Archive for the ‘Q & A’ Category
Posted on July 27th, 2007 by Audit Trail
Audit Trail recently had another chance to catch up with Phil Livingston, vice chairman of the board of directors of Approva, to find out his perspective on what can be expected in the future with SOX.
Audit Trail: In the last year we’ve seen significant clarifications with regard to Sarbanes-Oxley. Do you see more changes coming?
Phil Livingston: The area most ripe for change continues to be Section 404. While the SEC and PCAOB have addressed some of the provision’s earlier shortcomings, there’s still a good amount of concern out there about 404. Some voices, including many smaller public companies, are calling for an outright repeal of 404 because they feel it goes too far and is simply not practical. Others, and I’d put myself in this camp, believe it can be implemented cost-effectively. Time will tell, but if you’re watching for change, that’s a likely place to look. Even retired U.S. Senator Paul Sarbanes, in a recent CFO magazine piece, commented on how Section 404’s mere 172 words (out of SOX’s roughly 30,000) took on a surprising scope for regulators and companies.
AT: How will Sarbanes-Oxley influence international business in the coming years? Are there any particulars that international players would be well advised to follow?
PL: There’s still some question as to the impact SOX will have on the global capital markets and the other exchanges around the world.
In general, SOX-like laws have been enacted or are emerging in most of the major financial capitals, though without provisions that mirror our Section 404. So there’s a real movement to bring reform and established reporting and accounting standards to what’s effectively become a global capital market. Auditors and auditing standards are becoming more tightly regulated globally, so investors can enjoy a reasonable level of consistency from market to market.
One notable exception is the UK where SOX-like provisions have not been implemented. This is making it easier for companies to list outside the United States, and on an exchange that is reasonably convenient to the rapidly expanding economies of Eastern Europe and Asia. But one could make the case that, for investors, this convenience may be offset by a higher degree of risk.
AT: Can you imagine a scandal the likes of Enron happening again, or is Sarbanes-Oxley doing its job?
PL: It’s truly hard to imagine collapses of that magnitude happening under the current paradigm. Can SOX guarantee that in 30 years or so someone won’t figure out a way to game the system? No. But it’s really hard to see how that could happen given the breadth and scope of SOX and the way American companies have embraced and operationalized its tenets.
AT: Do you have any predictions for the future related to SOX and its impact on the American financial markets?
PL: One element of this whole SOX phenomenon that I find very encouraging is the move by companies to automate their controls in pursuit of accurate efficiency. The philosophy seems to be to explore automation first then supplement it with manual processes where appropriate. This tells me that companies want to do things right, efficiently, and ensure that they remain accurate and sustainable for the long-term. Whether there’s a prediction in there, I’ll leave to your readers.
AT: Phil Livingston, thank you for your time.
PL: You’re welcome.
Phil Livingston is vice chairman of the board of directors of Approva Corporation. He is also a director and audit committee chair of Cott Corporation (NYSE: COT), former CEO of Financial Executives International (FEI), as well as a former CFO of several companies. Livingston earned his CPA while working in financial management and auditing with Genentech and Ernst & Young. He testified before the U.S. House of Representatives Financial Services Committee during the formulation of Sarbanes-Oxley and directly authored two sections of the legislation.
Tags: Approva, Phil Livingston, SOX, Automated Controls
Posted on July 24th, 2007 by Audit Trail
Audit Trail recently caught up with Harvey Pitt, independent board member of Approva, to get his perspective on what the environment was like that generated SOX and how things have changed over the last five years.
Audit Trail: Do you think SOX has been successful in restoring investor confidence?
Harvey Pitt: Yes. I think Sarbanes-Oxley has significantly increased investor confidence. Just take a look at the Dow Jones average. It continues to set record after record. This is the best indication, in my view, that SOX is contributing to increased investor confidence and that markets are functioning as well as and even better than before the scandals that led to SOX. Since its October 9, 2002 nadir of 7,286, shortly after SOX was passed, the Dow has exceeded its previous all-time high, closing at 11,727 less than four years later on October 3, 2006. The markets continue to rise and the Dow has reached multiple new all-time highs throughout 2007 along with the NYSE and NASDAQ indexes.
AT: What has surprised you most over the past five years as you have watched companies and regulators implement SOX?
HP: The road to implementing SOX has not been an easy one. Looking at how companies and regulators have implemented SOX I have to say that I am impressed with the demonstrated corporate desire to get it right and do the right thing.
The original intent that drove SOX was clearly stated and remains a sound rationale: “to protect investors by improving the accuracy and reliability of corporate disclosures and financial reporting.”
The original law had some shortcomings – a byproduct of its hasty passage. To their credit, the SEC and PCAOB have subsequently focused on fine-tuning their implementation of the statute.
Overall, public corporations have shown a consistent desire to adhere to both the letter and the spirit of SOX. They’re looking beyond mere compliance to focus on good governance. I believe that what we’re seeing today represents a significantly higher level of corporate accountability than we’ve seen in the past. SOX is definitely a major part of the move to good governance and the increased veracity of the financial statements that corporations file with the SEC each quarter.
AT: You are credited with coining the term “Corporate Darwinism”. Where do you see it in play today?
HP: Some people have taken great interest in the fact that I coined the phrase “Corporate Darwinism.” What I meant by that term is that we have a global economy where people and corporations compete for finite amounts of capital. In an increasingly global economy that relies on a finite amount of capital, only the fittest public corporations will survive and thrive. Fitness is increasingly defined in terms of transparency, good governance, and, here in the United States, compliance with SOX.
I see that very much in evidence today. Companies that have embraced stronger audit processes, governance policies, and that place a high value on transparency are prospering. Those that have paid lip service are floundering. It really is survival of the fittest. At the end of the day it’s helping investors.
AT: Five years later do you still believe in Sarbanes-Oxley?
HP: As we approach the five year anniversary of Sarbanes-Oxley I believe in the principles that SOX attempted to instill in corporate America and in the accounting profession. Looking back, I would have preferred if the statute had been drafted differently, but I believe that its essential purpose and mandate were sound and – five years after its passage – we are reaping the benefits. While the road has not been easy, both the public and commercial sectors are working hard to fill the holes and smooth out the rough spots. The roles and responsibilities of corporate executives and external auditors are being clarified and the SEC, under Chairman Christopher Cox, and the PCAOB are taking a principles-based approach to securing and strengthening SOX’s positive contributions while mitigating the unintended negative byproducts.
AT: What are you up to these days?
HP: I’m the CEO of Kalorama Partners, a global strategic consulting firm. We’re working with corporations, financial services firms, boards, audit committees, compensation committees and others to help them get ahead of the curve and excel in three areas: (1) governance, (2) transparency, and (3) compliance. It’s a very rewarding way to spend my time.
AT: Harvey Pitt, thank you for spending this time with us.
HP: It’s been my pleasure.
Harvey L. Pitt, CEO of the global business consulting firm Kalorama Partners, is a former SEC chairman and a current independent board member of Approva Corporation. As SEC chairman from 2001 to 2003, Pitt led the commission’s response to the market disruptions resulting from the terrorist attacks of 9/11 and led the commission’s adoption of dozens of rules in response to the corporate and accounting crises generated by the excesses of the 1990s.
Tags: Harvey Pitt, SOX, SEC, PCAOB, Corporate Darwinism, Sarbanes-Oxley, Governance, Transparency, Compliance
Posted on July 20th, 2007 by Audit Trail
Audit Trail recently caught up with Phil Livingston, vice chairman of the board of directors of Approva, to find out his perspective on the formation of SOX legislation, as well as his views on the past five years.
Audit Trail: After five years, are you still a supporter of Sarbanes-Oxley?
Phil Livingston: Yes, I am. The circumstances leading up to the bill’s formulation and the law’s implementation caused some unforeseen complications, but even with those complications—which are being thoughtfully addressed—SOX has delivered a number of substantive, long-lasting benefits to investors, corporations, and the audit profession.
Corporations have embraced the tenets of SOX to strengthen their auditing, controls, and reporting processes and systems, and also to bolster the independence and overall effectiveness of their boards. Auditors now have regulations and standards in place that solidify the accountability they deliver to client companies.
AT: What were the biggest challenges of getting Sarbanes-Oxley passed?
PL: The single biggest challenge for SOX was the circumstances that compelled its formulation and passage. While Congress had been considering a variety of draft bills related to corporate financial reporting, nothing moves legislators and legislatures to bold action like a crisis. And unfortunately, the Enron and Tyco collapses constituted a crisis. Then, when WorldCom followed suit and the president called for legislation, things heated up more and began moving fast.
I was the CEO of Financial Executives International (FEI) at the time, an organization that became integrally involved in the process. We submitted two proposals, dealing with executives’ ethical codes of conduct and the need for financial experts on corporate audit committees, which eventually became Sections 406 and 407, respectively, of the law. When the bill was passed and the president signed it into law, it wasn’t perfect, but it was solid. The SEC began its painstaking work of implementing the law, which included forming and launching the PCAOB. Companies and auditors began gearing up to understand, prepare for, and comply with the new regulations and standards.
As compliance deadlines approached, some issues became apparent. Section 404 in particular, which mandated the auditing of controls systems, became a major revolution itself, requiring unexpected time and resource investments. Looking back, a more realistic implementation schedule and some objective field testing would have been a more practical approach. But those issues are being addressed, and I’m optimistic that the costs of 404 compliance will become more manageable in the future.
All things considered, and though passed in response to an unprecedented crisis, SOX has had a very positive impact.
AT: How did your role with FEI prepare you for Sarbanes-Oxley?
PL: As I said, FEI had been involved in some of the earlier drafts circulating on the Hill. When things heated up, I found myself testifying before Congressman Oxley’s subcommittee and drafting proposals that were eventually incorporated in his legislation. And certainly working with so many amazing CFOs gave me a perspective that helped others more clearly understand how to effectively respond to the crisis.
AT: How do you think the evolution of Sarbanes-Oxley has benefited American business?
PL: Aside from the macro-level benefits that are reflected in the current strong markets, SOX has delivered some solid operations- and governance-level benefits as well. Before SOX, corporate finance teams were getting pretty thin due to general cost-cutting trends. That phenomenon seems to have reversed a bit and corporate finance organizations have gotten stronger along with their controls systems. Boards have also become more independent and thus able to provide more effective oversight. Finally, with the auditing industry now regulated and working under institutionalized standards, external auditors can now deliver even more accountability to their corporate clients.
AT: What was the most memorable aspect of your participation in the Sarbanes-Oxley formulation?
PL: Testifying before the Oxley subcommittee and attending the White House signing ceremony were high points for me. Having the chance to witness some impressive institutional and individual contributions was also really memorable. Then-SEC Commissioner Harvey Pitt did an exemplary job of implementing an unprecedented number of new regulations in a very short time period against a backdrop of massive political pressure. The New York Stock Exchange demonstrated substantial leadership. And a number of corporate CFOs, in particular Phil Ameen at GE, Steve Patrick at Colgate, Frank Borelli at Marsh & McLennan, David Shedlarz at Pfizer, and Pedro Reinhard at Dow, really stepped forward to make a positive difference.
AT: Phil Livingston, thank you for your time.
PL: It’s been a pleasure.
Phil Livingston is vice chairman of the board of directors of Approva Corporation. He is also a director and audit committee chair of Cott Corporation (NYSE: COT), former CEO of Financial Executives International (FEI), as well as a former CFO of several companies. Livingston earned his CPA while working in financial management and auditing with Genentech and Ernst & Young. He testified before the U.S. House of Representatives Financial Services Committee during the formulation of Sarbanes-Oxley and directly authored two sections of the legislation.
Tags: Phil Livingston, SOX, Sarbanes-Oxley, Financial Executives International, Approva
Posted on July 18th, 2007 by Audit Trail
Audit Trail recently sat down with 2008 presidential candidate Ron Paul, R-TX, one of only three members of Congress to vote against the bill at the time, to get his views on Sarbanes-Oxley five years later.
Audit Trail: It has been five years since the passage of Sarbanes-Oxley. Has your initial position on the legislation changed, or do you still believe it was an overreaction to a real problem?
Ron Paul: The damage inflicted on American businesses and capital markets by Sarbanes-Oxley has strengthened my conviction that this legislation should be repealed. In 2000, nine of every ten dollars raised by foreign companies were raised in the United States. In 2005, nine of the ten largest offerings were not registered in the United States, and, of the largest twenty-five global offerings, only one took place in the US. The number of public companies going private increased from 143 in 2001 to 245 in 2004. Sarbanes-Oxley is a, if not the, major reason companies are fleeing America’s capital markets. Furthermore, according to some estimates, Sarbanes-Oxley has cost the very investors the law claims to protect at least $1.4 trillion. How could anyone regret voting against such a harmful bill?
AT: What has been most surprising to you as you look at what has happened since Sarbanes-Oxley was enacted?
RP: The solid consensus that today exists among Representatives of both parties and the regulatory bodies charged with enforcing Sarbanes-Oxley is that this legislation, which Congress overwhelmingly passed and the administration heralded as a great achievement, was poorly drafted and that small businesses need relief from the unintended consequences of the law.
AT: Do you think the recent changes that the SEC and PCAOB have made with respect to SOX 404 will be successful in easing the burden of compliance? Do they go far enough?
RP: No, the Securities and Exchange Commission’s new regulations implementing Section 404 do not go nearly far enough in lifting the unjustified burdens Sarbanes-Oxley imposed on America’s economy.
Sarbanes-Oxley expert John Berlau, director of the Center for Entrepreneurship at the Competitive Enterprise Institute, said of the new rule that “Simply proclaiming that audits should be ‘risk-based’ won’t make them so, as long as the other mandates of this auditing standard remain in place. Auditors and companies will still face potential liability for not looking at every last process that could be deemed an ‘internal control,’ even if it has little relevance for shareholders. And the big accounting firms will also still have the big incentive to find every last ‘internal control’ they can audit and bill for.”
Of course, the regulators can only go so far in relieving the burden of Sarbanes-Oxley; it is up to Congress to correct the mistake it made when it rushed this unconstitutional, anti-prosperity, and anti-liberty bill into law.
AT: Is Sarbanes-Oxley still top of mind for you? Do you follow developments closely?
RP: Reform, or even repeal, of Sarbanes-Oxley remains one of my top priorities. As a member of the House Committee on Financial Services, I intend to continue to be an active participant in the debate over Sarbanes-Oxley and similar legislation.
Ron Paul is a 10th-term Congressman from Lake Jackson, Texas, a physician, and a candidate for the 2008 presidential election. He has represented Texas’s 14th congressional district in the U.S. House of Representatives since 1997 and represented Texas’s 22nd district in 1976 and from 1979 to 1985.
Tags: Ron Paul, SOX, SEC, Section 404, Sarbanes-Oxley
Posted on July 5th, 2007 by Audit Trail
Audit Trail recently caught up with Harvey Pitt, independent board member of Approva, to get his perspective on what the environment was like that generated SOX and how things have changed over the last five years.
Audit Trail: What was the biggest challenge of your career at the SEC?
Harvey Pitt: There were actually two big challenges that stand out from my time as SEC chairman. The first was the disruption to the capital markets that happened on September 11, 2001, and the second was the implosion of several large corporations, along with the accounting firm Arthur Andersen, that resulted from the excesses we witnessed in the 1990s.
AT: Let’s start with the market disruption that happened on 9/11.
HP: The disruption to the capital markets that occurred on 9/11 resulted in one of the longest shutdowns in the history of the U.S. securities markets. Our securities markets were shut down for six days. We wanted to make sure we could get them back up and running without any additional disruption. We knew we’d only get one crack at it.
The exceptional staff of the SEC orchestrated much of this successful response, working alongside the financial services sector and the President’s Working Group on Financial Markets to ensure a successful resumption of U.S. trading activities. I am very proud to have been associated with the commission during that critical period of history. The coordinated efforts paid off. The markets reopened on September 17, 2001 and this first day of post-9/11 trading became the highest volume trading day in history.
AT: How about the corporate meltdowns? How much do you think those events, combined with the market disruption of 9/11, set the tone for the Sarbanes-Oxley Act?
HP: The 1990s were an era of rapid technological development and broad expansion of global capital markets. But time has also shown them to be an era of corporate excesses that benefited a few at the expense of many.
The collapse of Enron, WorldCom and Arthur Andersen presented a tremendous challenge for the SEC. Philosophical discussions aside, these high-profile accounting scandals that were spawned by the excesses of the 1990s had a very real, negative impact on myriad investment and retirement portfolios as well as on the capital markets as a whole.
The SEC’s response from the trenches was eventually largely codified by Congress’s response, which established clear legal authority and defined new rules of the road for accounting firms, corporations, and investors alike. The centerpiece of this response, of course, was the Sarbanes-Oxley Act of 2002 or SOX. And while we need to recognize SOX as a significant part of the government’s response, it’s also important to remember that these unfortunate actions took place at a relatively small number of market players.
The 1990s-era corporate scandals dealt a nasty blow to the U.S. and global capital markets. The Government’s response, in harmony with that of the markets themselves and the corporate sector, minimized the short-term damage and catalyzed a sober and sustainable long-term response that continues to deliver benefits today.
AT: How has the business climate changed since your time as SEC chair?
HP: I believe that the overwhelming majority of business people want and intend to do the “right thing”. That said, the “right thing” is not always clearly defined and, as a result, ethical gray areas can lead to decisions that create problems. SOX and its aftermath, along with all of the prosecutions and SEC enforcement actions, reinforced the tendency of corporate America to do the right thing and comply with good corporate techniques and sound principles of accountability.
So the business climate has definitely changed over the last five years. There has been a marked improvement and the U.S. has been a leader. The events that followed from Enron and WorldCom were unfortunate blemishes on that record. But since I’ve left the commission I’ve seen real determination on the part of corporate America to get it right. And that’s essential to the U.S. corporate market. And today we see the combination of individual responsibility and government oversight delivering investor benefits.
AT: Do you see more corporate accountability today as compared to five years ago?
HP: Today we are working in an era of corporate transparency that has not been seen before in the United States or, in fact, anywhere in the world. As individuals, corporations, and accounting firms embrace these ideas of transparency, companies, investors, and the capital markets will all continue to benefit. I see a growing number of public companies that have embraced these ideals and continue to apply them through their governance, risk and compliance efforts.
AT: Harvey Pitt, thanks for your time.
HP: It was my pleasure.
Harvey L. Pitt, CEO of the global business consulting firm Kalorama Partners, is a former SEC chairman and a current independent board member of Approva Corporation. As SEC chairman from 2001 to 2003, Pitt led the commission’s response to the market disruptions resulting from the terrorist attacks of 9/11 and led the commission’s adoption of dozens of rules in response to the corporate and accounting crises generated by the excesses of the 1990s.
Tags: Harvey Pitt, Sarbanes Oxley Act, Kalorama Partners
Posted on May 21st, 2007 by Audit Trail
Audit Trail recently sat down with Approva Corporation Chief Technology Officer Steve Elliott. An expert on building, marketing, and selling enterprise software products in the areas of security management, Internet applications, ERP tools, and identity provisioning solutions, Elliott shared some insights on compliance and risk management.
Audit Trail: You’ve spent much of your career at the nexus of technology and risk management. Will the recent governance-related developments out of the SEC and PCAOB have any effect on corporate risks, especially those related to compliance?
Steve Elliott: Virtually any substantive announcement from any oversight authority can have an effect on risk and risk management. That said, the PCAOB’s proposed auditing standard (AS5), a corollary to new guidelines from the SEC, should indeed have an impact on how corporate boards and executives assess risk across the enterprise.
Specifically, AS5 has a lot to say about developing reliable financial statements. To the extent AS5 leads to more accurate reporting in a given company, certain risks related to inaccurate reporting are averted. This hypothetical development would then modify the overall risk profile of the company and lead to subsequent changes in the risk picture presented to the board.
AT: Are there other ways AS5 may affect risk management?
SE: AS5 also places a fair amount of emphasis on automated controls. If a company makes a significant shift from human to automated controls, the risks associated with those controls will change as well. For example, if a company relies on its managers to identify and mitigate anomalies in the company’s procurement process, it manages related risks based on that model. Should that company choose to implement systems that automate procurement controls, it must then realign its risk management program to address this new procedure. For one thing, moving from human to automated controls in this scenario is likely to reduce the risk of procurement-related losses leading to criminal prosecution of employees, which itself poses risks to both the operational well being and the public reputation of the enterprise.
AT: So maybe the link between AS5 and corporate risk isn’t so clear after all.
SE: It’s clear in that changes to a company’s audit process will lead to changes in the risks that company needs to manage. Risk is a constant; risk management is the way a company manages its own unique set of risks.
Will new auditing standards related to governance have an impact on a given company’s risk? Absolutely. Can broad lessons be gleaned from examining the proposed standards and considering their risk impact? Most likely. Will a new general auditing standard have specific risk-related impacts on a particular company? That’s a question that only the executives of the company can answer. And it will likely be a question posed by their board as the new standards move closer to implementation.
AT: Steve Elliott, thanks for chatting with us.
SE: It’s been my pleasure.
Steve Elliott is Chief Technology Officer of Approva. Steve joined Approva after serving as Vice President of Products at Virsa Systems and Director and Service Leader for the SAFE product, a PricewaterhouseCoopers global service offering centered on controlling SAP segregation of duties and continuous monitoring for Sarbanes-Oxley and audit compliance. He also spent a number of years selling and managing projects for PricewaterhouseCoopers’ Enterprise Applications Security and Controls group. Steve holds a BS in Computer Science from West Texas A&M University, an MBA from Texas Tech University, and is a graduate of the Executive Management Program at the Kellogg School of Management at Northwestern.
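Elliott’s procurement example above talks about moving from managers spotting anomalies to systems that enforce the control, and his background is in segregation-of-duties (SoD) monitoring. The block below is an added illustration of what such an automated control looks like in practice: a conflict matrix of capabilities that no single person should hold in a procure-to-pay process, evaluated over user-to-role assignments. It is not Approva’s or PwC’s code, and the role names, capability names, conflict rules and user assignments are all constructed for the example rather than taken from any real SAP system.

```python
"""Segregation-of-duties (SoD) conflict check over user-role assignments.

Added example. The roles, conflict rules and assignments below are
constructed to illustrate an automated procure-to-pay control; they are
not Approva product logic or real SAP authorization objects.
"""
from dataclasses import dataclass

# Hypothetical conflict matrix: pairs of capabilities one person must not
# hold together, each with the fraud scenario the rule guards against.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}): "vendor master + payment approval",
    frozenset({"create_po", "approve_po"}): "self-approval of purchase orders",
    frozenset({"post_invoice", "approve_payment"}): "invoice entry + payment release",
    frozenset({"create_vendor", "post_invoice"}): "fictitious vendor + invoice",
}

# Hypothetical role-to-capability map (constructed for the example).
ROLE_CAPABILITIES = {
    "AP_CLERK": {"post_invoice"},
    "BUYER": {"create_po"},
    "PURCHASING_MGR": {"approve_po"},
    "VENDOR_ADMIN": {"create_vendor"},
    "TREASURY": {"approve_payment"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    capabilities: tuple  # the conflicting pair, sorted
    via_roles: tuple     # roles that grant the pair, sorted
    rule: str


def effective_capabilities(roles):
    """Flatten a user's roles into capability -> set of granting roles.

    Conflicts usually arise across roles that are individually harmless,
    so the check has to work on the union, not on each role alone.
    """
    caps = {}
    for role in roles:
        for cap in ROLE_CAPABILITIES.get(role, set()):
            caps.setdefault(cap, set()).add(role)
    return caps


def check_user(user, roles):
    """Return one Finding per SoD rule the user's combined roles violate."""
    caps = effective_capabilities(roles)
    held = set(caps)
    findings = []
    for pair, rule in SOD_CONFLICTS.items():
        if pair <= held:
            a, b = sorted(pair)
            granting = tuple(sorted(caps[a] | caps[b]))
            findings.append(Finding(user, (a, b), granting, rule))
    return findings


def check_assignments(assignments):
    """Run the check for every user; assignments maps user -> set of roles."""
    return [f for user, roles in assignments.items() for f in check_user(user, roles)]


# Constructed sample assignments: two users carry a conflict across roles.
SAMPLE_ASSIGNMENTS = {
    "alice": {"BUYER"},
    "bob": {"BUYER", "PURCHASING_MGR"},    # can raise and approve own POs
    "carol": {"VENDOR_ADMIN", "AP_CLERK"},  # can create a vendor and bill through it
    "dave": {"TREASURY"},
}

if __name__ == "__main__":
    for f in check_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f.user}: {f.rule} "
              f"({' + '.join(f.capabilities)}) via {', '.join(f.via_roles)}")
```

Run as a scheduled job over an export of the ERP’s user-role table, this is the "automated control" side of Elliott’s scenario: the findings list is evidence the auditor can sample, and each finding names the roles to split or the mitigating review to document.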
Posted on April 13th, 2007 by Audit Trail
Tax time is clearly an exciting time for us here at Audit Trail. April 15th is coming up this weekend and to celebrate this day, we have come up with the 1st Annual Audit Trail Tax Trivia Contest. We ask all Audit Trail readers to test their mettle by answering the following questions:
1. Name the world’s first tax-free haven.
2. Is it true that beards were once taxed? If so, in what country?
3. Why was the first U.S. tax office (Office of the Commissioner of Internal Revenue) created? What did it fund?
4. Is it true that urine was once taxed in Rome, circa 1 A.D.?
The first Audit Trail reader to answer all of these questions correctly will win the opportunity to be featured in a Q&A article on Audit Trail. That’s right, your name in print…15 minutes of fame. Come on…make your family proud and send us your answers.
Posted on April 2nd, 2007 by Audit Trail
Audit Trail recently sat down with information security consultant Bryan Palma of Ponic, an expert on the nexus between compliance, security and privacy.
Audit Trail: First of all, tell us a little bit about your rather unique background.
Bryan Palma: I first became involved in information security while I was with the U.S. Secret Service. While serving in that capacity, I co-founded the Electronic Crimes Task Force in Washington, D.C., and helped institute and guide a number of similar task forces around the country. I also did cyber-advance work for many key events including World Bank meetings, G-8 summits, the Olympics, and more.
I had the privilege of serving in the private sector as Chief Information Security Officer (CISO) of PepsiCo, a company with a proud history of good governance. As a consultant, I’m involved in a wide variety of information security programs, many of which are now directly tied to the technical aspects of compliance.
AT: So which do you prefer, Coke or Pepsi?
BP: Definitely Pepsi, though I most often drink Gatorade. Is that germane to our topic?
AT: We’ll ask the questions here. From your view, what do you see as the most important business issue today related to compliance?
BP: Our firm is currently focused on what we call Practical Compliance: meeting the mandatory and valuable objectives of SOX while also achieving a corporate equilibrium that balances compliance, security, and privacy.
To achieve this elusive but critical balance, we counsel clients to pursue compliance vigorously and stay focused on building a compliance program that is both effective and efficient. We are at that point in the compliance journey that requires organizations to be more productive with their compliance efforts.
AT: That sounds pretty aggressive. How do you make it happen?
BP: Through transparency and independence. In a very real sense, compliance is a journey, not merely an event. Transparency in the compliance effort demonstrates an enterprise’s commitment to continuous improvement. Continuous improvement requires that internal auditors retain their independence, that the effectiveness of controls is not dictated by the limitations of an ERP system (another form of independence), and that there is a single point of accountability in IT for security, compliance, and privacy. This model fosters forthrightness, which is what SOX is really all about.
AT: How does automation play into all this?
BP: Automation enables the compliance effort to be connected to the business in a way that helps ensure the success of both. SOX has required businesses to focus on controls, largely in response to several high-profile cases of mismanagement that unfortunately hurt a lot of investors and tarnished the markets in general. While a critic might call SOX heavy-handed, it has made undeniable progress in the elimination of fraud and reemphasized accountability. The other side of the coin has been the skyrocketing costs of compliance and its negative impact on productivity and even profitability.
Enter players like Approva that deliver technology solutions that support the Practical Compliance we discussed earlier. With these tools in place, the compliance effort enjoys increases in effectiveness, integrity, and efficiency, allowing business to function more productively.
Automated compliance systems can also help foster the transparency and independence that promote the kind of forthrightness that SOX ultimately requires. Approva’s solutions especially support the independence we talked about because they’re vendor agnostic and can be leveraged cross-platform.
Finally, well-conceived compliance automation makes the system easy to use, especially for personnel outside IT. If the system is accessible to business users, those users are more likely to embrace it and contribute to the continuous improvement of the compliance program. We’re big fans of compliance technology.
AT: Bryan Palma, we appreciate you being with us.
BP: Thank you.
Bryan Palma is president of Ponic, a consultancy that helps businesses design, build, and improve information risk functions. The firm’s expertise spans security, privacy, compliance, and risk management. A pioneer in the field of cyber crime, Palma is widely regarded for his pragmatic, business-centered approach to information security and compliance.
Prior to founding Ponic, Bryan served as PepsiCo’s Chief Information Security Officer. As CISO his responsibilities included coordinating global information security management, information technology compliance, and litigation support for Frito-Lay, Pepsi-Cola, Quaker, Tropicana, Gatorade, and PepsiCo International. Bryan implemented a holistic, business-driven information risk program at PepsiCo, which leveraged a variety of technical, business, and legal strategies.
More information is available at www.ponic.com
Tags: Ponic, compliance
Posted on February 14th, 2007 by Audit Trail
Audit Trail recently sat down with Approva Corporation’s Phil Livingston, who’s been on the front line of Sarbanes-Oxley (SOX) since the law’s formation back in 2002.
Audit Trail: There’s been a lot of buzz lately about the changes to the guidelines that corporations follow in order to comply with the requirements of Sarbanes-Oxley. Why the buzz and why now?
Phil Livingston: The buzz is a result of a great deal of significant activity recently at both the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). In December they issued all new rules for companies and auditors regarding the execution of SOX 404 reporting and auditing on internal control of financial reporting. It’s a direct reaction to the tremendous cost burden of implementing 404. That’s the thrust of the new rules, reduce the cost while increasing investor protection.
The biggest developments include the SEC’s issuing of safe harbor rules that, if followed, offer companies confidence that they won’t be second guessed. Additionally, the PCAOB has decided to replace its pivotal Auditing Standard 2 (AS2) with a new standard, AS5. The PCAOB is now collecting public comments on its proposed standard. Beginning at the end of February 2007, the board will review those comments and decide whether or how much to modify the standard before it is formally adopted.
AT: Do these emerging guidelines represent a SOX revolution or more of an evolution?
PL: Clearly AS5 and the SEC’s recent moves represent an evolution. The core requirements of Section 404 remain in force. The regulators are simply taking responsible actions to make compliance with the law more manageable, not only for the smaller companies that are now embarking on SOX compliance for the first time, but also for the accelerated filers that have already made significant compliance investments.
The most important changes in the proposal are that the auditor will no longer give an opinion on management’s 404 process and the auditor won’t be required to collect direct first-hand evidence. Judgment and reasonableness are strongly encouraged. So is the automation of internal controls: automation to reduce costs and automation to increase the reliability of controls and control monitoring.
During the PCAOB proceedings, one of the board members, Ms. Kayla Gillan, summed it up nicely. She said that the new standard recognizes that compliance carries a cost that cannot be unlimited and must be sustainable over the long term. That’s what this evolution is all about.
AT: So what’s the magic formula? How can the same level of risk management be delivered over the long term at a lower cost?
PL: I’m not sure there’s a ‘magic formula,’ but the new guidelines seem to be focusing auditors on the controls that prevent financial reporting misstatements. Ultimately, accurate reporting is what every current or potential stockholder relies on to make investment decisions, so it is paramount. The SEC allows for both manual and automated controls to be put in place and - this may be the magic formula you are looking for - if companies with both manual and automated controls in place so choose, they are permitted to test only the automated controls, a process that is dramatically more efficient than testing manual controls.
Given the right set of automated controls and a solid program for accurately testing them, the focus can then move to ongoing monitoring by auditors, executive managers and directors to ensure ubiquitous integrity.
AT: That sounds like the SEC and PCAOB have added specificity to key controls plus a new requirement for better monitoring. How does this simplify things?
PL: There’s much more to the new standard, such as the elimination of unnecessary procedures, scaling of audits for smaller companies, and simplifying requirements overall. These are all important developments, but the approval of automated controls is crucial. It simplifies things because automated controls offer companies the same or better accuracy with more efficiency and the reduced costs that efficiency brings.
AT: The focus then moves from the controls themselves to monitoring the systems that enforce the controls. So who’s defining what good monitoring looks like?
PL: That aspect of the larger compliance picture is just now starting to come into focus. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is playing a key role in defining what acceptable monitoring looks like. I have the privilege of serving on a COSO Project Task Force that recently commissioned the accounting firm Grant Thornton to lead the development of guidance on monitoring. The task force involves representatives from all of COSO’s sponsoring organizations - the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants - and will develop formal guidance on how organizations can monitor the quality of their internal control systems. The task force had its initial meeting and is making very good progress. Look for more information on this topic from COSO in the coming months.
AT: What is the expected result of all these changes?
PL: The bottom line is that investors will continue to get the protections they need and deserve without public companies being subjected to potentially harmful financial and operational burdens. Frankly, if the costs were to remain as high as they’ve been, eventually political pressure might build to repeal SOX, which would be a tragic step backward. These new guidelines will allow directors, executives and auditors to more efficiently meet the requirements of SOX Section 404 by employing automated solutions where they’ve been proven highly effective. Automated controls and monitoring are pivotal to building cost-effective compliance programs that are sustainable over the long term - which is really what matters most to investors as well as executives and directors.
In summary, I’m very optimistic about these developments. From my view, the powers-that-be are taking very smart, responsible actions that will benefit investors without unduly burdening public companies. So far, it’s looking like a winning scenario for all involved.
AT: Phil Livingston, thank you for your time.
PL: Thank you, it’s been my pleasure.
Phil Livingston is vice chairman of the board of directors of Approva Corporation. He is also a director and audit committee chair of Cott Corporation (NYSE: COT) and a former CFO of several companies. Livingston earned his CPA while working in financial management and auditing with Genentech and Ernst & Young. He testified before the U.S. House of Representatives Financial Services Committee during the formulation of Sarbanes-Oxley and directly authored two sections of the legislation.
Tags: Sarbanes Oxley, PCAOB, Securities and Exchange Commission