Sarbanes-Oxley highlights risk management

Banking consultant examines the repercussions of last year’s far-reaching accounting law

As each week goes by, one of the newest federal laws affecting business continues to raise questions.

Born from the accounting scandals of 2001, Congress passed the far-reaching Sarbanes-Oxley Act (SOA) of 2002 in an attempt to regulate public companies and clean up messy accounting practices of the late 1990s.

In the true entrepreneurial spirit of the Silicon Valley, a group of consulting firms have sprung up to help companies address SOA, including BankVision Inc. of San Jose, which was founded this year and already has 45 clients.

BankVision managing director Chris McCulloch talked with Biz Ink reporter David Speakman about issues he faces with companies grappling with the new law.

When SOA was passed, do you think people were fully aware of its implications?
It is difficult to imagine that people understood the complete ramifications and implications of the Sarbanes-Oxley Act when it was signed into law in July 2002. The Act is so broad reaching that I think most corporate managers are still trying to digest its full impact. The topics addressed by SOA range across the corporate spectrum from governance standards to disclosure procedures.

What are some of the most common SOA issues you are seeing with your clients?
Our clients are financial institutions and, in many respects, they had a head start with respect to SOA. Even before SOA, they were operating in a heavily regulated, control-oriented environment, so SOA was not as traumatic as it might have been otherwise. For most financial institutions, compliance with SOA is really about formalizing and documenting many of the control processes and practices that already existed. In fact, our larger clients (banks with assets over $500 million) have been familiar with annually assessing the effectiveness of their internal control structure under Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) since the early 1990s. Proposed Section 404 of SOA regarding management’s assessment of internal controls looks very similar to FDICIA Section 112.
Ironically, in both cases, these regulations were direct responses to the well-published business challenges of their times. For instance, FDICIA was enacted in response to the savings and loan crisis of the 1980s, while SOA was a reaction to the corporate malfeasance and governance failures two decades later.
While financial institutions may have had a head start, compliance with SOA may be a real challenge for small manufacturing and service businesses that have not traditionally operated in heavily regulated environments.

What is the most important thing you tell companies to do because of this new regulation?
Develop a culture within the organization that fosters control awareness. An awareness of controls and risks will allow the organization to optimize the balance between risk and return. Business decisions can then be made with an understanding of the associated risks and thus minimize the type of corporate governance failures that plagued companies like Enron and WorldCom. This doesn’t mean that an organization should move to eliminate risk, because it would control itself out of business. Rather it should position itself to identify, measure and respond to risks that exist, as well as those that develop, as a function of environmental changes.
Once a general control awareness has been infused in the organization, it becomes a process of documenting the most significant risks, key controls and means by which these controls are periodically evaluated and validated by the organization. Risk-management professionals can help facilitate this process.

What are the benefits of risk management in regard to SOA?
The first has been a general increase in awareness regarding the importance of controls and risk-management processes. Another positive aspect of SOA has been the enhanced communication between senior managers and mid-level managers or supervisors regarding the control environment and financial reporting controls of their organization.
Section 302 of the act requires the written affirmation of the principal executive and financial officer (usually the CEO and CFO) that effective disclosure controls and procedures exist each time a periodic report is filed with the [Securities and Exchange Commission]. Well, these senior managers are now asking very pointed questions about the control and disclosure procedures of the managers that report to them. This has improved communication between senior managers and mid-level managers regarding the controls and risk management processes of their business.

Have you noticed companies not originally targeted by SOA changing business practices because of it?
SOA was originally designed to address corporate governance responsibilities and transparency in financial reporting and disclosure at public companies. Any company that was an SEC reporter was covered by the act.
However, we have seen private companies take a keen interest in the act. Many of these companies have moved to comply with SOA even though they are not technically covered by it. The feeling is that there may come a day in the not-so-distant future when all companies will be covered by SOA or similar standards. These private companies are oftentimes enhancing their risk-management processes and control expectations in this context.

What ramifications of SOA did you find surprising?
That such sweeping change in U.S. securities laws could be precipitated by a few very large, visible companies such as Enron, WorldCom and Arthur Andersen. Unfortunately, the corporate malfeasance and fraud associated with these companies cast a shadow over the entire corporate world and undermined the public trust between companies and their stakeholders.
While we needed improvements in corporate governance and financial reporting transparency, SOA has been a significant burden for many companies that were already acting as responsible corporate citizens.