Originally Published - February 21, 2007
Most enterprises have to compete globally and thus adhere to largely nonnegotiable legal and regulatory requirements in almost every region or vertical sector they are targeting. Thus, regulatory compliance and the management of a multiplicity of prospective risks have lately pervaded the minds of most executives and upper managers.
Indeed, no single chief executive officer (CEO) would—with a sound mind—like to be apprehended for embezzlement and placed in handcuffs in front of sensation-hungry TV cameras. Neither is any manager eager to face the severe consequences (penalties, lawsuits, brand erosion, tainted reputation, etc.) of a major product recall that is brought to the public's attention because of some extremely unlucky consumer's death or serious illness. Some such recent occurrences include the recall of a major sport utility vehicle's (SUV's) track tires; contamination due to a dangerous chemical leak, causing fatalities; and an E. coli outbreak caused by a contaminated food product. Further, no company is willing to have its imported goods kept at the ports indefinitely, let alone pay severe penalties for (knowingly or not) trading with rogue countries and blacklisted parties, or for having dangerous goods or contraband in its shipments.
Sure, regulated environments have been around a long time, as exemplified by the existence of the US's Robinson-Patman Anti-Price Discrimination Act of 1936 and Hart-Scott-Rodino Antitrust Improvements Act of 1976. More recently, in 1991, US President Bush signed into law the Telephone Consumer Protection Act of 1991 (TCPA), which amended Title II of the Communications Act of 1934. Also known as the "Do Not Call" program, the United States Congress enacted this law to reduce the nuisance and invasion of privacy to the public caused by telemarketing and prerecorded calls.
However, a number of recent events that have negatively affected consumers and damaged public trust has led to the awareness of and the insistence on corporate social responsibility and accountability. Possibly the greatest attention so far has been given to ensuring compliance to the US Sarbanes-Oxley Act (SOX). Namely, the now proverbial Enron, Tyco, and MCI/Worldcom scandals of a few years ago, in which these companies were proven to have falsified their financial statements, have cost billions of dollars and devastated public trust in financial markets (see Claudia Delto's 2005 article Checking It Twice—Basel II, Sarbanes-Oxley Act, International Financial Reporting Standards).
These companies have especially hurt several million small investors by nearly wiping out the investors' pension plans. Much of the abuse that occurred at that time simply came down to either the failure to remember or a deliberate disregard for basic ethics and common sense. The US government reacted in July of 2002 by instating a law that defines how corporate reporting must be performed—the law that was deemed instrumental to restoring investor confidence by providing transparency in corporate financial reporting. Even more recent (albeit much less grave), the disclosure of financial results restatements and of shady executives' backdated compensations at some renowned corporations (Apple, for example) might be showing us that one can never be too careful and work merely on an honor system.
SOX "Preying" on (Almost) Everyone's Mind
To put it into context, SOX was passed by the US Congress in response to the high-profile financial scandals involving companies like Enron, Tyco, and others. The idea was to make corporate accounting procedures more transparent to investors and regulators.
Even before these scandals ever took place, the raft of missed earnings announcements that had for some time occupied headlines in the business press during the 1990s exhibited one common thread—time and again, chief financial officers (CFOs) would moan that they had failed to meet expectations due to a "lack of visibility." These executives would frequently blame major events that they could not have predicted as the cause of poor quarterly performance. Either a key customer cancelled a major order unexpectedly; major product lines were becoming obsolete (and non-marketable); or suppliers were ramping up prices due to a shortage of raw materials.
Increasingly, however, CFOs are being called upon to give more accurate estimates of their earnings potential, and if the company fails to meet these estimates, then they should at least be able to give a detailed explanation as to why.
SOX sets new standards with regards to responsibility, accountability, transparency, and correct behavior in companies. The act also sets requirements for the effectiveness of internal monitoring of companies' financial reporting (see Checking It Twice).The US Securities and Exchange Commission (SEC), established by the Securities Exchange Act of 1934, is responsible for the law and for corporate compliance with it. SOX applies to both US and multinational companies that are listed on the US stock exchanges, such as NASDAQ, while foreign companies that are listed on US stock exchanges are subject to SOX for all fiscal years that ended after July 15, 2006 (see Checking It Twice).To be more accurate, it is applicable to all companies whose securities are registered and that are required to file reports under 15(d) of the Securities Exchange Act.
The motivation behind SOX was to restore investors' trust in the reliability of financial data that companies publish about themselves, and to mitigate the risk of false financial statements. The act also set up a supervisory committee for auditing companies (see Checking It Twice). Specifically, each affected company has to establish fully independent audit committees (that are responsible for oversight of the auditor); must wait at least one year before hiring an audit management team member to be a CEO, CFO, or the equivalent; cannot extend loans to directors or corporate officers; has to make annual internal control reports; must disclose information about material changes on a real-time basis (initially in two business days, but now in four); and must establish "whistle-blower" (informant) protection for employees (who are typically subordinates).
Moreover, as the act creates severe criminal penalties (fines or imprisonment up to twenty-five years) for defrauding shareholders, a publicly traded company's top managers have been made personally accountable for their company's actions, especially for the accuracy of their companies' financial statements and the effectiveness of their internal auditing. Indeed, CFOs and CEOs of publicly traded companies are nowadays very much aware of SOX and its impact on their firms, since even an honest but disengaged or naïve executive may face a career-ending and disgraceful fate. Also, the whistle-blower protections and prosecutions of lower-level managers too will make subordinates unlikely to remain silent or cover up any wrongdoings.
CEOs and CFOs have to certify financial reports quarterly, since Section 302 of SOX requires certification to the accuracy and fairness of the financial statements, and to the adequacy of the internal control framework around the financial statements. Officers, directors, and others are hereby prohibited from fraudulently misleading their auditors, while executives have to disgorge (give back) bonuses and profits after restatements due to misconduct. This point, however, can still cause conflicts with regulations in other countries. In Germany, for example, executive board members are currently not held personally responsible by law for their companies. While solutions to such conflicts are still yet to be found , some regional SOX variants have emerged, such as Japan's version of the law—"J-SOX" (see Checking It Twice).
Oversight Board Established
SOX implementations within public companies have been overseen by the Public Company Accounting Oversight Board (PCAOB), which consists of five full-time members that are appointed and overseen by SEC. Two of those five members must be or must have been certified public accountants (CPAs), while the remaining three must not be and cannot have been CPAs (so as to bring alternative perspectives). The board, which is funded by public companies via mandatory fees (while accounting firms that audit companies must register and pay fees too), is responsible for overseeing and investigating the audits and auditors of public companies, and has the authority to sanction both enterprises and individuals for violations. PCAOB is authorized to regularly inspect the operations of registered accounting firms, and also has international authority over foreign accounting firms that prepare or furnish audit reports involving US registrants.
The tricky thing is that while the PCAOB standard does not require a single form of report documentation per se, each company must still report and provide reasonable support that includes, according to Resources Global Professionals (the operating subsidiary of Resources Connection, Inc. [NASDAQ: RECN], a multinational professional services firm that helps business leaders execute internal initiatives), the following elements:
Design of controls over relevant financial statement assertions
Information about how significant transactions are initiated, recorded, processed, and reported
Sufficient information to identify where material misstatements due to error or fraud could occur
Identification of controls designed to prevent or detect fraud, including who performs them and the relegated segregation of duties (SODs)
Controls over period-end financial reporting processes
Controls over safeguarding of assets
Results of management's testing and evaluation
SOX has included a number of new mandates, with two sections having clear implications for corporate information systems, and some that are especially relevant to supply chain management (SCM). In their efforts to comply with these new and stringent regulations, companies have adopted a variety of methods to handle the technical challenges that SOX has created for them, which will be explored in subsequent parts of this series.
This is part one of the series Thou Shalt Comply (and More, or Else). To read subsequent parts, please click here: part two, part three, part four, part five, part six, and part seven.