Tweaking HR information systems can help HR stay in compliance with Sarbanes-Oxley rules.
As for many HR professionals, the Sarbanes-Oxley Act has become a problem for Shane Burris. The vice president of corporate HR at Carmel, Ind.-based health and life insurance company Conseco Services LLC not only saw his department’s staff costs jump by 10 percent while the company was coming into Sarbanes-Oxley compliance, but his stretched budget also had to pay for new HR technology.
“It’s not always necessarily buying software,” explains Burris, who can’t quote an exact figure but called the expense significant. “It may require modifications to existing software. And if you’ve outsourced that software, guess what? You’re paying your vendor” to make those modifications to its software.
After finance departments, HR departments are getting hit the hardest by Sarbanes-Oxley. The requirements run from keeping a finger on the pulse of organizational structure to tracking every bit of noncash compensation offered by every department. Meeting them takes additional staff and time, and automation is becoming the best way to stay on top of compliance.
Congress created the Sarbanes-Oxley Act of 2002, commonly nicknamed SOX, in reaction to high-profile cases of corporate malfeasance to ensure that investors get reliable financial information from public companies. For accelerated filers with fiscal years ending on or after Nov. 15, 2004, the act’s Section 404 required that annual reports assess “the effectiveness of the internal control structure and procedures” for financial reporting, and that the company’s registered public accounting firm attest to that assessment. In practice that means a specialized SOX audit. But accounting firms have come under as much increased scrutiny as corporations, and, as a result, they are being expansive in their interpretations of what “adequate controls” means.
Accounting firms “are really being rigorous on these issues, and that doesn’t surprise me given their laxity in their role before Sarbanes-Oxley,” says Michael Zuppone, a partner in the corporate department of law firm Paul, Hastings, Janofsky & Walker LLP in New York.
The result is that audit firms are forcing companies to go beyond simply documenting current practices and actually improve their control structures: in business processes, in daily operations and in organizational structure.
According to a Forrester Research report from December 2004, “HR is a key player in SOX compliance because of the magnitude of people costs, compliance and legal issues, data integrity, and HR’s skill in communicating and leading organizational change.” In other words, for many SOX issues, HR is where the buck stops. Given the size and complexity of modern corporations, the best way to ensure control is to implement effective software systems.
A simple example of monitoring for SOX compliance is reviewing the current status of employees. Companies will have to show SOX auditors that employees continue to be qualified for their jobs. Checking experience and background against a list of specifications from a hiring manager is fine at hiring time; however, businesses change, and so do positions. Under SOX, a company needs to continuously document additional degrees, certifications and training, and also periodically monitor whether an employee continues to be qualified for his job.
If the job title and pay are no longer in sync with what the employee is doing on a daily basis, HR would need to talk to the appropriate supervisor to see if the person should be an exception to the stated requirements for the job. If so, HR should document that fact. If not, HR should determine if changing compensation or even hiring a replacement would be necessary.
An HR information system (HRIS) can provide automatic notifications that qualification reviews are necessary, or even produce an exception report to identify people whose backgrounds do not meet the documented requirements.
Organizational structures change as well. When the chain of command is hazy or badly constructed, or is not kept up to date with changes in the business, a company may have a problem. Lois Melbourne, CEO of TimeVision Inc., an Irving, Texas-based company that writes enterprise organizational applications, recalls a client that was analyzing a large subset of employees to develop an organizational chart. “Out of 17,000 people, they had 400 people who didn’t report to anybody, and they had 35 people who reported to each other,” she says.
Maybe the people were left floating when a supervisor left, or perhaps this was the result of data entry errors. No matter. “The [Sarbanes-Oxley] auditor doesn’t care” what the reasons are, she says. “They see 400 people not reporting to anyone.” Among those orphans could be people just drawing a paycheck, and because they report to no one, there is no natural check on what they do.
“One of the first things auditors do is come into a company and say, ‘We need to know that everybody that’s getting a paycheck has a job,’ ” Melbourne says. If someone does not have a supervisor, an auditor would likely interpret that as a lack of control over what that employee is doing, and would then have to wonder if the person’s job is legitimate or a fraudulent position created by someone else in the company.
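The two conditions Melbourne describes, people who report to nobody and people who report to each other, are both structural defects in the reporting graph that an HRIS export can be checked for mechanically. The following is an added example, not code from the article or from any vendor named in it; the CSV is constructed sample data and its column names (`employee_id`, `manager_id`) are an assumption rather than any product’s schema. Beyond the two cases in the text, it also flags a manager reference that points at an id not present in the export, which is the usual data-entry residue of a departed supervisor.

```python
"""Integrity checks over an HRIS reporting-line export.

Finds the conditions a SOX auditor flags in an org chart: employees who
report to nobody (other than the designated top of the chart), manager
references to ids that no longer exist, and people who report to each
other (a cycle in the reporting graph). The CSV below is constructed
sample data; the column names are an assumption, not a vendor schema.
"""
import csv
import io

# Constructed sample export. 1001 is the designated top of the chart.
# 1004 has no manager (orphan), 1005 points at a manager id that does
# not exist (dangling), and 1006/1007 report to each other (cycle).
SAMPLE_EXPORT = """employee_id,name,manager_id
1001,Chief Executive,
1002,VP Finance,1001
1003,Controller,1002
1004,AP Clerk,
1005,AR Clerk,9999
1006,Analyst A,1007
1007,Analyst B,1006
1008,Analyst C,1003
"""


def load_reporting_lines(csv_text):
    """Return {employee_id: manager_id or None} from a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["employee_id"]: (row["manager_id"] or None) for row in reader}


def find_orphans(lines, roots):
    """Employees with no manager who are not an approved top-of-chart id."""
    return sorted(e for e, m in lines.items() if m is None and e not in roots)


def find_dangling(lines):
    """Employees whose manager_id is not itself an employee in the export."""
    return sorted(e for e, m in lines.items() if m is not None and m not in lines)


def find_cycles(lines):
    """Groups of employees whose chain of command loops back on itself.

    Walks upward from each employee. A walk that revisits an id before
    reaching a root (or a dangling reference) has found a cycle; the ids
    on the loop are reported once as a sorted tuple.
    """
    cycles = set()
    for start in lines:
        seen = []
        node = start
        while node is not None and node in lines and node not in seen:
            seen.append(node)
            node = lines[node]
        if node is not None and node in seen:
            loop = seen[seen.index(node):]
            cycles.add(tuple(sorted(loop)))
    return sorted(cycles)


def org_chart_findings(csv_text, roots=("1001",)):
    """Run all three checks and return the findings by category."""
    lines = load_reporting_lines(csv_text)
    return {
        "orphans": find_orphans(lines, set(roots)),
        "dangling": find_dangling(lines),
        "cycles": find_cycles(lines),
    }


if __name__ == "__main__":
    for kind, items in org_chart_findings(SAMPLE_EXPORT).items():
        print(f"{kind}: {items}")
```

Run against a real export, the `roots` argument should hold exactly the ids that are allowed to have no manager; anything else with a blank `manager_id` is an exception for HR to explain or fix before the auditor asks.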
Organizational software becomes even more important as SOX forces companies to expand so-called segregation of duties. Finance departments are typically structured to keep certain responsibilities separate to prevent confusion and fraud. For example, the person approving purchase orders doesn’t authorize payment when the invoice arrives, and someone entering new vendors into the system cannot cut checks to them. Without the split, the risk of an employee embezzling from the company rises.
To ensure accuracy of financial reporting and everything that can affect it, though, this principle will have to expand to encompass anyone who can perform actions that could affect financial results or reporting. Programmers who write code for financial systems should not be the ones who test or deploy that code, and ongoing maintenance of the production system should sit with different people. That split keeps a rogue coder from slipping a technological “back door” into the accounting systems unnoticed.
Segregating duties puts a number of responsibilities on the shoulders of HR. One is working with departments—IT is a prime example—that are understaffed and now being expected to restrict the range of work an employee is allowed to do, but somehow doing so without increasing head count. Managers will no longer have traditional flexibility to have anyone do anything necessary, according to Melbourne.
To ensure the ongoing segregation of duties, HR departments will have to watch changes in organizational structure for possible violations of Sarbanes-Oxley. That means organizational software often will be used to look for potential conflicts—and not just once a year for an organizational chart.
Furthermore, the HR department will have to configure its HRIS to send automated notification to other departments. IT and security, for example, will need to ensure that people don’t retain access rights and system privileges that could cause a problem as they shift positions. For example, “a person in accounts receivable gets moved over to the accounts payable side and maybe gets moved up,” Melbourne says. HR needs to ask: “ ‘Were their rights ever turned off for their old job?’ If not, that is a control deficiency.” And a control deficiency, if serious enough to count as a material weakness, can lead the auditor to report that the company’s internal control over financial reporting is not effective.
Making these checks becomes extremely important during a major reorganization because suddenly things are changing for many people at the same time. Someone must track the current access each employee should have and inform IT of the changes—and then follow up to be sure that the changes occurred.
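The transfer Melbourne describes, and the segregation-of-duties conflicts discussed above, come down to the same comparison: what a person is entitled to do in the finance system versus what the current job allows. The following is an added example, not code from the article or from any vendor named in it. The role catalogue, the toxic pairs, the job history and the access export are all constructed, and the entitlement names are assumptions rather than any ERP’s real permission names. It reports both rights left over from a previous job and pairs of rights one person must never hold together, as of a chosen review date.

```python
"""Entitlement review for segregation of duties after job changes.

Two checks: a transferred employee who kept rights from the old job
(stale entitlements), and anyone holding both halves of a toxic pair.
All data below is constructed; entitlement names are assumptions, not
real ERP permission names. Dates are ISO strings, which compare
correctly as plain strings.
"""

# Which entitlements each job is allowed to hold (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_supervisor": {"invoice_enter", "payment_approve"},
    "ar_clerk": {"cash_post", "customer_create"},
    "purchasing": {"po_approve"},
}

# Pairs one person must never hold together. Constructed, but they
# mirror the article's examples: approving purchase orders vs.
# authorizing payment, and creating vendors vs. cutting checks.
TOXIC_PAIRS = [
    frozenset({"po_approve", "payment_approve"}),
    frozenset({"vendor_create", "payment_approve"}),
]

# Constructed HR job history: (employee_id, role, effective_from).
JOB_HISTORY = [
    ("E100", "ar_clerk", "2003-01-06"),
    ("E100", "ap_supervisor", "2004-09-01"),  # moved AR -> AP and promoted
    ("E200", "purchasing", "2002-05-13"),
    ("E300", "ap_clerk", "2004-02-02"),
]

# Constructed access export from the finance system: (employee_id, entitlement).
ACCESS_EXPORT = [
    ("E100", "cash_post"),        # stale: belongs to the old AR job
    ("E100", "invoice_enter"),
    ("E100", "payment_approve"),
    ("E200", "po_approve"),
    ("E200", "payment_approve"),  # toxic together with po_approve
    ("E300", "vendor_create"),
    ("E300", "invoice_enter"),
]


def current_roles(history, as_of):
    """Latest role per employee whose effective date is on or before as_of."""
    latest = {}
    for emp, role, start in sorted(history, key=lambda rec: rec[2]):
        if start <= as_of:
            latest[emp] = role
    return latest


def entitlements_by_employee(export):
    """Group the access export into {employee_id: set of entitlements}."""
    held = {}
    for emp, ent in export:
        held.setdefault(emp, set()).add(ent)
    return held


def stale_entitlements(held, roles):
    """Rights an employee holds that the current job does not permit.

    An employee with no current role is allowed nothing, so every right
    they still hold is reported.
    """
    findings = {}
    for emp, ents in held.items():
        allowed = ROLE_ENTITLEMENTS.get(roles.get(emp), set())
        extra = ents - allowed
        if extra:
            findings[emp] = sorted(extra)
    return findings


def toxic_combinations(held):
    """Employees holding both halves of any toxic pair."""
    findings = {}
    for emp, ents in held.items():
        hits = [tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= ents]
        if hits:
            findings[emp] = sorted(hits)
    return findings


def review(history, export, as_of):
    """Run both checks as of the given ISO date."""
    roles = current_roles(history, as_of)
    held = entitlements_by_employee(export)
    return {
        "stale": stale_entitlements(held, roles),
        "toxic": toxic_combinations(held),
    }


if __name__ == "__main__":
    print(review(JOB_HISTORY, ACCESS_EXPORT, "2004-12-31"))
```

Running the review with the date of the transfer as `as_of` shows why the check must be re-run on every job change, not once a year: before Sept. 1 the AR rights are legitimate and the AP rights are the anomaly; afterwards the picture inverts, and `cash_post` is the right that should have been turned off.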
Intellectual property is another problem. According to the LUBRINCO Group, a vulnerability management consulting firm based in New York, the Securities and Exchange Commission (SEC), the agency that administers and enforces the act, has ruled that SOX requires tracking and controlling theft and loss of intellectual property. A company must document what sensitive information employees have access to and further use an HRIS to appropriately warn employees about specific information’s confidential nature, repeating the warning when someone leaves the company.
“Companies often don’t say to people, ‘Remember, you signed a confidentiality agreement and you can’t take things with you,’ ” says Richard Isaacs, senior vice president of LUBRINCO.
Intellectual property would even include such things as contact lists and a company phone book. A SOX auditor would likely interpret the lack of formal procedure for reminding employees that they cannot take such information with them as a weakness in the company’s control systems.
SOX adds new wrinkles to compensation problems as well. A change in payroll and benefits expenses can represent a significant shift in the financial status of a public company that must report such things to the SEC.
For example, a new labor contract changing employment hours would need to be reported. Changes in vacation time allowances or other time off for all employees could have a similarly large impact on the financial health of the organization and may need to be reported. Even issues of vacation accrual can become problematic.
Labor management software, whether separate or part of a larger package, is necessary to enable such reporting, and HR departments that adopt these applications sometimes discover that they have been making accounting errors. Robert Farina, CEO of CyberShift Inc. in Parsippany, N.J., which provides a labor management package, remembers a customer with a new CEO who started an internal examination. “They had been making for all intents and purposes an estimate on accrued vacation time” over a period of two years, says Farina. Auditors examined the situation and estimated that the company had been underreporting this balance sheet liability by $30 million, and booking the correction produced a sudden hit to reported profit.
Noncash compensation reviews can offer big surprises as well. Michael Dermer, a former SEC lawyer and now president of IncentOne Inc. in Carlstadt, N.J., which makes software for managing incentive programs, notes that reward, recognition and incentive programs often total between 1 percent and 2 percent of a company’s payroll—numbers large enough to make a Sarbanes-Oxley auditor sit up and take notice.
Dermer recalls a client with more than 10,000 employees. “We asked, ‘How much do you spend on your award recognition and incentive programs?’ They said, ‘One of the reasons we’re doing this is that we don’t know.’ ” Similar to the vacation time problem, a company may have employees who are entitled to participate in award programs but who haven’t yet taken advantage of them. HR departments need a way to track such corporate obligations.
Expect some additional legal issues that will, in turn, make software considerations even more complex. Does your company have wholly owned subsidiaries? If so, the subsidiaries have the same complexities of reporting and the information needs to be available to management at the parent firm, according to Kristan Peters, a former assistant U.S. attorney and head of the labor and employment office for the international law firm Pillsbury Winthrop LLP in Stamford, Conn.
Yet even if a subsidiary isn’t wholly owned, if “the parent controls it to such a degree that it’s an instrument,” then it too falls under SOX reporting, arguably including all the HR aspects. So even if a company’s HR department has implemented proper solutions for its SOX needs, it might find itself having to either extend those measures to or integrate the reporting from other companies.
In addition, if an employee complains of wrongful discharge and mentions financial issues at the company, what would have been a labor issue now needs referral to at least the company’s internal SOX audit committee and possibly to legal counsel, according to Peters, because any potential financial impropriety is automatically a Sarbanes-Oxley issue.
The legislation also has strong whistle-blower protection that prohibits any form of retaliation, so any encounter involving an employee who has filed a Sarbanes-Oxley complaint must proceed with scrutiny and caution, ensuring that no one takes an action that could be in breach of the law.
SOX also imposes a cooling-off rule on auditor independence: an accounting firm cannot audit a company whose CEO, CFO, controller or chief accounting officer worked on that company’s audit for the firm within the preceding year. So HR must obtain accurate information from any candidate for such a role, internal or external, about any prior association with the company’s outside auditor. This means HR must ask the questions and document the answers in a way that makes them easy to retrieve when necessary.
HR directors at privately held companies who are sighing with relief should beware. Many such companies are looking at undertaking Sarbanes-Oxley compliance—if for no other reason—to make an acquisition by or a merger with a public firm easier to negotiate. When entering into these transactions, even companies that aren’t legally bound to comply with the act may find that they have to anyway.
Sarbanes-Oxley has obtained its unpleasant reputation among businesspeople for a reason. Coming into compliance is time-consuming and expensive. Software will help, but the longer a department waits, the bigger the problems it may have to confront.
Erik Sherman is a freelance journalist in Marshfield, Mass., who covers management issues.