This article was featured in Internal Audit 360.
The whole point of most children’s fairy tales is to teach life lessons Occasionally, these lessons can even be applied to our work lives and professional circumstances. Of course, the complexity and nuance of professional decision-making goes well beyond the broad moral brush strokes of most fables, but with a little imagination, these lessons can be illuminating.
There are many wolves in corporate America and internal auditors may encounter quite of few of them over the years.
A Strong Foundation
Remember the childhood tale about the Three Little Pigs? Once upon a time, there were Three Little Pigs who were finally old enough to leave home. The pigs kissed their mother goodbye and went out into the world to seek their fortunes. Without a well-conceived plan, the first and second pigs quickly built their homes out of straw and sticks, respectively. On the other hand, the third pig spent many sun-scorched days laying a strong foundation and building his brick structure based on carefully designed plans.
One day, along came The Big Bad Wolf, and we all know what came next…“Little pig, little pig, let me in!” he howled. “Not by the hair of my chinny chin chin!” came each pig’s reply. The wolf sang out, “Then I’ll huff, and I’ll puff, and I’ll blow your house down!” For the first two little pigs, down their houses went without much effort. However, we know that not only did the brick house not budge when The Big Bad Wolf attempted to blow it down, but the third pig had a contingency plan and already had a pot of boiling water in the fireplace to stop the wolf when he attempted to find another way in and climbed down the chimney.
Once upon a time, in the not-too-distant past, a similar scenario ensued in real-life. But the role of the Big Bad Wolf was played by greed and mismanagement and the Three Little Pigs were various organizations that had to survive this “super villain.”
Keeping the Wolves Out
In 2002, in the wake of several accounting scandals that brought down some of the world’s leading public companies, the Sarbanes-Oxley Act (SOX) was enacted to protect shareholders, employees and the public from accounting manipulation and fraudulent financial practices. In order to improve the reliability of financial reporting, boost investor confidence and increase management accountability, SOX calls for public companies to demonstrate a strong internal control environment and requires the CEO and CFO to attest to the effectiveness of these controls over financial reporting.
In this scenario, the Big Bad Wolf is the executive(s) or employee(s) who could blow the walls of the company down—like they did at Enron, WorldCom, Adelphia and Tyco—with accounting scandal, fraud and criminal negligence. The difference between these wolves and the one in the Three Little Pigs fairy tale is that they are already inside the house and they don’t tell you that they intend to blow it down. SOX requires larger public companies to build a solid foundation of internal controls, and to have it inspected by experts, to protect against these wolves.
However, most non-public companies, public companies that are considered non-accelerated filers (under $75 million market capitalization) and some newly public companies are not required to formalize and attest to their internal control environment. Since the law does not require them to, many of these companies don’t. It’s the equivalent of building their houses out of sticks and straw. Yet, more of these organizations know they need something stronger and are increasingly volunteering to adopt the provisions of SOX and, as a result, have realized valuable benefits, such as:
- Financial Reporting Validity – Since errors and fraud can and do occur, it is essential to establish safeguards to minimize the risk of errors and irregularities at various stages in the financial reporting process. As a result, organizations have discovered that the act of formalizing internal controls discourages fraud and flags errors before they can escalate, strengthening financial reporting reliability.
- Operational Effectiveness and Efficiency – Formalizing an organization’s control environment requires an assessment of its people, processes and technology. During this process, documentation is created or brought up to date, processes are optimized and much needed system enhancements are prioritized. Organizations that think beyond doing the bare minimum can see a significant reduction in the investment of time and resources required to maintain compliance over time.
- IPO Readiness – “Going public” is a transformative journey for an organization planning to open its doors to fresh capital and the public eye. IPO veterans note that functioning like a regulated public company prior to the IPO event remains a critical success factor. Part of this preparation effort entails establishing an internal control environment at the level required for SOX compliance. SOX readiness is a journey that usually takes four to six quarters, depending upon the organization’s size and complexity.
- Third-Party Assurance – Non-public and exempt public companies needing to assert their diligence with stakeholders and business partners are often required to adopt stronger governance and internal control structures. Prospective investors and lenders scrutinize an organization’s financial statements and financial reporting processes prior to making an investment. Additionally, as scrutiny over reliance on third-party vendors grows, many these organizations are required to substantiate their internal control environment to comply with external requests from customers.
Is your organization afraid of the Big Bad Wolf? You should be. The moral of the story is to build a robust control environment, brick-by-brick, not only to stand against antagonists but for the benefit of the entire organization. It’s now been nearly two decades since the morality tales of the likes of Enron played out and we can easily forget those lessons. Hopefully, the Three Little Pigs will serve as a new reminder. Don’t become a fabled tale.