March 31, 2005
To Mr. Jonathan Katz Secretary, Securities and Exchange Commission
Subject: Feedback on Implementation of Sarbanes-Oxley Internal Control Provisions
We welcome this opportunity to share our perspective with the Commission.
Our organization has worked with many small and mid cap companies to help them effectively and efficiently implement their Sarbanes-Oxley Section 404 internal control review projects. We feel that there are some first principles that need to be reinforced by all involved in this forum:
Principle 1 - Investor trust is priceless.
Principle 2 - American financial markets are responsible for safeguarding the largest percentage of the worlds investments, therefore,
Principle 3 - Only the highest standards in business practices and financial stewardship should be on the table for discussion.
Most people would agree that in all activities involving significant change, the normal human reaction is resistance, fear, chronic complaining and often times foot dragging. The Sarbanes-Oxley Act of 2002 is all about long overdue change, so it is not surprising that there are mixed opinions on the value of the legislation and strong feelings with respect to Section 404 in particular.
Given this we would like to share a few observations from the markets initial adoption of Section 404:
Observation 1 - If effective internal controls were not institutionalized in an organization prior to the introduction of the Sarbanes-Oxley Act, then it is almost guaranteed that there will be issues with respect to poorly designed processes and reliability may be questionable.
Observation 2 - The high degree of implementation of technology over the last twenty years has led to large numbers of segregation of duties issues. In some critical function, one person today is doing the work of e.g. three people two decades earlier. The focus has been on productivity, not control.
Observation 3 - Many processes are fragile because they have evolved from immediate need but not by design. This is like building a house without a plan.
Observation 4 - People cannot spend their way into compliance, they need to take active ownership and participation at a detailed level. Control cant be bought, but it can be earned and embedded into the company way.
Observation 5 - The transition to the buck stops with us not with our auditors is a work-in-progress. Those companies that genuinely embrace good controls will find that this is good work not busy work.
Observation 6 - The CFOs who have been most actively involved in the initial 404 efforts have learned enormous amounts about their own processes and have been able to make positive and necessary changes.
Observation 7 - 404 efforts for small companies in most cases should be easier, not harder, than for larger firms. Generally in smaller organizations there is less administrative inertia, fewer layers of management and patchwork systems, etc. The challenge is for smaller firms to deal with the initial ramp-up to building effective internal controls and then ongoing maintenance.
Observation 8 - The excessive costs that have been discussed/surveyed concerning 404 will be dealt with by the law of supply and demand. Today the demand exceeds supply but not for long. The cost of compliance will come down as specialized expertise and better practices become more commonplace.
For your consideration we would like to make the following suggestions for the benefit of small to mid sized companies with respect to Section 404:
Suggestion 1 - Do not procrastinate. Start now. Leaving the initial 404 work too late will cause you to become overly dependent on costly outside resources. This will undermine quality and longer-term ownership over effective internal controls, and drive up the cost of compliance.
Suggestion 2 - Develop a 404 playbook by planning and scoping your project completely and thoroughly before getting into the details and undertaking testing. The old adage of Measure twice, Cut once applies and will help you create a strong foundation for subsequent years.
Suggestion 3 - Involvement of your staff is critical. As a management team you are the overall process owners. By building effective internal controls in-line with your processes you will build a more prosperous enterprise for shareholders, customers and employees.
Suggestion 4 - Expect imperfection and plan accordingly. If you give yourself time you will be able to remediate and have a clean audit opinion and just as importantly a solid set of business practices.
Suggestion 5 - Your 404 effort is a golden opportunity to improve bad processes. Simplify and strengthen wherever possible. Automating bad processes masks many problems.
Suggestion 6 - Effective internal controls are not just issues for publicly traded firms. Given that trust is paramount when conducting business and transactions between people and organizations, do not be surprised to see similarly legislated requirements for non profits, governments, etc. Good controls arent a burden; they are part of running a good operation.
We know that the SEC is under constant fire for this legislation, but would encourage the Commission to stay the course, as Ronald Reagan would have said.
JFK said, To whom much is given, much is expected.
We know that investors in our markets feel the same way.
This is the price of leadership and the job of management.
Issues Central, Inc.