The Sarbanes-Oxley Act has created several unintended consequences including, in my opinion, eliminating many basic company controls it was intended to enhance in the first place.
Sarbanes-Oxley (SOX) became law in 2002 and was shortly followed by more regulation and the creation of the Public Accounting Oversight Board (PCAOB). SOX has created many interesting dynamics and consequences, which I will elaborate on in this post. Initially, public companies struggled with how to define a “control” to document that could be used to monitor compliance with Sarbanes-Oxley. I related it to one of my past roles where I was required to read two magazine articles a quarter to maintain my technical knowledge. The way the control was written, it seemed I could read any magazine article to maintain compliance and I was uncertain how an article in People or Cosmopolitan was going to help fulfill this control. SOX regulators and my supervisor both needed to tighten up the definition of “control.”
Since 2002 there has been significant, well-documented analysis of the requirements related to SOX, leading to very specific rules and oversight. The result in the public sector is that the audit team auditing for compliance now must try to keep the regulators from sending them letters and questions about controls that may not be the most strategic as it relates to the health of the company. The auditors then, in turn, have their hands full during the audit process reviewing these types of controls, making it harder for them to add value and help with overall strategy. They have less time to step back and analyze the numbers in a way that results in a critical eye on the company’s financials, as they are auditing to the specific regulation to prevent the SEC from having a reason to come after them.
The increased regulation has flowed into the AICPA audit guidance, enhancing the rules of all audits; consequently, the cost of audits has increased for public and private sector companies. One of the most impactful changes has been the enhancement of the rules around auditor independence, including:
- The auditor can no longer prepare the accounting records of the company they are auditing at all. Twenty years ago, if an auditor identified a small issue or difference, that auditor could determine what adjustment was required and make the entry to the financial statements. Now the auditor must communicate the finding to the client and request that they analyze it to determine what the entry should be and submit the entry to the auditor. Especially in smaller companies, the staff may not have the specific expertise to carry this through. These types of delays in the audit process drive the cost up.
- The public company cannot hire partners and managers on the audit team while they are working on the audit. Twenty years ago, public companies would frequently hire professionals from their audit firm who were already familiar with their company and the culture. The SEC was concerned this impacted independence because if the auditor is expecting to be hired and receive a large salary, they may not work with complete independence.
- The peer review regulation has been enhanced, requiring even the smallest audit firms to participate in peer reviews. However, a small CPA firm has a difficult time allocating the time to either host a peer review of their work or go to another firm to perform a peer review on that firm’s work.
Those were some of the enhancements. Now for the unintended consequences of regulation:
- Partners in big CPA firms are leaving the practice as they are tired of dealing with the PCAOB inquiries while still having to complete their audit responsibilities.
- The number of companies entering the public market with IPOs has declined over time as they are unwilling to incur the cost to comply with public reporting. This trend reversed in 2018; there has been an increase in IPOs as noted in the EY Global IPO trends Q4. Most of the increase is in the healthcare and technology sectors as you can see in this report from EY.
- The typical entrepreneurial growth company does not have the disruptive technology and the ability to attract multi-billion-dollar valuations. Take Farfetch (FTCH), for example, which commanded an initial $6.2 billion valuation after the first day of trade in September 2018, with a $112 million loss in 2017. Farfetch’s valuation will make it worth the increased regulation of a public company. This example is the exception rather than the norm.
- The cost of an audit for both public and private companies has increased significantly. As a result, many companies subject themselves to an audit only when it is necessary. Recently, I learned of a company that was required to get an audit to comply with the buy-side due diligence of their potential acquirer. The cost of the audit was double the original estimate, significantly delaying the sale closing.
- Private Equity firms struggle getting through buy-side due diligence without having audit reports or typical systems infrastructure and controls upon which they have historically relied. The standard of requesting an audit has been lowered and the Quality of Earnings (“QOE”) report is being used more often.
- Public company accounting and finance executives are expending valuable energy managing to the specific concerns of the PCAOB, leaving inadequate time and mental space to think strategically and apply judgment to controls in their environment.
- The companies electing not to have an audit due to the cost may not have proper data and information to run the business day-to-day, which an audit would reveal.
- By choosing not to pay for an audit and the value a third party brings by reviewing their controls, the company may not have adequate controls, leaving it more vulnerable to fraud and embezzlement.
- High-growth companies have grown without the benefit of audits and may be using a combination of QuickBooks and an Excel spreadsheet explosion to maintain their records. The accounting team may not be reconciling balance sheet accounts and applying a proper month-end closing process. When the company seeks outside investment or desires to implement an exit strategy, they may find themselves in a situation where they must get an audit completed. The cost of an audit will likely be enormous at that point, as the books are probably not ready for an audit and chances are the existing staff have never gone through the process of preparing a company for an audit.
SOX and PCAOB are certainly necessary in the United States regulatory environment. Public reporting and transparency are necessary for investors to be properly informed. The regulation should be reviewed and “right-sized” for the current environment. It is a shame that a few companies with less-than-stellar ethics, like Enron, led to a set of rules that has grown into such a powerful force. The PCAOB is not strategically focused on keeping businesses in business, and C-level executives should be pushing back for regulations that help businesses and against those controls that waste time.
Private companies that feel they are unable to afford an audit should keep their books and records so they are auditable. Basics such as monthly bank and balance sheet reconciliations and a proper month-end cutoff should be normal business practice.
If you are a regular reader of my emails and blog posts, you know that I am passionate about companies having the right financial infrastructure to operate their business. Real costs are eroding your bottom line when you don’t have a handle on people, procedures, and process.
Consider the cost of these infrastructure “fails”:
- Little to no understanding of the cost of individual services or products and whether your price covers the costs;
- The inability to seek funding from investors because you can’t pull together the required financial information;
- The cost of replacing frustrated financial staff who refuse to follow old, antiquated processes;
- Time spent by C-suite execs creating their own financial reports when their own Finance Department can’t meet their needs; and
- Fraudulent activity that goes undetected until it’s too late due to the lack of proper procedures and education.
Finance and your company’s IT capabilities are closely linked by the daily transactions that run your business. Sound, efficient infrastructure in Finance is great, but it must be supported by a highly secure and reliable IT infrastructure. I’m not speaking hypothetically, either. This reality hit home when a colleague shared with me his story of being a ransomware victim. The following reads like a script for a cybersecurity whodunit!
Our company uses a cloud-based server provided by Intermedia Solutions to host mission-critical applications, including our QuickBooks accounting software and our back-of-the-house order management system. The actual computer hardware on which our cloud server was running was physically located in a server farm in Atlanta, Georgia. This order management system handles everything from accepting orders from all the channels we do business through (our own website, Amazon.com, Walmart.com, eBay and orders we take via telephone), plus it performs inventory control operations, vendor management, and purchase order issuance. Virtually everyone in the company uses one or both applications throughout every day, seven days a week. They’re accessed via Microsoft’s Remote Desktop software.
On Sunday, February 26, 2017, one of our employees logged into the server, preparing to work, and saw this message on the screen of our supposedly secure cloud server:
Whoever posted the message said that our data and applications were being held for ransom and the only way to free the data was to pay 24 bitcoins, at the time about $35,000. We found that the data on the server was not available to us. It had been encrypted. We were the victim of a ransomware attack.
After a moment of panic, we recalled that we and our cloud server provider had prepared for this possibility. If we hadn’t prepared, we would have been a statistic: another company that was either forced to pay the ransom or go out of business as a result of the loss of all of the company’s data. In 2017, there were 184 million ransomware attacks, most in the United States.
But we were ready and if any day was a good day for a ransomware attack, it would be a Sunday when we aren’t speaking to customers.
We had backups. Our cloud services company made image backups of the hard drive containing our cloud server and its data every night at midnight. The one thing we weren’t going to be doing was paying the ransom. Instead, we contacted Intermedia’s after-hours helpdesk and explained what happened.
We instructed them that we did not want the physical computer hardware repaired (because we didn’t now and would never trust that hardware again). Instead, we wanted a new server configured for our use. They had that ready for us in about four hours. We now had a brand-new cloud server ready to go but with none of our data on it. We then asked for a SECOND brand new cloud server to be set up for us but re-imaged from the backup image taken Saturday night at midnight. This would take longer.
Monday morning, although we were still not operating, we now had a clean, empty server and another server that APPEARED to be working with all of our applications and data on it exactly as it was at the close of business Saturday night. But I didn’t want to actually use this for fear that the ransomware application was lurking on the hard drive someplace ready to be reactivated again.
Over the next two days, we created data backups on the server and worked with our two application software companies to reinstall fresh versions of their software on the new empty server. On the third day, we did a restore of the data from the server image to the new server we planned to use. We gave instructions to Intermedia to abandon the original server that had the ransomware and the server image we had created. We were almost ready to resume operation. But I wanted to get some idea as to how we might have become a victim in the first place. What I learned is that ransomware is almost always delivered via a rogue email containing an image, HTML or a PDF. The travel path for the virus was likely from one of our users who clicked on an email on their local computer while they were also logged into the cloud server. If that was the case, then the ransomware virus was also residing on someone’s workstation.
In my investigation, I also learned that a) Microsoft’s included anti-virus software is completely inadequate for company use and b) the anti-virus software on the server was grossly out of date.
We needed an anti-malware application that created a closed loop: coverage for the server and all of the users’ workstations that access the server. Also, it needed to be managed centrally. Users could not be trusted to keep their anti-virus software up to date. This was not the time for “free” anti-virus protection. Ultimately, I selected Symantec’s Endpoint Protection. For $28 a year per workstation/server, we got a managed malware protection suite. From a single web portal, I can see that everyone’s computers are properly protected. Then I installed it on the server and in the process, it confirmed that my restored data was clean.
Finally, on Thursday morning, we were back in full operation and properly secured.
I was pleased we had no data loss and didn’t have to pay the ransom but disappointed it took four days to recover. Here’s what I learned:
- We chose wisely when we chose Intermedia. They take our cloud-based service needs seriously.
- If you’re using computers in your business, take a good long time to think about what would happen if you had a complete data loss, ransomware attack, etc.
- Take your IT infrastructure security needs seriously. PLAN for a worst-case breach. Do not presume that your employees keep their computer software updated.
- Don’t take your provider’s word for it that you’re protected, backups are being created, etc. Every few months I have a new server brought online and a restore performed. Once I’ve seen with my own eyes that everything works, I delete the server. It’s like conducting a fire drill.
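Larry’s periodic “fire drill” (bring up a new server, restore the backup, confirm it works, then discard the server) is the step most organizations skip. The script below is an added example, not code from Larry, Intermedia or this blog, showing one way to make that drill objective rather than eyeballed: record a SHA-256 manifest of the live data at backup time, restore the image onto a fresh location, and diff the restored tree against the manifest. It uses local temporary directories as stand-ins for the cloud server, the nightly image and the new empty server (an assumption for offline use), and the sample files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large ledgers don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded before the backup.

    The manifest must be kept somewhere the server itself cannot write to;
    a manifest stored on the same host is worthless once that host is compromised.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "extra": sorted(set(restored) - set(manifest)),
        "modified": sorted(
            p for p in manifest if p in restored and restored[p] != manifest[p]
        ),
    }


def restore_drill(tamper: bool = False) -> dict:
    """Run one end-to-end drill; tamper=True simulates a restore whose data was altered."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"            # stand-in for the production cloud server
        backup = Path(tmp) / "backup"        # stand-in for the nightly image
        fresh = Path(tmp) / "fresh-server"   # stand-in for the new, empty server

        # Constructed sample data, not real company records.
        (live / "quickbooks").mkdir(parents=True)
        (live / "quickbooks" / "company.qbw").write_bytes(b"constructed ledger bytes")
        (live / "orders").mkdir()
        (live / "orders" / "2017-02-25.csv").write_text("order_id,total\n1001,49.99\n")

        manifest = build_manifest(live)     # taken at backup time, stored off-server
        shutil.copytree(live, backup)       # the midnight image
        shutil.copytree(backup, fresh)      # restore onto the fresh server

        if tamper:
            # Simulate restored data that does not match what was backed up.
            (fresh / "quickbooks" / "company.qbw").write_bytes(b"unexpected contents")

        report = verify_restore(manifest, fresh)
        report["ok"] = not (report["missing"] or report["extra"] or report["modified"])
        return report


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("tampered restore:", restore_drill(tamper=True))
```

A passing drill is the `ok: True` report; any entry under `missing` or `modified` means the backup cannot be trusted for the file in question, which is exactly what you want to find out on a quiet Sunday rather than during an incident.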
Lessons Learned for Finance
Had Larry not had the right disaster preparedness and IT infrastructure, the costs of his crisis would have been much more than the $35,000 ransom. He still would have incurred at least 4 days of downtime. With his confidence shaken in the violated server, he still would have repeated the recovery process to bring new servers online.
Larry’s Lessons may be applicable to your own IT infrastructure, whether you’ve followed a similar process or realized that you should. Here is how Larry’s Lessons Learned can be applied to your Finance infrastructure:
- Have a disaster preparedness plan for your department that aligns with your IT disaster preparedness. Test it periodically against various scenarios, but not less than every 6 months. Update the plan based on changes in your systems, procedures or business.
- Cheaper is not always better – in fact, it rarely is. Understand your needs and invest in meeting them with the most robust tools you can afford.
- Have an IT Security Policy and related Procedures. Educate your staff at time of hire and throughout the year on the latest scams and the importance of following your company procedures.
Finally, have a third party review your processes for areas of improved efficiency and security.
Barker Associates has the unique ability to work with all sizes of organizations and building infrastructure that matters. Contact us today!
Mindy Barker, Founder & CPA | Jacksonville, FL 32256
(904) 394-2913 or (904) 728-2920 | CFO@MindyBarkerAssociates.com
C-level executives, particularly financial executives, historically have relied exclusively on their technical abilities and work ethic to advance up the corporate ladder within the same organization. My father talks about when recruiters came to Georgia Tech in 1959 to discuss with upcoming graduates their potential future with the company, including their retirement plans. The expectation was that graduates would get a job, work hard and stay with the same company their entire career. Today you must manage your personal brand, especially CFOs, who have approximately a 2.5-year lifespan at a company.
Unsure how to get started managing your brand?
The CFO Leadership Council is a dynamic, energetic organization that provides countless opportunities for professional development and to keep up with the changing role that CFOs face. Jack McCullough, founder of the CFO Leadership Council, offers his perspective on the value of building and maintaining a personal brand.
“In the modern business climate, it is no longer good enough to be good enough. Any up-and-coming executive, or even one who is well-established, needs to understand and own her or his personal brand. This is especially challenging for financial executives who are hampered by a ‘humility gene’ that prevents them from taking credit for their accomplishments. But it is also critical for these leaders to cultivate these brands, since there are still many who consider CFOs to be glorified controllers. Every executive has a personal brand. The question is, are you going to control it, or is it going to control you?”
Jack McCullough, Founder, CFO Leadership Council
CFOs and other senior financial executives are invited to join the Jacksonville CFO Leadership Council on September 25 for a panel discussion on Elevate Your Personal Brand & Executive Presence.
What do making your bed and pitching to potential investors have in common? According to Admiral William McRaven, in his book, Make Your Bed (available at Amazon.com), it’s the simple steps, taken each day, that achieve great results.
To better link these two seemingly unrelated activities, consider this: Chief Executive and Financial Officers may feel overwhelmed by the need to focus on daily tasks and raising capital. But by executing a simple task, such as making your bed each day, the tone is set for the rest of the day’s attitude and accomplishments.
Combine the responsibilities of a C-level position with the priorities of kicking off a new year, and CEOs and CFOs may lack the required focus to also prepare to meet with potential investors. I suggest you personally implement one or two simple habits successfully, then move on to other new habits. The success of achieving even simple changes will reinforce your mindset for success.
Or – how to become an irreplaceable business partner to your CEO.
Why do accounting departments exist? The accounting department can be a processing machine producing mountains of data and reports that get little to no attention OR they can serve as business partner to senior management.
But how do you make that transition to the irreplaceable business partner?
It starts with innovation. Most people think about inventing a specific product when they hear the word innovation. That is not necessarily the case. It can also mean changing a process – even something as basic as how an entity receives mail, pays bills or records revenue.
Innovation – a new idea, more effective device or process; the application of better solutions that meet new requirements, unarticulated needs, or existing market needs (Wikipedia, 2015)
Consider these examples of innovation:
- Netflix innovated Blockbuster out of business with online streaming.
- Amazon innovated a new way to interact with customers with the Prime and Subscribe and Save programs.
- New technology in police cars that carry canine officers has the ability to sense when the temperature in the car is too high, triggering the window to automatically roll down and starting a fan to keep the dog cool.
Companies have implemented lots of new ways to process a piece of paper and save steps, time and money … small changes like these add up and allow the accounting team to provide a better product to stakeholders.
Where do we start to transition from a process machine working too many hours … to a business partner to senior management? The key is to move the work time from “process and reporting” to “advisor and special project work.” To do this, you must shorten the month end process and change the annual budgeting process to a rolling monthly or quarterly process.
The CEO must support this change and as an accountant, you will need to pitch the change by thinking through the emotional drivers that will appeal to the CEO. If your CEO is the type who is uncomfortable with the financial side of the entity, he or she may ask for more data than they actually need. It’s your job to help them understand the best way to guarantee their success is to know the answer to key questions and have the answers to these questions laid out in a meaningful dashboard format.
A great place to start is with the laborious process of Accounts Payable. The paper associated with Accounts Payable and Expense Reporting can be overwhelming.
Here are 11 actions you can take to streamline your company’s accounts payable process:
- If possible, use an automated purchasing system so that purchases are approved at the beginning of the process. This minimizes time on the back end. The system should be set up so that employees can order a specific type of product and the request is then routed to the appropriate approver.
- If you do not have an automated system, think through your process with the goal of moving the approval process to the beginning of the payment process – rather than at the end.
- In all cases, maintain a list of vendors and their websites with the logins and passwords, securely stored where only authorized users can access. This is especially important with PayPal, who is relentless if you lose the login and password for their site.
- In all cases, set up an Accounts Payable email address that routes to at least two accountants. It should go without saying – but I will anyway because I see it all the time – You do not want vendors sending emails to a specific person. When that person leaves, it creates chaos with the accounts payable communication.
- If possible, with your technology, set up a process where vendors upload invoices to the purchasing or accounts payable system, with the general ledger codes already noted.
- If this is not possible, ask the vendor to send invoices to the accounts payable email address. From there, the invoice can be matched with the purchase order, approved or sent to the cost center owner for approval.
- If you cannot automate the receipt of invoices, except for nonprofits that must maintain original invoices for grant purposes, scan paper invoices and save emailed invoices with a naming convention, either in cloud-based storage or on a shared drive. Set the naming convention to assist with locating invoices later for research. Something like: <invoice date_vendor name_cost center>; think through what information you will need when you research a payables question. If you are the lead of the accounting department or a leader, do not set this naming convention without the input of the person doing the work.
- Process payments on a regular basis. If you are processing invoices when the cost center owners request it or vendors call – you are flushing money down the toilet. This is not a good practice. Get your employees and your vendors on board by communicating the payment pattern.
- Consider implementing an e-Payment process, either through your accounts payable software or using a third-party vendor who specializes in e-Payments. Utilize the controls that are built into these types of products, don’t bypass them if they seem inconvenient, they exist to protect the company from fraud.
- Process all invoices for the month by the last business day of the month. This is essential to maintain a tight monthly schedule. So you may say – I will not have all the invoices – OK – but you generally get 12 invoices a year and it really does not matter if each and every one is in the month it covers. For the month you implement the change, you may need to record an accrual of expense you will reverse until you get the pattern of expense working correctly.
- Reconcile Credit Cards on a monthly basis. You can use Expense Management Apps from your phone similar to “Expensify” to assist management with keeping up with receipts and expenses.
If you can implement these changes in your AP environment, you have made a great start to free up time for the transition to a trusted financial advisor to the CEO. The next part of this series discusses changes to the month-end process that will continue to advance your progress from “process and reporting” towards “advisor and special project work.”
Mindy Barker & Associates (firstname.lastname@example.org) works with companies to help maneuver the many questions of strengthening accounting processes and practices through process improvements, as well as other decisions that face growing companies.
We are already well into Q3 of 2016 and perhaps you are considering a big career change in 2017? Maybe even entrepreneurship. If so, click here to read my article this month in Advantage Business Magazine – where I share my insights into key personality traits for entrepreneurial wannabes to be aware of.
Mistakes happen to the best of people and organizations. When I was promoted to Chief Financial Officer at the age of 29, I articulated my fear of making a mistake to one of my mentors. It was overwhelming to accept and consider the responsibility of the lead financial role. I would be the last one to review information before it went to the President and Board. The response I got from expressing my concerns was great – You will make mistakes, I guarantee it. What sets great leaders apart is how they deal with the mistakes.
What I learned from that experience is that leaders can impede or even stop the ability to develop and execute strategy if they do not take responsibility for their own mistakes. Lack of execution can cause the organization to miss revenue opportunities and quickly burn through cash.
When you are a leader of an organization one of the toughest responsibilities you have is leading by example. The Type A leaders who are bold enough to put together a start up or buy a company may not be sufficiently self-aware to take responsibility for their own actions and, as a result, when something goes wrong they can turn into one of three personalities: the Victim, the Judge or the Warrior. What happens next depends on which personality the leader assumes.
The Victim says, “I can’t believe the team did this. They are out of control and now this project is ruined.” This is followed by public accusations that humiliate workers.
The Judge says, “I can’t believe this happened. I am so stupid for trusting the team and I am never going to do it again. The project is ruined.” This is followed by micromanagement and control-freak-like activities.
Either personality can lead to turnover in the organization, which significantly slows down the organization’s ability to develop and execute strategy. A star player on your management team will not stay and live in chaos. The star players on the team are all updating their resumes and keeping their ear to the ground to determine what other positions they can pursue. They will resign and say something like: “This opportunity was just too good to give up” or “They approached me, I was not looking.” They were not looking until the leader turned into the Victim and/or Judge and created chaos and an uncomfortable working environment. The culture is such that the star player cannot contribute in a meaningful way and they will leave you. Baby boomers tend to have a deeper sense of loyalty, so they may stay and hope the situation will change. The Millennial generation, in contrast, will bolt quickly once the Victim and/or Judge shows up. They are very focused on making certain they can personally contribute immediately.
The Warrior says, “I’m responsible for this team and actions. How can we correct and learn from this mistake?”
Instead of using blame and shame to work through the dissonance, Warriors use tools like awareness, compassion, integrity, and ownership. Warriors empower their team to fix issues with customers at the earliest point possible. Warriors take responsibility and execute. Execution leads to building enterprise value and higher existing values.
Leaders, take an honest assessment of your leadership style and adopt a Warrior attitude!
Responsibility can be scary. Leaders put on your big girl or boy pants and take responsibility as the Warrior. Stop the blame and shame, micromanaging and control freak ways that keep the organization from executing. We all have the ability to change once we become self-aware – take an honest assessment of your own actions.
Board members, investors, coaches, and mentors – challenge the leaders of the organizations in this area. Although it can feel distressing to challenge a leader without it sounding like a personal attack, it comes with the territory. I have sat in many a meeting when I knew the Board wanted to ask these types of questions and did not because it is uncomfortable. You have a fiduciary responsibility to address the issue if you think it exists. If you suspect it exists – it almost certainly does.
Star players – before you update your resume and bolt, try to effectively manage up and have a frank conversation with your leader about the situation. Even if it does not work and the leader does not change, it is good practice for you. To help develop the dialogue, consider reading the book, “Crucial Conversations, Tools for Talking When Stakes Are High,” (Patterson, Grenny, McMillan, and Switzler), before initiating the conversation.
As a Chief Future Officer, I can help you analyze your financial results and determine if the actual results are aligned with your strategy. Contact me at email@example.com or www.mindybarkerassociates.com.