The Sarbanes-Oxley Act May Be Just the Tip of a Compliance Iceberg

More Financial Reporting Compliance

The Sarbanes-Oxley Act (SOX) might be only the tip of a "compliance iceberg" for many enterprises. Namely, International Financial Reporting Standards (IFRS) is another set of guidelines governing the financial statements of listed companies in Europe and other regions, which was introduced on January 1, 2005 (see Claudia Delto's 2005 article Checking It Twice—Basel II, Sarbanes-Oxley Act, International Financial Reporting Standards). IFRS and International Accounting Standards (IAS) were created by the International Accounting Standards Board (IASB) to promote internationally comparable financial statements. Regulation 2002/3626 requires that some 7,000 listed companies in the European Union (EU) prepare their consolidated financial statements in accordance with IFRS and IAS (see mySAP ERP Financials: IFRS Compliance).

Somewhat similar to SOX, the IAS framework was adopted by the European Commission to increase transparency among companies operating in the EU, with the goal to promote investor confidence and optimize working capital and risk management (see SAP for Banking: Regulatory Compliance). Moreover, IFRS requires companies to provide additional information and contains new standards for valuation, as well as clearer procedures for determining risks and company performance. The most substantial changes affect fixed assets and financial assets, whereby intangible assets such as the value of shares or investments in other companies count toward the total assets. Depreciations that are permissible by tax law but are higher than, for example, German Generally Accepted Accounting Principles (GAAP) depreciation disappear and have no negative effect on the total liabilities. In other words, under IFRS, different life and depreciation periods of assets apply than under any national GAAP (see Checking It Twice).

Also, under old accounting rules, a company could value its inventories at historic cost (original cost at the time of purchase or payment) so that, for example, an electronics goods vendor might value unsold, several-month-old DVDs at the amount they could have been sold for several months ago. But, under IAS-2, when a company files its financial report, it has to give an up-to-date net realizable value (NRV). NRV is an accurate estimate of the products' market values at the time the report is published, with the idea that all corporate assets must be valued at "fair value", rather than at the possibly problematic historic cost. Companies will also need to account for the cost of all employee compensation plans, meaning that the cost of stock option plans must be reflected in company accounts, and any shortfall in company pension funds must be recorded in the accounts.

Companies in the US are not directly affected by these regulations, because they have to comply with the US GAAP financial reporting regulations instead. However, because these financial statements alone do not fulfill the legal requirements for local financial statements, financial accounting books will have to be kept in parallel so that they can be assessed both in terms of IFRS and local law (see Checking It Twice).

This requirement has far-reaching implications for companies of all sizes, since publicly traded companies need to adhere to IFRS while still complying with local tax, dividend, and other regulations, and therefore require at least two sets of financial statements. Further, because capital markets demand comparable numbers for investment decisions, even non-listed companies will be forced to issue IFRS-compliant financial statements (see mySAP ERP Financials: IFRS Compliance). This requires the use of enterprise systems that can maintain several parallel ledgers in general ledger (GL) accounting, and carry out parallel evaluations so that companies can adhere to complex accounting standards, meet capital and financial market requirements, and ensure the reliability and transparency of their financial reporting.

In this way, companies should be able to meet the different requirements of IFRS and local GAAP, as well as address such issues as business combinations, financial instruments, and share-based payments. Last but not least, a well-devised enterprise solution should not allow anyone to reconfigure a workflow if doing so would cause a number of the SOX or IFRS compliance steps to be disregarded. Likewise, a compliance-aware enterprise system would not permit someone to move (drag-and-drop) a specific field to a different screen if that information is required for some other critical processing.

For additional information see Thou Shalt Comply (and More), or Else: Looking at Sarbanes-Oxley and Important Sarbanes-Oxley Act Mandates and What They Mean for Supply Chain Management.

Horizontal Versus Vertical Regulatory Requirements

Apparently, many human resources (HR)-related regulations, in addition to the above-mentioned financial reporting directives, are applicable across numerous industries, and most enterprises must abide by them. Included in the long list of such regulations are Equal Employee Opportunity (EEO); the patient-privacy Health Insurance Portability and Accountability Act (HIPAA; see HIPAA-Watch for Security Speeds Up Compliance); Consolidated Omnibus Budget Reconciliation Act (COBRA); Occupational Safety and Health Administration (OSHA); Employee Retirement Income Security Act (ERISA); discrimination and harassment regulations; union agreements (where applicable); and those of the Financial Accounting Standards Board (FASB).

Given that we live in a litigation-happy society, where a company is more likely to be sued by an employee than to be audited by the US Internal Revenue Service (IRS), it is no surprise that regulatory requirements and corporate governance issues account for the modest increase in demand for transactional HR systems. These HR systems provide tools to produce the W-2 and 1099-R forms, and to maintain data in compliance with immigration laws as well as Americans with Disabilities Act (ADA) disability information. For more information, see Thou Shalt Manage Human Capital Better.

Banks and Financial Organizations' Liquidity Issues

However, to further complicate things, many industries have their own inherent regulatory requirements. For instance, banks and financial institutions must comply with a growing array of national and international legislation and recommendations. For example, the Gramm-Leach-Bliley Act (GLBA), signed into law by former US President Clinton, has drastically changed the way financial institutions conduct business. With this law, many responsibilities have been placed upon banks and financial institutions to protect the customers' nonpublic, personal information. The GLBA governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies that receive such information, whether or not they are financial institutions. Namely, the GLBA Safeguards Rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information, and the rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions that receive customer information from other financial institutions, such as credit reporting agencies.

The New Basel Capital Accord, or Basel II, which establishes requirements for banks to manage the risks of issuing loans, has been publicized recently and frequently. As discussed in Checking It Twice, the regulation, whose implementation was completed at the end of 2006, increases both the level of risk management and the required level of disclosure, and consequently requires significant changes in financial institutions' policies, processes, and systems. Issued by the Basel Committee on Banking Supervision, Basel II is a recommendation to help credit institutions protect themselves against the risk of credit loss and increase the overall transparency of their business in their daily work with market, liquidity, and general risks. To that end, banks must identify potential risks and set aside capital to compensate for potential losses. Furthermore, Basel II calls on the banking supervision authorities to conduct regular inspections of credit institutions to jointly monitor and analyze risks. Finally, the banks are committed to publishing their equity capital structure and their own risk situation.

Accordingly, as noted in Checking It Twice, before granting credit in the future, banks will have to assess the recipient's credit risk using an internal or external rating. As a result, the conditions under which the credit is granted will be tied more closely to the liquidity of the borrowing company, which will in turn affect the duration, interest rate, and the collateral of the credit agreement. To receive a good Basel II rating, reliable financial figures and well-documented planning are essential. A sound financial management system has to provide the necessary transactional data for this purpose, as well as the range of functions for supporting Basel II as part of the extended portfolio of analytical applications that have to be especially developed for carrying out financial and profitability analyses and risk management.

If one thinks about this a bit more, Basel II affects not just banks, but all organizations. In particular, it effectively requires organizations to demonstrate their ability to meet their payment obligations—a process called rating—which typically involves a comparison of planned versus actual financial values covering a multiyear period. Strategic planning, risk management, and internal control processes all have an impact on rating results, which is a key concern especially for small and midsize businesses, many of which lack thorough planning and control processes. Basel II is expected to have a global impact, because members of the Basel Committee include the Group of Ten (G10) countries, most of which intend to transform Basel II regulations into local law. Thus, some well-attuned software applications will be needed to help these companies meet Basel II requirements for risk exposure and capital adequacy, and implement risk-mitigating supervisory review and disclosure processes. See mySAP ERP Financials: Basel II Support for more information.

Insurance Industry Solvency Issues

The EU Single Market's web site dedicates an entire section to Solvency. When it comes to the banks' "cousins"—insurance firms—the solvency margin is the amount of regulatory capital an insurance undertaking is obliged to hold against unforeseen events. Solvency margin requirements have been in place since the 1970s and have been amended by the Solvency I Directives in 2002. However, Solvency II is a fundamental review of the capital adequacy regime for the European insurance industry that aims to establish a revised set of EU-wide capital requirements. These requirements should help supervisors protect policyholders' interests more effectively by making prudential failure less likely—reducing the probability of consumer loss or market disruption. Namely, while the Solvency I Directives aimed at revising and updating the current EU solvency regime, the Solvency II project has a much wider scope, since it includes a review of the overall financial position of an insurance undertaking—not just limited to the solvency margin requirement.

Its aim is to ensure adequate policyholder protection in all EU member states, and it will take into account current developments in insurance, risk management, finance techniques, international financial reporting and prudential standards, etc. One key objective is that the requirements better reflect the true risks of an insurance undertaking, as there is widespread recognition that this is not the case in the current system. Another important feature of the new system will be the increased focus on the supervisory review process, with the idea to increase the level of harmonization in general, including that of supervisory methods, tools, and powers. As explained in Solvency 2 on the Financial Services Authority's (FSA's) web site, the framework under development consists of three "pillars," whereby pillar 1 sets out the minimum capital requirements firms will be required to meet for insurance, credit, market and operational risk. Pillar 2 will be the supervisory review process; because of this, supervisors may decide that a firm should hold additional capital against risks not covered in pillar 1. The aim of pillar 3 disclosures is to harness market discipline by requiring firms to publish certain details of their risks, capital and risk management.

The European Insurance and Occupational Pensions Committee (EIOPC) has approved the new Solvency II regime's basic architecture. It is based on the same three-pillar approach for insurance (quantitative requirements; supervisory activities; and reporting and disclosure) as for the banking sector. If it is of any consolation, Solvency II is still at an early stage. As discussed in FSA's Solvency 2, before it develops the level 1 framework directive, the European Commission is consolidating the existing solvency regulations and getting technical advice. The Commission expects to publish its formal proposal for a Framework Directive by July 2007, and based on this, one should expect Solvency II to be implemented by 2009/10.

Further on banking and financial institutions regulations, and coming back to the IAS framework, IAS 32 and IAS 39 in particular establish rules for the valuation of financial instruments. Again, in tune with the spirit of IFRS and IAS, accounting systems for financial instruments should enable banks to prepare IAS-compliant financial reports and create parallel financial statements based on a central data pool fed by the existing system landscape.

Thus, appropriate enterprise resource planning (ERP) and financial management systems must provide a comprehensive set of financials and analytics capabilities to meet the requirements of the rating process. Namely, transactional financials capabilities should enable banks to accelerate the preparation and processing of financial information, capture and organize relevant financial data more rapidly, and achieve tighter corporate governance and control. Analytics capabilities should allow banks (and related financial institutions) to automate and optimize corporate planning, analyze internal and external risk factors, integrate business strategy and risk management, and improve transparency and trust. With such sound systems in place, financial institutions should have the tools they need to streamline the company-wide planning and budgeting processes; increase transparency (and thereby avoid planned-versus-actual deviations, and mitigate the chances of uncertain events); get the most out of capital allocations (that is, make smarter investment decisions and improve results through risk-based management); comply with laws and regulations; and implement measures for damage prevention.

Just as with banking, insurance, and other financial institutions, the automotive and the food and drug industries are two areas of business where a growing body of government legislation and safety initiatives requires organizations to implement industry-oriented ERP systems in order to ensure compliance. The specifics on how these industries address compliance issues will be looked at in the next installment of this series.

Part Three of the series Thou Shalt Comply (and More), or Else
