With the last of the requirements of the Sarbanes-Oxley Act finally taking effect, it would have been easy to suspect that corporate America’s drive to comply with corporate governance rules would be nearing completion. Yet finance executives who are leading the compliance charge say they do not expect to complete this work any time soon.
More than 60 percent of respondents to a recent survey by CFO Research Services and Capgemini identify regulatory compliance as a long-term rather than a short-term issue. True, many companies are wrapping up their initial efforts to meet the requirements of Section 404 of Sarbanes-Oxley, which requires that companies document and attest to the effectiveness of their internal financial controls. But many CFOs are still looking for long-term solutions to ensure that their control structure remains effective, recognizing that compliance promises to be an ever-evolving process as their organizations grow and change over time.
“Even if a business is relatively static, you have to guard against complacency to make sure your talent and your skills are sharp, to make sure that you are alert to possible breakdowns in controls, and to ensure that you pursue continuous improvement in controls and documentation,” says Dan Farell, senior vice president for energy company TXU Corp., who is overseeing a broad-based business process outsourcing contract the utility recently entered into with an outside vendor. “We look at it as a continuous process,” concurs Brendan Condon, senior vice president of finance and operations for America Online Media Networks (a unit of Time Warner). “Our view is to never assume that what you’re doing is the best you can do.”
Investments Lead to Compliance —
and to Improved Performance
As part of this effort, it is not surprising that CFOs plan continued steady investments
in people, systems, process improvements, and organizational redesign to reach acceptable levels of regulatory compliance and lower G&A costs. Here, too, leading CFOs appear to have intuitively understood the relationship between regulatory compliance and G&A performance opportunities.
For example, nearly 80 percent of survey respondents say that enhancing the security and integrity of corporate data — a critical component of any internal control system — is a high priority within their organization. But more than 70 percent also give a high priority to reducing IT infrastructure costs and more than 60 percent accord the same priority to reducing IT headcount.
This concern with IT security is dead-on; Chrisan Herrod, chief security officer for the Securities and Exchange Commission, announced in September that, while Sarbanes-Oxley does not specifically address the reliability of a company’s information systems, the SEC is now encouraging public accounting firms to look closely at the information security controls of its audit clients.
While it is safe to assume that ongoing investment in compliance initiatives may be
costly and may even exceed budget allowances at some organizations, finance may
be able to justify compliance initiatives by arguing that current resource levels are
simply not adequate to meet the unique and unrelenting challenges companies face.
It is not, after all, just Sarbanes-Oxley that is weighing on public companies. Many
firms also labor under increased regulatory legislation aimed at specific industries.