Managing the Sarbanes-Oxley Project

At the close of the last century, public corporations raced to meet the Y2K challenge. Now, during the initial few years of this century, these same corporations are racing to meet another deadline: compliance with the Section 404 requirements of the Sarbanes-Oxley (SOx) legislation.
Compliance with this legislation requires effective implementation of project management disciplines.

History of SOx

The SOx legislation was passed because of a number of abuses that occurred in public corporations during the economic upswing and decline of the 1990s.
The abuses were quite numerous and ruinous. Some key abuses included providing low-interest loans to executives; issuing complex stock option schemes; using "structured financing" techniques; booking tenuous profits to meet market expectations; providing golden parachutes; placing people in executive positions who lacked the requisite skills and experience; and weakening the professional relationships among corporations, banking institutions, and auditing firms. In time, well-known firms began hitting the headlines over one or more of the abuses mentioned above: Enron, Andersen, Tyco, and WorldCom.

In response to these abuses and others, Congress passed the SOx legislation to preclude such circumstances and to deal with them more effectively in the future; however, not without substantial cost. Estimates of the cost of complying with the legislation range anywhere from tens of billions to hundreds of billions of dollars. A study by the Johnsson Group, Inc. noted that a $3 billion company will spend anywhere from $3.5 to $9.5 million to comply with SOx and will then have to expend millions per year on sustaining costs [1].

Despite these high projected up-front and sustaining costs, SOx offers several potential benefits.
Perhaps most importantly, it can help to restore investor confidence in financial reporting by addressing issues like ethics, security, audit controls, due diligence, financial relationships, responsibility, accountability, generally accepted accounting principles (GAAP), and shareholder value. Other benefits include increasing the chances for good governance practices by setting the right "tone at the top"; clarifying expectations and improving relationships among the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Board of Directors, Audit Committee, line management, employees, and investors; and satisfying the emerging requirements, rules, and standards of exchanges like the NYSE and NASDAQ. Consequently, the opportunities for fraudulent financial reporting and improper expenditure of monies will likely lessen.

The legislation also necessitates greater attention to the risks that confront enterprises, especially those affecting financial performance. These risks relate to topics like information technology, reputation, terrorism, environment, exchange rates, and lawsuits.

Scope of SOx

The SOx legislation is divided into several sections that deal with audit standards and reporting; approvals by the audit committee of a public company; certification of contents in quarterly and annual reports; and financial disclosure.

Section 404 of the legislation poses the greatest challenge to public corporations and is consuming considerable resources for demonstrating compliance. This section involves establishing, maintaining, and assessing an effective internal control structure for public corporations. At the conclusion of the project, this section requires that the annual report contain a report on the adequacy of internal controls and a statement that management has the responsibility to institute and sustain an internal control structure.
To make those statements with confidence, considerable work is necessary before external auditors and senior management can, respectively, attest to and certify the internal control structure. Critical activities under the section include documenting the key existing controls for both business processes and the supporting information technology (IT) applications and infrastructure; conducting tests to determine the degree of scalability; and certifying and attesting to the adequacy of the controls.

To ensure that the intent of the legislation is implemented successfully, the Securities and Exchange Commission (SEC) established a five-member board called the Public Company Accounting Oversight Board (PCAOB). The Board provides direction on the application of the legislation and sets auditing standards for financial reporting.

Congress often passes legislation that leaves regulatory agencies to define the details and their implementation. SOx is no exception. PCAOB has had to provide the direction and guidance for satisfying many of the requirements of the legislation. Areas addressed include the attestation and certification of controls; accountability; responsibility; authority; and disclosure. Although a good degree of the direction is complete, there is still considerable room for interpretation and misinterpretation, resulting in rework and considerable slippage in progress. These decisions on direction have had, and will continue to have, a profound impact on corporations as they strive to comply with Section 404 of the legislation.

Project Management - the Key

Project management disciplines are the most efficient and effective means for managing this type of project. These disciplines are: providing a vision for the project; managing requirements; developing a meaningful schedule; communicating effectively; defining roles and responsibilities; and collecting status regularly.

Providing a vision. The vision behind the SOx legislation was not clearly articulated, leaving PCAOB, corporations, and external auditors to define that vision. PCAOB has been vague in answering questions of scope, materiality, methodology, and models. This circumstance has led to gradual expansion and contraction of scope throughout the life cycle of many SOx projects.

An effective tool to develop and sustain the vision is a project charter. This document provides a sense of direction to immediate team members and the other stakeholders. The charter for the SOx project also provides a basis for managing the vague and evolving requirements of the legislation. It will further help in determining the processes and applications to cover and in segregating them according to risk level, e.g., high, medium, or low. It also helps in determining the processes to cover based on the level of materiality; defining the key controls; and presenting the evidence to demonstrate compliance.

At minimum, the project charter should include a description of SOx and its relationship to the corporation; the goals and objectives for the project; and what is and is not in scope from business process, IT application, and IT infrastructure perspectives. Other topics the charter can cover are issues and concerns surrounding financial reporting and outsourcing; major deliverables; as well as tasks, schedule phases, and major milestones. Ultimately, the charter needs to be approved by the core team members.

Managing requirements. The evolving vision behind SOx makes managing requirements quite difficult. Considerable disagreement exists among internal and external experts over what really constitutes high-, medium-, and low-risk processes and applications; what the appropriate level of materiality is; what constitutes a key control and its attributes; and what constitutes a credible body of evidence. Such evolving issues make defining and interpreting requirements very difficult and can add to the complexity, length, and cost of a SOx project because rework can become the norm rather than the exception. Questions frequently arise over what documentation is necessary for certification; its accompanying level of detail; and the criteria for completion. Then, there are differences over the standards of what internal staff and external auditors consider adequate for compliance with the SOx legislation. These circumstances become even more intense as time, expertise, and budget become limited.

Change management becomes, therefore, very important. However, it must be more flexible than usual to deal with a moving target. That's because PCAOB and external auditors are still trying to "get a fix" on their requirements to determine what constitutes certification. Processes and applications are examples of what will likely move in and out of scope as the requirements change and the project progresses through its life cycle. The project manager really has no option but to accept a change or risk the company not being certified. Change management, then, becomes more of a means to determine the impact of a change and to adjust accordingly. There really is no option to reject a change, as there would be in an engineering or information technology environment.

The key elements for change management include collecting and identifying changes; categorizing them according to priority and impact; and determining if and when they should be implemented. Establishing a change board to help in the determination of changes can prove quite useful. The board consists of key stakeholders who meet regularly to determine the fate of any changes. Specifically, they look at impacts to cost, schedule, and quality and then decide whether to accept or reject a change.

A good practice is to produce a change management document. This document should include information on the roles and responsibilities of the change board in general and its members in particular; the recording and disposition of changes; requirements for analysis; and the medium selected to capture changes. The document should be readily available for reference, e.g., posted to a web site.

Developing a meaningful schedule. Because SOx is unprecedented and so much ambiguity surrounds its vision and requirements, developing a schedule is difficult.
There is no basis for estimating the work to be done; the work often requires considerable rework, especially when PCAOB and external auditors shift requirements; and there is a pervasive lack of expertise. Still, a schedule is critical because it serves as a road map to navigate the turbulent waters of SOx.

However, it requires deviating from the existing mental model of what constitutes effective scheduling. The schedule must be seen as a living, dynamic game plan. It cannot be treated as "fixed in concrete." Changes to the schedule will require altering the baseline as PCAOB and external auditors make the requirements more definitive. Hence, changes to dependencies, estimates, and deliverables must be considered the norm in order to deal with the large degree of unknowns and ambiguities.

The schedule, therefore, becomes a guide rather than a standard. Because of the ambiguities and shifts in requirements, a rigid game plan may lead to a mismatch between what is happening and what should be happening. The eventual result may be a "layered cake" effect, whereby the top layer does not align with the lower one. When that happens, confidence in the schedule wanes. To avoid that, changes to the baseline must be decided quickly.

Copyright © PROJECTmagazine 1998 - 2019, for practical project management information. All rights reserved.