INSURANCE AND FINANCIAL services planners be warned: If your internal auditing department hasn't yet taken an interest in your meeting spend documentation, it's only a matter of time. That's because section 404 of the Sarbanes-Oxley Act — a bill enacted in 2002 to increase corporate responsibility and curtail accounting scandals — recently became law for some large public companies.
The upshot of SOX section 404, says David Kaufman, a partner in New York-based Acquis Consulting Group and speaker at the 2004 ICPA Annual Meeting in November, is that planners will need to show not just that numbers are correct, but that processes are audited and controlled.
Kaufman should know: He is a former auditor who for the past 10 years has been working with large and mid-sized companies in the areas of strategy, process improvement, and cost reduction, with a specialization in corporate travel and meetings. His standing-room-only seminar created quite the buzz with ICPA attendees, about 40 percent of whom were with companies that have already begun to involve them in SOX compliance. Most planners haven't been through this before, since SOX is new. By this time next year, Kaufman predicts that the recognition factor of SOX will shoot up to 90 percent.
ICP: Why should Corporate America, and the insurance and financial industry in particular, be concerned about SOX compliance?
David Kaufman: SOX is new and it is having a snowballing effect. As companies become more involved in SOX compliance, it is hitting various departments and employees hard and creating a large impact that affects everyone in the company. Financial and insurance companies have generally been more in tune with control issues, and are under greater scrutiny than other industries, due to the financial implications of what they do. For these companies, SOX will put more structure around the controls and documentation that should already be in place. What's different about SOX compared to other industry regulations is that it will also focus on areas traditionally considered noncore — such as meeting planning.
How does section 404 of SOX affect meeting planning departments?
This section, which requires companies to provide a report that demonstrates appropriate internal controls and control effectiveness, and also requires that registered external auditors attest to the controls report, will have the most impact on meeting planners. It requires documentation not only of the processes, policies, and procedures that are in place — but companies must relate the controls to the policies and procedures.
Meeting planners need to focus on areas where there are risks of error, fraud, or noncompliance with policies, and document the controls that are in place to mitigate those risks. This covers the scope of the planner's job description, including site selection criteria, requests for proposals, planning and organization of activities at meetings, post-meeting activities, and contractual agreements. SOX doesn't state what the approval process needs to be for booking a vendor such as a hotel, but planners should have a documentation process for each expenditure with a provider, and it should lay out what type of approval they need, and in what form. The documentation should also point out what controls are in place to ensure compliance with corporate policies.
The SOX legislation applies to publicly traded companies in the United States. Why should private companies also be concerned about compliance?
Two reasons: first, SOX is based on best practices. Concepts such as documentation, auditing, and controls should be in place in all organizations. Second, most private companies work in some capacity with public companies. Those public companies are going to want to work with companies that are SOX-compliant themselves.
Do you think there is any danger that the kind of corporate scandals that led to SOX could lead to investigations of travel incentive programs in the financial and insurance industry?
Because of SOX, there will be a focus on high-risk areas within companies, travel and incentives being one of them. Companies will need to make sure they can justify their expenditures for incentive programs and document that the programs are appropriate for the business, are justifiable, and are consistent in the way they are awarded. That said, unless incentive programs are repeatedly found to be at risk, or are specifically targeted by the media, I don't foresee a large-scale focus on them.
What can planners do to set up a compliance road map? If an area is unclear, what is the best strategy?
Companies can vary so much in a direct comparison of their processes and technologies that each compliance road map would be specific only to that one company. That said, planners should begin with a comprehensive assessment of the controls and documentation they currently have in place. Then they should identify all areas of risk, including fraud, errors, or inconsistency between policies, and mitigate these risks with controls — or with documentation on why the risk is acceptable. One of the most difficult jobs for a meeting planner is going to be choosing a format for documentation. While planners should be soliciting feedback from their accounting or auditing departments, some companies are even setting up internal SOX teams. Planners should ask these internal departments for basic documentation templates.
For SOX compliance, some experts say that senior management should sign off on meeting objectives and even meeting contracts. Do you agree?
What auditors look at, more than the actual rule, is that a procedural rule on contracts is put in place and is followed consistently. Having senior management sign off on meeting objectives and contracts could be helpful to planners, but this doesn't mean you should get the CFO's signature for every meeting expenditure — that would be burdensome and counterproductive. Planners need to maintain control of their responsibilities without taking on too much personal risk. It's about balance. If you typically sign vendor contracts and something unique comes up that hasn't been written before, even if it seems minor, you might want to get someone senior to you to sign off on that contract to protect yourself.
Can you give any advice on what external auditors will be looking for? Any red flags?
Auditors, like everyone else, appreciate it when their job is made easier. Their task is to highlight risks and show controls. Planners would be better off admitting risks and their mitigation upfront, rather than denying that risks exist.
The documentation of processes needs to be detailed but clear and easy to follow. Use process flow charts, outlines, and lists to help with the organization. If you can't easily explain it, or someone can't pick up the documentation and understand it, you haven't successfully completed the task. Also, auditors will be focusing on control lists. These should be tied in directly to the process flows. I like the idea of putting a symbol for controls within the process documentation, so the auditor can easily match the process to the control.
If I were asked to give just one piece of advice, it would be: Protect yourself. Document, communicate, and don't make decisions that could be deemed inappropriate.
TOP 10 LIST
What planners can do right now to jump-start SOX compliance
- Clean your house. If you have been doing something in the “gray area,” stop now.
- Document your processes in a clear and consistent manner.
- Create or update your corporate travel and meeting management policies.
- Admit control weaknesses, but document how to fix or mitigate them.
- Work as a team with appropriate colleagues in your company, such as internal auditors.
- Use this time as an opportunity to improve processes, systems, and documentation.
- Don't overcompensate by putting in unnecessary controls. For example, having a policy that states four people need to sign contracts rather than one or two can open up the company to more risk if the policy is not followed.
- Realize that this is a continuous change in your job, not a one-time thing.
- Speak to others in your company about what they are doing for compliance.
- Protect yourself by having documentation on any changes to, or departures from, policy.