
How to Establish a Financial Compliance Office


By Jerry Walsh
Director of Service Strategy
Parson Consulting

"Some have greatness thrust upon them." That's Shakespeare, but American business is no exception to the Bard's rule. Many companies view the Sarbanes-Oxley Act as no more than an unwelcome event -- intrusive, expensive, and unnecessary. Farsighted companies see SOX not only as a regulatory requirement, but also as an opportunity to improve competitiveness and profits. Companies that do not embrace this concept may find themselves at a competitive disadvantage.

A challenge in realizing greatness is the creation and implementation of a mechanism to not only manage the total cost of compliance but also harvest benefits. This article proposes an approach to create a financial compliance office to address the challenge.

Compliance Office
The successful design and implementation of a financial compliance function entails the following broad steps:

• Develop the compliance framework, mission and objectives, roles, responsibilities, and activities of cross-functional constituents

• Define organizational model for compliance

• Develop four important capabilities (program management, monitoring, testing and reporting) within the compliance function

• Identify, select, and implement technology to support compliance

Framework
The most challenging task in establishing the compliance office is to determine its scope and responsibilities. Questions to be discussed with top management and all key constituents include:

• Start small or go all the way? That is, should controls be restricted to SOX alone or be extended to all financial matters, or even to non-financial operations?

• How should the office's mission be defined? Will it be a setter of standards and policy, an enforcer, or both?

Further, the depth and breadth of its responsibilities and relationships with constituents should be defined. Keep in mind that the greater the complexity of compliance issues, the greater the responsibilities and authority that the office must undertake. Whom will the office report to? The compliance officer should report to the highest autonomous body in the company. It could be the Audit Committee of the Board or the head of internal audit or some independent party, outside the area of monitoring, who is in a position to remain objective. The compliance officer will play an active part on the board's Governance Committee, reporting regularly on how the system is working and suggesting improvements.

Organizational structure
A financial compliance operation should be large enough to get the job done and small enough to run efficiently. A small company might get along with one person. The size and structure of the compliance office depends on the organizational complexity of the company and the office's mission. Here are two models of how to organize in a complex enterprise. In a "capabilities focused" model, each person performs specialist activity across the enterprise. In a "division focused" model, each person executes all compliance capabilities for assigned business units. Some companies may require a hybrid.



In any case, for companies of scale, the compliance office must be full-time. Part-time is unlikely to secure the attention and respect required for effective operation.

Building key capabilities
Once the framework and infrastructure of the financial compliance function are established, the function needs to develop the capability to perform four key activities as shown in Figure 1.



Compliance program management
The financial compliance office will typically manage four dimensions of the compliance program as follows:

• Communication and training

• Documentation and testing

• Remediation efforts

• Process improvement

Of the four dimensions listed above, communication and process improvement will have the greatest impact on the effectiveness and total cost of the overall program.

Communication and training are vital in maintaining "control consciousness" throughout the company. The office should communicate and train employees in the company's ethical standards. With tact and firmness, it should make sure that ethical commitments are reinforced continuously by top management. Compliance officers must update employees about the latest changes in requirements and solicit help in solving current problems. Across all enterprise constituents, they should encourage and reinforce an attitude of ownership and accountability for controls, and the positive impact a strong control environment can have on the overall success of the company. A compliance officer must agree with key stakeholders on how and when successes or setbacks should be communicated to what levels of the organization.

Process improvement identification and realization can have a tremendous impact on the total cost of compliance. Whereas the benefit of compliance program efficiency tactics can be measured in terms of percentage of cost, process improvement benefits can often be measured in terms of multiples of cost. The SOX compliance process has forced a detailed examination of enterprise processes and exposed redundancies and inefficiencies. The financial compliance function is perfectly positioned to catalog and evaluate improvement opportunities and to campaign for change.

Monitoring
While compliance program management allows the financial compliance function to implement change, the monitoring capability identifies change. Specifically, the function surveys for process changes, appropriate process and policy application, and process exceptions (reported by the process owners or detected through testing). Additionally, the function should be on watch for significant events such as acquisitions, major technology initiatives and management reorganizations. The challenge for the compliance officer is selecting and establishing the right kind of mechanisms to gain visibility to change. Many companies are choosing Control Self Assessments (CSA) as a component of their monitoring program. Clients should recognize that the CSA methodology has limitations and therefore should not rely on it exclusively. Many companies are now considering technologies that can support the monitoring process.

Testing
In addition to the frequency and methods of testing, the compliance office should consider whether testing should be performed in-house. Many companies that outsourced testing for initial compliance with SOX must now decide whether to build testing capability in-house or to continue to outsource. The decision is usually based on weighing long-term cost and risk. Internal testing saves money, while outsourced parties may be more objective and thorough. To achieve efficiency, the office should coordinate all internal testing schedules. This entails determining the timing of re-testing after control deficiencies have been discovered, and reviewing current closing and financial reporting procedures against those meeting quarterly SOX 302 and annual SOX 404 certifications.

Reporting
The compliance officer should report regularly to a governing body within the company regarding both the status and effectiveness of its financial compliance program. A responsible management team will want to know what's going badly along with what's going well. Issues include what types of reports should go to whom, and how effectiveness should be measured. For example, Key Performance Indicators or a "dashboard," specific to corporate governance, can be developed with input from owners of the measures.

Technology enabler
Over the past two years, the landscape of compliance-oriented software has undergone a sea change. By now, many fringe players have left the market, and a few strong players have continued to enhance their products. These include document management, repository, automated survey and risk assessment, dashboards, ERP, and middleware workflow applications. With its thorough understanding of business requirements across functions and divisions, the compliance office should be able to provide an objective assessment of the best tools and how they should be applied to the organization. Selection factors to be balanced include manual vs. automated tasks, level of customization, data quality and data governance.

The compliance office plays a critical role in managing the total cost of compliance and in building a culture of strong corporate governance. Speculation about the cost of continued compliance abounds, and some organizations have perceived the cost as a heavy liability. Over the longer run, however, a well-controlled and better-managed enterprise should be able to leverage the financial compliance investment to gain competitive advantage.

Along with SOX, greatness has been thrust upon American business. Take it, and run with it.








© 2019 Simplex Knowledge Company. All Rights Reserved.