When the Sarbanes-Oxley Act (SOX) was enacted three years ago, it was widely believed that the new law would impact HR executives little, if at all. After all, Congress, in an effort to make it harder for publicly traded companies to cook the books, was simply holding CEOs, CFOs and their auditors responsible for misstating the financials. Where would HR fit into this equation? Front and center, it turns out.
Section 404 of the act mandates financial reporting accuracy, and the single largest line item for most employers—the one on which they spend between 40 percent and 60 percent of their budgets—is people-related costs, including salary, benefits, incentives, training and the like.
And that places HR executives squarely in the center of the SOX fray, especially regarding Section 404, the most costly and time-intensive aspect of the act. Simply put, Section 404 requires that U.S. public companies and their independent auditors show the Securities and Exchange Commission (SEC) that their financial numbers are accurate and that they have processes in place to ensure that accuracy.
This is a significant change. Before SOX, if the numbers were accurate, no one questioned how they were derived. Now, how an organization arrives at its numbers is becoming nearly as important as what those numbers actually are.
So, while the CEO and CFO must approve assessments of the company’s financial controls, HR plays a crucial role in working with CFOs and auditors to make sure the internal controls governing HR processes are accurately reported.
“Without our input, a financial person is only guessing,” says Karen Cunningham, SPHR, director of human resources at Network Multifamily Security Corp. in Irving, Texas, who is currently helping her company meet Section 404 mandates. “It’s like asking HR to set the process for controlling inventory.”
Fortunately, HR executives in smaller companies can benefit from the experiences of larger companies, which are already up to their necks in SOX compliance. That’s because public companies with market capitalization above $75 million were required to meet 404 compliance as of November 2004, while those with a market cap under $75 million have until July 2006 to comply. (Illustrating the complexity of this regulation, at press time, the SEC was considering extending the deadline by one year.)
A Big Burden
Lest one think setting up internal controls is a piece of cake, digest this: Since reporting on financial controls began, 750 companies out of 2,500 have admitted failings, says Dave Richards, president of The Institute of Internal Auditors (IIA) in Altamonte Springs, Fla., an association that represents 107,000 internal auditors worldwide.
What’s more, HR issues were second only to financial systems in being cited for “material weaknesses” or “significant deficiencies” in control processes by companies or their external auditors. Twenty-nine percent of the disclosures related to personnel problems, which typically involved poor segregation of duties, inadequate staffing or related training, or unclear reporting relationships.
While having deficiencies or weaknesses won’t result in legal fines or penalties—unless fraud is proved—they may cause heartburn for companies in other ways.
For example, if a company has even one “material weakness” or “significant deficiency” in a financial control process, it will be required to disclose that fact publicly. The outside auditor, acting independently, must do the same. (Only time will tell what impact such negative revelations will have on investors.)
Corporate executives must then prove, to the auditor’s satisfaction, that they have in place and follow sound processes—internal controls—that account for these figures. If they can’t, they’re supposed to correct the weakness and, if necessary, restate any figures that may have been affected by the lapse.
Avoiding such problems requires time, effort and significant sums of money. Larger companies have found the costs associated with SOX compliance to be staggering, averaging $2 million per company. According to a 2004 study by AMR Research, company expenditures on SOX compliance totaled $5.5 billion. Of that, 42 percent was people-related—staff additions, assignment shifts and outside consultants.
In 2006, as smaller and mid-size companies gear up for compliance, AMR estimates total expenditures will reach $6.1 billion. Eventually these costs may level off or even drop, but SOX compliance is not a one-time investment like the Y2K race, cautions John Haggerty, vice president of research at AMR in Boston. “Section 404 is ongoing; it requires companies to have consistent oversight, documentation and testing on a quarterly and annual basis—forever,” he says. “You can’t just walk away.”
With the first wave of company filings on record, the heat is on the 16,000 smaller companies sprinting to attain SOX compliance. Compliance may be especially challenging for these organizations, which are already stretched thin.
“Large companies already have regular systems and processes in place,” says Steve Joyce, HR practice leader at The Hackett Group. “Smaller companies may still be running the way they were when they were mom and pop.”
That often means staff extended to the breaking point. “Who will be my backup on the HRIS [human resource information systems] when I’m out of the office? Who can I assign the job to who won’t have a potential conflict [of interest]?” asks Kathleen Huggins, SPHR, manager of compensation and HRIS at small-cap Crosstex Energy Services in Dallas. “We’re overworked, lack specific expertise and don’t have enough bodies.” But there is no choice. “You need to set expectations that this is a priority,” Huggins says. “It isn’t something we can do if we want to. This is the law. Make time.”
Though SOX legislation includes other sections that will drain your time and resources, expect 404 to be the most demanding. “Eighty percent of HR’s role under SOX is making sure the processes work, testing them, working it through with the auditors and making sure the processes are being followed,” Joyce says. (For more information on the other HR aspects of SOX legislation, see "Are You Clear?")
The essence of Section 404 is internal controls—financial and operational. Put simply, a control is a system of checks and balances that ensures that a process is carried out accurately, correctly and legally.
Though the law requires controls to be in place, it does not mandate any particular type. “SOX has no road map, telling you, ‘Do these 100 things and you’re clear,’ ” says Michael Fuchs, principal in the Human Capital Practice of Deloitte & Touche in New York.
As a result, companies and auditors have been working toward a voluntary consensus; a best practice benchmark, known as the “COSO standard,” has emerged. This standard breaks down internal controls into a framework of interrelated components, all of which have HR implications. Experts advise HR executives to apply the following framework to all their processes. “If you’re able to follow all of [the COSO framework], you’ll be in control nirvana,” observes Joyce.
• Create and enforce an ethical culture. The board and C-suite must lead the way in fostering integrity, ethical values and leadership competence. HR plays a major role in supporting these commitments by establishing and maintaining the appropriate climate and making sure ethical behavior is reinforced through HR systems.
• Prioritize the areas to control. Not all areas of your business have an equal impact on the accuracy of your financial reporting. Decide which areas are your highest priorities. “They’re the potential areas where something can go wrong in HR,” says Richards of the IIA. “If you’ve got 15 processes, look at each one and ask how it’s supposed to work. Determine what’s in place and whether you’re satisfied.”
• Establish controls. Within HR, these controls should apply to any HR-related activity that affects financial performance, as well as those that ensure compliance with laws, rules and regulations. These controls include approvals, authorizations, verifications, reconciliations, and reviews of operating performance, security of information and segregation of duties.
• Conduct a risk assessment. Examine your controls to ensure that they will work well even if changes occur in the economy, industry, regulatory environment or operating environment. For example, if a key executive in a control process suddenly dies or leaves the company, how might this affect your controls? How might rising health care costs affect your benefits budget and your controls for that process?
• Provide information and communication. This refers to information, tools and training you provide to employees to ensure compliance. In most companies, HR is the single best means to disseminate compliance training and other education. “The No. 1 chief control in an organization is its people,” Richards says. “If they’re not ethically trained, if they don’t have the right instructions to follow or don’t understand the rules and regulations, the organization gets what it deserves.”
• Monitor your processes. Assess your control systems over time to ensure that they continue to operate effectively long after the first wave of compliance mania has receded. This is a vital function. Without it, all other efforts could be rendered useless. It’s also a function for which HR is often responsible. Ninety-four percent of the 97 respondents to a recent Hewitt Associates survey said HR was assigned responsibility for monitoring internal controls.
Organizing for Compliance
The Hewitt survey found that in 54 percent of the respondents’ companies, HR shared responsibility for SOX compliance. For example, at Williams in Tulsa, Okla., a large market capitalization firm, HR vice president Robyn Ewing is also the chief compliance officer. She partners with finance and legal to ensure that the necessary SOX policies, training and communication are in place.
While the Hewitt survey found that CFOs take the compliance lead at most organizations, savvy CFOs are looking to cross-functional teams with HR input. The diversity encourages partnering among units that otherwise tend to hunker down in their individual silos.
At large market cap Ameren, a major provider of electricity in St. Louis, oversight is shared across the C-suite. “We approach it from a team perspective,” says Donna Martin, senior vice president and chief human resources officer. “We put together a team from legal, finance and HR to study the implications of SOX and identify the gaps we had to fill.” Kansas City Southern Railway, also a large market cap firm, assigned lead responsibility for SOX compliance to a finance executive who heads up a companywide compliance team. HR has its own four-person team that feeds into the companywide one.
Charting the Course
For those who keep internal controls oversight in-house, the first step is to figure out what you’re actually doing through process analysis, usually referred to as mapping, which charts out the steps a decision must pass through before it is approved. For many in HR, mapping is a new way to look at how they work, and the exercise can be jarring. “It was painful; I’d just as soon be shot than map,” Ewing says. Consultants helped Ewing establish 33 HR controls for compensation, benefits, employee data management and payroll.
As a railroad operating under federal regulations, Kansas City Southern was steeped in compliance activities long before SOX; HR Director Tony Robertson reached out to expertise already on board. “Several of our internal auditors supported us as we identified the initial controls,” Robertson says. “We took each task and broke it down to an individual’s responsibility—who performed what and what their role was on a weekly and monthly basis.”
Robertson says it’s easy to overlook steps in processing executive compensation or reporting salary and compensation data. “Don’t take your responsibilities for granted. No matter how minor you think it is, it has to be included in the controls. We found that what began as 10 steps to a process, when examined carefully, wound up being 25.”
Fuchs says the biggest issue his clients faced was mapping controls where responsibilities for items like compensation or benefits crossed from HR into another unit, like payroll or information technology. “The handoff is difficult. If I have seven controls within my area and you have three in yours, how do we make sure we don’t miss any?”
Tightening and Tweaking
Generally, mapping is revealing that HR is in fairly good shape. But there’s plenty more to do. At Williams, Ewing says, “SOX highlighted how we weren’t keeping on top of our processes even when they were in writing. We were at a point where we were handling things too informally.”
“It can’t be as loosey-goosey as it was,” says Clint Berge, vice president of HR at business management consulting software provider Applix in Westboro, Mass. “There may have been a time when we’d make a decision on the management team to recruit someone. I’d find her, and she’d start work. There would be very little documentation. Now it’s more tightened down. You have to go through workflows, describe how the process works and map out the approval matrix. That’s what auditors are going to do. They’ll say, ‘Tell me who gets involved in a salary increase, who signs off, was it approved by the correct people?’ ”
“What makes it more challenging is that it’s harder to get things processed in as timely a manner as possible,” Berge observes. “I might have to hold back on recruiting for a position until all the documentation is in order. It will force us to create more bureaucratic systems, but that’s not so bad. We want to make sure whatever we do can be substantiated.”
Others learned that they had the processes in place but needed to boost documentation proving they consistently followed those processes. “We didn’t have to invent new processes, but we did have to strengthen our documentation and approval trails,” says Boon Ooi, senior vice president for global compensation and benefits at State Street Bank, a large market cap firm in Quincy, Mass. “For example, we looked at our equity grants—the whole process of how we process and pay bonuses and issue stock. There had to be sign-offs at every level of the chain up to the compensation committee of the board. After we completed our process analysis and adjustments, the controls were reviewed first by internal auditors and then outside auditors. What surprised me were the minutiae and bureaucratic things you have to put in place: the sign-offs, the signatures; it’s like the closing on a sale of a house.”
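The approval matrix Berge describes and the sign-offs at every level that Ooi mentions are the kind of control that can be checked mechanically once the process is mapped. The following is an added example, not code from the article or from any company quoted in it: a small Python audit that runs over a batch of salary changes and flags a missing required sign-off, self-approval, an initiator who also approved or released the change (a segregation-of-duties failure), and a change that reached payroll with no documented approval. The approval tiers, role names and sample records are constructed for illustration and are assumptions, not any organization's actual policy.

```python
"""Approval-matrix and segregation-of-duties check for compensation changes.

Added example, not from the article or any company it quotes. The approval
tiers, role names and records below are constructed for illustration; a real
matrix comes from the organization's own policy.
"""
from dataclasses import dataclass, field

# Hypothetical approval matrix: minimum sign-offs required for a salary
# increase, keyed by the size of the increase in percent. Later rows add
# roles on top of earlier ones.
APPROVAL_MATRIX = [
    (0.0, {"manager"}),                        # any increase: line manager
    (10.0, {"manager", "hr_director"}),        # >= 10%: plus HR director
    (25.0, {"manager", "hr_director", "cfo"}), # >= 25%: plus CFO
]


@dataclass
class SalaryChange:
    employee: str
    old_salary: float
    new_salary: float
    initiated_by: str                  # HR user who keyed the change
    approvals: dict = field(default_factory=dict)  # role -> approver user id
    processed_by: str = ""             # who released the change to payroll

    @property
    def pct_increase(self) -> float:
        # Multiply before dividing so round-number cases land exactly on a tier.
        return (self.new_salary - self.old_salary) * 100.0 / self.old_salary


def required_roles(pct: float) -> set:
    """Return the roles whose sign-off the matrix requires for this increase."""
    roles = set()
    for threshold, needed in APPROVAL_MATRIX:
        if pct >= threshold:
            roles = needed
    return set(roles)


def check_change(change: SalaryChange) -> list:
    """Return control findings for one change; an empty list means clean."""
    findings = []
    signers = set(change.approvals.values())

    # 1. Approval matrix: every required role must have signed off.
    missing = required_roles(change.pct_increase) - set(change.approvals)
    if missing:
        findings.append("missing sign-off: " + ", ".join(sorted(missing)))

    # 2. No self-approval: an employee may not approve their own raise.
    if change.employee in signers:
        findings.append("self-approval by employee")

    # 3. Segregation of duties: the initiator must not also approve or process.
    if change.initiated_by in signers:
        findings.append("initiator also approved the change")
    if change.processed_by and change.processed_by == change.initiated_by:
        findings.append("initiator also released the change to payroll")

    # 4. Audit trail: nothing reaches payroll without a documented approval.
    if change.processed_by and not change.approvals:
        findings.append("processed with no documented approval")

    return findings


def audit(changes) -> dict:
    """Run the checks over a batch; map employee -> findings, exceptions only."""
    report = {}
    for change in changes:
        findings = check_change(change)
        if findings:
            report[change.employee] = findings
    return report


# Constructed sample batch (not real data).
SAMPLE = [
    SalaryChange("E100", 50000, 52000, "hr_ann",
                 {"manager": "mgr_bob"}, "pay_cat"),            # 4%: clean
    SalaryChange("E200", 60000, 69000, "hr_ann",
                 {"manager": "mgr_bob"}, "pay_cat"),            # 15%: HR director missing
    SalaryChange("E300", 80000, 88000, "hr_ann",
                 {"manager": "hr_ann", "hr_director": "dir_dee"}, "hr_ann"),
    SalaryChange("E400", 70000, 95000, "hr_ann", {}, "pay_cat"),  # unapproved
]

if __name__ == "__main__":
    for employee, findings in audit(SAMPLE).items():
        print(employee, "->", "; ".join(findings))
```

Run as a script it lists only the exceptions, which is what an auditor asks for: for each change above a tier, who signed, whether the right people signed, and whether the person who keyed the change was kept apart from the people who approved and released it.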
At Ameren, the HR department conducted a full audit of its files. It also put in disclosure controls and proved to the satisfaction of the CEO and CFO that it is following them. When the auditors came in, Martin was ready.
“They were most concerned about the benefits side, recordkeeping and confidentiality,” she says. “We passed with flying colors.”
Advantages of Automation
HR executives at large market cap firms who have completed the initial analysis of their controls say technology helps to ensure the quality of internal controls. Their HRIS are up to speed. (For more information on meeting SOX mandates using HRIS, see "Use Technology To Stay in SOX Compliance" in the May 2005 issue of HR Magazine.)
Smaller companies, on the other hand, may still be running their processes manually. Although manual controls can pass muster, Huggins says automated ones are a better bet.
“It’s much tougher to work with manual controls,” she says. “On paper timesheets, I noticed at least five places where people could commit fraud. The automated system eliminates opportunities for fraud. Under HRIS there’s only one chance—if the employee inputs his or her time incorrectly. But that should be caught by the manager who approves the transaction.”
Manual controls are harder to manage and more difficult to verify, cautions Joyce. “You can’t do it through people power alone; you’ll fail if you don’t automate.” Still, failure to automate is not necessarily a control weakness or deficiency.
As a rule, companies have been allowing about a year to prepare the initial SOX filing—six months for analysis, implementation and testing, then six months more for external auditors to do their work. In the six months Kansas City Southern took to identify and document HR-related processes, Robertson estimates each of his seven staffers spent about an hour and a half each day.
Now that the controls are in place, the workload has lightened. “I spend most of my SOX time reviewing controls, speaking to our SOX team and internal auditors—about five hours each month. Another staffer does the same; it dwindles off from that. We review our processes quarterly and do an annual audit. We just completed our second-quarter report. If there are no changes in your processes, there’s not a lot to do. If we revise, the changes go back to the companywide SOX team for review and approval.”
Williams began 13 months before the deadline, completed testing within six months, then had to cool its heels for six months waiting on the auditors. “After we agreed on key controls, we couldn’t change them until the auditors looked them over,” Ewing says. “For us, it inhibited process improvement, efficiency and effectiveness, particularly in the last six months of the year. We had to delay an outsourcing deal in Costa Rica because it would have altered our controls.”
Worth the Effort?
In the end, most HR executives who have gone beyond the “getting up to speed” phase of SOX compliance are seeing its value. “It can be a struggle, but once the initial fright over SOX compliance is over, it gets better,” Robertson says. “Yes, the government had to come in and do something; somebody had to step up to make sure these controls were in place. It was a very expensive process, but worthwhile.”
“It’s not just drudgery,” says Roxanne Gilbertson, senior consultant and CPA at Hewitt. “It’s a chance to demonstrate you’re part of the leadership team and can be a strong contributor, and help the organization shine for the financial analysts.”
Robert J. Grossman, a contributing editor of HR Magazine, is a lawyer and a professor of management studies at Marist College in Poughkeepsie, N.Y.