Archive

Archive for the ‘Sarbanes Oxley’ Category

Small Company Structure vs. Internal Controls….

June 11th, 2009 Comments off

     During one of my prior engagements I was challenged with a situation in which we had a serious possibility of fraudulent accounting activities. The source was one of our foreign offices, which had only a small operating staff, and even worse, only a few accounting folks. There was not a broad enough staff to implement all the necessary levels of control to have a strong level of comfort to say all was operating perfectly. What triggered the entire situation was the combination of operating expenses that continued to exceed Budget in a very material way, as well as the delay, or cancellation of payments for shipments into their country. What was even more amusing was the fact that the country entity even passed a corporate audit after improprieties were suspected. After I was given the green light for a surprise audit, as a inter-country supplier, we effectively blew the lid off what was happening within that country. I’m actually quite proud of the work that was done on that situation.

     There real question though is how do you put effective controls in place to prevent fraud or other improprieties? In my current engagement, I find myself with a company that has a Finance staff that is much leaner than normal for a company of this size. Fortunately I have a GREAT staff that I am able push hard and we have implemented new documentation, new control procedures, and a level of financial reporting that is consistent with GAAP and fully supported with all the necessary documentation. So what’s the big deal? Try reaching this level with a small entity, where habits are long-lived, and financial disciplines are an afterthought.  To the Company’s credit, we also have great Management team that is both open, and supportive, of the change. They’re also seeing the benefits of the improved financial reporting on their ability to run the business and make informed decision. Great, so we now have solid reporting. What next?

     Next is the task of putting a more rigid control structure in place and implementing regular audit procedures that will prevent the temptation or likelihood that fraud will be perpetrated against the Company. But how do you do this when you don’t have the resources to add additional headcount, engage external resources, or implement new software platforms?  It comes through the diligence and integrity of the existing staff and cross-testing the existing resources. In the most elemental spirits of internal audit and Sarbanes-Oxley, it comes from having an effective control environment, appropriate risk assessments, as well as the necessary monitoring to determine that all controls are effective and that any necessary correction actions are undertaken. 

But our Company doesn’t have it’s financials audited?

-But our Company does not have an Audit Committee?

     Doesn’t matter…create the necessary level of communication with the Shareholders and Executive Team and keep them informed as to how the resources of the company are being protected. Ultimately, the inattention to these areas, will at a minimum, result in funds being diverted from the Company, or worse, could lead to the demise of the Company.  In a positive outcome, the actions taken will lead to a significantly higher level of trust in the financials and a higher valuation as it might relate to any acquisition activities your Company may find itself in. What is your commitment to ensuring that the proper controls are in place?

Thanks for reading . . . .

Jeffrey Ishmael

Quality Control…or is it Quality of Controls?

September 17th, 2008 Comments off

It’s a bit disheartening to continue reading about so many instances the last few days of internal fraud carried out at both private and public companies. There’s no need to look any farther than CFO.com to see examples in the last few day, which include American Intl. Pasta Company (fraudulent reporting), Hilfiger ($19m embezzled), and Quest ($10m “questionable” transfer). As a Finance professional who has worked at both smaller and larger entities, the biggest question I have is what were the levels of audit / control that were supposed to be in place and why didn’t they detect this activity sooner? It’s an easy question to ask but we don’t need to look any farther than some of the most recognized institutions, which have some of the most stringent controls, for examples of controls gone bad. Do you recall the collapse of that English banking institution formerly known as Barings as a result of the futures trading and wiping out the banks reserves entirely? How about more recently, Jerome Kerviel of Societe Generale and his 7.2 billion Euro loss on his futures trading?
Whether public or private, every company needs to have these levels of control in place to detect potential mis-dealings by employees. And it’s not going to be found just within the Finance department. It’s going to be found in Purchasing, Marketing, Logistics, and every other functional area of the organization. It’s not just going to be in the form of embezzled funds, but in inappropriate relationships, kickbacks, or even something as elaborate as a shell corporation, which I discovered had been set up by a country manager at our Mexican subsidiary. The foundation for having these controls is not just the documentation of certain processes. It needs to start at the top of the organization and putting in place an environment of control that communicates to employees what their span of authority is. Defining what their decision making limits are, and if pending decisions are outside of those limits, what the escalation process is for approval.

Within the scope of a SOX framework, it outlines the need for a “suitable and recognized control framework”. There are a number of segments that comprise this framework, but from overall view, there key areas to address. These areas include, as discussed, a Control Environment, Risk Assessment, Information / Communication, and Monitoring. Now, as I’ve mentioned with all my posts, this is only meant as a summary and not an exhaustive commentary. Our ultimate goal as Finance professionals should be the ability to generate company financials that are free from error and allow the key players in the organization to make informed business decisions. To generate information that can be trusted and relied on in the growth of the business. Only after we have managed to deliver this, as a functional area, can we fullfill the remainder of our role as an advisor on other corporate matters.

It would be easy to spend a week discussing the topic of internal controls, structuring an internal audit, and the follow-up activities of such an audit. Not quite possible here. The intent here is to have you consider the topic, whether it’s appropriately addressed within your organization, or that maybe it’s in need of a refresher due to material changes in staff, market, or regulations. What is the Quality of your Controls?

Thanks for reading . . . .

When SOX is undermined by the actions of management…..

April 25th, 2008 Comments off

     With only the best intentions, the Sarbanes Oxley Act was enacted in 2002 as federal law in response to a number of high-profile accounting scandals that rocked the financial markets and individual investor trust.  The Act also established the formation of the PCAOB, or Public Company Accounting Oversight Board, which is entrusted to oversee, regulate, inspect, and discipline the work of accounting firms regarding public companies.  The Act also provides guidance on major other issues such as auditor independence, corporate governance, internal controls, as well as enhanced financial disclosures.

     With almost six years since the passing of SOX, the vast majority of public firms have moved well beyond the implementation, testing, and validation phase to now begin working on new major projects.  Further, I have been seeing a shift in the demand for new candidates softening in this area since most implementations are complete and internal audit departments are established.        So all of this must be fantastic for the individual investor and trust must certainly be building exponentially in the public markets?  Right?  Not necessarily……      Let’s take a look at one company, who’s management seems to have undermined the effectiveness of SOX through ineffective forecasting, poor communication, and inattention to key corporate performance indicators.  My company of choice for this analogy is Crocs, Inc. (CROX).

 

Read my full commentary in Undermining Sarbanes-Oxley .