Sukhdev Bal ponders why companies that do not have to comply with SOX are nevertheless striving to improve their internal control systems

When the topic of Sarbanes-Oxley (SOX) is introduced into a conversation, talk inevitably turns to comparing benefits and costs. The usual conclusion is that the former bear little relation to the latter. However, it now appears that many UK businesses are voluntarily complying with SOX, because they recognise that it leads to more effective internal controls, the benefits of which are starting to be seen.

It is worth looking in more detail at the reason why so many companies are following this path. The answer lies in the advantages (or rather reduced costs) that businesses with robust control systems enjoy - a term we call cost of quality.

Costs of compliance and quality

2005 has seen substantial coverage of the cost of SOX compliance. Financial Executives International reported that the total costs in the first year of a SOX compliance project were nearly 2.3 times those originally estimated. Many companies expect the costs to decrease in year two.

However, businesses that view SOX in such a one-dimensional way should start to adopt a more layered approach. They need to consider that cost reduction opportunities are not limited to compliance costs, and they ought to examine their total cost of quality. It is clear that companies that build quality into their process will have more opportunity to realise the benefits of a cost reduction effort more fully. The first step in the process is to determine exactly what quality is.

My own company believes that there are four key components: prevention, inspection and detection, internal re-work and external failures.

The cost of prevention includes the effort expended to limit the risk of errors that cause re-work. Examples include the training of employees, process parameters and controls, and system application controls.

The energy required to review process outputs can be classed as the cost of inspection and detection. A classic case of this would be the time spent checking and approving transactions at the end of a process.

Detection and remedy of errors comprise the third cost, that of internal re-work. This is significant because error correction may take 15 times longer than processing a transaction 'right first time'. Recent benchmarking indicates that up to 9% of manual journal entries are made to correct errors discovered earlier in the process. The opportunity is to eliminate the cost of error detection and correction. Moreover, it is in this area of the business processes that fraud is most likely to rear its expensive head.

Lastly, external failures occur when internal review processes fail to detect an error, an external third party discovers the error and the company incurs costs to fix it. At a manufacturing company, product warranty costs are an everyday example of external failures. On a wider scale, when we look at financial reporting, external failures may even result in a restatement.

Companies that calculate their total cost of quality, as outlined above, are often surprised at the significance of the total cost as a percentage of revenues.

Benefits

It therefore follows that those who build quality into their processes and controls can realise a range of benefits. These are not just limited to a reduced total cost of quality but also include:

- improved process quality
- reduced financial process leakage
- a stronger internal control environment
- the reduction of restatement risk from process errors
- increased time for value-added analysis.


Moreover, companies that introduce quality see benefits beyond the boundaries of their own corporate entity. A number of research initiatives support the thesis that a company with improved internal controls is a more attractive proposition to external audiences.

In 2002, KPMG reported that 80% of fund managers would pay more for the shares of a demonstrably well-governed company, with the average premium being 11%. More recently, management consultants McKinsey showed that an overwhelming majority of institutional investors would be prepared to pay a significant premium for companies exhibiting high standards of corporate governance.

In March of this year, management resourcing specialists Robert Half International asked finance directors, 'what is your company's top priority at the moment?' Respondents identified cost reduction (41%) and process improvement (26%) far more frequently than other answers. A mere 10% said compliance was their highest priority.

Moreover, four in five of those questioned confirmed that their companies had been working on improving internal controls during the past year.

This is remarkable when we consider that only a fraction of UK-based companies are actually required to comply with SOX at the moment.

The notion of box-ticking could therefore not be further from the truth - these and other research projects support our experience that businesses are working on improving their internal controls even though they are not required to do so.

When to strengthen controls

There are a number of clear signs that companies should look to bolster their controls and reduce the cost of quality. They will be familiar to any company with a good understanding of the red flags associated with fraud:

- a large number of manual journal entries
- an increased percentage of error-correcting journal entries
- multiple trial balances required to process all journal entries
- a high frequency of exceptions detected at the end of the process
- significant adjustments resulting from account reconciliations
- a high reliance on Microsoft Excel spreadsheets.


If businesses identify these red flags early and if they can attack the cost of quality effectively, they will not only go a long way to improving internal controls, to the benefit of internal and external audiences, but they will also mitigate their fraud risk.

Reputation

We have touched on the relationship between reducing the cost of quality and external audiences and we have seen how benignly investors view robustness in internal processes. This is all related to reputation and the fear of reputational damage.

Daily newspapers are littered with stories of businesses that suffer damage to their reputation. A bad story excites readers and makes good copy - and bad stories are much more likely to be repeated than good ones. Reputation is therefore everything, and without it businesses can stutter and collapse.

However, it is highly encouraging that many of our leading companies have been taking the risk of reputational damage more and more seriously and are moving ever more firmly to mitigate it. They are finding that the best way to preserve reputation is to reduce the risk of reputational damage. This can be achieved by an improved internal control environment.

It is a truism to state that most companies have traditionally aimed just below best practice, at what we call common practice. The simple reason is that, in the priority list, internal controls have usually fallen behind revenue-generating activities for many businesses. Best practice is therefore an unattainable ideal and the common refrain is, "if only we had the time and resources".

But the tide has turned, and SOX has catapulted common practice ever closer to best practice. In essence, SOX is driving unregulated adoption of strict internal controls by an ever-growing number of UK companies.

This is a lesson for all UK companies to take heed of and should be seen as an opportunity to compete on a level playing field. The simple concept that internal controls equal reduced risk of reputational damage and therefore preservation of reputation is one that is taking its seat at the boardroom table.

The future

Clearly, companies are not merely thinking of their current position, their current effectiveness and their current stakeholders when reviewing their cost of quality. They have an eye on the future. It is not necessarily the case that they will need to comply with SOX, but they are aware that they will eventually have to comply with similar legislation of some sort in their own jurisdictions.

There is a clear case for a certain level of regulation within the European Union and it is possible, now that this message is out, that businesses are preparing for this. The current understanding is that, as a minimum, European companies will probably be required to undertake formal risk assessment. This will gauge the adequacy of the controls they presently have in place, examine the extent to which they are operating effectively, report back to the audit committee and inform the market of any material weaknesses.

However, in order to make this formal risk assessment process work efficiently, some form of independent review of the work performed and conclusions reached may well be required. It is reasonable to assume, as with SOX, that the statutory auditor would be asked to perform this assessment.

Regulation along these lines would cause companies to rethink their approach to risk, even in markets with relatively well-developed controls guidance, such as the UK. With this in mind, businesses are getting their houses in order.

Internal control systems

The internal control system is an essential element of the corporate governance system of a company and its subsidiaries and plays a key role in identifying, minimising and managing significant risks, contributing to the safeguarding of stockholders' investments and the company's assets.

The internal control system also facilitates the effectiveness and efficiency of company operations and helps ensure the reliability of financial information and compliance with laws and regulations. In particular, the accounting control system is an important element of the internal control system, as it helps ensure that the company is not exposed to excessive financial risks and that financial internal and external reporting is reliable.

The system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making, human error, fraud, and the occurrence of unforeseeable circumstances. A sound internal control system therefore provides reasonable, but not absolute, assurance that a company will not be hindered in achieving its business objectives, or in the conduct of its business, by circumstances which may reasonably be foreseen.

Sukhdev Bal is an associate director of Protiviti,