The Sarbanes-Oxley Act (SOX) of 2002 brought about sweeping changes for corporate America. In an effort to restore the integrity of the markets, rebuild the faith of investors, and create a new way of doing business, the federal government is asking U.S. corporations to go back to square one and review the intricacies of their financial reporting and control practices, and ensure they're preparing financial statements and recording transactions in an accurate, fair, and ethical manner. Among the many requirements needed to achieve compliance are internal control "certifications" issued by management pursuant to SOX rules 302 and 404.
While not-for-profit organizations aren't currently required to issue financial reporting and control certifications, many are assessing the costs, risks, and benefits of doing so. Without a mandatory compliance deadline, not-for-profit organizations can structure their control assessment activities over more than one fiscal period and work toward a state of certification readiness in a less compressed time frame than that faced by corporations.
Despite the lack of a directive, higher educational institutions have much to gain from voluntary compliance with rules 302 and 404. A university that does so can significantly improve its competitive position with rating agencies, donors, lenders, and government funders. Voluntary compliance can reinforce strong board governance, strengthen management practices, and inevitably strengthen a university's reputation.
However, there is a downside to publicly issuing certifications by management on the design and effectiveness of controls if a sound process has not been followed by management in its assessment of the adequacy of the control structure for financial reporting and compliance. In order to both mitigate this risk and to help manage the cost of compliance, a thoughtful, proven approach to control assessment and documentation is necessary.
Because corporate America has already gone through the first rounds of SOX readiness and testing, universities that begin the process today can benefit from the lessons learned by their corporate brethren. University management will also find that, despite the hype, the process is not unmanageable. After all, controls are nothing more than actions designed to reduce risk. And well-managed risk is a sign of a well-run organization.
By beginning the process slowly, perhaps tackling one or two of the most challenging processes the first year and additional processes the next, a university can gain insights into its control "orientation" and can modify its processes before the entire control structure has been documented and assessed.
A university can begin assessing the adequacy and documentation of its internal controls by identifying the processes that are either the most problematic, present the most compliance risk, or that have the most significant impact throughout the organization. Once the university has identified the business processes to be addressed, the control structure must be considered across all the departments and functions that impact those business processes. Every department that carries out parts of the identified business processes also impacts the control structure that drives accurate financial reporting and compliance management. Consequently, it is important to pre-identify business tasks within the business process and map these tasks to the related financial reporting and compliance risks, the associated control objectives, and ultimately to the various control procedures being performed.
This approach allows tracking of control activities performed by staff in various departments to the risks being mitigated. It also allows management to gain an institution-wide view of the control design. This view supports a clearer assessment of the adequacy of controls, gaps in the control design, and redundant control activities. The process may also reveal where a university can make its business processes more efficient.
University activities, such as Student Financial Services, often span multiple institutional boundaries (finance, accounting, academic, and administrative departments) and the processes can quickly become fragmented.
As processes and their control objectives are committed to paper, risks become apparent, as does the lack of consistent written control procedures. Many universities have tremendous oral histories of their control procedures but inconsistent approaches to documenting these procedures across the various departments. Furthermore, many inconsistencies in controls are the result of old, unresolved governance, business process, and technology issues. By putting these lingering problems in writing, they become more obvious, and solutions become more tangible.
As financial reporting and compliance risks and the related control procedures are documented, the university can reassess the linkages between computer and manual controls and whether efficiencies can be achieved by redesigning certain control activities.
Next, the university should determine whether its control procedures are preventive or detective controls. This perspective allows management to decide if the balance between preventive and detective controls is appropriate for the circumstances. Many universities find their control designs are primarily detective in nature, which is more labor intensive and fails to prevent problems from occurring. Culturally, the emphasis on detective controls may be driven by the fact that initiators of transactions or the primary reviewers of third-party financial data may not be financial analysts, accountants, or finance professionals. Many departments in a university that conduct business tasks are primarily focused on academic and research activities or students and donors. The staff's core competencies may not add to effective preventive controls. As the university weighs preventive versus detective controls, it may need to consider redeploying human resources in order to bring the equation into balance.
Working toward SOX compliance can serve to increase the board's level of awareness on business processes and the complexities of the control design. It can also facilitate implementing the changes in controls and business practices that have been identified in the control assessment.
The 302 and 404 certifications can also drive a greater awareness on the part of all levels of management of the role they carry in the control design and execution. Their personal knowledge that those controls have functioned effectively during the year is essential. To that end, many universities require "management sign-offs" on controls from various departmental, academic, and administrative personnel.
If a university begins with reasonable steps, a game plan, knowledge of what it is trying to track, and good templates and tools, it will, over time, build more efficient and effective business structures. And, while better business practices--not compliance--are the ultimate end goal, should SOX compliance become mandatory, the university will be well positioned to meet the requirements.
Mary Foster, a partner with Deloitte & Touche, LLP, leads the firm's Higher Education and Not-for-Profit practice.