Sarbox ABCs for the Rank and File

Concerned about compliance costs, companies are training employees in the ins and outs of Sarbox internal-controls rules.
Helen Shaw, October 13, 2005

Aquila, Inc., an electric utilities company, is so serious about complying with Sarbanes-Oxley Act internal-controls rules that it’s requiring all employees — from line workers to the chief executive officer — to complete an online ethics training program.

Indeed, the problems featured in the program reflect that range of participants. One example involves a meter reader who must read all the gauges on a particular route by the end of the day so that the readings will be included in this month’s billing cycle. At the end of the day, however, the meter reader hasn’t reached the end of the route, so a colleague offers to split the remainder of the route and suggests entering estimates for that part of it. The training materials examine the situation, explain that good internal controls practices dictate that estimated meter readings shouldn’t be used for bills, and instruct the meter reader to contact a supervisor for guidance.

The course also asks employees to create a “personal action plan” listing how they can meld lessons from the training with their daily responsibilities. In such plans, employees can identify which activities in their group they should monitor to ensure their operations run effectively.

Introduced last year, the one-hour course includes explanations of “Internal Control—Integrated Framework,” produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on the widely accepted COSO guidelines that Aquila has adopted, the course features hypothetical examples of work situations in which ethical values come into play.

After the course was first given, the program directed employees to a secure Web site to express anonymously any concerns they have about the business. Employees were asked to provide demographic information that includes whether or not they were union employees, the state in which they worked, and whether they were corporate or field employees. Aquila’s corporate compliance officer culled the responses and presented them to the board of directors, says Lynn Fountain, vice president of risk assessment and audit services at Aquila.

With a growing number of companies reportedly striving to cut costs by handling more compliance functions internally, executives at companies like Aquila are paying more attention to training employees about the ins and outs of Sarbanes-Oxley. In the early stages of compliance with Section 404 of the act, the provision that covers internal controls over financial reporting, businesses largely outsourced compliance functions because of time and personnel constraints, observed Anne Marchetti, the global practice director for governance and risk management at Parson Consulting.

Although companies expected compliance costs to decline this year, most haven’t experienced a reduction, Marchetti observes. “Part of that is because they have not developed an ongoing compliance plan and educated the organization,” says Marchetti. Indeed, compliance costs related to Sarbanes-Oxley will rise from $5.5 billion in 2004 to $6.1 billion in 2005, according to an estimate by AMR Research in Boston.

But cost concerns and plans to handle compliance in-house aren’t the only reasons companies might have plunged into the training game. Indeed, having a workforce savvy in the ways of Sarbox and COSO could in itself become a compliance necessity. “Companies have not thought of material weaknesses related to people, but it’s a possibility,” notes Michael Mellor, director of the change and program management effectiveness group at PricewaterhouseCoopers.

For example, one of PwC’s non-audit clients is overly dependent on the Big Four accounting firm for a specialty that Mellor declined to name. “The company’s auditors, not PwC, have routinely expressed concern about that company’s dependency on us,” he says.

Vividness Is All

Still, compliance with Sarbox 404 rules isn’t the stuff of everyone’s working day. So how can a corporation get its workforce into the swing of complying with the provision? Presenting the facts about controls to employees in a way that’s relevant and immediate boosts employees’ grasp of them, says Norman Marks, vice president of internal controls and process assurance at Maxtor, a supplier of hard-disk-drive storage with a market capitalization of over $1.1 billion.

During a conversation in Singapore last year with Maxtor’s vice president of finance for Asia, Marks drew a diagram of the COSO framework on his office board. “He still has it there,” noted Marks. “Talking about the different layers of control, the responsibility for Section 404, and who does what reinforces the understanding.”

For its part, Socket Communications, a $39 million market-cap company, conducts an on-the-job compliance training program for every employee, says CFO David Dunlap. “Most of it is focused on the general concepts of Sarbanes-Oxley,” he explains.

Socket managers, as well as other employees, train workers who must sign off on documents or transactions. The workers learn how to segregate duties, use online checklists confirming the completion of procedures, and handle the approvals they’re required to make. The reason that supervisors or experienced peer-level employees can conduct such training personally is that the company has just 70 employees.

At Maxtor, the work of the internal controls staff provides the added benefit of buttressing employee training. During “walk-throughs” at various company departments aimed at helping to prepare senior management’s controls assessments, staff members talk with employees and managers about documentation of their work. Marks adds that the walk-throughs inadvertently provided another advantage: the company learned that some employees in different offices were unknowingly duplicating work.

“Completing all the work required to document, assess, and test the key controls that together comprise the system of internal control over financial reporting is a challenge, but we have got to make it into an opportunity,” said Marks.

Training can also help move compliance from one-off project status to that of an ongoing program that becomes part of the culture, observes Deloitte Consulting’s Lee Dittmar, leader of the enterprise governance practice and co-leader of the firm’s Sarbanes-Oxley service. To do that, though, managers often must try to change a culture in which employees merely follow orders to one in which they question how senior executives are portraying company performance, he said.

Persistent employee training, in short, is the only way to drive the importance of compliance throughout an organization, according to Dittmar. “It’s not one Webinar or training course,” he adds. “This is a permanent addition to the ongoing education and training curriculum in the modern organization.”