Manager's Guide to the Sarbanes-Oxley Act:
Improving Internal Controls to Prevent Fraud
by Scott Green
Foreword by Ira Millstein

Preface

Regard your good name as the richest jewel you can possibly be possessed of—for credit is like fire; when once you have kindled it you may easily preserve it, but if you once extinguish it, you will find it an arduous task to rekindle it again. The way to gain a good reputation is to endeavor to be what you desire to appear.
                                          —Socrates, 469 B.C.–399 B.C.

A recent CBS poll revealed that, as a result of corporate scandals at Enron, WorldCom, Adelphia Communications, and others, a whopping two-thirds of Americans believe that corporate executives are dishonest. This overall assessment is even worse now than during the last financial crisis, the savings and loan debacle of the 1980s. Congress has responded to public outrage by passing the Sarbanes-Oxley Act. The act has far-reaching consequences for every manager who works in a public company. It will not prevent fraud or operational losses, but it will make a manager responsible for one occurring on his or her watch. It requires senior managers to certify that their company has an operational system of internal controls over financial reporting. In business, everything flows down the chain of command. Virtually all managers will be required to maintain a system of internal control and will be held accountable if a fraud occurs.

Now more than ever, managers need to understand that they are fighting a war. The threats come from within their own ranks and from outside their world of influence. The enemy is intelligent, better financed, and more dangerous than ever before. It seems as if the front line is everywhere. Though fraud can originate from negative forces outside the organization by those positioned to quickly test and take advantage of a company’s control structure, more often than not, fraud will originate from employees within an enterprise. These employees are often trusted, long tenured, and know the company well enough to conceal fraudulent activities for years. The most damaging schemes are likely to be committed by senior executives. Experienced managers conduct frauds that are 28 times more harmful to companies than their junior counterparts. The latest trend is that a company’s own senior management “cooks the books” without the knowledge of the board of directors.

To the average investor, it appeared that Enron went from the seventh largest corporation in the United States to bankruptcy in a matter of a few weeks. In reality, Enron began its descent as early as 1997, when it began filing inaccurate financial statements. Related party transactions that eventually helped to destroy the company enriched long-serving, trusted senior management. All this was done in the full view of the firm’s attorneys and accountants, who helped set up the investment vehicles and blessed the financial statements. The company had a distinguished and savvy board whose members seemed largely unaware of their perilous position. The Enron story is not only one of fraud, but of understanding the ethical makeup of a management team, the culture fostered with the rank-and-file employees, and the absence of an internal control structure.

From time to time, well-publicized events such as the accounting fraud at Enron raise awareness of the importance of a strong control environment, at which point the demand for control advisory services takes off, only to fall back to earth again when the public outrage wanes. We are now in a period of unprecedented corporate scandal. It has cost many pensioners crippling losses, damaged corporate credibility, and resulted in the elimination of thousands of jobs, both internal and external to the bankrupt companies. As a result, this time, it appears that the focus on internal controls will not fade away. New legislation will hold a company’s managers accountable, and they must respond or face stiff penalties and even prison.

The reasons the focus on controls has been so transitory are many, but one of the most compelling is that there have been no simple tools available to apply to a business. The most complete publication currently available is a comprehensive study prepared by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) called “Internal Control—Integrated Framework.” As an auditor, I, as do many professional accountants and CFOs, use this framework to assess controls at the entity level. In fact, the SEC has specifically accepted the COSO framework for purposes of complying with Sarbanes-Oxley. But the two-volume tome contains material that is technical and difficult to understand for all but accountants, CFOs, and general auditors of major corporations. Even for them, some of the material can be arcane and difficult to apply. Every possible risk is contemplated, but most managers will not be in a position to take responsibility for many risks inherent in a company. This is particularly true for entity, or top-level, controls designed to address specific risks that exist far from most managers’ area of influence. For instance, most managers do not have decision rights pertaining to the maintenance of corporate liquidity; nor do they need to understand concepts such as value-at-risk or Monte Carlo simulation. The CFO, treasurer, or a risk manager will normally be tasked to address liquidity, subject the company’s resources to stress-testing to ensure the financial viability of the organization, and regularly report the results to the CEO. Nevertheless, the management of these and other risks requiring highly trained specialists was appropriately contemplated in the COSO publication.

Consequently, for most managers, the vast majority of the publication does not apply to them in a practical way. If the framework were dropped on the desk of most general managers who are untrained in the art of internal control with instructions to implement it, they would not know where to begin. The same holds true for many control self-assessment workbooks. The idea is worthy: provide a template that managers can use to perform an assessment of how well their business is controlled. However, most are written by accountants in a language that is difficult to digest.

On the other extreme are publications by authoritative bodies such as the American Institute of Certified Public Accountants (AICPA) and the Institute of Internal Auditors (IIA). Many of these excellent books and pamphlets provide guidance for conducting audits of complex processes and direction for addressing esoteric accounting issues. But the majority of these too are for accountants and auditors, and are not practically useful to most managers—unless they are in need of a sedative.

Control advisory has been a constant part of my professional life. I am a certified public accountant with over 15 years’ experience in the field, and I recognized early on that all managers—not just auditors and accountants—needed to add control assessment skills to their set of business tools. So, over time, I developed the Control Smart approach to enable general managers to easily assess their own control structure. I continue empowering managers with this framework today. I am currently the director of audit for Weil, Gotshal and Manges, one of the largest law firms in the world and a leader in the practice of corporate governance, where I have global responsibility for evaluating the firm’s control structure. I previously worked as a managing director of operations at ING Barings, the global investment bank, as well as at Goldman Sachs and Deloitte & Touche, where I also helped clients wrestle with control issues. I have advised managers on many diverse subjects, from executive compensation and reengineering initiatives to due diligence on potential target companies. But no job is more vital to me than advising management on how to set up strong, cost-effective internal controls, not only because it is the right thing for the company and its shareholders, but also because it is the best course of action to protect and preserve the jobs of managers and the livelihood of their employees.

By writing this book, I hope to bring this exciting and unique approach to general managers everywhere. The Control Smart approach enables managers to identify the risk types affecting all businesses—and their owners—and to focus their energy on those areas where they can make a difference. Moreover, Control Smart helps them to identify control gaps, or procedural voids, in their business process that threaten the organization and to design process-level controls.

To put these threats into context and help you avoid similar pitfalls, the book contains numerous examples, most ripped from the headlines of our national media. You will come to understand how to apply the lessons learned from the embezzlement at Harvard University’s Hasty Pudding Theatricals, the fraud at Adelphia Communications, or the massive operational losses experienced by Firestone to your own business. Case studies will give you insight into the personalities at Enron and Tyco, which enabled a fraudulent culture, and show what one person did right to surface the smoke-and-mirrors accounting at WorldCom.

Once the framework is implemented, you will have a method to monitor the operational risks inherent in your business. Information and knowledge are empowering tools, and the ability to easily monitor operational risk will enable you to identify whether controls are working. Armed with this data, you can prevent or obtain early detection of fraud and operational loss. Knowing that your business is well controlled, you can focus on serving internal or external customers and developing your career.

Regardless of public perception, most executives are honest and want to do the right thing for their shareholders, employees, and other stakeholders. The lack of readily available management tools, combined with the urgency created by the Sarbanes-Oxley Act, has sent managers and board members scurrying back to school to bone up on accounting principles. However, a recent article in the New York Times indicates that this approach is not effective; but the landscape has changed and managers are doing what they can to adjust. What managers at all levels need is a simple, practical template to help them assess operational risk, arguably the one risk that all managers must address. This need is met by Manager’s Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud and the Control Smart approach, which is a powerful tool that will provide managers at all levels, from the board room to department management, with a template to prevent and detect fraud, embezzlement, and operational losses on their watch. More important, the approach has been developed to complement the COSO framework; to that end, it contains its basic components (control environment, risk assessment, control activities, information and communications, and monitoring) as they relate to most managers, and is presented in language that is comprehensible to nearly all managers. Put another way, Control Smart does not replace COSO, which addresses specific entity-level control activities, processes, and risks normally managed by specialists that are not relevant to the majority of managers. Rather, the Control Smart approach supports, and is intended to be used in conjunction with, the COSO framework by providing general managers with an easy-to-use, complementary tool that can be applied at the process level. I expect that most public companies will adopt COSO as their internal control framework.

By implementing the Control Smart approach, a manager will be able to identify, evaluate, and monitor controls for those processes under his or her watch, prepare many of the deliverables required by COSO and similar frameworks, demonstrate compliance with the intent and spirit of the Sarbanes-Oxley regulations as they relate to his or her operations, and, ultimately, sleep better at night. The by-product of this tool is the protection of a manager’s reputation, job security for his or her employees, and demonstration of fiduciary responsibility on behalf of shareholders.

I have endeavored to ensure this work is as up to date as possible. That said, inevitably, the outcome of many cases currently being litigated may impact the effectiveness of current legislation. There are credible movements afoot to water down certain provisions of the Sarbanes-Oxley Act; however, the final rule for management’s report on internal control over financial reporting has been issued by the SEC and will go into effect for most companies on or after June 15, 2004 (April 15, 2005 for companies with a market capitalization under $75 million). As such, every CEO and manager should expect that they will be called on to attest to the strength of their control environment. Whether a manager likes it or not, he or she will be held accountable for a fraud or operational loss occurring on his or her watch. A material control break or fraud can seriously damage and even end a career. The time to address this risk is now.

Whether you are a board member, senior executive, or a middle manager, this book is relevant to you. It will help you understand internal control, design a strong structure, and make certain that a major fraud or operational loss does not occur to a function under your charge and derail your career.
