub-prime loan market. They just didn’t see how lots of risky loans fit their long term financial strategy. Now, while so many other financial businesses are facing catastrophe, Bank of America is strong enough financially to grow by snapping up bargains. Recent acquisitions include well-known organizations like Merrill-Lynch, MBNA, and Countrywide Mortgage.

Anyone who has ever watched It’s a Wonderful Life knows that the best time to buy is when others are panicking and selling. But, of course, you have to be in a position to buy; and that is usually the result of a well-thought out and managed financial strategy.

How important is a clear financial strategy? Apparently it can mean the difference between growing your business and going out of business.

Financial Strategies are the Starting Point of Internal Control

For strategies to be effective, however, they have to be communicated and implemented throughout the organization. That means operations in various departments at various levels have to create their own strategies and plans that align with, and execute, top level strategies. This is accomplished though training, policies, procedures, and implementing best practices – an excellent starting point for internal control.

One final point. Most businesses cannot survive on a good financial strategy alone. A good financial strategy, for example, doesn’t mean much to a business without customers. So thoughtful strategies must be created and implemented across the balanced scorecard: finance, customers, internal processes, and learning and growth.

There are never any guarantees for business success, but creating financial strategies gives your business direction and guidance. Without that, there is no telling where you will end up. Perhaps owned by Bank of America.