JOANNE SAMMER is a freelance business writer. Her e-mail address is sammerwrite@optonline.net.
Let’s face it. Compliance with the Sarbanes-Oxley Act
isn’t a one-shot deal. With companies expected to spend $80 billion on
compliance initiatives in the next five years, CPAs and other
financial executives face ongoing regulatory pressure. Some days it
must seem they are navigating a strange sort of alphabet soup thanks
to rules from the SEC, the IRS, NYSE and FASB, not to mention laws and
standards popularly known as Basel II, HIPAA and SOX. Because so many
of these regulations involve a company’s financial activities, CPAs
are uniquely positioned to take a lead role in developing a
comprehensive approach to complying with them.
It is the latest of these laws—Sarbanes-Oxley—that has been a catalyst for many companies to search for a better way to manage these demands. Some entities have begun doing so on an enterprise-wide basis by coordinating and integrating compliance into all facets of the business, not only to streamline the process but also to improve operational efficiency and manage the company better. In many cases it is the sheer scope and breadth of Sarbanes-Oxley that is driving the effort.
Because Sarbanes-Oxley compliance usually centers on accounting and finance, CPAs are critical to a company’s development of an enterprise-wide compliance approach. This article explains how this strategy works and what forms it can take, the role CPAs can play in implementing it and what goals it can help companies achieve.
COMPLYING COMPANY-WIDE
Enterprise-wide compliance requires an overarching
framework for managing efforts to comply with the laws, regulations
and industry standards that apply to a company. Some companies use
frameworks developed by groups formed specifically for this purpose
while others rely on existing frameworks, such as the one the
International Organization for Standardization (ISO) developed for
continuous process improvement or the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) frameworks. (See “Resources.”) The exact approach a company
takes to enterprise-wide compliance will vary according to its needs
and the rules it must follow. CPAs interested in taking a lead role in
enterprise-wide compliance can begin by studying these frameworks to
see whether their company can adapt one of them to meet its needs or
whether the entity should develop its own framework.
[Figure: Cost Breakdown. Average section 404 compliance expenses. Source: Financial Executives International, survey of 217 public companies, www.fei.org, March 2005.]
From there, CPAs should identify the compliance areas a more consistent enterprise-wide approach can satisfy and what that approach should look like. CPAs can help companies refine the experience of complying with section 404 of Sarbanes-Oxley as the foundation of an enterprise-wide framework. “Companies must have a process and infrastructure in place or they won’t be able to meet section 404’s ongoing requirements,” says Bill Henderson, CPA, investigative and forensic accounting practice leader for the risk consulting practice at Marsh Inc., New York. “The question is: What role will various functions play in that framework? There is no one-size-fits-all.”
Simply developing a framework to manage Sarbanes-Oxley isn’t enough. “Companies tend to begin with one area, such as Sarbanes-Oxley, because it’s the most pressing,” says Ted Frank, CEO of Cleveland-based Axentis Corp. and chairman of the Open Compliance and Ethics Group’s Technology Council. However, the increasingly complex legal and regulatory environment requires a more strategic look at the process of complying with a variety of laws and regulations.
This enterprise-wide approach requires an infrastructure, including a code of conduct, a process to regularly assess compliance status as it relates to risk management, regular compliance reports and a curriculum for ongoing employee education. “The key is to build structures that allow a company to adapt through different business cycles,” says Dan Langer, CPA, solutions director for internal audit and controls at Jefferson Wells International in Brookfield, Wis. This type of structure already exists in many companies that operate in heavily regulated industries such as financial services or pharmaceuticals.
It’s also a good idea to understand how much a company is spending on compliance and where the money is going. According to the Small Business Administration’s Office of Advocacy, U.S. companies spend $850 billion a year on regulatory compliance. Sarbanes-Oxley is likely to increase that amount. However, individual companies often don’t know how much their own compliance efforts cost. “Spending is very diffuse, but some companies are trying to capture the costs,” says Frank. Any cost reduction effort will be hampered if a company doesn’t fully understand what those expenses are. Only with a full picture can companies begin to eliminate inconsistency and fragmentation to make compliance more efficient, not to mention less expensive.
COMPLIANCE STRUCTURE
For some companies, enterprise-wide compliance is
built around committees and other working groups that deal with
compliance issues and challenges throughout the company. A committee
with a diverse membership and strong leadership can aid
enterprise-wide compliance efforts by starting a dialogue among
different functions and departments that otherwise would not have an
opportunity to meet and work together. These committees also help
managers and process owners integrate compliance into their day-to-day
work.
Committee membership should include individuals from all areas of the company, including human resources, corporate communications, sales and marketing and IT, as well as the accounting, finance and legal departments. A 2004 survey of 165 executives conducted by Jefferson Wells International found companies used compliance committees to handle a variety of issues such as whistleblower cases, code-of-conduct oversight and recurring regulatory compliance.
One such company is Charlotte, N.C.-based Wachovia Corp., which formed an enterprise-wide compliance committee following its merger with First Union Corp. The committee’s mandate was to anticipate, track and plan compliance with all present and future regulations affecting the company and to determine how those developments might affect the company and its operations. “If we see a regulation coming right away, we might call an emergency meeting to discuss the impact it will have on the company and the procedures and policies we need to support compliance,” says Bill Langley, the Wachovia executive vice-president and chief compliance officer who heads the committee. In some cases the committee organizes company-wide training to ensure proper compliance and to foster an understanding of the policies designed to support compliance, such as the company’s code of conduct.
The company formed the committee, which meets quarterly, as part of a broader effort to more effectively manage Wachovia’s total risk profile, including operations, credit and compliance. Membership includes senior compliance leaders from the company’s four major lines of business, as well as representatives from staff areas including finance, audit, human resources, IT, legal and corporate communications. These employees were chosen because there is a clear link between the work of their department or function and the company’s compliance efforts. Most important, the committee structure and membership encourage better compliance-related communication among functional areas and the company’s lines of business.
Past and present committee members include CPAs who represent the finance and audit functions, as well as those who are CPAs by training but work in unrelated fields such as legal. Langley sees a significant advantage to including CPAs on the committee. “Much of what we discuss is related to understanding risks and the controls needed to mitigate those risks,” he says. “Because CPAs are so well-grounded in those areas, they are able to contribute considerably to developing solutions.”
ACCOUNTING PARALLELS
When developing an
enterprise-wide approach to compliance, CPAs can draw on their strong
grounding in accounting and finance processes. In many ways an
enterprise-wide approach mirrors accounting and finance activities
such as sending out invoices or closing the books each period. “There
are certain activities associated with strong compliance that occur
daily, monthly, quarterly or annually, just like the tasks associated
with the financial close,” Langer says. “They should be ingrained in
the organization and made part of individuals’ job responsibilities.”
When new employees join the company, they automatically should be
introduced to compliance processes, with the amount of information
provided depending on their roles. Employees working in finance,
accounting, IT or directly with internal controls would get more
education than others.
This enterprise-wide approach also can help entities manage compliance issues related to a merger or acquisition. “Ideally, the compliance office should be involved in the transaction and necessary due diligence,” says Henderson. For example, Iron Mountain Inc., a $1.7 billion Boston-based provider of data and information management systems and services, completed about 20 acquisitions in 2004. The company coordinated its Sarbanes-Oxley deadlines with the compliance issues associated with each acquisition. Any acquisition in the company’s medical records line of business also had to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other health-care-industry regulations. “We have to understand the quality of the acquisition and make sure compliance is consistent in all locations,” says Jean Bua, CPA, Iron Mountain’s vice-president and chief accounting officer.
One of the key challenges companies face when developing an enterprise-wide approach is getting the attention of the company’s leaders. “Compliance has always been in the background,” says Bua. “We have to fight for leaders’ time as we integrate compliance activities globally, while also keeping an eye on cultural and regulatory differences among our global operations.” Many entities bring compliance issues to the fore with company leaders through training and education in which CPAs can play a key role. In some cases companies are incorporating compliance-related measures into performance goals for certain executives.
Increasing the prominence of compliance activities also means tying those efforts to improved operational and business performance. It’s up to CPAs to “educate people throughout the business about the need to be compliance partners by showing them what they get for their efforts,” says Bua. For example, documenting and testing internal controls as Sarbanes-Oxley section 404 requires can help promote more efficient and effective operations and information flows. For Iron Mountain this process led to better records management and helped the company comply with HIPAA regulations more effectively. “That, in turn, helps protect the company brand and reputation,” says Bua—a message senior management understands.
FROM COMPLIANCE TO PROCESS IMPROVEMENT
Ideally, an enterprise-wide compliance approach will
yield benefits beyond just preventing regulatory and legal problems.
“If companies are smart, they are taking enterprise-wide compliance
beyond Sarbanes-Oxley and internal controls to identify operational
efficiencies,” says Langer. Indeed, enterprise-wide
compliance—particularly the process mapping, documentation and
internal controls testing required by Sarbanes-Oxley—has drawn
so-called process owners throughout the company into an overarching
compliance effort. This can be a chance for CPAs to expand the
conversation into areas such as process and operational improvement.
Such is the case with Suntron Corp., a $400 million electronics
manufacturer based in Phoenix. With nine facilities in the United
States and one in Mexico, the company has decentralized its operations
and centralized the finance function. However, Suntron is bridging the
gap between operations and finance by using the process mapping and
documentation required by section 404 to support its Six Sigma
activities and to drive continuous process improvements. (Six Sigma is
a data-driven methodology for eliminating process defects.) “The first
step is understanding where the process is today,” says Peter Harper,
Suntron’s CFO and treasurer. “Documenting a process can improve its
efficiency up to 20% by eliminating redundant activity and identifying
and fixing problems.”
Moreover, addressing any process
weaknesses will strengthen financial reporting. For example, if an
entity’s inventory control or materials purchasing processes are weak,
the resulting problems are likely to lead to incorrect financial
reporting. The same is true for contracts and customer pricing. “If a
salesperson or a customer business manager makes a deal that isn’t
properly communicated or documented,” Harper says, “that could have
negative financial reporting repercussions.”
Suntron plans to leverage the ISO framework, using the information gleaned during Sarbanes-Oxley compliance efforts. “That way, we’re not reinventing the wheel, and finance can be the conduit that provides a different perspective on process quality in financial reporting,” says Harper.
ISO 9000 requires companies to meet certain requirements with their management processes and activities, including those related to production, service delivery, purchasing and a commitment to monitoring customer perceptions about product quality. Because many of the internal controls that must be documented and tested under section 404 relate to the same processes and activities ISO 9000 covers, CPAs who work in organizations interested in becoming ISO-9000-compliant can use the section 404 documentation as a starting point for those efforts.
WEIGHING THE PROS AND CONS
Whether enterprise-wide compliance is the best
approach depends on the individual company and its circumstances. In
2005 the strategy will compete for the time and attention of
overburdened finance personnel and won’t work for every company.
Allied Defense Group, a $163 million defense and security company
based in Vienna, Va., has all it can do to keep up with current
compliance demands. “Undertaking a project like enterprise-wide
compliance is a challenge due to our staffing constraints,” says Chuck
Hasper, CPA, Allied Defense CFO and treasurer. “As a multinational
company we have to explain and translate internal controls so people
can understand them, and our staffing constraints compound the
problem.”
For CPAs with the necessary resources, enterprise-wide compliance presents important opportunities to add more value to the organization. “This is a chance for accounting and finance to move away from speaking about the company in technical terms and instead communicate in terms of success by emphasizing the role business unit leaders and geographic regions can play in compliance,” says Bua. Iron Mountain’s finance organization already has benefited. “These efforts have helped create a more knowledgeable finance organization worldwide and foster more teamwork within that organization. People are working next to each other and cross-pollinating ideas.”
Many companies report this type of collaboration occurs naturally as individuals from different parts of the company work together for the first time. In some cases a more efficient process one person has developed for his or her own department can be modified and applied to other areas. In other instances it will be up to CPAs to foster these types of working relationships. To help with this, some companies have developed databases of best practices, process improvements and other information gleaned during compliance efforts, with the names and contact information of the people involved. CPAs can use that information to start a dialogue with them and others in the company.
Suntron’s Harper believes this enterprise-wide approach will lead to enhanced productivity, more efficient and effective processes, lower transaction costs and better controls. “One of the biggest benefits to mapping out all of these processes is it makes the company more process-reliant and less dependent on individuals’ tribal knowledge,” he says. “If people are promoted or leave the company, it will be less cause for concern because the process will be documented well enough for the next person to come in and handle things efficiently.”