Sarbanes Oxley(SOX) and Credit Management
[ Senator Paul S. Sarbanes | Congressman Michael G. Oxley The Authors of Sarbanes Oxley Act ]
The Sarbanes-Oxley Act, enacted in July 2002, is a direct result of the large accounting scandals that had occurred over the last several years and shaken the very foundation of public accounting. Simply stated, Sarbanes-Oxley is a reform designed to institute stricter financial controls and reporting, and assure that financial reports are written in easily understandable language. Reports must be certified by the CEO, the CFO and signed off by independent auditors. As the full name, the Public Company Accounting Reform and Investor Protection Act implies, the Sarbanes-Oxley Act is designed to avoid the rampant irregularities and surprises that were discovered in 2001 and 2002, and to protect the public and investors.
Although Sarbanes-Oxley is designed for public companies with a market capitalization of over $75 million (U.S.), the expectation is that small companies will not be exempt, specifically companies with the hopes of eventually going public. As a result, the Sarbanes-Oxley Act is going to have far-reaching repercussions for many companies and its effect will be felt throughout the organization across many different departments.
It is also changing the way credit and collections function is being handled both by public limited and privately held companies. Yet being in its very nascent stage the Act finds Credit associates navigating areas that are still uncharted. The section that should be of specific concern to credit management is section 404. This section deals with internal controls, an area that credit management is closely associated with. The section adds the responsibility of having SOX-compliant credit policies and procedures for the credit function. Additionally, the credit department may have to provide and or obtain certification for the process and work performed in their domain. This implies increased roles of responsibility and risk for the credit professional.
The Key impact of SOX revolves arount three sections of the act and they are Section 302, 404 and 409.
•Section302: Officers of the company must make representations related to the disclosure of controls, procedures, internal controls and assurance from fraud.
•Section404: The company must provide an annual assessment as to the effectiveness of internal controls in financial reporting and obtain an attestation from external auditors that the controls are effective.
•Section409: The company must disclose to the public on a "rapid and current basis" material changes to the firm's financial condition.
The Certification responsibility stems from the requirements under section 302 of the Act. The Section requires that the principal executive officer (CEO) and principal financial officer (CFO) certify in each annual (10-K) or quarterly report (10Q) filed with the SEC that:
1.the signing officers have reviewed the report;
2.there are no untrue statements of material facts or omissions of material facts that might be misleading;
3.the financial statements fairly present in all material respects the financial condition of the issuer;
4.the signing officers have established internal controls to ensure the prompt and accurate reporting of material information to them;
5.the auditors have been made aware of any significant deficiencies in the internal controls that would affect the accurate reporting of material information; and
6.the auditors have been made aware of any fraud, material or otherwise, involving management or other employees who have a significant role in the company's internal controls.
Since Credit Management plays a significant role in the company's internal controls and risk management due to its close proximity to accounts receivable, the credit administration becomes a subset of the overall certification process.
Questions being asked in these uncharted SOX waters are:
•What is the definition of 'significant controls', 'significant deficiency' and 'material weakness'?
•How does one cover 'additional gaps' when there is not ample clarity on what are these gaps?
•How to balance additional workload and paperwork for SOX compliance while managing the day to day credit operations?
•How to manage a balance and bridge between System Implementation and Control Implementation?
•How to Budget the additional costs of SOX compliance?
•How to build dashboard reports of real-time analysis under Section 409?
•What would be the consequence of attestation?
The reforms initiated by SOX will pay off in terms of the focus of the section 404 compliance effort will prompt executives to evaluate overall operations, not just design of controls, and thus derive new business value from the data captured during the compliance process.
Under Section 906 of the Act, a CEO or CFO who certifies a report "knowing" that it does not comport with all the requirements of the Act is liable to a fine of up to US$1 million or imprisonment for up to ten years, or both. If the CEO or CFO "willfully" certifies a report "knowing" it does not comport with all the requirements of the Act, they may be subject to a fine of up to US$5 million or imprisonment of up to 20 years, or both. Knowing the difference between "knowing" and "willfully knowing" could also impact case law with the passage of time.