Finding a framework for sustainable SOX compliance

Pulp & Paper, Sep 2006 by Kumar, Suresh

NOTHING IN RECENT YEARS has caused as many headaches for public paper companies as the work necessary to comply with the Sarbanes-Oxley (SOX) regulations. Costing companies millions of dollars, the draconian regulations were decried as an overreaction to a few corporate scandals by many in management, who hoped that the burden would ease over time.

Recent history, however, is dashing these hopes, and it is clear that SOX regulations are here to stay.

Now that companies have completed the initial implementation of SOX controls, it is time to create a framework for ongoing, sustainable SOX compliance. The focus of management is to insure that it has adequate and effective internal controls over financial reporting (ICFR), which are designed to instill faith in the numbers that are publicly reported.

The first step in insuring that your company is not faced with serious Sarbanes issues is creating a culture of accountability and responsibility. No amount of procedures or technology can replace culture, and it's the highlight of guidelines provided by the Open Compliance and Ethics Group (www.oceg.org), an organization dedicated to providing guidance about core processes around governance, risk management, and compliance.

The creation of culture is a function of pure leadership, and creating leaders and champions focused on SOX compliance involves direction from the highest levels in the organization. Whether it's the CEO or a mill manager, every sub-unit's leader must create that culture.

Plan, act, respond

Beyond the culture, there must also be a defined and formal process. Here the "rubber meets the road", and there are really three key tasks, as the following sections describe:

Plan: Identify the risks and the controls to mitigate those risks. The initial Sarbanes requirements, embodied in the 404 Rule, were enacted quickly, and it required quick action to comply at that time. Now is the time to step back and retrace the steps taken to insure that they are the most efficient. You must identify the significant reporting risks, both at the organization level and at the activity level. Organizations must decide whether they have sufficient resources and expertise to identify risks in the form of internal auditors. Lacking sufficient resources, they will have to go outside for additional support.

Act: Change, test, and remediate problems. Once the risks are identified, you must craft plans to change the controls, and in doing so, you are bound by Section 302 of the Sarbanes Oxley Act, which requires companies to disclose changes in their internal controls that are reasonably likely to materially affect the company's financial reporting.

You must also have a reasonable test plan to insure that your controls are adequate, and management should review the testing methodologies on a regular basis to insure that they continue to be adequate. In this vein, controls must not be viewed as a single event, but as a changing process that must be monitored and reviewed on a regular basis. If you have deficiencies, you should classify them according to their severity, with Material Weakness being the most severe followed by Significant Deficiencies and then Deficiencies.

Respond: Mitigating the problems. The important thing to remember is that the response to problems must be sustainable. They must adapt over time to insure that the deficiencies are corrected not once, but at the root cause. The deficiencies must, of course, be reported to both management and to the audit committee of the board of directors for public companies.

Adapting to future challenges

The best companies will still have to adapt their control systems to account for major changes in the business, particularly changes in accounting rules, new information technology (IT), or merger and acquisition activity. It should be remembered that the Securities and Exchange Commission prefers companies to include any newly acquired company in the scope of its control activity in the year of acquisition.

One trend we certainly will see in this industry is the consolidation of "back end" operations, particularly finance, human resources, and IT. This is due to the reduction of costs in creating, maintaining, and auditing controls within these functions in a centralized environment. It is certainly significantly less expensive to audit a centralized finance function than it would be to go to a variety of mills and converting operations that have their own systems and controls.

SURESH KUMAR, CPA, is director, internal audit and SOX, for Caraustar.