In the wake of a series of gross corporate abuses around the turn of the century, Congress passed Sarbanes-Oxley, which was intended to make corporate governance more rigorous, financial practices more transparent, and management criminally liable for lapses. The first year of implementation was costly and onerous, far more so than companies had been led to expect. In the view of a few open-minded firms, however, the second year of compliance turned out to be not only less costly and less onerous (as doing something for the second time usually turns out to be), but a source of valuable insights into operations, which management has translated into improved efficiencies and cost savings.

The areas of improvement go well beyond technical statutory compliance. They include a strengthened control environment; more reliable documentation; increased audit committee involvement; better, less burdensome compliance with other statutory regimes; more standardized processes for IT and other functions; reduced complexity of organizational processes; better internal controls within partner companies; and more effective use of both automated and manual controls. The result is not only shareholder protection, the official purpose of the act, but also enhanced shareholder value.

More than a year since the first deadline arrived, Sarbanes-Oxley still inspires fear—of enforcement actions, of the stock market’s reaction to a deficiency, and of personal liability. Fear can be a powerful generator of upstanding conduct. But businesses run on discovering and creating value. Companies need to start viewing Sarbanes-Oxley as an ally in that effort.

• 
    Tweet  
• 
    Post  
• 
    Share  
• 
    Save  
• 
    Get PDF  
• 
    Buy Copies  
•   Print  

Leer en español

Ler em português

When Congress hurriedly passed the Sarbanes-Oxley Act of 2002, it had in mind combating fraud, improving the reliability of financial reporting, and restoring investor confidence. Understandably, most executives wondered why they should be subjected to the same compliance burdens as those who had been negligent or dishonest. Smaller companies in particular complained about the monopolization of executives’ time and costs running into the millions of dollars.

Perhaps SOX’s most burdensome element was Section 404, which says that it is management’s responsibility to maintain a sound internal-control structure for financial reporting and to assess its own effectiveness, and that it is the auditors’ responsibility to attest to the soundness of management’s assessment and report on the state of the overall financial control system. (See the sidebar “Taking Control of Controls.”)

Taking Control of Controls

The phrase “internal control structure and procedures” features prominently in Section 404 of Sarbanes-Oxley. But what exactly is a control structure composed of? A control is a practice established to help ensure that business processes are carried out consistently, safely, with the proper authorization, and in the manner prescribed. Take, for example, the objective of keeping information secure. Controls to achieve this objective might be as straightforward as locking a file cabinet or as elaborate as encrypting computer data.

Sarbanes-Oxley was enacted to improve the reliability of financial reporting; therefore, most of the controls adopted pursuant to the Act concern themselves with the timeliness, integrity, and accuracy of financial data.

Controls fall into two broad categories. Preventive controls are intended to eliminate lapses, either intentional or inadvertent. An example would be the segregation of duties in an accounts payable department, so that one person approves an invoice, another prepares the payment, and a third signs the check. In this way an unauthorized payment is kept from being issued. Detective controls are designed to identify errors and irregularities that have already occurred. Monthly reconciliation of cash accounts, for example, is undertaken to ferret out such conditions.

An essential element of any Sarbanes-Oxley compliance program is the testing of controls. During the first year the law was in force, many companies and their auditors—because of the law’s newness and the lack of regulatory guidance—tested an unnecessarily large number of them. In some cases, the matters being tested were too unimportant to contribute to a material misstatement in the financial reports. In others, a high sampling rate gave no clearer a picture of certain controls’ efficacy than a lower rate would have done. To reduce the compliance burden, some companies now resort to “controls rationalization,” which involves assessing which activities are most susceptible to error or abuse and whether they could be responsible for a material misstatement. Such controls are tested more frequently; less essential ones may be deemed to fall outside the scope of the testing plan entirely. Many companies have achieved cost savings in the second year of SOX compliance, without any reduction in control effectiveness, by rationalizing their controls in this manner.

Yet in the course of providing compliance advice to executives, we discovered a small subset who approached the new law with something like gratitude. For years, and especially when financial reporting had become fast and loose and criminal conduct entrenched at places like WorldCom and Enron, these executives had secretly wished that some of the resources absorbed by their companies’ profit centers could have been diverted to improving financial management processes and capabilities. They were thinking not only of protecting stakeholders and shielding their companies from lawsuits but of developing better information about company operations in order to avoid making bad decisions.

While providing compliance advice to executives, we discovered a small subset who approached Sarbanes-Oxley with something like gratitude.

However, the burdens of implementing SOX for the first time, in 2004, were so great that this more forward-thinking group could give little time to developing and adopting policies and practices that went beyond literal compliance. Some spoke of putting their planned initiatives in a “parking lot,’’ with the hope of pursuing them the following year. As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.

In any era, the enactment of a law like SOX would probably have prompted a similar stocktaking. But factors in the business world independent of recent abuses had rendered some companies’ operations and reporting opaque even to the people in charge, making the timing of SOX’s enactment particularly fortunate. These factors included a frantic pace of mergers and acquisitions and less-than-seamless integration of the combined entities; the rapid implementation of new information technologies and their incompatibility with legacy systems, as well as flawed electronic security and Y2K’s jury-rigged patches and fixes; foreign expansion, which produced disorienting encounters with unfamiliar languages, cultures, laws, and ways of doing business; the proliferation of business alliances and outsourcing; and the stringing together of supply chains. It is no wonder that actual and reported performance at a number of companies diverged.

Year two of compliance is now complete at most large U.S. companies. Is the parking lot still full of unimplemented change plans? At many organizations, it is. Their executives want to simplify and standardize processes and systems but can’t seem to find the time or the resources to do so. But some executives, particularly those who recognized SOX’s advantages from the beginning, have figured out how to leverage the new law so that those plans for improvement can be realized.

In year two, a number of companies have begun to standardize and consolidate key financial processes (often in shared service centers); eliminate redundant information systems and unify multiple platforms; minimize inconsistencies in data definitions; automate manual processes; reduce the number of handoffs; better integrate far-flung offices and acquisitions; bring new employees up to speed faster; broaden responsibility for controls; and eliminate unnecessary controls. Moreover, SOX-inspired procedures are beginning to serve as a template for compliance with other statutory regimes. In this article, we describe the broad areas in which SOX compliance has benefited firms’ governance, management, and investors.

Strengthening the Control Environment

Good governance is a mixture of the enforceable and the intangible. Organizations with strong governance provide discipline and structure; instill ethical values in employees and train them in the proper procedures; and exhibit behavior at the board and executive levels that the rest of the organization will want to emulate.

These are all components of the control environment, which forms the foundation of internal control. Popularized by the Committee of Sponsoring Organizations of the Treadway Commission in its 1994 report “Internal Control—Integrated Framework,” the term “control environment” encompasses the attitudes and values of executives and directors and the degree to which they recognize the importance of method, transparency, and care in the creation and execution of their company’s policies and procedures.

A proper control environment is one factor an external auditor considers when called upon to evaluate internal control over financial reporting pursuant to Section 404. Bob Murray, the director of internal audit at Yankee Candle, a $600 million purveyor of scented candles and other household items, regularly sends to the auditing firm copies of internal correspondence emphasizing fraud prevention, internal control, and regulatory compliance. “We hope to score major points with our auditor for doing this,” he says (though hastening to add that strengthening the control environment is the company’s primary concern).

These “points” are not tallied in any literal sense. Rather, they contribute to the mass of evidence weighed by the external auditor. If a company can demonstrate a strong control environment, then it can reduce the overall scope of its internal-control evaluation. Reduced scope can mean the company need not carry out as many internal tests and the auditor may do less corroborating, resulting in lower compliance costs. (Testing scope is a matter of judgment and perhaps negotiation between the auditor and the company. Indeed, the Public Company Accounting Oversight Board [PCAOB] and the Securities and Exchange Commission encourage auditors to exercise judgment when evaluating financial-reporting controls.)

PepsiCo uses an annual survey of about 100 senior executives to demonstrate the condition of its control culture. Conducted by the company’s internal auditors, the questionnaire probes hiring practices, employee evaluation, contract solicitation, incident reporting, objective setting, and other areas. According to Thomas Lardieri, general auditor and vice president for risk management, PepsiCo also tests financial employees’ understanding of their responsibilities as part of its annual ethics training. The training is administered via an interactive package that includes scenarios of ethical dilemmas one might encounter dealing with customers, suppliers, and colleagues and suggests possible solutions. About 25,000 managers receive the training. The company’s remaining 135,000 employees receive a code of ethics manual and some level of reinforcement and training, which varies according to business unit, says Lardieri. Records of this training may be reviewed by the auditors.

In our presentations at business seminars and conferences, we are often asked why we emphasize the control environment so heavily. Our questioners seem to believe that good internal control is predicated on the controls themselves—the cross-checking, the reconciliations, the data verification. We reply that without a strong control environment, a company will never attain good governance. A focus on the control environment helps ensure that the controls themselves are the second and third lines of defense, not the first. Employees who have been made to understand that it’s not all right to strike side deals with customers, to recognize revenue prematurely, to conceal possible conflicts of interest, or to look the other way when these types of activities are going on won’t be busy circumventing the control system at every turn.

A focus on the control environment helps ensure that the controls themselves are the second and third lines of defense, not the first.

Some executives feel they need to tie every action back to the bottom line. To them we say: Most investor rating services include an assessment of the control environment as part of their overall evaluation of the company. Scores from these services can have a significant impact—either positive or negative—on investor sentiment and the company’s cost of capital.

Improving Documentation

Documentation activities consumed countless employee hours during the first year of Sarbanes-Oxley, as companies updated operations manuals, revised personnel policies, and recorded control processes. Some minds equate paperwork with busywork, but this labor-intensive effort, to our surprise, received gradually increasing support from the executive suite. The spur was Sections 302 and 404, which require CEOs and CFOs to attest personally to the effectiveness of internal control over financial reporting, and Section 906, which makes “willful failure” to portray the true condition of the company’s operations and finances a crime. Section 404 also requires the independent auditor to attest each year to the company’s evaluation of its controls. The auditor is expected to assess the documentation of controls and procedures as well as how competently employees perform the control activities for which they are responsible. (See the sidebar “SOX in Brief.”)

SOX in Brief

The Sarbanes-Oxley Act of 2002 is almost defiantly brief; Section 404, for example, totals a mere 173 words. Significantly more verbose are the various rules, standards, and elaborations issued by the Public Company Accounting Oversight Board and the Securities and Exchange Commission. For most companies, Sections 302 and 404 represent the bulk of compliance work.

Section 302 (Title III—Corporate Responsibility): Corporate Responsibility for Financial Reports.

This section requires that CEOs and CFOs personally certify the accuracy of financial statements and disclosures in the periodic reports and that those statements fairly present in all material aspects the results of operations and financial condition of the company. Furthermore, the executives must certify that financial controls and procedures have been implemented and evaluated, and that any changes to the system of internal control since the previous quarter have been noted.

Section 404 (Title IV—Enhanced Financial Disclosures): Management Assessment of Internal Controls.

This section calls for an annual evaluation of internal controls and procedures for financial reporting. Like Section 302, Section 404 requires CEOs and CFOs to periodically assess and vouch for their effectiveness.

Section 404 also obliges companies to include an internal-control report in their annual report. Although the SEC has not spelled out all of the elements of the internal-control report, it has indicated that the document should contain the following:

• a statement acknowledging responsibility for establishing and maintaining adequate internal control over financial reporting
• a statement identifying the internal-control framework used to evaluate the effectiveness of internal control over financial reporting
• an assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the most recent fiscal year
• disclosure of any material weaknesses in the company’s internal control over financial reporting (if any material weaknesses exist, then internal control over financial reporting is deemed ineffective)
• a statement that the independent auditor has issued a report on the company’s assessment of internal control over financial reporting

In addition, Section 404 requires a company’s external auditor to examine and report on management’s assessment of internal controls, as well as the effectiveness of the controls themselves.

Section 906 (Title IX—White-Collar Crime Penalty Enhancements): Corporate Responsibility for Financial Reports.

This section requires CEOs and CFOs to sign and certify the report containing financial statements; they must confirm that the document complies with SEC reporting requirements and fairly represents the company’s financial condition and results. Willful failure to comply with this requirement can result in fines of up to $5 million and imprisonment for up to 20 years.

BlackRock, an investment firm with more than $450 billion in assets under management, took an exhaustive inventory of its written policies and procedures, says Paul Audet, former CFO and now chief executive of the company’s cash management business. During this exercise, Audet learned that many job descriptions needed updating. “If you don’t properly document job requirements, then you wind up communicating important information solely by word of mouth,” he says.

With the advent of Sarbanes-Oxley, Audet saw an opportunity to overhaul the job-description documentation. The benefits of doing so have been especially noticeable during employee absences and periods of high turnover, because the revised documentation has helped new recruits become acclimated more quickly. Clearly defining who’s responsible for which business processes is a key element of an internal-control program and facilitates training, oversight, and performance evaluation.

BlackRock’s documentation efforts have also increased employees’ understanding of operations. Having to commit information to paper (or hard drives) has sent internal auditors and other employees into the field to see firsthand how tasks are accomplished and how they might be improved.

PepsiCo has also benefited from updating its documentation processes. In the course of making these updates, the company determined that inadequate controls existed for pension accounting, a complex process that depends not only on the internal compensation and benefits group but on external actuaries and asset custodians. Lardieri says with dismay, “A lot of steps we assumed were being taken—account reconciliations and interest calculations and data integrity checks—actually weren’t.”

As soon as the lapses were revealed, the company assigned a controller to its compensation and benefits group, and an internal team identified, documented, and implemented the missing control activities. PepsiCo also started demanding written assurances from its asset custodians that companies with which it did business were adhering to strong internal controls. (Many other companies obtain similar assurances by requiring SAS 70 Type II reports, which certify that an independent auditing firm has examined a service provider’s internal controls.) These measures clarified the control responsibilities of the treasury and finance departments and the compensation and benefits group. They also improved data transfers among these functions and with third parties.

A CFO of a Fortune 1000 real estate company informed us of another documentation benefit from Sarbanes-Oxley. This executive approached Section 404 documentation confident that his company’s sign-offs had been unfailingly executed, only to make what he referred to as a “humbling” discovery: The people signing off on the documents apparently had been merely glancing at the contracts and leases in question. That lack of attention left the company susceptible to unenforceable contract provisions, miscalculated rent escalations, and unexecuted underlying agreements. After disciplining the negligent parties, the company instituted far more rigorous cross-checks of contracts and leases.

Increasing Audit Committee Involvement

Not long ago, board seats were considered by some to be plum assignments, bringing stature and financial rewards but requiring only limited effort. Today, by contrast, directors face increased legal liability for inattention and, thus, a heavier workload. In addition, all members of the audit committee must be free of most financial and personal ties to the company, and at least one committee member should be a “financial expert,” according to Sarbanes-Oxley. If not, the company must say so. Thus, it should come as no surprise that board membership has changed substantially. It appears that both recruits and veterans are taking their new responsibilities very seriously, as evidenced by longer and more frequent committee meetings and the more pointed questions members pose.

For many CFOs we’ve worked with, the transformation has been dramatic: “At the very next meeting of our audit committee, it was a different world in terms of members’ engagement level,” says one executive. “Some would argue that this intensity should have been there all along, but the fact is, it wasn’t.”

Yankee Candle CFO Bruce Besanko, who was working at another consumer products company when Sarbanes-Oxley was enacted, says that the Act changed the atmosphere on that company’s audit committee. Besanko explains that before Sarbanes-Oxley, many companies used the same Big Four accounting firm for both auditing and consulting, often with the preponderance of fees going to consultants. While SEC rules forbid independent auditors to assist in the design of internal financial information systems, other types of consulting services are permissible. Nevertheless, a number of audit committees, including Yankee Candle’s, have asked their independent auditors to stop providing certain consulting services to the company, except under limited and tightly controlled circumstances. (It should be noted that Sarbanes-Oxley states that any additional services to be provided by the external auditor are subject to the audit committee’s explicit approval.)

Exploiting Convergence Opportunities

Two approaches to Sarbanes-Oxley predominate. Some executives dutifully meet SOX requirements, but at minimum cost and utilizing the fewest possible resources. Others leverage the resources expended on compliance to obtain a return on their investment.

RSA Security, a $300 million technology company that helps organizations protect online identities and digital assets, decided to straddle those approaches, combining Sarbanes-Oxley compliance with other regulatory obligations to gain efficiencies and reduce overall costs. The company convened a team to identify commonalities among the statutory regimes with which it had to comply, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley (GLB) Act, California’s Security Breach Information Act, and other laws to protect privacy and combat identity theft.

One area of convergence was employee record keeping. Like most companies, RSA Security maintains computerized HR files that contain personal data relating to pay, health benefits, and Social Security. Various laws and regulations govern the handling of these records: Financial information is protected under Sarbanes-Oxley, health benefits under HIPAA, and Social Security and other personal information under various federal and state privacy statutes.

John Parsons, RSA Security’s vice president of finance and chief accounting officer, says the executive team realized that a single set of controls could be used for compliance with the various acts, given the similar way the data were organized and the acts’ common interest in protecting the data’s integrity and security. In response, functions such as IT and HR adopted a single set of controls that determined employee level of access to the computer system. An example of this consolidation was a single log-on for benefits, payroll, and other data. “Depending on their level and role, some employees get ‘read only’ rights to the files; some have the ability to change the data; and some, of course, are denied access,” Parsons explains.

RSA Security adopted a similar convergence approach for its International Organization for Standardization (ISO) 9000 project, an international certification program administered by a Geneva-based NGO representing hundreds of national standard-setting bodies. ISO sets standards for quality management and quality assurance in such areas as production processes, record keeping, equipment maintenance, employee training, and customer relations.

The commonalities between the ISO and SOX projects weren’t readily apparent to the two teams working on them (an operations team for the former and a finance team for the latter) because the two groups worked in separate buildings, with little awareness of each other’s activities.

Both teams were charged with documenting dozens of business processes and determining how efficiently they were designed and operated. The ISO team, for example, examined processes established to ensure that only high-quality, fully debugged software reached the marketplace, while the SOX team, for example, scrutinized the account reconciliation process. When Parsons examined a detailed flowchart of the revenue cycle that his SOX team had prepared, it occurred to him that the ISO team was mapping exactly the same process. “Why,” he asks, “would we have two different maps for the same business process? We certainly didn’t need two process maps, two risk assessments, and two sets of controls over the revenue cycle from generation of the invoice to receipt of payment. So we drove what were completely parallel ISO and SOX processes into one converged process map and operational approach.”

The benefits have gone beyond cost savings. “We were also able to free up people and reallocate their time to higher-value activities,” he says. Instead of tying up so many employees in the revenue-draining chores of compliance and certification, RSA Security rededicated some of them to operational improvements, such as streamlining the customer order process and expanding supply chain capabilities.

Standardizing Processes

While process standardization will never be mistaken for low-hanging fruit, many believe it’s worth the climb. The work of identifying and addressing inconsistencies across operating units and locations can be substantial, but so can the yield.

Consider the case of a large clothing manufacturer that operates retail outlets nationwide under several well-known brand names. During the company’s first stage of Sarbanes-Oxley compliance, Deloitte & Touche partners met with the CFO and his staff to review the processes in place for recording basic financial transactions. We started with accounts receivable and learned that each division of the company imposed different due and dunning dates, late fees, and interest rates on customers. If the divisions had been independent companies, these inconsistencies would have been innocuous, but each of these units fed its financial data into consolidated financial statements, and these nonstandardized processes made a mess of the aged-receivable and bad-debt accounts.

An analogous situation existed at Sunoco. In documenting its procedures for Section 404, CFO Tom Hofmann was reminded that the company “had three or four different ways to get an invoice into the system.” Sunoco’s refining business varied the billing process by product category, be it aircraft fuel, lubricants, or wholesale heating oil.

“These transactions aren’t that different,” Hofmann says. “Why would we have different billing methods?” He chalked up the discrepancy to the historical independence of the various business groups and the lack of pressure to standardize. So, on his team’s advice, he commissioned a single form that could capture all the information required to process a customer order. This consistency, Hofmann says, reduces the chances for error in data entry and consolidation.

Having to rebill customers to correct invoicing mistakes can have a cascading effect on operations: Every invoicing discrepancy, whether caught internally or flagged by a customer, must be investigated and reconciled, and the invoice must then be canceled, redone, and redelivered. As a consequence, the cash flow cycle is interrupted, and customer relations may become strained. At Sunoco, creating a single, standardized form for every type of product reduced these problems to a minimum.

The potential benefits of standardization also caught the attention of executives at Kimberly-Clark, the consumer products manufacturer. Mark Buthman, senior vice president and CFO, says his company’s Sarbanes-Oxley work spotlighted an area rife with inconsistency: manual journal entries. “It may not seem that journal entries would be such a big deal, but we have hundreds of people around the world generating them,” says Buthman, whose company employs more than 60,000 workers in 38 countries.

Before Sarbanes-Oxley, the company’s journal-entry process varied widely by division and location, with some employees creating entries by hand, others keying them into Excel spreadsheets, and still others logging them into the company’s SAP financial software program. The process for reviewing the entries was also fragmented, with some reviews conducted by people not senior enough. The management at Kimberly-Clark decided to have staff log all journal entries into the company’s SAP system. “Instead of having hundreds of ad hoc procedures for journal entries, we now have just three,” Buthman says. Data are now more consistent and reliable, and fewer employees and man-hours are required to accomplish the same task, he says.

Standardization is also a bottom-line issue for Manpower, a $16 billion provider of employment services operating in 72 countries. With more than 2 million temporary and permanent employees on the company’s payroll, the need to maintain rigorous checks and balances is significant. “Even minor decimal or application coding errors can have a huge impact,” says Nancy Creuziger, a vice president and the company’s controller.

To guard against these types of errors, Manpower standardized its change-management process for software development. Any code alterations are now subjected to a series of reviews, tests, analyses, and approvals before going live. A regression test is introduced near the end of the development process to validate the new code. During the test, technicians operate two machines concurrently, one running the old code and the other the new. The same data are put into each, and the output is compared in order to identify coding errors. The exercise is designed to reveal any programming changes that don’t fall within the scope of the development plan.

Besides averting financial losses, standardizing the software coding processes also helps streamline the development cycle. “You standardize a process only after defining the most efficient way of doing it,” Creuziger notes. For a company that develops global software applications for its business units, development and support costs can be cut substantially. Further benefits accrue when internal and external auditors come knocking, since standardized processes can be evaluated more quickly and thus more cheaply.

Reducing Complexity

Some tasks are inherently complex—designing computer chips, tracking weather patterns, mapping the human genome. Others are needlessly so. In the case of Iron Mountain, a $1.8 billion records and information management company, merger and acquisition activity contributed to an increasingly cumbersome organizational structure. Over a ten-year period, the company had acquired more than 150 competitors and complementary businesses. It acquired another 50 companies indirectly when it purchased its largest competitor, Pierce Leahy, which had just completed an acquisition spree of its own.

Simplification was always the game plan at Iron Mountain, says John F. Kenny, Jr., executive vice president and CFO, but the extensive testing requirements of Sarbanes-Oxley accelerated these efforts. Each acquired company came with its own organizational chart; Iron Mountain integrated and streamlined the reporting structure. Each acquisition brought its own accounting practices; Iron Mountain centralized all accounting activities. Some of the companies ran Unix while others ran Linux, Novell NetWare, or Windows; Iron Mountain opted for a single platform. Many of the companies calculated taxes by hand or on spreadsheets; Iron Mountain automated tax estimation and payments.

“We can’t say with certainty that such-and-such improvement has led to, say, a 5% reduction in costs,” says Kenny. Nonetheless, he and other executives believe that the company has made significant gains in efficiency.

Strengthening Weak Links

Another source of complexity arises from outsourcing, partnerships, and shared-services arrangements, known collectively as the “extended enterprise.” Although businesses have long outsourced such tasks as manufacturing, order fulfillment, payroll, accounting, human resources, shipping, tax reporting, and coupon and warranty processing, SOX has recast these relationships.

One SOX-related complication arises when the partner company engages in activities that materially affect the primary company’s financials. These can include hosting IT applications, managing IT infrastructure, providing services in accounts receivable or accounts payable, processing payroll, managing benefits, and maintaining warehouse inventories. In such cases, the primary company must obtain evidence of effective internal control at the partner company, ideally in the form of an SAS 70 Type II report that the partner provides. If, however, the service provider is unwilling or unable to do so, the primary company must conduct its own audit.

Because of the difficulties companies have experienced conducting their own internal-control assessments, most blanch at the thought of verifying third parties’ internal controls.

In view of the difficulties companies have experienced conducting their own internal-control assessments, most blanch at the thought of verifying third parties’ internal controls. As a result, many of our respective firms’ clients are reevaluating their outsourcing arrangements and partnerships. Yankee Candle’s CFO, for one, plans to take a hard line if he can’t obtain an SAS 70 report. “If it is a major partner that impacts our financials, we will terminate the relationship,” Besanko says.

Minimizing Human Error

Ask most auditors what they consider to be the weakest aspect of internal control, and they’ll tell you, “Manual processes.” The human beings charged with carrying them out may be fatigued, distracted, stressed, malicious, or absent. Michael Hammer, the originator of reengineering, was fond of saying that it is “the ‘biological work units’ that cause most of your problems.” Automated controls, if properly designed and implemented, aren’t susceptible to such pitfalls. Yet in our experience, most controls are still manual.

Ask most auditors what the weakest aspect of internal control is, and they’ll tell you, “Manual processes.”

Because automated controls are more reliable, only a single sample of an activity may need to be tested. (A manual control of the same activity could require dozens of tests.) Also, according to recent PCAOB guidance, some automated controls can be tested every three years instead of every year, as long as the company can demonstrate that the control has not been changed. Some companies step up their security measures to ensure that unauthorized software modifications can’t be made. For example, many firms now require passwords of at least eight characters consisting of numbers, symbols, and both lowercase and uppercase letters. Users must change passwords at least every three months and are locked out after several consecutive incorrect entries.

Still, some situations call for human judgment. Manpower strives to find a balance between automated and manual controls. For example, its automated monitoring system flags sales adjustments exceeding $10,000. But sometimes such adjustments are permissible. “You need human judgment to determine whether the override is reasonable or whether it needs to be investigated further,” says Creuziger. “Even highly automated systems need the possibility of human override in special circumstances.”• • •

Whether companies saw the need for internal reform before SOX or have made plans only recently, too few have actually implemented business improvements. The reasons for this are several: Audit committees have not insisted that their companies go beyond protecting their assets and reputation; CEOs haven’t deployed sufficient resources to handle the burden of doing so; CFOs haven’t been ingenious enough at devising ways SOX can contribute real value; and CEOs, CFOs, and internal audit departments haven’t collaborated to identify areas where gains in value could be used to offset the costs of compliance.

More than a year since the first Section 404 deadline arrived, Sarbanes-Oxley still inspires fear in boards and top executives—of enforcement actions, of the stock market’s reaction to a deficiency, and of personal liability. Fear can be a powerful generator of upstanding conduct. But business runs on discovering and creating value. The procrastinators need to start viewing the Sarbanes-Oxley Act of 2002 as an ally in that effort. A version of this article appeared in the April 2006 issue of Harvard Business Review.