Reaping the rewards
by Anthony Waller, 01 Jun 2006
Topic: Corporate governance

Achieving a company-wide programme of compliance may certainly be challenging, writes Anthony Waller, but the long-term benefits will be gratifying

Compliance seems to be the new management doctrine. Companies around the world are falling over themselves (or being dragged, kicking and screaming, depending on your point of view) to new heights of transparency and clarity. Internal audit or newly-formed compliance functions are leading the charge. But compliance is not just about the finance function. The final reported numbers are generated by processes that touch everybody. To achieve true lasting compliance demands buy-in from every discipline. This leverage is both a challenge and an opportunity for function heads to increase their sphere of influence and create new networks across the organisation.

The buzz word of the decade seems to be corporate governance (OK, buzz words to be pedantic). The image of Enron using off-balance sheet entities named after characters from Star Wars, and Tyco CEO Dennis Kozlowski buying shower curtains for the price most of us would spend on a new car, can make us think this is something new. But it’s not. Unscrupulous practice has dogged organisations for as long as we have had organisations. The model for good internal control, now used by most companies complying with Sarbanes-Oxley, was developed after the savings and loans crisis in the US in the mid to late 1980s. The south sea island bubble has been around so long, it is almost a myth. You can even find evidence of governance failures leading to the decline of the English Royal Navy, following the death of Queen Elizabeth I in the early 1600s.

We are on a journey, closing off the available avenues for the unscrupulous or downright criminal activities, and are nowhere near the end. Even in recent times, one advance in corporate governance has been followed hot on its heels by another. The COSO standard was finally published in 1992.
Cadbury, the British version, came about six months later. In just a few more years we had a Canadian standard, CoCo, and a standard for risk management published jointly in Australia and New Zealand. Now, almost every developed country has its own laws, regulations or guidance on how to ensure good corporate governance, and many have already been updated.

I don’t really have to comply, do I?

The common thread of these developments has been to widen and deepen the scope of compliance activities. Turnbull built on Cadbury in the UK by extending from financial to all business risks. Sarbanes-Oxley built on COSO by making compliance mandatory, rather than best practice, and backing it up with severe penalties. There are moves by the US, for example, to extradite a UK-based chief executive for what went on in his US subsidiary.

This added emphasis has given internal audit or compliance functions greater visibility and influence within companies. For many companies, perhaps more so with those having to comply with Sarbanes-Oxley, these have been narrowly focused on the traditional areas of control such as reconciliations, segregation of duties and approvals. Often, this is a top-down approach, which is not a bad approach, but often imposed on the business.

The common feature of all the governance laws or regulations, including Sarbanes-Oxley, is that even if the outputs over which comfort is required are strictly financial, the controls will, to some extent, lie in non-financial processes. Payroll costs will have controls in the human resources (HR) function. Revenue cycles will have controls in the sales department, especially when sales include revenue recognition. Where cheques are received, even the process to open the post can be a key control.

Compliance requires the support of the business outside of the finance team. As in any multifunctional project, active support of all participants will achieve a much better result than grudging acceptance.
Almost everyone understands that getting the whole business engaged is the right way to proceed. Few appear to have found the right way yet. Using the language of the whole business, not just “auditor speak”, is a key first step, removing a barrier to acceptance. Next, the focus needs to move to “value adding” for all participants; helping functional heads to achieve the things they want to, rather than occupying their time auditing.

Getting the tiger by the tail

But there is a price to pay for engaging the business. For some, the movement out of the comfort zone of auditing and compliance can be a big step to take. When regular business language and concepts are used, the auditee becomes more than a passive recipient - they will be encouraged to challenge and propose. And this is exactly what is required.

The great benefit for the business is the avenues of communication it opens up. This holistic view of control means that functions can both better contribute to the success of the whole and help others understand how their functions cause difficulties elsewhere.

We have described this brave new world of a business totally engaged in the compliance programme. But what will this look like? What will look different? Let’s take a few examples to show how it might look in practice.

HR has the responsibility for making sure the business has the right skills in the right places through recruitment and training. Having the right skills and knowledge is fundamental to the operation of controls. If we want to pay suppliers on time and accurately, and only the bona fide ones, those people involved in the process need to have a certain set of skills. Therefore, HR department processes are key controls. Improvements demanded by the audit committee flow directly through the compliance function to HR.

The procurement function has the responsibility for making sure that only the best suppliers are used.
This, then, achieves the objective that only approved suppliers are used, directly lining up with the compliance objectives.

The logistics function takes responsibility for the physical movement of goods. There are many processes to ensure that the correct goods are collected, moved and delivered as they should be.

Compliance with corporate governance regulation, or legislation, is a fact not an option, almost no matter where you are based or operate. To achieve that compliance will necessarily involve all functions in the organisation. And to make it work, the whole organisation needs to buy into the programme. This can be a challenge to the compliance function but is a fantastic opportunity for a wide swathe of functional heads. Those that embrace the change will reap the rewards.

Anthony Waller is client service director at Resources Global Professionals.


