“What do Sarbanes-Oxley, Dodd-Frank and hedging FOREX have in common? They’re all risk- and compliance-related.” Question: Should SOX 404 go?
In this uncertain world of potential major compliance changes, this discussion might be interesting to revisit.
The notion of risk is not something that can simply be explained in a couple of sentences. Risk means many things to many people and, unfortunately, it has become an almost overused word. We live in a society theoretically always under terrorist threat, where between Homeland Security, CNN and airport security, risk has in a sense come to mean a life-threatening event. Yes, it is true that the risk of terrorist attacks can be life-threatening, and clearly the events of 9/11 will remain embedded in the minds of most Americans. And for the many who experienced losses, those memories will continue almost on a day-to-day basis. I say all this for one reason: I am talking about human beings, us, the same people who occupy roles and positions within corporations. Hardly a day goes by without the media making some reference to the word threat or risk in some shape or form. It is probably also fair to say that because we have been so inundated with notions of risk and its associated fears, we have effectively blocked out what it means. Unfortunately, from a corporate perspective the only real way to manage and control risk is to use the same, may I say, brainwashing techniques, so that the avoidance of risk becomes embedded in our day-to-day thinking. The concept of risk is hardly new to any business; let us face it, the definition of business is risk. And by the same token, risk need not be an ugly word to be avoided. By adopting a methodical approach, managing risk simply becomes part and parcel of everyday life at work. Should you happen to work within the financial services industry, the words risk and compliance, albeit not life-threatening, have been replaced with the words Dodd-Frank, which, as we shall see, do not conjure a warm and fuzzy feeling! In a sense this discussion is almost designed to re-educate corporates into thinking afresh about that word, devoid of all the clutter associated with it. So let us begin!
Before we delve into the purpose and objectives behind this discussion (that of incorporating risk management and measurement into corporations), and what it is NOT, we need to develop a macro perspective of risk using Sarbanes-Oxley and Dodd Frank as reference points or benchmarks.
First, as an introduction, the subject of risk compliance and 'are you prepared' is being discussed far more frequently than a few years ago, especially compared with the period prior to the mortgage crisis and the subsequent global economic meltdown. Sarbanes-Oxley (SOX) evolved as an attempt to create an internal control structure that would effectively protect the issuance of financial statements from major misstatements and economic misrepresentation. SOX was never really intended to cover the operational risk factors of an entity, that is, whether sub-units within an organization (making sub-optimal decisions and/or ignoring the emergence of negative factors impacting other areas) could, if unchecked, ripple across and potentially bring down the entity or (as in the case of financial services) create global macro-economic repercussions. Identifying where within an entity risk factors exist (which first requires defining them) and then creating benchmarks or indicators that forewarn that action is needed is critical to damage prevention, just as negative budget variances in accounting forewarn of a threat to achieving expected net income. OLAP (online analytical processing) cubes, three-plus-dimensional ERP tools, are, for example, used by top management to monitor financial results and performance, enabling corrective action to be taken if necessary. It is ironic that so much attention is paid to the accounting data and yet little, if any, and certainly not on the same scale, is applied to monitoring and managing risks. In organizations where risk factors have insidiously crept in, the damage, financially speaking, has already become embedded within the negative budget variances. From a risk management perspective, it is like taking action after the ‘barn door’ has been left open!
These concepts are embedded (or gradually being mandatorily required as sections come into effect) within the Dodd-Frank approach vis-à-vis risk committees and the appointment of qualified individuals capable of overseeing all risk considerations and monitoring corrective action if needed. Though Dodd-Frank (albeit extremely detailed and complex) is for the most part specifically directed towards financial services, any organization needs to AND MUST adopt a similar approach if it is to prevent and mitigate uncontrolled and/or unidentified risks (or systematic risk) creeping into the entity.
BUT recently a business colleague shared this with me. “One thought is an emphasis on the qualifications of the risk manager him/herself. That person must have product knowledge (in addition to finance, compliance or accounting skills) as well as the authority to effect change if needed. An actual example of failure is where a CEO terminated the original Compliance officer who challenged the firm’s exposure to debt, and replaced him with a CCO who had diminished authority. That left the CEO with absolute authority and the results, even in an environment of heightened supervision from Dodd Frank, created a problem the legislation was enacted to prevent.”
And, moving this into the Sarbanes-Oxley field, another colleague once shared with me that all the internal controls in the world can never prevent fraud and misrepresentation where the CEO and CFO are collectively working together against the interests of the corporation. Hopefully, though I sense naïvely, the auditors could potentially uncover such collusion (we’ve yet to mention Enron). Regardless, it is clear that whether we are dealing with Dodd-Frank or Sarbanes-Oxley, honesty and integrity have to start from the top downwards. Unfortunately, clever, dishonest and manipulative top management can often find ways to circumvent even the best of controls.
To make matters even worse, management of risk, whether we are talking about financial services or regular corporations, is directly affected by the corporate culture and the degree to which internal politics is present or completely absent. Fortunately, there are organizations today that operate very successfully in a politics-free environment and go to great lengths to root out any instances of politics taking hold.
In another instance, the following comments were shared with me; they are an excellent example of how risk management efforts, even those of Dodd-Frank, can be stymied.
“Your reference to “many entities continue to operate in a silo mentality” is most accurate due to many reasons, particularly because some financial institutions are comprised of groups that have been assembled from outside companies and don’t share a common business culture. Additionally, that culture must be top down. The internal competition that results is as intense as what exists with competitors in the market.”
Over many years, what I continue to find very interesting, and not in a naïve sense, is that these are the same individuals who purportedly take positions (i.e., CFO) encompassing considerable fiduciary responsibilities. Unfortunately (a word used far too often), we constantly find ourselves the victims of individuals whose ability to misrepresent, and whose greed, seem to have no bounds; it is a fact of life.
One need only look to Enron: “Chief Financial Officer Andrew Fastow and other executives not only misled Enron's board of directors and audit committee on high-risk accounting practices, but also pressured Andersen to ignore issues… Shareholders lost nearly $11 billion when Enron's stock price, which hit a high of US$90 per share in mid-2000, plummeted to less than $1 by the end of November 2001.” Enron's audited balance sheet appeared debt free, while in reality it owed more than 30 billion dollars at the height of its debt. (Fastow himself had a personal financial stake in these funds, either directly or through a partner. Fastow made tens of millions of dollars defrauding Enron in this way.)
And of course, Bernard Madoff: “the former non-executive chairman of the NASDAQ stock market, and the admitted operator of a Ponzi scheme that is considered to be the largest financial fraud in U.S. history. In March 2009, Madoff pleaded guilty to 11 federal felonies and admitted to turning his wealth management business into a massive Ponzi scheme that defrauded thousands of investors of billions of dollars. Madoff said he began the Ponzi scheme in the early 1990s. However, federal investigators believe the fraud began as early as the 1970s and those charged with recovering the missing money believe the investment operation may never have been legitimate. The amount missing from client accounts, including fabricated gains, was almost $65 billion.”
We of course should not overlook the very interesting shift in the role of internal auditors, theoretically the eyes and ears of senior management of larger organizations that employ an internal audit department:
According to a survey (Economist.com) by the Institute of Internal Auditors (IIA), just over one-quarter of corporate internal-audit work will focus on operating risks. That's a substantially higher proportion than compliance risks (which will make up 15% of internal-audit efforts) and Sarbanes-Oxley testing (12%).
AND
In a way, the credit crisis was good for the internal audit role.
As regulators continue to call upon managers and boards to improve their oversight of risk management, through speeches and regulations stemming from the Dodd-Frank Act, managers and boards are looking to internal auditors to weigh in on whether the company is assessing its risks and mitigating them within their risk-tolerance levels.
Despite the clear need for risk management, especially in downturns, that same survey reported that:
Some of that progress was stalled by the financial crisis, since many internal-audit teams were downsized.
Though the current trends are positive, the fact that downsizing occurred at all speaks directly to the disdain placed on any effort to manage risks, even the internal audit role. If any lessons were learned, the financial crisis should have resulted in increasing the internal audit staff and expanding their role!! This seriously raises the question as to whether what resulted in or led to the financial crisis was even basically understood at all!! Those reading should consider it a sad statement of ignorance by those charged at board level to protect shareholder interests, considering that one of their functions implicitly incorporates risk management.
We will examine the word “RISK” throughout this discussion. Many entities continue to operate in a silo mentality, and that, along with politics and a lack of a board-level corporate overseer, is part and parcel of why risk compliance and risk management are so crucial today as organizations and the economy attempt to recover. The status quo clearly demonstrated serious shortfalls in risk management and board-level oversight of operations, and given the severity of the current recession (for example, high unemployment and/or foreclosures), it is highly probable that public sympathy towards repeats will be severely lacking. Finally, FX or foreign exchange (derivative hedging) and its management is the perfect example of how to implement and apply strong risk management principles. FX issues cross the entire organization, and FX rates reflect in a single number the status of global economies. We will explain more about this later. As FX rates move in any direction, this can have major repercussions on corporate decisions, from purchases and sales to M&A activities, and all boards must monitor and build plans/strategies under varying scenarios based on probability concepts and build a consensus on anticipated directional change.
The discussion also aims to address and compare (albeit at a high level) the requirements of SOX against the Dodd-Frank legislation and to contrast how they differ clearly in purpose and objectives. This discussion is not geared toward analyzing specific sections of either the Dodd-Frank legislation or Sarbanes-Oxley. They do, however, serve as a legislative backdrop to the whole issue of risk and how it should be managed. On the one hand we have the Dodd-Frank legislation that was enacted in response to the mortgage meltdown crisis and the inability of the financial services industry to self-monitor and police itself. Though outside the scope of today's discussion, the extremely draconian requirements within the Dodd-Frank bill (many of which have still to become mandatory requirements) may significantly stifle the creativity within the financial services industry, which has for decades been the backbone of our economic growth engine by developing innovative financial vehicles, increasing yields and providing increased liquidity. Unfortunately, as has often been the case, those financial vehicles themselves are attacked as operating against the public interest rather than the financial managers, i.e. the people and institutions that issue them. Those attending this discussion today may recall the demise a few years ago of high-yield junk bond financing (remember Michael Milken). The issue back then, as today with derivatives, was that the financing model was attacked instead of exclusively targeting certain individuals who, besides suffering from extreme greed, also violated certain SEC rules and received the appropriate punishment. Following all the negative publicity, the junk bond financing model was considered no longer in vogue and all but disappeared. Theoretically, the high-yield junk bond financing model was actually quite brilliant, but its application was humanly flawed!
It is against this backdrop, and with much trepidation, that I fear derivatives might suffer a similar fate. The good news is that the derivatives market is huge, but in all probability, given the Dodd-Frank legislation, as current positions are unwound or closed out, either the reissuance or the creativity of new vehicles will be seriously curtailed.
The perception is that Sarbanes-Oxley and Dodd-Frank are similar and overlap, whereas on the contrary they are distinct, industry-unique and target specific areas. Both risk management and internal controls are areas that corporate management has for far too long not adequately addressed, considering their fiduciary responsibilities. Boards frequently target EPS or bottom-line and short-term objectives as being the priority for shareholders and owners of such entities. The latter, unfortunately, trust management and are neither informed nor educated on risk management issues. Foreign exchange management (derivatives/hedging) is also misunderstood, and yet FX management has a critical role to play that impacts all areas of an organization and, interestingly, embraces both SOX and Dodd-Frank. A Treasurer’s role is not an easy one, especially when communicating financial concepts to the board and justifying decisions ‘after’ the transaction closed!!! Directional change is a moving target and is based on analysis and interpretation of variables often months in advance.
In London (March 8, 2012) Meredith Cross, Director, Division of Corporation Finance, U.S. Securities and Exchange Commission gave a keynote speech and Dodd-Frank was contrasted against Sarbanes-Oxley in this manner: “In some respects, the scope of Sarbanes-Oxley was very narrow —it was intended to dramatically improve the financial reporting infrastructure for U.S. public companies, and it did this by creating new auditor independence standards, a new oversight body for auditors, new audit committee standards, new certification requirements by CEOs and CFOs, new reports about disclosure controls and internal controls over financial reporting, and more, although not a great deal more.
In contrast, the Dodd-Frank Act is much broader in scope and purpose, affecting virtually every aspect of the capital markets, including asset-backed securities, swaps and other derivatives, proprietary trading by banks, consumer finance, and a great deal more. As you know, Dodd-Frank affects public companies in a number of respects. It has provisions relating to credit ratings disclosures in prospectuses and reliance on credit ratings in our rules; executive compensation matters, including say-on-pay and a variety of compensation disclosures; listing standards for compensation committees of boards and for ‘clawbacks’ of erroneously awarded executive compensation; the safe harbor for private placements; asset-backed securities; and topics we describe as “specialized disclosures” — disclosures relating to use of conflict minerals from the Congo, mine safety matters, and payments to governments by resource extraction issuers.”
Okay, let's consider what we have covered so far; we now know and hopefully understand that the concepts of risk and compliance have been clearly defined under both Dodd-Frank and Sarbanes-Oxley. Clearly risk exists, and there is no doubt it can effectively destroy a corporation, e.g. Enron.
Consider both the examples of Enron and Bernard Madoff, who, by the way, did not limit his actions to individuals alone, for clearly many corporations and organizations were also targeted under his elaborate Ponzi scheme. Actually, had risk-management practices been in place within these entities, it is highly probable that many of Bernard Madoff’s high-yield enticements would have come under scrutiny and been questioned before excessive financial damage had occurred.
Here we are not talking about the Dodd-Frank act but are most definitely referring to Sarbanes-Oxley, although I will hasten to add that in all probability the Dodd-Frank act, with its excessive documentary requirements, may well have brought the Ponzi scheme under scrutiny. Moreover, I'll propose that what is needed is a combination of both Sarbanes-Oxley and Dodd-Frank to create an effective risk management approach and methodology.
It is very important to gain a perspective on what the Dodd-Frank bill actually aims to achieve. Many practices and investment vehicles that flowed freely within the financial services industry were developing risk thresholds (i.e., the mortgage meltdown via international derivatives) that by definition are unacceptable. The clear intent of the Dodd-Frank bill, by forcing open transparency and documentation, is to create an environment in which these excessive risk practices will be either curtailed or at the very least very tightly controlled and monitored. Bottom line, you had better have a very good reason!!
You also need to understand that the precursor to the mortgage meltdown crisis was a combination of greed and highly unethical behavior on the part of certain financial institutions/individuals that chose to ignore very common and standard underwriting practices that would have rejected the vast majority of mortgages that were placed on the books. The reaction on the part of the legislature, i.e. Washington, was to create the Dodd-Frank act, which all but eliminates any similar behaviors. By creating a high level of documentation, the creation of compliance officers, and strict accountability, any attempt to repeat such behaviors absent solid business reasons is tantamount to seeking a ‘go-to-jail’ card!
If we ‘Google’ the word ‘risk’, we come up with (using Wikipedia) this explanation: “Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called "risks". Almost any human endeavor carries some risk, but some are much more risky than others.”
What we have here is abundantly clear: in some shape or form, the end result in financial terms is a loss. Accounting, in a mechanical sense, simply records the quantitative amount of the loss but does nothing towards mitigating or eliminating it. The negative aspect of risk has already occurred, and the result in accounting terminology is a loss, or a debit.
Another way to look at the Dodd Frank bill is that it creates an environment that effectively forces clean and ethical business practices simply because of the punitive aspects of attempting any alternative path. In the past, very unethical business practices could exist simply because no requirement existed that forced such behaviors into the open. Once that veil of silence (i.e. the way we’ve always done business) is lifted, by mandatory compliance to the Dodd Frank bill, it becomes almost impossible to operate under a status quo. The Dodd Frank bill is clearly operationally orientated; it targets the manner of doing business and ensures that however you carry on business will become open and transparent. It was a reaction to the inability of the financial services industry to police itself, but the discussion here is towards suggesting that the operational aspects of the Dodd Frank bill need to be applied to all organizations and not just financial services.
Before we move further, let us examine the mechanics of the Sarbanes-Oxley act, or SOX 404 as it is more commonly referred to. We shall use ‘procure to pay’ as an example of how the process works. SOX 404 is almost exclusively financial-statement orientated. Its purpose is quite simple: to ensure that adequate controls, checks and balances, exist such that any financial misstatements or misrepresentation can be contained within a very reasonable error rate, in the 5% range. No accounting system can ever be error free; however, by creating a system or a process flow that incorporates key internal controls, the probability of material errors is greatly reduced.
So, what exactly is meant by ‘procure to pay’? Put another way, procure is the act of buying something, whether goods or services, and pay is the process by which it is either paid immediately, as in cash, or becomes an accounts payable and is paid within a certain timeframe. Whether it is a cash transaction or an amount that is eventually settled is less of an issue than whether the goods and services were legitimately needed for business purposes and whether the expenditure was duly approved by personnel having such authority for that particular amount and purchase (generally speaking, managers should only sign for goods and services within their sphere of control and responsibility). In almost every company, managers are given authority to sign up to a certain amount, and as the amount in question increases, so does the escalation to personnel of a more senior position, up to and including the CFO. At this point, anybody with an auditing background will start to recognize the key issues involved here. Such key issues include, and are by no means limited to, segregation of duties, establishing bank accounts, setting up vendors and so on. And even in the best of organizations, where auditing protocols have minimized any opportunity for fraud and misappropriation of company funds, that still leaves the question of how these expenditures will be recorded within the general ledger and the degree to which that classification is accurate or misrepresentative. Although we intend in this discussion to examine the definition of risk, it would not be unreasonable to extend the definition to include the accuracy of the accounting system relative to compliance with debt and loan covenants, which commonly incorporate penalty triggers for failing to meet certain financial benchmarks.
Although the accounting department ordinarily should be considered responsible for the accuracy of the general ledger, virtually every company, especially those with a complex manufacturing structure, relies on the managers and the accounts payable department to correctly record and book invoices for goods and services. Accountants have neither the experience nor the training to override an engineering manager’s allocation of expenses. Similarly, given the volume of invoices, it is impossible other than by sample testing to ensure accurate allocation or posting to general ledger accounts by the accounts payable department. The concept of risk takes on an interesting definition when you consider all the areas operationally within a company that can affect the line items on the financial statements and whether or not the financial results faithfully represent the transactions of the company.
Notwithstanding all the above comments and the possible perception that they sound highly negative, there are fortunately, between checks and balances and the budget mechanism, ways to ensure that the likelihood of material misstatements on a line-item basis is pretty low. Any experienced CFO and engineer will know quite accurately the cost structure of the company. The 3-to-5-year business plan and the one-year operating budget, incorporating variance analysis, can be very effective in identifying general ledger coding errors. Additionally, companies that incorporate a standard costing system, especially those that use industrial engineers to derive the standards, create a hierarchy of variances that monitor and control not only expenses and usage but indirectly the general ledger system itself.
Of course, within the population of all organizations there will be many that do not effectively use either a budgeting or a standard costing system, and for those the risk of material misrepresentation increases proportionately. Also, relative to those financial benchmarks we mentioned earlier in discussing loan covenants, oftentimes those benchmarks or required ratios will fall outside the budgeting and/or standard costing system. Both the budgeting and standard costing systems are geared to the income statement and not the balance sheet. Therefore the accuracy of the balance sheet will rely heavily on SOX 404-type key internal controls.
As we have already seen, the definition of risk incorporates, from a negative perspective, that it “will lead to a loss (an undesirable outcome)”. Let us move now from a general description to consider how risk applies to a corporation. We have already discussed in great detail that SOX 404 pertains primarily to financial statement accuracy, and that only the Dodd-Frank bill is clearly operationally orientated. The Dodd-Frank bill, as we know, is directed towards the financial services industry. But by now it should be very clear that each and every organization needs to consider operational risks, but what are they? And not only that, but just as important is who within the organization ought to be aware of these risks.
Every organization, virtually without exception, is comprised of various disciplines that are required to work together to achieve the mission of the corporation. But what do we mean by this? Let us consider a typical organization that comprises marketing and sales personnel, production and engineering, accounting and finance, human resources and legal, quality control and, in all probability, many others. We also know from experience that all the above disciplines are assigned to various departments, and those departments may form part of a business unit, and so on. Depending upon the hierarchical matrix, the organization may comprise many levels of managers up to and including the CFO and CEO; alternatively, it may be a fairly flat structure. But regardless, each discipline has its own internal reporting structure (engineers will report to engineers), and no one person can possibly understand the technical aspects of each discipline. The CEO relies on senior managers to communicate pertinent and relevant information using non-technical jargon that eventually may reach board level. Even within organizations that are relatively open and transparent, the communication process is complex. In organizations that suffer from internal politics and gamesmanship, it becomes even less likely that all information relevant to the concepts of risk will ever reach the CEO level.
We already know that risk has a negative connotation, and we also know that human nature, by definition, is loath to communicate information that could possibly be construed as a failure on someone's part. The communicating of risk should never become a performance-related issue; on the contrary, the failure to communicate risk should be. An employee at whatever level who communicates risk factors or concerns should be viewed as someone who cares about the organization. The enemy of risk is advance warning, as any opportunity to get a heads-up on a potential threat is always advantageous to the company. Any employee who is aware of a threat but fails to communicate it, perhaps due to insecurity or other concerns, is actually guilty of potentially damaging the corporation or contributing to the outcome!
So where does all this lead us? We suggested that risk threats need to be communicated and that such communication should always be viewed as positive. But we also suggest that human nature may be loath, especially in politicized environments, to take such actions, lest they be viewed as some kind of failure. So, bottom line, is there a workaround? The answer is yes!
We have already discussed under SOX 404 that processes like procure to pay can be documented and key internal controls identified. But consider that everything within an organization, from financial processes to manufacturing processes, can be converted into a visual process map. The manufacturing process, in some shape or form, converts raw materials or other inputs into finished goods that eventually will be sold and, from an accounting perspective, will be displayed as revenue. There is no part of a company that cannot be associated with simple risk-related questions such as “what if”. Such what-if questions are by no means isolated to machinery and equipment and, on the contrary, should very much be applied to employees as well. The visual process map offers an enormous advantage by allowing the reader or analyst to place risk-related issues in categories from minor to potentially threatening to the company. Consider also that such a tool can be used to monitor risk-related concerns and periodically re-evaluate their risk level. The individual that monitors per se absolutely does not need to be technically orientated, but only has to know where within the company and the process the equipment or the person fits. All of the necessary information can be gathered by a simple combination of interviewing and applying basic analytical techniques. Most important to this idea is that it circumvents the need to gather such risk-related information through employees or other formal communication channels.
What we have not yet mentioned is a critical need, in parallel with creating such process flow maps, to document each key component of the process and how the threat assessment was determined. Any such assessment should never be assigned to a single individual, other than the initial determination. Once the process and documentation are completed, everything should be reviewed at senior management level and above and incorporate all disciplines from engineering to accounting. Effectively, the package needs to be signed off as fully representing all aspects of the organization. Equally important is that the entire exercise is not viewed as a single standalone project but, on the contrary, as a process that will be ongoing. Risk threats and assessments require constant and ongoing monitoring, and just as the economic and global economic environment changes, so do risk threats increase or decrease accordingly. Organizations additionally are moving targets, thus the entire documentation and process flow mapping needs to be modified and reviewed constantly over time as the organization changes. Key individuals need to be assigned to sections of the process flow mapping and made responsible for notification where material and/or significant changes need to be incorporated. Organizations that comprise multilevel domestic and international subsidiaries need to ensure not only that each subsidiary prepares its own process flow map and documentation but that all documentation and process flow maps are in sync on a domestic and international basis. Organizations that are active in the mergers and acquisitions area will be particularly challenged to monitor risk threats, especially where international entities are concerned.
Cynics may question whether all this effort and time is worth it and whether it is really necessary to create such elaborate process flow maps and documentation, but consider the alternatives. It should hopefully be very clear that relying on either informal or formal communication channels, absent such documentation and flow mapping, is in and of itself risky! A reasonable question might be to ask that, if humans are so reliable, then please explain the intricacies of the Dodd-Frank act. Clearly the legislature does not trust the human animal to be responsive. Dodd-Frank, vis-à-vis the financial services industry, has created and is creating a very complex compliance and monitoring process. Dodd-Frank clearly cannot simply be overlaid on non-financial-service organizations; thus we need to look at alternative solutions which, at the same time, will provide a mechanism that monitors and controls risk threats. The suggested approach of using process flow mapping and documentation is a workaround!