Sarbanes-Oxley Act (SOX): Creating Sustainability Through HR
16 May 2005
A New World
The large corporate collapses and financial scandals of 2002, and the resultant need to restore confidence in corporate America, led to the passage of the Sarbanes-Oxley Act (SOX) in early 2002. The act's mandate is clear: "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."
Conversations
Conversations is a series of discussions about key topics that have an impact on Human Resource management. Our purpose is to spotlight the issues, highlight the concerns they raise, and discuss best practices.
This month, Steve Bohannon of ExcellerateHRO joins Cecil Hemingway, a managing principal at Towers Perrin, to discuss the Sarbanes-Oxley Act (SOX) and its implications for the human resource function. Specifically, we examine issues HR has encountered in the transition to compliance and identify strategies for building compliance sustainability in the future.
While the law generally applies only to publicly-held companies in the U.S. and those that raise capital in the U.S., signs point to the development of similar regulations in other countries as investors and regulators recognize the value of its provisions in restoring public trust.
Under SOX, the CEO and the CFO are personally responsible and accountable for providing accurate financial information to investors. "Each quarter, the CEO and CFO of publicly held companies are required to acknowledge in writing their responsibility and accountability for the financial statements, and each year they must acknowledge accountability and responsibility for the processes that stand behind the production of the financial statements," says Steve Bohannon. "As a result, Sarbanes-Oxley has the potential to impact the very fabric of an organization."
Many of the processes that HR 'owns' – including payroll and benefits – have an impact on financial reporting, and could expose companies to significant financial risks if they don't function properly. But other HR processes, including recruitment and incentive systems, can also be important in the context of SOX, Cecil Hemingway says, because they can impact the entire culture of an organization and the mindset of its employees. "Ultimately, that mindset is one of the most important lines of defence against fraud or other misbehaviour," he adds.
Lesson Learned
Various SOX requirements have been implemented in the last couple of years, and the remainder will follow in 2005. With implementation costs averaging about $4.36 million for publicly traded companies (FEI Research, March 2005), the road to compliance has been expensive and difficult for many organizations. For functions like HR, which have historically been under-resourced, complying with SOX has been a complicated and often exhausting exercise.
Hemingway and Bohannon agree that many companies struggled with compliance in 2004 because they didn't have time to plan and prepare for the implementation of SOX.
"In the first year most organizations had to spend millions of dollars in a fairly reactive way just to comply with the deadlines," Hemingway says. "And for HR," he adds, "the implications extend beyond the bottom line. HR professionals have struggled for many years to be seen as strategic business partners in many publicly listed corporations. SOX has forced them to divert their attention from the higher level strategic issues, where they can contribute quantum gains to an organization's value, and to become immersed in administrivia once again. In fact, many HR people believe that Sarbanes-Oxley forced them to take a couple of steps backward."
According to Hemingway, "Most companies are saying 'Whatever we do, let's not repeat year one.' They know that they have to be more thoughtful about risk assessment and in identifying the real points of weakness. They realize that SOX compliance isn't a one-off event. It's a rolling requirement, something they have to live with forever, and they're asking what they can do to their underlying business processes to make compliance sustainable."
Bohannon agrees, and adds that SOX can ultimately have positive implications for HR professionals. "In many ways, SOX has served as an eye opener for CEOs and CFOs to the risks inherent in their HR processes and systems," he says. "Because SOX has put these processes in the spotlight, many HR professionals will now have an opportunity to consider implementing long-term, sustainable strategies as a means to acquiring the security and assurances of best practice. Additionally, these strategies must be implemented using highly precise and reliable systems."
Finding Sustainable Solutions
While year two costs are unlikely to be the same as those of year one, they will still be significant enough that organizations will need to find efficiencies and smart ways of complying.
Having the appropriate infrastructure can certainly help, but even companies that already operate automated ERP systems to run many of their HR processes would be well-advised to review the reporting capabilities and standards built into these systems to determine the extent to which they comply with SOX requirements.
In many companies, a drive toward long-term solutions rather than short-term fixes will require significant improvements in the systems available to HR professionals.
"Many large corporations are still using paper forms to collect and process information," Bohannon says. "Others have legacy systems or decentralized systems that simply don't integrate with each other. Often, these systems are cobbled together as a result of mergers and acquisitions, and they make accuracy a difficult goal to achieve because they require manual data entry at several points, followed by reconciliation of the work. This leads to escalating costs and huge risks." With SOX, he says, HR has the opportunity to create a clear business case for re-engineering and automating its critical processes to minimize the risk of error.
"Because it's prohibitively expensive for many organizations to build their own infrastructure to automate and improve processes," Bohannon continues, "we're seeing more organizations using a Business Process Outsourcer (BPO) to reduce costs and take on the burden of providing standardized, documented processes."
BPOs leverage their systems investments across many clients, and they stay abreast of best practices in SOX compliance, so they can be a cost-effective and risk-effective option. For example, Bohannon says, "a payroll file can be sent to an external administrator like ExcellerateHRO for uploading to the application. Using this process, the information is key punched once on the company side; we upload it, and then automatic reconciliations are generated. The likelihood of errors has been significantly reduced."
Automated workflows built into compensation, performance management and other self-service applications accessible to managers through Web portals provide an additional safeguard, both by 'forcing' users to follow the appropriate approval process and by reducing the risk of error.
It's important to recognize that outsourcing doesn't free a company from its ultimate responsibility under SOX. Companies must be able to measure their service provider's performance and assess whether the controls and standards are in place to ensure ongoing compliance. "At ExcellerateHRO," Bohannon says, "we receive a Type II SAS70 report on the effectiveness of controls over certain control objectives. The Type II reports deliver significant savings for our clients because the standardized processes and controls are assessed once and then leveraged across our client base."
Managing For the Future
Hemingway and Bohannon agree there are several key steps companies need to take to ensure SOX compliance over the longer term, including these:
- Eliminate the risk of serious error
- Automate and re-engineer for maximum efficiency
- Create sustainable and integrated HRIS across the business
- Consider the benefits of outsourcing to a SAS70 leveraged BPO
"By making the case for compliance sustainability and working to achieve it," Hemingway says, "HR professionals have the opportunity to be recognized as strategic business partners. It's not just about reducing errors. Through programs like performance management, succession planning and recruiting, HR can help the business institutionalize the control culture. There is a huge opportunity for HR to use SOX as a way to demonstrate its value to business."