The Sarbanes-Oxley Act (SOX) of 2002, named after its primary architects, Senator Paul Sarbanes (D-MD), and Representative Michael Oxley (R-OH), is most familiar to relocation professionals as it relates to interest-free equity loans given to executives to facilitate a corporate relocation.
The SEC Regulations for Section 404 of the Act require that an internal control program be implemented and validated through a management assertion process; this article discusses how the relocation department can work with management to implement this requirement. While the procedure surely will be different in various programs and companies, the general principles regarding tightened internal controls and reporting undoubtedly will be applicable, to some degree, to almost every relocation program of companies subject to SOX.
As stated in the Deloitte & Touche publication, “Moving Forward—A Guide to Improving Corporate Governance Through Effective Internal Control,” good corporate governance and ethical business practices are no longer niceties—they are the law.
Excerpts from the Deloitte & Touche publication combined with an interesting analogy of an everyday task provide the framework for a better understanding of this task. Sarbanes-Oxley makes company executives explicitly responsible for establishing, evaluating, and monitoring the effectiveness of their company’s internal controls. Section 302 mandates that CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures. Quarterly filings must contain a certification stating that they have performed an evaluation of the design and effectiveness of these controls. Section 404 requires an annual evaluation of internal controls and procedures for financial reporting.
The Committee of Sponsoring Organizations of the Treadway Commission defines controls as: “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.”
Section 302 calls for CEOs and CFOs to certify that controls and procedures are in place and are effective. To facilitate certification within the organization, companies should require that all controls be identified and drilled down to the lowest levels. Companies may require that department heads certify the controls and procedures within their area of responsibility.
Are relocation program managers prepared to sign off on certification of controls for relocation disbursements and financial reporting?
Using an analogy familiar to us all—doing the laundry—is an excellent way to describe the control review process used to ensure that documentation and testing support management’s assertion on internal control over financial reporting.
- Gather your SOX and separate appropriately (separation of duties).
- Add detergent (documentation).
- Apply stain remover as needed (control objectives/risks).
- Do all of your SOX match (key controls)?
- Do some require mending (gaps, holes)?
- Should you discard some and get new ones (process improvements)?
- Repeat as necessary (on-going monitoring).
Using similar principles, the Siemens Shared Services relocation department completed internal sign-off certification of controls for relocation disbursements and financial reporting.
Are Your SOX Clean, Matched, and Put Away?
The overall purpose: to ensure that documentation and testing will support management’s assertion on internal control over financial reporting:
- document complete, clear, sufficient detail of processes;
- verify consistencies within processes;
- develop adequate testing;
- draw appropriate conclusions; and
- ensure processes and controls can be read and followed by an external auditor.
SOX gives companies the initiative to “fix” problems and the opportunity to enhance processes. Restructure the entire process, from receiving the invoices to sealing the check. Learn from peers what they are doing.
Are Your SOX Clean? Detergent = Documentation
You cannot get clean SOX without detergent. Think of your detergent in the control review process as your documentation. Documentation of processes may include narratives, flowcharts, and templates. The business process narrative must contain enough information so that an individual from outside the company could perform a process walkthrough with very little supervision. It must reflect the actual steps in the process, not what you would like to do. Lack of documentation of the process means failure.
The Siemens Shared Services relocation department’s internal SOX certification began by documenting all department processes. Flow charts and narratives were created to document the process flow of relocation disbursements, beginning with establishing relocation policies, application of policies, individual authorization of a relocation, estimating relocation budgets, payment disbursements, invoice audits, service provider file audits, and following the disbursement process through to reporting of relocation payments in W2 wages. Any of these areas could result in additional expenses for the corporation, inaccurate financial reporting, as well as non-compliance with laws and regulations.
Are Your SOX Clean? Stain Remover = Control Objectives/Risks
According to Deloitte, “risk assessment involves the identification and analysis by management of relevant risks to achieving business objectives.”
Controls are developed to specifically address each objective to mitigate the identified risks.
Siemens Shared Services relocation department identified some examples of potential risks for relocation departments, including authorization of incorrect relocation benefits, incorrect payments to relocating employees, incorrect charges from service providers, and improper wage reporting of relocation-related payments.
Are Your SOX Matched? No Two Lefties = Key Controls
According to Deloitte, “key control activities are the policies, procedures, and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out.”
Identify your key controls, then review to ensure they meet the objectives. For example, are the required authorized approvers for application of relocation benefits clearly identified? How do you ensure all relocation expenses paid to an employee or to a third party balance to all relocation expenses reported as taxable wages?
Key controls may be automated or manual. For example, at Siemens, an automated system is used for data transfer from the relocation service provider into the payroll system. A manual process, however, is followed to balance data imported into payroll to relocation invoices paid by accounts payable.
Controls can be preventative or detective. Preventative controls prevent errors from happening, while detective controls detect when an error has occurred.
Segregation of duties (not in my sock drawer) can reduce financial risk. Ask yourself, does the result of your household goods invoice audit function benefit the auditor? Is the auditor also a stakeholder? Do you have an audit process that incorporates separation of duties?
How the Sarbanes-Oxley Act Affects the Relocation Industry
The Sarbanes-Oxley Act (often referred to as “SOX,” or “Sarbox”) was a comprehensive overhauling of corporate accounting and auditing standards as a result of the corporate scandals of the early 2000s, such as ENRON and TYCO. In these companies, and many others, investors and analysts were deceived by corporate auditing and accounting that covered up massive amounts of debt and questionable spending. When the stock market “bubble” burst during this period, investors in many companies found the corporate asset cupboard bare, even though the books showed healthy reserves. Congress attempted to make sure this did not happen again by overhauling the Securities Exchange Act of 1934—which regulates publicly-traded companies.
It has taken several years for the Securities and Exchange Commission (SEC) to finalize several rules implementing the Act, and it undoubtedly will take several more to complete all sections of it. Early this year, an important rule dealing with internal controls and reporting was released implementing Section 404 of the Act; it will apply to companies during a phase-in period beginning in November 2004 and ending in July 2005, at which time all regulated companies will be following it (See 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274.). As with any such massive change to the accounting system, it likely will take years of interpretation and litigation to finally understand the full effects of the regulation.
Prior to the Section 404 regulations, SOX affected the relocation industry primarily through the Section 402 prohibitions against loans to corporate officers. But for corporate accounting and governance, the Act always has constituted a complete revamping of the old methods, and the introduction of a whole new series of regulations designed to make corporate accounting and reporting more accessible, reliable, and understandable.
The Section 404 Rule requires:
“Companies subject to the reporting requirements of the Securities Exchange Act of 1934 to include in their annual reports a report of management on the company’s internal control over financial reporting. The internal control report must include: a statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting; and a statement that the registered public accounting firm that audited the company’s financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.”
Corporate auditors are now tasked with creating or fine-tuning their internal controls and reports. For some companies, this has resulted in a massive overhaul of their accounting and management practices; for others only slight modifications of existing controls have been implemented. But, regardless of the method of compliance, the importance of accurate and timely internal controls and reporting undoubtedly will increase.
Relocation departments are not exempt from this requirement, of course, and are, and will be, the subjects of scrutiny under the Rule. The accompanying article explains how one company has visualized and implemented a revamping of its internal controls as part of its company-wide response to it.
While one attempts to grasp the significance of this new Rule to our industry, it is important to keep the extent of the Rule in perspective; it only applies to the relocation programs of publicly-traded companies, with each company complying in its own specific way. It does not apply directly to suppliers, vendors, or to companies not covered by the Securities Exchange Act of 1934. But suppliers and vendors may in the future be called on to certify to their customers who are subject to the Rule that they, too, have in place the internal controls regarding the financial information and policy decisions provided to the customer. Only time will tell how far down the chain the requirements of the Section 404 Rule will be pushed.
—Richard H. Mansfield, III
Worldwide ERC® General Counsel
Are Your SOX Put Away? Looking for Holes = Gaps; Do We Need SOX? = Process Improvement
Deloitte says to “identify areas where needed controls are absent and remediate. Once all existing control activities have been mapped to control objectives, it is probable that there will be control objectives for which corresponding control activities do not exist. These gaps should be identified and documented for remediation.”
Evaluate and assess the quality of internal controls. What are your risks? Where can the process break down? What controls are in place to ensure your homesale program is compliant with the Worldwide ERC® recommended 11-step process? If your homesale program is facilitated by an outside supplier, what audit steps do you take to ensure your supplier’s processes are compliant?
As you document your processes and identify key controls, look for efficiencies. Siemens Shared Services relocation department has successfully streamlined relocation administrative processes for 23 Siemens companies through a shared services environment. Look for areas of opportunity to synchronize and streamline processes within your company.
What Next? Repeat as Necessary = Ongoing Monitoring
According to Deloitte, “monitoring is a process to evaluate and assess the quality of internal control over time through ongoing and special evaluations. Monitoring can include both internal and external oversight of internal control by management, employees, and outside parties.”
Periodic testing should be conducted to ensure controls are in place. Keep processes up-to-date and accurate. If you make changes, update the documentation. If it no longer works, remove it from the process.
To test controls within the Siemens relocation department, non-stakeholders were identified from other departments and used in the testing process. Each tester was provided documentation of the process and a description of the control and asked to test each control. Controls were rated as:
- effective; or
Processes were evaluated and improved, additional controls identified and implemented, until each control could be rated as effective or better.
According to Deloitte, “the need to link sound corporate governance to effective control activities has never been clearer. And in terms of restoring public confidence in the financial market, there has never been more at stake. Forward-thinking companies and executives will seize the opportunity. Those who fail to act may pay a heavy price.”
Effective internal controls should be as routine for companies as a visit to the laundry room. Using a simple set of laundry instructions can put your relocation department well on its way to achieving certification of controls for relocation disbursements and financial reporting.
The final step of the Siemens Shared Services internal certification process requires certification of all suppliers facilitating outsourced accounting functions and in possession of any employee personal data. This is most easily achieved by a SAS 70 Type II report, which is an independent auditor’s assessment of a supplier’s internal controls. Anand Singh, who leads internal control and risk management at Siemens Shared Services, Orlando, FL, reminds us, “With ever-increasing legislation surrounding data privacy, ensuring the protection of employee personal information is just prudent business practice.”
For Siemens Shared Services relocation department, achieving supplier certification relates to the homesale HUD reconciliation transaction, relocation expense administration, as well as tax reporting and tax gross-up calculations. Certification of outsourced suppliers encompasses their controls within their organization in areas of administration, computer operations, application development/maintenance, physical/logical security, system software, telecommunication, networks, and the like.
As the corporate customers of the relocation industry complete their SOX certifications, outsourced relocation service providers may receive multiple requests for documentation of their own internal certification.
Are your SOX clean, matched, and put away?
Anne May is program manager relocation for Siemens Shared Services, Orlando, FL, and a member of the Mobility Editorial Advisory Committee. She can be reached at +1 407 487 5044 or e-mail email@example.com.
Pam Menjivar is manager of accounts payable Shared Services for Washington Group International, Boise, ID. She can be reached at +1 208 386 5419, or e-mail firstname.lastname@example.org.