Sarbanes-Oxley Act: HR’s Role in Ensuring Compliance
and Driving Cultural Change
Created by BNA Exclusively for ADP
COPYRIGHT © 2006 BY THE BUREAU OF NATIONAL AFFAIRS, INC., WASHINGTON, D.C.
OVERVIEW
Passed in the wake of Enron and other corporate scandals early this decade, the Sarbanes-Oxley Act of 2002 (SOX) has ushered in an unprecedented level of government oversight to the internal processes and controls of publicly traded companies. The objective of the Sarbanes-Oxley Act is to ensure that stockholders in public companies are given a clear picture of a corporation’s financial condition by mandating disclosure of all material financial or operational events, thereby preventing the kind of fraudulent financial practices that ensnared Enron Corp. and WorldCom Inc.
The sheer magnitude of personnel costs—40 percent to 60 percent of most companies’ budgets, according to one recent study—all but guarantees that the role of human resources in SOX compliance is a critical one. Furthermore, poorly performed or documented HR processes can open the door not only to SOX noncompliance but also to legal risks under federal employment laws. Financial losses from lawsuits filed against the company under these laws could, in turn, trigger further SOX liability.
But by leveraging its unique position as the crucial interface between an organization’s human element and its financial bottom line, HR also can help drive efforts to meet SOX’s regulatory requirements—and even change the organization’s culture and profitability in the process.
“To the extent that the HR department gave its blessing to activities that might have resulted in fines or penalties being levied, or which led to any kind of employment suit, HR executives might find themselves swept up in any Sarbanes-Oxley charges,” according to Peter Petesch, a partner with Ford & Harrison, LLP, Washington, D.C. “Therefore, it is incumbent upon HR to act vigorously in its ‘checks and balances’ role by squashing any violations before they occur, to supply training to staff on compliance with applicable ethics laws, and to have the ears of executives at the highest levels of the corporation.”
SOX by the Numbers: U.S. businesses over the short term will spend more to comply with SOX than any other government regulation, according to a March 2006 study by AMR Research. The study estimated that compliance with all government regulations and laws will cost U.S. companies $27.3 billion in 2006, with SOX compliance alone accounting for 22 percent of that, or $6 billion, the largest single segment. AMR estimated overall compliance spending will climb to $28 billion in 2007, with SOX again taking the largest share of that amount.
SECTIONS 404 AND 409 OF THE SARBANES-OXLEY ACT
Two provisions of SOX—sections 404 and 409—have particular impact on HR operations.
Section 404 requires companies to assess the adequacy of internal controls and processes that could affect financial reporting. A central repository of documented company processes is a crucial component of compliance with Section 404, and HR is involved in many of those processes, from payroll to pensions.
As of Nov. 15, 2004, publicly traded companies with market capitalization of more than $75 million were required to file annual SOX reports with the Securities and Exchange Commission (SEC) along with their regular financial disclosures. In March 2005, the SEC pushed back the compliance deadline by one year for companies with market capitalization of less than $75 million. Those companies now face Section 404 audits for fiscal years that begin on or after July 15, 2006.
Some human resources areas—such as payroll, accrued leave, and pension obligations—have always been subject to the scrutiny of outside auditors. But before SOX, “the auditor could just kick the tires,” said Lynn E. Turner, managing director of research at Glass Lewis & Co., an institutional investment research firm based in San Francisco. “Now, they have to state that the procedures are reasonable and working.”
Section 409 of the law is also particularly relevant to the HR function. This section requires real-time public disclosure to shareholders of financial and/or operational material changes. Section 409 is triggered by “any kind of movement of dollars,” said John Cooper, partner with the Hackett Group, an Atlanta-based consulting firm. Changes that might have a material impact on a company’s bottom line can come from a variety of places in a company, including the HR department. Some examples of material changes include:
• the departure of a CEO or other top executive;
• government fines or penalties;
• employment lawsuits;
• revision of benefits programs, such as converting to opt-out 401(k) programs or eliminating defined benefit retirement plans;
• new labor contracts; and
• noncash compensation, including awards and incentive programs.
SOX by the Numbers: A study conducted for the Big Four accounting firms by CRA International found that auditors in the first year of SOX tested an average of 669 key controls at larger companies (more than $700 million in revenue) and 262 at smaller companies (between $75 million and $700 million), at an average per-company cost of $2 million for larger companies and $423,000 for smaller companies. In year two of SOX audits, all of these figures fell by about 20 percent.
HR’S CRITICAL ROLE IN SOX COMPLIANCE
A SOX compliance audit looks at processes and asks whether they are documented, repeatable, automated, and auditable. Top management will look to HR for participation in SOX compliance not only to meet the needs of the particular audit, but also to evaluate and improve processes for the future integrity and profitability of the business.
“Given the importance of establishing proper controls and to re-look at processes and systems that ensure [compliance], Sarbanes-Oxley has given HR functions senior-level visibility” and support for instituting “best practices,” such as fully utilizing the functionality of information systems, said Steven Joyce, HR practice manager at The Hackett Group.
Management will expect HR to engage in risk management and to provide the executive suite with monthly risk assessments, said Cooper. HR also must ensure data integrity for the corporation’s personnel records since HR management systems track who works for the company, how they are paid, and what they are owed.
HR also acts as the gatekeeper for a wide variety of information systems and must develop visibility and transparency controls for critical information. Distribution lists for financial information must be kept up to date to prevent data from falling into the wrong hands.
Core HR management systems generally have the most current organizational structure. HR should be getting “much more use out of the functionality of their systems,” Cooper said. For example, HR’s automated system should be integrated with directory services, so that when an employee leaves, HR can automatically find all the passwords and access codes and replace or eliminate them. This process was “a big paper chase before,” he said.
The workforce also needs training to understand the complexity of the new disclosure and auditing regulations and how each employee can help preserve the company’s financial integrity. In addition, through training, HR management can reinforce the importance of compliance with other employment laws to reduce risk of fines and settlements that could be corporate liabilities under SOX. By tracking that the workforce has been educated on these responsibilities, HR can further demonstrate compliance during the annual SOX audit.
Key Roles for HR In SOX Compliance Efforts
SOX by the Numbers: Partly because of the increased scrutiny of SOX audits, nearly 1,200 U.S. companies filed financial restatements in 2005—about one for every 12 public companies, nearly double the number of restatements that were filed in 2004, according to a March 2006 Glass Lewis & Co. report. Another study, released by Lord & Benoit, reported that financial restatements reached record levels in 2003, 2004 and 2005.
EXAMINING INTERNAL CONTROLS
More than anything, SOX emphasizes the importance of internal controls to manage risks to investors. HR should examine internal processes to answer questions such as:
SECURITY Does the system provide application security? Does it track which employees have access to what programs and ensure that these access points are regularly updated to reflect personnel changes?
NOTIFICATION Does the system have event-based features that notify management when specific actions are required, such as performance reviews?
EDITING Is the system regularly edited to ensure data integrity?
ROUTING Does the system provide automatic routing of transactions, such as online salary administration by line managers?
CALCULATIONS Can the system automate complex calculations—for example, overtime obligations or eligibility for benefits?
QUALIFICATIONS Does the system include a database of qualifications for various positions, job descriptions, degree requirements, work permits, etc.?
REPORTING Does the system assist in compliance reporting to regulatory agencies, such as the Department of Labor and the Equal Employment Opportunity Commission?
A BNA Graphic/wfsspec