Internal controls: opportunity knocks

In association with KPMG

Sarbox has not only revolutionised the content that appears in corporate
disclosures, it has also revolutionised how that content is compiled. ‘We had to
implement new information systems, a new set of entity-wide controls, new
financial statement close processes, and central processes for treasury, tax and
pensions,’ says Robin Brown, director of control at £1.3bn biscuit company
United Biscuits.

John Wheeler, senior vice-president of financial reporting risk management at
US banking giant SunTrust, says he has encountered similar pressures and time
constraints to ensure his company is compliant. ‘We have had to automate to
facilitate documentation, implement deficiency tracking and introduce new
communication processes between executive management, business unit management,
internal audit and external audit,’ Wheeler says.

He says the business will have to continue allocating resources to its
project to ensure it remains sustainable and does not drop from the standards
set in the original implementation.

Implementing and managing the requirements of Sarbanes-Oxley through a disparate,
geographically diverse finance network is difficult, time-consuming and risky,
which is why several companies have pulled together their finance teams into a
single location.

Over the course of 2006, companies have spent $6bn (£3.2bn) on Sarbanes-Oxley compliance,
according to data compiled by AMR Research. The bulk of this sum has been
allocated to external and internal auditing costs, but at least a quarter of the
spending has gone towards the new systems and technology required to implement
Sarbanes-Oxley. This is why the shared service option has become so appealing
for companies that have to comply.

Ted Senko, global leader of internal auditing at KPMG in the US, says a study
compiled by KPMG and the Hackett Group shows that most leading companies are
using shared service centres to comply with Sarbanes-Oxley because of the cost
benefits. ‘Leading companies are showing a greater use of shared services.
Companies that are operating from a decentralised base are finding that costs
are negatively impacted as a result of this,’ Senko says.

Alex Blues, director of advisory at KPMG, says the stricter
requirements of Sarbanes-Oxley have required companies to re-evaluate how they
manage the functions they outsource. ‘Any finance director has had to look at
the issue of sourcing to keep a competitive edge. The UK has been among the
leaders in taking advantage of the global economy, and a number of companies
have outsourced finance functions, claims processing and call centres,’ Blues
says. ‘Internal auditors, who are used to auditing internal functions, are now
auditing the work of a third party and they need to appreciate the fact that
they are auditing a third party.’

Blues says it is crucial to develop a greater understanding of a third party
in a Sarbanes-Oxley world because companies can no longer simply hand the work
out to such an organisation. The company that does the outsourcing is still
ultimately responsible for the work produced by an outsource partner.

Sarbanes-Oxley compliance is crucial for investor confidence, and companies
can incur heavy penalties if they fail to make the grade. So how can finance
directors and board members be sure the Sarbanes-Oxley work entrusted to
companies, which are often based thousands of miles away, will be up to

A key factor to consider is the compliance of the service providers
themselves. Many of the providers are listed in either the US or UK, on stock
exchanges familiar to their clients, and are also Sarbox-compliant themselves.
One example is Infosys, an established outsourcing company in India. It is
listed on the Nasdaq in New York and was one of the first foreign-listed
companies to obtain Sarbanes-Oxley compliance. Infosys chairman Narayana Murthy
says this demonstrates that companies can rest assured their Sarbanes-Oxley
responsibilities are in competent outsourced hands.

Blues says the requirements of Sarbanes-Oxley mean companies have to conduct
more thorough due diligence before signing contracts and ensure they conduct
regular checks of their outsourced functions. ‘Pre-contract, there is a strong
need to conduct thorough due diligence. The security of buildings has to be
checked and potential employees need to be vetted. Post-contract, auditors need
to be sent out to the outsourcing location every six months for ongoing due
diligence,’ Blues explains.
