Public Company Controls for Private Companies
In the post-Halloween spirit, we thought we would talk about something that often scares the bejeesus out of CFOs and CEOs of public companies but doesn't have to: SOX.
The Sarbanes-Oxley Act (SOX) was enacted by the US government in 2002 in reaction to a number of financial and accounting scandals in large publicly traded companies. The government concluded that the scandals were a result of improper internal controls in the accounting departments of such companies.
SOX introduced unprecedented requirements on public companies and allowed the government to impose personal penalties on executives if their companies did not comply.
Some of our customers have to comply with SOX and as a result MV has been enhancing Profits Plus and developing procedures to support SOX compliance. Our experience is that the requirements of SOX are system-wide and span all modules in the software.
Our Take on SOX
This Act has not been without controversy. The article cited above includes separate sections for both praise and criticism of its mandates and requirements.
The praise generally talks about how this has made investing in public companies a little safer. The criticism centers on how a reaction to the actions of a few bad apples has punished the rest who didn't do anything wrong.
While we don’t think it’s productive for us to engage in that debate, it is productive for us to share our insight into anything related that may benefit a smaller, private company that may otherwise not pay attention to SOX.
The basic premise behind SOX is that by defining certain process-related requirements, companies will be more transparent and better managed. The idea is that such a discipline will make it harder for individuals in the company to take shortcuts and engage in questionable and potentially fraudulent activity that can put the entire company at risk.
In most private companies, the owners take an active role in management and usually have a good handle on the pulse of the firm. However, as these companies grow, it is possible for them to grow to a point where it is hard for the owners to pay attention to every single detail and also do what they have signed up for operationally.
This is where we feel that having SOX-like internal controls can benefit private companies. Certainly we are not suggesting that this be followed to a T as one would have to do in the case of a public company, but in a private company the owners have flexibilities that they can use to their advantage.
Instead, our recommendation is for owners to pick and choose enforcement, and select compliance-type processes in the specific functional areas that they feel are of concern. So, if Order Entry and Invoicing is smooth, transparent, and low-risk, keep that as it is. But the Accounts Payable module may need something in place to control outgoing cash and purchases.
Finally, our suggestion is to understand the specific requirement and make modifications to the procedures as necessary, so the spirit and purpose of the requirement is maintained.
A SOX Example in Accounts Payable
Here is a simple control mechanism to have in place in the Accounts Payable module:
Requirement: Personnel with access to A/P system are not authorized to sign checks.
Purpose: This simple provision minimizes unauthorized payments being processed from within the system. The subtle point, not obvious up front, is that the requirement can be read the other way: maybe certain personnel with check-signing privileges should not be allowed access to the A/P system.
This may seem counter-intuitive at first, but if you consider it carefully, this kind of rule has the same effect as requiring more than one person to process a payment. Often this is done by requiring two or more signatures on checks. But doing it with access control accomplishes a similar purpose, without adding another person to the signature card at the bank.
Implementation: Access to the A/P tasks or module is easily set up using Profits Plus password or module-level access capabilities.
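One way to check that this control actually holds is to compare the list of people with A/P access against the bank signature card. The script below is an added example, not part of Profits Plus or of the original article; the CSV layout, access levels, and user names are constructed assumptions.

```python
import csv
import io

# Constructed sample data: column names and access levels are assumptions,
# not a real Profits Plus export format.
ACCESS_CSV = """user,module,access
jsmith,AP,full
mlee,AP,read
mlee,OE,full
rpatel,GL,full
Owner1,AP,none
"""
# Constructed copy of the bank signature card (people who may sign checks).
SIGNERS = ["Owner1", "MLee ", "rpatel"]


def normalize(name):
    """Fold case and whitespace so 'MLee ' and 'mlee' match as one person."""
    return name.strip().lower()


def module_users(csv_text, module="AP"):
    """Return {user: access level} for everyone with any access to the module."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = row["access"].strip().lower()
        if row["module"].strip().upper() == module and level != "none":
            users[normalize(row["user"])] = level
    return users


def review(csv_text, signers, module="AP"):
    """Flag people holding both duties and list who remains in each role."""
    access = module_users(csv_text, module)
    signer_set = {normalize(s) for s in signers}
    conflicts = sorted((u, lvl) for u, lvl in access.items() if u in signer_set)
    conflicted = {u for u, _ in conflicts}
    return {
        "conflicts": conflicts,
        "ap_only": sorted(set(access) - conflicted),
        "signers_only": sorted(signer_set - conflicted),
        # The control still works only if both roles stay staffed by different people.
        "both_roles_staffed": bool(set(access) - conflicted) and bool(signer_set - conflicted),
    }


if __name__ == "__main__":
    for key, value in review(ACCESS_CSV, SIGNERS).items():
        print(f"{key}: {value}")
```

Any entry under "conflicts" is a person who can both enter a payable and sign the check, so either their A/P access or their place on the signature card should be removed.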
There is a complete list of Sarbanes-Oxley compliance requirements and our approach on how to handle this in Profits Plus.
We encourage you to give this some thought and implement the specific requirements that you believe would benefit your company. Our team is always happy to assist you with any questions you may have regarding setting up procedures in your company.
Wishing you a Turkey month and THANKS for being such a great customer!
Barbara, Cheryl, Jim, Joe, Neil, Vivek, and Pavan
phone: (248) 583-4110