Title How Soundly Do You Sleep At Night?
page39-47.pdf

Issue No. 1/2008 - Board Evaluation

By Yong Jiunn Siong

Advisory Partner

PricewaterhouseCoopers

 

Corporate accounting scandals that have rocked boardrooms and global capital markets around the world since the start of the millennium seem to have never left us. The million dollar question then would be why such corporate failures occur both internationally and in Singapore.

 

A multitude of possibilities including both internal and external factors could be drivers for such corporate failures. However, in most cases, the following scenarios (often in combination rather than singularly) may have provided the breeding ground for corporate failures:

• Weak or non-existent internal controls over area(s) of business operations

• Unnecessary pressure on individuals to perform and/or financial incentives that encourage inappropriate behaviours

• Absence of adequate monitoring controls further compounded by individuals in charge who may not have sufficient knowledge in these high-risk areas

• Management disregard for existing internal controls

 

Often, these corporate failures are spectacular only because they are detected late, after the chance to mitigate significant losses to the companies has passed.

 

Corporate governance reform in the United States

In the wake of corporate failures at Enron and Worldcom, the Public Company Accounting Reform and Investor Protection Act, also known as the Sarbanes-Oxley (SOX) Act, was passed in July 2002 in the United States (US). SOX was designed to improve the quality of financial reporting and corporate governance and to restore investor confidence in the US financial markets. Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs), commonly referred to as the “C-Suite”, together with Boards of Directors, and Audit Committees (AC) in particular, recognised their roles and responsibilities to investors. If internal control problems were not rectified in a timely manner, US public companies could face Securities and Exchange Commission (SEC) enforcement actions.

 

Transparent and reliable financial statements are sometimes taken for granted, and their importance to investors has never been more apparent or relevant than today. Current situations in other parts of the world are stark examples of this, and these markets are learning the painful lesson that investors will react to unexpected news.

 

Legislative response in the US

In the US, SOX required companies to evaluate the effectiveness of their internal control over financial reporting (ICOFR) and added the annual requirement that the C-Suite and their external auditors certify that the companies’ internal controls were effective. SOX also required the C-Suite to certify quarterly that the financial information in their reports was fairly presented and did not contain any untrue statements or omissions. Senior management and top managers were made accountable for problems the companies encountered, and the C-Suite were responsible for establishing, maintaining and designing internal controls with respect to the preparation of financial statements, with the AC having oversight over them.

 

Good ICOFR increases the reliability of financial reporting and gives CEOs and CFOs the confidence in signing off the results of the company. This in turn gives greater confidence to investors who rely on the results when making their investment decisions.

 

What evolved out of the SOX implementation process surprised many ACs. The detailed implementation process, comprising scrutiny of internal controls, financial reporting and accounting methods, unearthed problems in the way companies operated and other deficiencies at even the best of companies. Notable among these problems are:

• Little or insufficient internal controls surrounding the management and timely reporting of business and operational risks which could potentially result in significant financial losses.

• Personnel related problems, in particular the lack of qualified finance and accounting staff, insufficient segregation of duties and inadequate training/supervision.

• Ineffectiveness of accounting information systems leading to revenue recognition and other accounting/reporting issues.

• Lack of standardisation of processes/controls, which increases the risk of misstatements in the financial statements. For many global companies which had expanded operations into countries with differing cultures, business practices and in particular standards on financial reporting, this created a time bomb waiting to explode. SOX forced the standardisation of accounting processes and policies, resulting in fewer financial errors.

• Too many controls were being performed manually despite the fact that many companies were using sophisticated financial reporting systems. Generally, when controls are automated and the human element is removed, the risk of (human) error and fraud is reduced.

• Excessive access to applications, systems and sensitive data. Even when access control policies were in place, they were found to have been enforced haphazardly. Some SOX compliant companies have automated the management of user identities throughout their organisation (helping enforce compliance and limiting access to sensitive data to authorised users only) and incorporated access controls into coordinated business processes.

 

All of the above problems prevent the proper functioning of a company’s internal control system. It is worth noting that these problems were disclosed by the largest companies in the world.

 

A cost higher than compliance

While the SOX implementation costs may be high, the cost of corporate failure is higher. The collapse of Enron, Worldcom and other companies resulted in an estimated US$8 trillion decline in market capitalisation. In many companies, these costs were considered catch-up costs for the many decades of global expansion and growing of top-line revenue (and risk) where there had been insufficient focus on internal controls by management.

 

So how do we measure the benefits to be derived from improved internal control? This is especially difficult to quantify: frauds and corporate scandals which do not occur, the “incremental” share price from the improved branding and perception of the company or the general boost to investor confidence investing in the financial markets.

 

Forward-looking companies have used SOX compliance as an opportunity to improve their business performance and achieve competitive advantage and greater profitability. Many companies have also used the post-SOX years to improve their business processes and especially to automate their controls globally. By better understanding the risks companies are facing, and incorporating preventive or detective monitoring controls within business processes, companies are able to be more effective and efficient in their business operations.

 

Effective financial controls have also been further leveraged by elevating them into a wider enterprise risk management programme. Many risks faced by companies, although initially considered to be operational in nature, invariably have a financial impact which is ultimately reported in the financial statements.

 

The SOX regulations continue to be fine-tuned, and with the release of Auditing Standard No. 5 - An Audit of Internal Control over Financial Reporting that is integrated with an Audit of Financial Statements in June 2007, companies are on the path to better achieving the correct balance of costs versus benefits.

 

Guardians of corporate integrity and public interest

An AC is responsible for overseeing the financial reporting process of the company and its audits. AC members, being independent, qualified (especially in the basic principles of financial reporting) and having the ability to ask difficult probing questions, represent the guardians of public interest.

 

Under the 2005 Revised Code of Corporate Governance, the AC should review at least annually the adequacy of the company’s internal controls (financial, operational and compliance) and risk management policies and systems established by management. The Board of Directors should comment on the adequacy of the internal controls, including financial, operational and compliance controls, and risk management policies in the company’s annual report.

 

In my opinion, ACs empowered and ready to take appropriate action where the public interest is not protected is a wiser response than a tough regulatory approach.

What can Singapore public companies do?

 

With overall improved internal control, a company is on the path to reliable financial reporting to its investors and, in many cases, reduced instances of fraud.

 

Singapore directors, AC members and the C-Suite should think through the following questions:

• What are the main areas of risk in the company (a formal enterprise-wide risk assessment process)?

• Are there adequate internal controls in place to monitor them (documentation and regular evaluation of risks and internal controls)?

• Are there areas of potential fraud and management override which could occur in your organisation (anti-fraud controls)?

 

My personal experience is that SOX and similarly detailed internal control reviews represent the greatest continuous improvement programme for companies. It should be noted that external (financial) audits are not designed to detect incidences of fraud.

 

I recall what Lynn Turner, a former SEC Chief Accountant, said in the early days of SOX, “You either want good internal control or you do not”.