Reproduction permitted for personal use only. For reprints and reprint permission, contact reprints@wistechnology.com.

Technology helps but the best way to reduce Sarbox cost is with people

The heartbeat of strong controls is clearly in the hands of people. While the movement to automate controls has appropriately gained momentum in an effort to reduce testing efforts and maximize operating effectiveness, the majority of entity-wide controls rely upon people.

Investing in your people and culture, which is the essence of entity-wide controls, is a company's safest bet to avoid material weaknesses and gain cost efficiencies. Competent people working within a healthy control environment will do more to reassure your external auditors than anything you can provide on the costly documentation front.

Controls are simply policies, procedures, and activities within a process to reach operating, compliance, or financial reporting objectives.

Entity-wide controls include: promoting ethical values, a commitment to competence, the board's influence on “tone-at-the-top,” plus organizational structure, assignment of authority, and human resource practices. People ultimately establish and oversee company objectives and the underlying controls to reach them. Unfortunately, the reality is that many companies continue to struggle on this front.

A Compliance Week analysis of internal control weakness disclosures (Sept. 6, 2006), covering internal controls over financial reporting at approximately 400 public companies, found that personnel was by far the most common source of problems. Causes of personnel weaknesses include:
• Shortage of skilled people.

• Disgruntled employees.

• Wrong skill sets for position.

• Poor training.

• Overwhelming workloads.

• Excessive staff turnover.

• Poor accountability.

• Weak segregation of duties.

• Poor supervision.

Floored by 404

These challenges are nothing new. However, they are coming to the forefront largely due to Section 404 of Sarbanes-Oxley (SOX), which requires public companies to evaluate and report on internal controls over financial reporting (ICFR) in their annual report to the Securities and Exchange Commission. Still, many managers and internal auditors continue to miss opportunities to adequately address personnel risks.

Part of the challenge rests with understanding the top-down, risk-based approach in conducting control assessments as suggested by the SEC and the Public Company Accounting Oversight Board. A top-down approach means evaluating controls in a sequential manner starting with entity-wide controls, while a risk-based effort simply directs resources to the highest risk areas relative to financial misstatement.

Understanding your people and the associated risks is critical in rolling out a top-down and risk-based approach. Here are some suggestions for addressing people-related risks through control assessments:

Begin with entity-wide controls, especially the company's attitude toward ensuring an appropriate level of management and staff competency. Companies don't necessarily need to be hiring the most expensive staff on the market, but they do need to hire the right caliber of people for positions.

Be diligent with your risk assessment process. Commit to a schedule of periodic risk assessment sessions that include robust brainstorming among a diverse range of managers and process owners.

Take an inventory of key personnel involved with entity-wide and application-level controls over financial reporting. Identify and quantify a series of metrics pertaining to skill sets, workloads, competency levels, training needs, incentives, accountabilities, and performance levels.

Be on the lookout for warning signs such as disgruntled employees, missed deadlines, concerns of overwhelming workloads, confusion over roles, high staff turnover, and excessive absences.

Invest in monitoring activities since controls tend to deteriorate over time when there is little or no monitoring. Objective supervisors can and should play a key role.

Candid look

In conclusion, companies can greatly benefit by investing in their managers and staff to help reach corporate objectives. This is especially true for public companies attempting to maximize cost efficiencies and benefits through their SOX-404 process.

By taking a candid look at their people and related risks early in the annual assessment process, companies can be well on their way to a successful control evaluation. Good luck, and remember that your company is only as good as its people.

Ronald Kral is a partner with Candela Solutions. He can be reached at rkral@candelasolutions.com.

The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC.

WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.
