By Steve Dalton and Aman Desouza
Recently, the U.S. Department of Justice issued a memorandum entitled “Individual Accountability for Corporate Wrongdoing.” The title sums up the issue pretty well: whenever a corporate misdeed is uncovered, the DOJ is advising investigators to take steps to identify and investigate the individuals responsible.
This is in line with a global trend, in which lawmakers and regulators are dialing up individual accountability around corporate wrongdoing. With new laws and regulations continually being enacted, it’s nearly impossible for companies to keep track of them all. The burden of compliance, and the risk of running afoul of one of the many regulations governing corporate responsibilities, continues to pile up.
Anyone in a finance department who must sign off on their financial reports recognizes their personal risks. CFOs, controllers, and audit committees must certify that their financial reports are materially correct, and also certify that their internal controls over financial reporting are effective. When you set your signature to paper, you’re signing off with faith and trust in your people and processes. Unfortunately, these processes are not necessarily documented, nor verifiable.
Many finance processes, such as paying a supplier or reimbursing employee expenses, rely on individuals following proper procedures. People, as we all know too well, are busy and prone to making mistakes, and controls are not always followed. Worse still, while controls can be automated in an ERP system, many controls are still manual in nature and dispersed throughout the organization, including in departments other than Finance.
This is where technology can play a critical role in your compliance efforts.
If you are in a position of signing off on financial reports, you must certify that you have strong internal controls; that the controls have been tested and that they work; and that material risks to your business are being well managed. Even though the majority of companies still use insecure and error-prone spreadsheets, some are now using technology as an enabler to help document their internal controls process and manage it in a secure, collaborative and streamlined fashion.
This allows the C-suite to focus on more strategic, undefined risks, which ultimately present a greater threat to the survival of the company. (As an example, if your business model is built on renting DVDs, and you fail to foresee the market trend away from DVD rentals and towards streaming video, that could mean the end of your business.)
It’s difficult, however, for any executive to focus on identifying strategic risks if he or she is overwhelmed by compliance and control issues that should be delegated to lower-level managers. And you can’t effectively delegate unless you have a mechanism in place to provide transparency and oversight.
Any organization concerned with SOX compliance (or similar mandates or frameworks, such as COSO, COBIT, OMB 123a or the Model Audit Rule) should consider risk and compliance software in order to provide that transparency and oversight. Companies that are looking down the road to an IPO, or that need to demonstrate financial reporting integrity to raise funds or satisfy investors, are also well-advised to consider automating their risk and compliance controls.
CFOs and controllers should look to software that:
Like most directives, it will take some time to digest the implications of the DOJ memo. Often, corporate leaders pay too little attention to a new regulation until someone else runs afoul of it, and it ends up in the news. By that time, it’s too late, and company executives are already out on a limb.
The time to take action is now, before the bough breaks.