So there we all were on Monday, several hundred of us, warming up for Workiva’s 2017 Wdesk user conference by attending the SOX & Internal Controls Professionals Group Summit to talk all things internal control.
On stage was Jeremy Sucharski, GRC, SOX, and internal audit partner at Armanino. He was sharing thoughts on good and bad practices for SOX compliance, and he mentioned one phrase he has heard many times from CFOs.
“I just want to get a ‘C’ on SOX. I just want to do the bare minimum and be done.”
That’s not a surprising attitude, especially if your company is new to compliance and perhaps a bit bewildered at all the time, energy, and investment required in those early years. Still, it’s an unwise attitude to have—one that suggests your CFO doesn’t really get what SOX compliance about
SOX compliance is about strengthening business and financial processes to make them more reliable. That means you have to understand how those processes work and where the risks to those reliable business processes are.
Hence, for example, audit firms pester you for flowcharts rather than narratives. Flowcharts force you to distill a financial process down to its bare essentials, including the risks and controls you have in place. Sucharski encouraged SOX summit attendees to perceive compliance in terms of business or process cycles rather than accounting controls, and he’s entirely right.
CFOs who only want to get a ‘C’ on SOX can’t see the forest of good business process through the trees of Section 302 disclosures and Section 404 audits. To them, SOX compliance is an accounting exercise to meet regulatory requirements.
They don’t grasp that the minutiae of internal control testing is part of a larger effort to improve corporate accountability for financial statements—or that companies that take financial reporting seriously get rewards.
The Rewards of SOX Compliance
During a later session at the SOX summit, I hosted a fireside chat with Greg Wilson, former Deputy Director of the PCAOB’s Division of Inspections and Registrations. We talked about the challenges of articulating that cost-benefit analysis of SOX. Namely, the costs are precise and quantifiable (you do pay fees for consulting, auditors, or software, after all), but the benefits are diffuse.
For example, companies with strong SOX compliance programs, including Section 404(b)’s annual audit of ICFR, experience fewer financial restatements than companies that don’t comply with Section 404(b). Academic studies show that companies with fewer material weaknesses in financial reporting are at less risk for financial statement fraud and are more likely to get better valuations and credit ratings from Wall Street banks. You might also file earnings releases more quickly, since you’re more confident in the numbers that eventually will be filed in the 10-Q later.
Do all those benefits exceed the dollars spent on compliance? That’s hard to tell, and for inexperienced companies, the answer might be no. But in that case, the question is more about how the company can improve financial processes and rationalize controls to gain those advantages—not whether we should weaken the rules, so companies can go public more cheaply, in every sense of the word.
I was pleased to see that attendees at the SOX summit seemed to perceive the issue the same way. Wilson and I polled the crowd, “Should SOX 404(b) be repealed?” and nearly 75 percent said no.
Now, if we could only the CFOs of Corporate America to feel the same way.
(Today’s item is cross-posted from the Workiva blog. You can view the original post there. Look for more dispatches from the 2017 Wdesk user conference all week!)