"We are not a public company, why should we worry about SOX compliance?"
"Becoming and staying SOX compliant is very costly; we can’t afford that right now."
"All of those internal controls only get in the way of running our business."
Over the years, we have heard all of these comments and more from some very well-meaning people. But all of the statements are misguided.
Waiting until a company goes through an IPO to start working on SOX compliance is not only unwise but can lead to much greater expense after the IPO. Well-designed internal controls should not be a hindrance to running the business. And having the correct amount of internal controls is not very costly.
In my experience as both a Big 4 auditor and an accountant in private industry, I have worked for companies that range from very small (no revenue and fewer than 25 employees) to very large (over $5 billion in revenue and more than 5,000 employees in over 125 countries), and I have learned that well-designed, right-sized internal controls can be your best friend.
Years ago, I was in the Army when they decided to begin giving credit cards to each of their supply sergeants. While this took a load off of the logistical infrastructure required to move supplies all around the world, it opened up a Pandora’s Box for spending, as there were few controls in place at the beginning. Each unit in the Army was required to designate an officer to be in charge of the credit card purchases made by that unit and draft a policy regarding the use of credit cards. You can imagine the numerous versions of policies that were created by officers, often with little or no previous experience in how to safeguard against purchases that were unnecessary and often downright fraudulent.
Upon leaving the Army and starting an accounting career, I received training about fraudulent activities conducted by people who worked in the accounting department. When the subject came up regarding why people participated in fraudulent activities, the answer was, “Because I could. Nobody was watching.”
Running a business without internal controls may invite people to try to get away with fraud. It has often been said that “padlocks only keep honest people honest. The thieves are not going to stop because of the lock.” It can be similarly said that internal controls will not prevent fraud, but they will deter honest people from taking a risk.
There are two keys to remember when putting internal controls in place:
You don’t need any ‘extra’ internal controls (i.e., enough is enough).
Controls should support your business model – not interfere with it or slow it down.
In 2003, while I was working at a mid-sized public hardware company, SOX compliance was a new thing. We were all trying to figure out what was required and how to do it – both auditors and accountants. A decision was made to document all of our internal controls and test every one of them. This led to an enormous amount of work for a relatively small company. While not every company used this approach, it was evident after several years that many companies (including my employer) were erring on the side of doing too much. This led the PCAOB to publish guidance that companies should ‘right-size’ the number of controls. This number could vary from one company to the next as long as you could reasonably demonstrate that the company had enough controls to produce reliable and timely financial information. Over time, many companies have learned where the balance is, and don’t try to earn extra points by doing any more than is necessary.
It is common in companies that manufacture and sell tangible products to count their inventory every so often at the end of a period (at least quarterly). In the past it was not unusual to stop all shipping and receiving activities for a period of time in order to complete this count. But for a company struggling to meet their revenue goals for a year, any stoppage of shipping products leads to a problem. So many of these companies have now learned how to perform this critical internal control without interfering with the shipments that need to go out. Internal controls should be designed so they do not interfere with running the business, whether in shipping products, delivering software or automatically processing a credit card payment.
The following action plan results from a few simple questions:
Do you feel your company is the ‘Wild West’ with no controls?
Do you feel your company's controls are constantly getting in your way?
If I came to your company and asked two different people what controls are in place regarding paying your employees, would I get dramatically different answers?
If you honestly consider these questions and are not happy with the answers you come up with, you should consider talking with a financial consulting firm like Ravix Group. We have people on our team who have extensive experience with setting up and documenting internal controls, making sure you have enough but not too many controls, and designing controls that fit your business model and help it run efficiently.