The (Surprising) Positives of Sarbanes-Oxley

Brian Lane
Baker Tilly

What? There have been positives?

Little has been written about positive outcomes arising from the Sarbanes-Oxley Act. Most commentary discusses the downsides of expenses, documentation, auditor expenses, etc. However, we have seen some advantages and they may present some considerations for the accounts receivable management (ARM) industry.

Most of the positives arose from the specific provisions that either required certain communications or promoted various ways for issues to be raised.

Section 302 quarterly certifications

Section 302 requires executives responsible for financial reporting to certify that internal controls are functioning as intended. The process many companies used to implement this created a series of cascading internal sub-certifications – essentially the executives with the official responsibility asked those under them to sign a similar certification. Many of those asked to sign sub-certifications used this process to either raise issues or remind leadership of various ongoing internal controls issues. They used the opportunity presented by the signing requirement to say, “Yes, the internal controls I am responsible for are working, except for ‘x’, ’y’, or ‘z’.”

Audit committee executive sessions

Post Sarbanes-Oxley, executive sessions, where key members of the external audit firm met with the audit committee without any internal corporate executives present, became much more candid. Audit committees began to hold management accountable for their actions. Discussions around issues, especially more subjective topics such as executive competency and performance, became a common topic.

The empowerment of internal audit functions

While internal audit functions were mandated for public companies by the Foreign Corrupt Practices Act during the Carter administration, Sarbanes-Oxley gave internal audit functions a significant boost. Executive leadership, now being held to higher standard, demanded and empowered internal audit to focus on higher risk topics and gave internal audit a stronger voice.

The bottom line

All of the above measures made it easier for employees within organizations to raise their hand and voice their concerns. We feel that while this is a softer topic, it is critical for an organization to identify and address its internal control issues.

What is the lesson learned for non-public companies that don’t need to comply with Sarbanes-Oxley? Creating an environment where it is acceptable, even encouraged, to raise issues can go a long way to improving an organization’s operations, including governance and internal control. Some practical steps that non-public companies can take:

• Tone at the top. Executives who encourage their direct reports to speak freely help to establish an open culture. In one story coming out of the turnaround at a large company, the CEO, after hearing overly positive status reports from executives, quietly put the briefing package down on the table and said, the company is not doing well and we need to be a lot more open about issues. When a member of the executive management team finally took the first step and informed the CEO of a problem at his division, the CEO applauded the acknowledgment of the problem and encouraged the entire executive team to help formulate a solution. He set expectations and the tone –and performance clearly turned around. 

• Training. Every company has its own style and methods of operations. Formally explain the best ways to raise issues when new hires come on board. Don’t let new hires thrash around in their first 6-12 months trying to figure out how improvements get identified and made. 

• Checkpoints. Have periodic checkpoints where employees can raise issues in a constructive manner. Some companies do this during quarterly group status meetings. Others take care of natural checkpoints in their yearly planning cycles, such as the budgeting process. 

• Expect some false positives. In an environment where you have various mechanisms for employees to raise their concerns, you are bound to have some issues raised that will turn out to be non-issues. This is OK – if employees worry that they have to always be right they will be reluctant to bring up anything.

About Baker Tilly

Baker Tilly is 12^th largest accounting & advisory firm in the US, with 2,500 professionals and offices in many major cities.

Services for the ARM Industry:

• CFPB and other Reg Exam Preparation
• SOC 1 & 2 reports
• Financial statement audits/reviews
• Corporate tax preparation and advocacy services 

About the Authors

Paul Becht is an audit partner at Baker Tilly in charge of the firm’s Debt Collection Services Group. Mr. Becht has over 15 years of experience in accounting and auditing debt buyers and debt collectors. He has helped clients assess their internal controls and satisfy their compliance requirements. He can be reached at paul.becht@bakertilly.com.

Brian Lane is a Partner at Baker Tilly with decades of experience assisting financial service organizations with internal control, governance, and regulatory compliance issues.  He has assisted clients to implement, test, and maintain their Sarbanes-Oxley compliance programs.    He can be reached at brian.lane@bakertilly.com.