The Sarbanes-Oxley Act and Incentive Compensation Management. What Sarbanes-Oxley Means for the Future and How Companies can Prepare for it Now

Transcription

1 The Sarbanes-Oxley Act and Incentive Compensation Management What Sarbanes-Oxley Means for the Future and How Companies can Prepare for it Now

2 Executive Summary The Sarbanes-Oxley Act of 2002 has been described as the most sweeping piece of legislation to impact corporate governance, disclosure and accounting since the Securities Act of It s all that and more. Passed in response to the liberties that executives at Enron, WorldCom, Global Crossing, Adelphia and other troubled companies had been taking to make their numbers look good and their wallets fatter, Sarbanes-Oxley is intended to provide better protection to investors by improving the accuracy and reliability of corporate reporting and financial disclosures. Specifically, Sarbanes-Oxley attempts to achieve this goal by legislating: An increased degree of transparency in corporate accounting and reporting, Personal responsibility on the part of top executives and board members regarding the accuracy of financial statements their companies release, and A greater emphasis and a new structural framework around efforts to prevent, detect, investigate and remediate fraud and misconduct. To achieve these goals, Sarbanes-Oxley requires companies to document the controls that have a bearing on financial reporting, then to test them and report on any gaps and/or deficiencies. Since Sales and Cost of Sales can have a significant impact on a company s statement of earnings, incentive compensation management comes into focus as a business process with strong exposure for companies that are actively seeking to reduce their risk of Sarbanes-Oxley non-compliance. Consider: Most companies spend a significant amount of money to incent employees and business partners, but do a poor job monitoring, auditing and controlling these expenditures with spreadsheets and manual processes. Studies have shown that companies typically overpay incentives by 3-10%, which amounts to a poor use of corporate resources and a loss of value to shareholders. You only hear about underpayments and almost never about overpayments. Proper incentive compensation management typically results in appropriate tracking and accounting of revenue transactions, which are critical to the accuracy and accountability of the bottom line. Tying incentive payments for executives, other employees and channel partners to welldocumented sales performance is a key to good corporate governance, and demonstrates alignment of compensation to shareholder interests. Let s also not forget that managing incentives correctly can help optimize and drive additional revenues which are also good corporate governance. 2

3 Getting From Here to There Most responsible executives and business managers understand and embrace the goals of Sarbanes-Oxley, but many have concerns about their implementation. The 66-page law is chaotic and offers few guidelines for getting from here to there. It contains obscure references, problematic language and what often appears to be overlapping rules. Part of industry s concern about Sarbanes-Oxley is simply a knee-jerk reaction to new rules, regulations and responsibilities of any sort. Part comes from the scope of the law itself, which is very broad, and indeed daunting. Additionally, Sarbanes-Oxley relies heavily on the concept of materiality-a term that is not very specifically defined and is subject to interpretation. Then there is the cost of compliance. Many companies have already experienced more than a doubling of their auditing bills and more than a few are wondering if the cost justifies the means. One CEO attending the January 2004 World Economic Forum in Davos, Switzerland put it this way: Corporate America is spending an awful lot of money on internal controls that are not benefiting shareholders. Finally, there is a belief that bad people do bad things, and that no amount of regulation or legislation, Sarbanes-Oxley or not can guarantee ethical behavior. While no one downplays the difficulties of meeting the requirements of Sarbanes-Oxley, the process itself can yield major benefits. Past SEC Chairman William Donaldson elaborates: If companies view the new laws as opportunities-opportunities to improve internal controls, improve the performance of the board and improve their public reporting-they will ultimately be better run, more transparent and therefore more attractive to investors. This requires, of course, complying not only with the letter of the law but the spirit as well. Corporations that embrace strong ethics, good governance and reliable reporting will have the opportunity to re-energize their operations and give their stockholders the reassurance they need and deserve. Moreover, if Sarbanes-Oxley compliance efforts are leveraged to include a hard look at existing business processes and systems, it s very likely the exercise will uncover complexities that can be simplified and operations that can be eliminated, yielding long-term cost savings that will drop straight through to the bottom line. To help with this effort, members of the IT industry have come up with answers to many of the Sarbanes-Oxley challenges. Callidus Software s TrueComp, for example, can provide internal process control over the incentive compensation business process. It is a route many companies are taking to lower the risk of non-compliance with Sarbanes-Oxley and, at the same time, improve their corporate governance environments. Translating Sarbanes-Oxley into Rules and Regulations In order to facilitate the implementation of such sweeping reform, Sarbanes-Oxley established a rules-making body called the Public Company Accounting Oversight Board (PCAOB), which is tasked with interpreting the law into guidelines that can be deployed by the auditing community. One of the PCAOB s early rulings required outside accountants to establish auditing, quality control, ethics, independence and other standards relating to the preparation of audit reports for issuers. 3

4 In October of 2003, in one of its most impactful rulings to date, the PCAOB proposed a new auditing standard entitled An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Reporting. This auditing standard, which was also accepted by the SEC in October of 2003, mandates that auditors review and establish that proper internal controls exist over all financially significant business processes as part of any effort to certify the financial reports themselves. This ruling is significant for incentive compensation processes, which for many companies can involve millions of dollars. Despite their high cost and importance, many companies still manage these processes through manual spreadsheets and , or through legacy systems that are not optimized for Sarbanes-Oxley compliance. The Need for Sophisticated, Computerized Controls According to Sarbanes-Oxley, auditors are required to attest to the design and effectiveness of a company s internal controls. Many incentive compensation plans that are administered with spreadsheets and/or homegrown systems do not have the advantages of data management, flexible rules engines and Web-based results reporting. These systems will have limited effectiveness in the 21st Century. Sales-related fraud or even simply user errors that go undetected (which can occur in the absence of a proper system) can lead to understating expenses and overstating earnings which can undermine the reliability of financial reporting and investor confidence in the results. Since sales and cost of sales are two significant items on the P&L, the accuracy of both numbers has a major impact on the statement of earnings. Companies that do not have sophisticated, computerized controls over their compensation processes-the kind that can pass a rigorous audit-are open to significant exposure. If a restatement occurs and an investigation is initiated there will likely be a request to provide compensation details in a timely manner. If details concerning incentive calculations are trapped in spreadsheets or reside in a system that lacks a proper audit trail and security, this poses a red flag to auditors. To establish sufficient internal process control over compensation management, a company should: Provide an archive of all transaction details for several years, Provide audit trails of all interactions within the compensation process, Be able to enforce/support policies and procedures through workflow and security, and Have established event-based alerts that notify management of potentially non-compliant transactions. Identifying and Addressing Problems Prior to Audit While all accelerated filers have now gone through the audit process once, many of these companies are now looking to not just meet the minimum standards but also to be more efficient and improve upon the ways they meet those standards. To do this job properly, many of the larger, more complex organizations are finding they need more powerful and versatile internal control applications that can be integrated with their other corporate systems. 4

5 In the absence of more specific direction from regulators, the companies and auditors have turned to the Enterprise Risk Management Framework, first published by COSO in 1992, as their guideline for Sarbanes-Oxley related risk assessment. COSO, or the Committee of Sponsoring Organizations, is a group established in 1985 in an attempt to establish self-regulation over corporate governance issues for the Financial Services industry. COSO s framework has been approved by the SEC as an appropriate method for establishing internal process control assessment. The COSO framework comprises five interrelated components to simplify management s task of administering and supervising all of the activities that go into a successful internal control structure: Control environment Risk assessment Control activities Information and communication Monitoring This means that compliance with Sarbanes-Oxley requires comprehensive review, documentation and testing of the internal controls that support significant financial statement line items. The Industry Standard To achieve this level of control over the incentive compensation process, many companies are turning to Callidus Software s TrueComp, which automates, standardizes and documents the business processes that result in sales and channel compensation. Among other things, TrueComp: Provides the data transparency that CFOs need to comply with the new corporate governance requirements, Establishes significant process control, reliability and audit trail, In many cases provides return on investment in less than a year, and Is fast becoming the industry standard for sales compensation as it relates to Sarbanes-Oxley. Callidus Software s TrueComp supports compliance with Sarbanes-Oxley rules on internal controls and helps create a better overall corporate governance environment by adding security, reliability, predictability and the audit ability of the incentive compensation management business process. Specifically, the system provides: End-to-end commission and incentive payment processing, from sales transactions to GL and payroll system integration. Secure workflow for processing, administration and approval of sales credits and compensation, including dispute resolution processes and exception handling. Detailed documentation of sales plans and compensation rules. Auditable records of changes to compensation plans, covering when they were made, who provided the authorization and the like. The capability to audit compensation history even if compensation plans change. Role-based security that controls access to information. Tracking and processing of special bonuses and other exception (one-off) payments. 5

6 Callidus TrueComp is being used by many Fortune 500 companies to establish internal process control over incentive compensation management, thereby reducing their risk of non-compliance with Sarbanes-Oxley. In conjunction with our customers, Callidus is working to fulfill the on-going requirements of compliance with Sarbanes-Oxley, and ultimately deliver the benefits of tighter process control, reduced incentive compensation costs, and better alignment of incentive expenditures to shareholder interests. Role of the CFO The Sarbanes-Oxley Act of 2002 is changing the role of the CFO, who going forward will play a greater role in establishing tighter process control over all financially significant business processes. Even though Sarbanes-Oxley does not single out particular business processes for scrutiny, internal control over compensation management is directly relevant to compliance. Securing the process of paying people who are directly responsible for revenues lessens the chances for Sarbanes-Oxley related scrutiny by removing concerns about process control, fraud detection, and accuracy of reported information. This means that incentive compensation management should be a corporate governance priority for every CFO and every organization. If the SEC should conduct an investigation, disclosure of complete and auditable incentive compensation records could go a long way toward alleviating any suspicion of wrong-doing. Finally, establishing control of the compensation management process offers the added benefits of reducing overpayments, decreasing compensation administration costs, cutting the time it takes to resolve disputes and most important of all driving the appropriate behaviors to maximize growth which should have a healthy effect on the bottom line and improve the overall corporate governance environment. 6

7 Addendum Sarbanes-Oxley establishes many other new rules and regulations. Most attention has been and will continue to be focused on sections 302, 404 and 906. Section 302 requires CEOs and CFOs to personally certify their company s financial statements and filings. They must affirm that they have the responsibility for establishing and enforcing the disclosure controls and procedures in use throughout their companies. They must certify that they have evaluated the effectiveness of the controls at the time of each quarterly filing, and they must inform their audit committee of any significant deficiencies, material weaknesses and/or acts of fraud. Section 404 requires an annual evaluation of a company s internal controls and financial reporting procedures. The annual report distributed by publicly owned companies must include an internal control report stating that management is responsible for an adequate internal control structure. Companies must document controls that have a bearing on financial reporting, then test them and report on any gaps and/ or deficiencies. In addition, the company s independent auditor must issue a report, to be included in the company s annual report, attesting to management s assertion on the effectiveness of the internal controls and procedures. Section 906, which also involves the CEO and CFO, requires the two to certify that their quarterly and annual reports fully comply with key sections of the Securities Act of 1934, and that the information in those reports fairly presents the financial condition and operating results of the company. A CEO or CFO who knowingly submits a wrong certification will be subject to a fine of up to $1 million and imprisonment for up to ten years. For willfully submitting a wrong certification, the fine can be increased to $5 million and the prison term can go to 20 years. 7

8 About Callidus Software Founded in 1996, Callidus Software Inc. ( is a leading enterprise incentive management (EIM) provider to global companies across multiple industries. Callidus EIM systems allow enterprises to develop and manage incentive compensation linked to the achievement of strategic business objectives. Through its TrueComp Grid architecture, Callidus Software delivers the industry s only EIM solution that combines the power and scalability of grid computing with the flexibility of rules-based interface. Customers/partners include AOL Time Warner Corporation, AT&T Wireless, BMC Software, CUNA Mutual, IBM, SBC Communications and Sun Microsystems. Callidus Software is publicly traded on the NASDAQ under the symbol CALD. For more information about Callidus, visit or call Corporate Headquarters Callidus Software Inc. 160 West Santa Clara Street, 15th Floor San Jose, CA Tel Fax info@callidussoftware.com UK and European Headquarters Callidus Software Ltd Northfield House 11 Northfield End Henley on Thames Oxfordshire RG9 2JG United Kingdom Phone: +44 (0) Fax: +44 (0) Callidus Software Inc. All rights reserved. Callidus Software, the Callidus Software logo, Callidus TrueAnalytics, TrueChannel, TrueComp, TrueComp Datamart, TrueComp Grid, TrueComp Manager, TrueInformation, TrueIntegration, TruePerformance, TrueReferral, TrueResolution, TrueService and TrueSupport are trademarks of Callidus Software Inc. in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners. 04/06 PDF 8