Introduction
In response to the recent spate of corporate financial scandals,
the US Congress has stepped up efforts to rein in corporate malfeasance
and restore faith in financial reporting. The Sarbanes-Oxley
Act of 2002 is landmark legislation designed to make public companies
more transparent in their financial reporting and more proactive
in sharing material information with other participants in the
financial reporting chain, which includes auditors, audit committees,
analysts and investors.
A new compliance regime is swiftly falling into place that will
hold public corporations and other participants in the financial
reporting chain to significantly higher standards of corporate
governance. For CEOs and CFOs, complying with these new, strict
standards is not a matter of choice -- it is the cost of doing
business in the new compliance age.
The penalties for non-compliance will be heavy. While the prospect
of personal criminal liability looms for executives, there are
even steeper penalties for corporations to consider, including
a tarnished corporate brand image, heavy fines and lower shareholder
confidence. These penalties result in reduced sales and lower
stock prices from which it takes years and millions of dollars
to recover.
Compliance is not easy. For many organizations, first-time compliance
with Sarbanes-Oxley
will consume a great deal of time and budget. Corporations that
fail to develop a comprehensive strategy for ongoing compliance
- quarter over quarter and year over year - will continually incur
these high costs. Furthermore, legislation will continue to evolve
over time, creating new compliance requirements that demand constant
corporate attention and draw on additional resources.
With the "reprieve" rulings of May 2003 and February
2004, the SEC has given many public and private corporations time
to step back and take a strategic approach to corporate compliance,
rather than making rash tactical decisions that, in the long run,
will incur higher costs and greater resource drain. Many forward-looking
organizations understand the benefits of strategic, proactive
compliance. Their approach to compliance has transformed Sarbanes-Oxley
compliance from a painful, "have-to-do" process to an
opportunity for continual business improvement.
The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley
Act is a complex act with many provisions. The two sections most
relevant to public corporations are Sections 302 and 404. Section
302 pertains to disclosure controls and procedures; Section 404
to internal controls and procedures for financial reporting.
Section 302 of the Sarbanes-Oxley
Act mandates that CEOs and CFOs personally certify financial statements
and filings, as well as affirm that they are responsible for establishing
and enforcing disclosure controls and procedures at all levels
of their corporation. With each quarterly filing, they must certify
that they have evaluated the effectiveness of these controls.
In addition, they must disclose to their audit committee all significant
deficiencies, material weaknesses, and acts of fraud.
Section 404 of the Sarbanes-Oxley
Act requires an annual evaluation of internal controls and procedures
for financial reporting. Under this section, a corporation must
document its existing controls that have a bearing on financial
reporting, test them for efficacy, and report on gaps and deficiencies.
Furthermore, the company's independent auditor must issue a report,
to be included in the company's annual report, that attests to
management's assertion on the effectiveness of internal controls
and procedures and financial reporting.
The Sarbanes-Oxley
Act also describes other responsibilities. For example, it informs
company boards of their responsibilities with respect to the institution
of audit committees. It instructs the SEC to create an independent
public accounting oversight board (PCAOB) with the express mandate
to regulate the conduct of audit firms. Furthermore, it lays down
guidelines for conduct of attorneys that represent public corporations
before the SEC.
Responding to the Act
In order to be in compliance with the Sarbanes-Oxley
Act, CEOs, CFOs, independent auditors and audit committees will
need to:
- Certify the accuracy of financial statements and disclosures
- Indicate in each periodic report whether or not there were
significant changes in internal controls or related factors
since their most recent evaluation, and disclose all deficiencies
in the design or operation of internal controls
- Provide auditor's attestation to, and report on, management's
assessment of the internal controls and procedures for financial
reporting
- Report that controls and procedures for financial reporting
and disclosure have been evaluated for effectiveness within
the past 90 days
The various components of corporate governance legislation will
be enacted over time. For example, Section 302 is already in effect
and Section 404 will begin to take effect in November of 2004.
But while legislators have taken a piecemeal approach to enforcing
regulations, companies that take the same approach and attempt
to solve each requirement individually will spend a great deal
of time and money to get into and stay in compliance.
For most corporations, the most challenging aspect of complying
with the Sarbanes-Oxley
Act is finding a prescriptive method that describes a sequence
of steps that can be followed. This section outlines an initial
methodology to develop Sarbanes-Oxley
compliance initiatives.
Planning and Preparation
In planning for Sarbanes-Oxley,
corporations may choose to work with an audit firm and adopt its
prescribed internal controls framework for compliance. Leading
firms such as PricewaterhouseCoopers, Ernst & Young, Deloitte,
and others have developed programs that can help corporations
with their compliance initiatives. Most leading audit firms use
methods that are derivatives of COSO - a well-known framework
recommended by the SEC for internal controls. It is possible for
corporations to adopt other proprietary controls frameworks as
well, but COSO has the benefit of being widely accepted and understood.
Most corporations form a project team that is dedicated to the
establishment of an internal controls program. Typically, the
project manager would be a member of the CFO's organization, and
individual team members would represent the various lines of business
in the organization that are subject to internal controls. An
important early step is the assessment of the control environment,
including cultural elements such as integrity, ethics, competence,
management philosophy and style, delegation of responsibility
and accountability, and involvement of the board of directors.
Another key early step is the identification of significant accounts
that have high financial reporting and disclosure risks.
Understand and Document Controls
A critical facet of implementing an internal controls
framework is developing a repository of documented controls. Internal
controls, according to COSO, may relate to different aspects of
running the business, particularly financial reporting, operations,
and compliance. COSO defines three key concepts - business objectives,
risks and controls. An objective represents a business goal. For
example, a cash account must be reconciled at all times. Objectives
are subject to risks. In this case, the risk may be that the person in charge
of balancing the account is engaging in unethical conduct.
Risks must be mitigated via controls; in this case, the control could be
that every cash account must be reconciled and approved by a second
person.
Every audit firm wraps its methodology around COSO. For example,
the Ernst & Young methodology identifies four key concepts
- accounts, processes, risks and controls. Accounts represent
specific significant line items that belong in the financial statements
of the company. Processes represent actions undertaken to achieve
business objectives. The meaning of risks and controls becomes
relevant once they are associated with a business entity and its key processes.
Much of the effort in complying with Section 404 of the Sarbanes-Oxley
Act involves developing and fine-tuning an internal controls repository,
and in articulating these relationships.
Test and Evaluate Internal Control Effectiveness
Once controls have been documented, they have to be tested
for effectiveness by various parties. Initially, testing is manual
and is performed by members of the documentation team responsible
for designing controls. Following the initial tests, the internal
audit team performs an evaluation of the tested controls.
During the testing and evaluation process, controls are checked
to determine whether they would be likely to prevent and/or detect
a material error in financial statement assertions. If controls
are deemed ineffective, the company may need to update existing
and/or create additional controls.
Establish Ongoing Monitoring of Controls
Key to ensuring ongoing compliance is establishing effective
monitoring of internal controls. Corporations need to institute
a monitoring system to automatically test controls for effectiveness
over time, so that, if necessary, corrective action can be taken.
Many companies will turn to robust software applications with
powerful compliance automation capabilities that facilitate the
ongoing monitoring of controls. Predefined workflows can be set
up to model testing procedures, and can be scheduled to run on
a periodic basis. Additionally, dashboard reports provide management
with real-time views of key compliance data.
Attestation by External Auditor
Once management has asserted that controls are in place
and has documented their effectiveness, it falls to the external
auditor to complete the last phase of Section 404 -- testing management's
assertions that internal controls for financial reporting are
in place and effective. Based on the results of these tests, the
external auditor will provide an independent attestation based
on management's assertions that will be included in the company's
annual report. If the company has a mature internal controls framework,
supported by a robust enterprise compliance management system,
management will be far more confident in its certifications, and
the task of the external auditors will be significantly eased.
The Sarbanes-Oxley
Act of 2002 is the most sweeping legislation affecting corporate
governance in over a generation. And, it is not going away. In
fact, it will only get worse. Over time, regulations associated
with the Act will continue to evolve, and new requirements will
be introduced.
As companies develop their corporate compliance strategies, it
is important to look beyond today and develop an integrated compliance
strategy that considers the ongoing time and resource costs associated
with the continual test and evaluation of internal controls. Many
companies will rely on software solutions that drive efficiencies
into compliance processes.
OpenPages FCM
OpenPages FCM
is an enterprise compliance management software solution that
reduces the time and resource costs associated with ongoing compliance
for Sections 302 and 404 of the Sarbanes-Oxley
Act.
An application focused exclusively on Sarbanes-Oxley
compliance, OpenPages FCM combines powerful document and business
process management with flexible reporting capabilities in an
extremely easy-to-use environment that enables CEOs, CFOs and
financial management officers to enforce internal controls.
OpenPages FCM helps corporations automate significant aspects of
their internal controls framework to significantly reduce the
overall cost of compliance. Its dashboards can be used by project
managers, documentation team members and internal auditors to
plan, document and test the internal controls of the company,
and eventually to attest to the financial statements.
For Section 404,
OpenPages FCM automates the planning, documentation, test, review,
approval and ongoing monitoring of a company's internal controls
framework. OpenPages FCM provides a COSO-based internal control
framework and a built-in controls library to shorten time-to-compliance
and to accelerate compliance audits.
For Section 302,
OpenPages FCM creates a process for report certification in which
individual process owners first provide sub-certification for
their areas of jurisdiction. Sub-certifications are then "rolled-up"
throughout the company and approved by managers at each business
level. OpenPages FCM then presents a final certification report
in preparation of the company's Section 302 representation letter
from corporate officers.
With a browser-based interface and a standards-based architecture,
OpenPages FCM is rapidly installed and easily integrated into existing
IT environments. Built on a Java-based web-services architecture,
it has minimal impact on existing infrastructure and resources,
which IT organizations will appreciate. Because of its intuitive
interface, consistent navigation and format, OpenPages FCM is extremely easy to use. Personalized, user-specific
home pages make the user experience extremely efficient and ensure
rapid end-user adoption and productivity.
OpenPages FCM and Section 404
OpenPages FCM allows a company to automate the quarterly test
and review of internal controls to lower the costs associated
with quarter over quarter compliance. With user-specific home
pages, email integration, easy-to-use navigation and interactive
reporting capabilities, OpenPages FCM creates a highly productive
compliance environment with five key areas of functionality -
project management, documentation, compliance automation, issues
management and monitoring.
Project Management
In most companies, a cross-functional project team drawn from
different operational areas of the business is set up to document
internal controls under the leadership of a project manager, who
is usually a CFO delegate. OpenPages FCM assists the project manager in starting new controls documentation
"projects" and capturing information about the project
(for example, project name, reporting period, start date, due
date, assigned team members, etc.). Project plans can be developed
with milestones and user task assignments. Users can define specific
attributes for each task (such as name, description, owner, assignee,
business unit/location, start date, due date, percent complete,
completion date, notes, preceding task, related documents, etc.).
OpenPages FCM controls access to project information. The project
manager has unrestricted access to all information at all times,
while individual team members have a read-only view of the entire
project, and write access to items assigned to them. Additionally,
OpenPages FCM monitors the progress of a controls documentation
project. Project plans are dynamically updated with the latest
information (such as percent complete for each task, comments
added by task assignees, etc.).
Documentation
OpenPages FCM enables members of the project team to document details
of their internal controls by adding information about business
entities, accounts, processes, risks, controls, tests and test
results. Entities can be used to model business units such as
divisions, plants, locations, etc. and can nest within other entities
to create a hierarchy of business units. OpenPages FCM provides
support for automatic import of account information from external
general ledger and other systems. Project team members can attach
related documents (e.g. policy manuals, pre-existing corporate
guidelines, etc.) to all accounts, processes, risks, controls,
tests and test results. Additionally, they can select only those
documents relevant to the business at hand, using a pre-loaded,
custom library of controls and a guided-action interface. The
library can be customized to support specific industries, such
as retail, healthcare, telecommunications and financial services.
Compliance Automation
OpenPages FCM provides mechanisms for intelligent task management and
routing between project team members. For example, upon logging
into the system, a team member sees her "My Tasks" list
on her home page, which is a personalized list of all of the tasks
in the project plan that are assigned to her. (Typical examples
of tasks on the My Task list are "document control X"
or "test control Y.") At any time, the team member can
update information about a task (such as percent complete or comments),
which then updates the underlying project plan. Team members can
apply various criteria to filter and sort their individual tasks,
while the project manager can do the same for all of the tasks
related to the project. Team members can take advantage of ad-hoc
workflow to forward tasks to other users for further action, such
as submitting a documentation task to a reviewer for review and
approval.
In order to enforce the standardization of formerly ad hoc or
informally documented processes, OpenPages FCM provides business
process integration that enables users to automate such key processes
as effectiveness reviews, approvals and tests. The system provides
custom workflows for each internal control document type to intelligently
route tasks based on status or other data associated with internal
controls. Assigned tasks are indicated on each user's Home Page.
Task details provide each user with links to work that must be
performed and actions they must take to complete their tasks.
Issues Management
As controls are documented, exceptions can occur and issues will
arise. OpenPages FCM provides a way for the project team to resolve these issues
efficiently. Issues can be created as standalone items or within
the context of specific entities, accounts, processes, risks,
controls and tests. Issues can have multiple attributes (such
as name, description, status and/or severity) and can be viewed
with selectable filter criteria (such as status and severity).
Action Plans can also be developed in the context of an issue,
such as "Please update this document." These plans can be delegated
to other team members to complete. Issues are thus resolved collaboratively.
Interactive and Dynamic Monitoring
OpenPages FCM provides facilities for compliance monitoring. Interactive
and dynamic reports enhance management's access to critical decision
points, enabling issue identification and resolution in real time.
The following reports are available in online dashboard and printable
formats:
- Report of all accounts
- Report of all processes
- Report of all risks
- Report of all controls, including ineffective controls
- Report of incomplete documentation
- Reports on poor segregation of responsibilities
- Reports on at-risk action items in project plans
- Reports on issues
- Custom reports can be created using the OpenPages FCM reporting
framework
Interactive and dynamic report templates are parameterized and
new reports based on different criteria are easily created via
dashboard support and via links to the control repository. A graphical
report template builder facilitates generation of new report types
that may then be deployed to authorized users.
In addition, OpenPages is integrated with leading third-party
reporting applications, such as those from Cognos, Hyperion and
Business Objects, to provide customers with additional reporting
options that leverage their existing technology investments.
OpenPages FCM and Section 302
For compliance with Section 302, OpenPages FCM provides fully
articulated survey capabilities that automate the quarterly representation
letter certification process. Configurable to match the organizational
structure of any company, OpenPages FCM's survey automation creates
a process for report certification in which individual process
owners first provide sub-certification for their areas of jurisdiction.
Upon their approvals, surveys are "rolled-up" into
summary surveys for business unit executives to provide their
attestation. Once approved, a final survey is presented to corporate
management for final review and certification. OpenPages FCM tracks
each step of the process, notifying employees as to their specific
tasks via email.
With configurable, interactive reporting, OpenPages FCM automatically
generates executive dashboards based on the results of the surveys.
Stoplight-style, color-coded charts alert executives as to the
state of information for each division, with dynamic drill-down
capabilities that enable issues to be identified and remediated
quickly and easily.
Specific certification functionality in OpenPages FCM includes:
- Full configurability of any survey form, empowered with full
change control, audit trails and monitoring
- Version control over each respondent state/instance of every
survey
- Workflow-driven processing from assessor to certifier to
survey administration to managerial oversight via monitorable,
email notifications
- A highly flexible hierarchical survey deployment model, where
surveys may be executed for any object level, including entity-specific,
process-specific and/or control-specific views
- Full certification and sub-certification support including
standard templates to help ensure the rapid deployment and consistent
support of executive reporting obligations
OpenPages FCM complements a company's Section 302 work-to-date via its
data import facility, which automatically includes all currently
captured internal controls work within its scalable and secure
repository. As a result, the company is assured it is operating
within a standard COSO-based framework for ongoing controls self-assessment.
In addition, OpenPages FCM facilitates the future assimilation of
acquired or restructured entities, subject to the same suite of
services including interactive dashboards and multi-format reporting.
Sarbanes Oxley Compliance Solutions from OpenPages
Openpages is a leader in Sarbanes Oxley Compliance. Founded in 1996, OpenPages develops Sarbanes Oxley, enterprise governance, risk and compliance management solutions that streamline knowledge-intensive processes to improve corporate accountability, reduce disclosure process cost, enhance internal controls management productivity, and increase investor confidence. The company's portfolio includes the premier Sarbanes Oxley software solution, OpenPages FCM, the market-leading enterprise application for automating the corporate financial reporting and disclosure compliance requirements of Sections 404 and 302 of the 2002 Sarbanes Oxley Act.
About OpenPages
OpenPages is the leading provider of Governance, Compliance and Risk
Management solutions
for Sarbanes-Oxley Compliance, Financial Controls Management, General
Compliance Management, Operational
Risk Management and IT
Governance.
The company’s solutions provide the visibility, decision support and
control to improve accountability, better manage risk, achieve compliance
with numerous regulations, improve operational performance and align strategies
to ensure better results.
Market-leading corporations in financial services, manufacturing, telecommunications,
media/entertainment, retail/consumer, energy, high technology, health services
and life sciences rely on OpenPages to help them achieve sustainable governance,
risk and compliance management -- enabling them to become well-governed businesses.
Founded in 1996, the company is headquartered in Waltham, Massachusetts, with
regional offices throughout North America and international offices in London, Munich, Paris, Tokyo and Hong Kong.
For more information on OpenPages' suite of business governance software solutions
or to register for an online demonstration, please call 781-693-5999 or visit
www.openpages.com.