October 2006

Global Compliance

One consultant's experience with multinational firms sheds light on meeting the unique challenges of achieving Sarbanes-Oxley compliance internationally.

Imtiaz Hussain
Consultant, Jefferson Wells International, London

The U.S. Sarbanes-Oxley act of 2002 recently extended its reach to the shores of Europe, the Middle East, Africa, Asia Pacific, and Latin America, as non-U.S. multinational companies with listings on U.S. stock exchanges were required to comply with the act for the first time starting July 2006. Many overseas subsidiaries of listed U.S. parent companies have been required to comply since 2004. Achieving compliance in multiple countries is no small feat. As difficult as it has been for strictly U.S. companies to tackle Sarbanes-Oxley requirements, the challenges are multiplied when conducting business internationally. Not only must companies satisfactorily answer the inevitable question, "why do we have to comply with a U.S. law?" but they must overcome the additional hurdles of language and cultural barriers, resource constraints, local regulations, and individualized systems and procedures. Although each organization will face its own unique set of challenges, there are some basic guidelines that can help internal auditors involved in Sarbanes-Oxley projects prepare for their formidable task. Following these practical steps can lead the way toward success with international compliance efforts.

1. CHOOSE THE RIGHT LANGUAGE FOR DOCUMENTATION

Should Sarbanes-Oxley workpapers be documented in English or the local language? Strong arguments exist for both.

Proponents of using English workpapers argue that the chief executive officers (CEOs) and chief financial officers (CFOs) who have to certify the effectiveness of the financial statements are typically well versed in English, and they may be less comfortable relying on foreign-language documents. Some also argue that it makes sense to use English as the language for Sarbanes-Oxley documentation simply because global Sarbanes-Oxley initiatives are most often driven from the United States, where English is the language of business. Moreover, the top risk and control owners are often based in the United States, and their preferred language is English.

On the other hand, proponents of documenting Sarbanes-Oxley workpapers in the local language argue that this approach enhances ownership of the Sarbanes-Oxley initiative among the local team members who live and breathe processes and controls at the grassroots level. In fact, documenting in English may discourage team members and create barriers for accepting and embedding Sarbanes-Oxley into their processes. Additionally, in some parts of the world, local management may have limited English-language skills.

As a solution to the language-documentation dilemma, one heavy-equipment manufacturing company with subsidiaries in 50 countries in Europe, Africa, and Asia decided to document Sarbanes-Oxley workpapers in English during the first year of compliance and use both English and the local language during year two. This approach enabled the establishment of a consistent format, helped the champions of Sarbanes-Oxley — the CEO and CFO — to understand local processes, and created ways for foreign subsidiaries to buy into Sarbanes-Oxley and embed its core concepts into local operations. 

At a multinational automotive parts manufacturing company with operations in France, Germany, and Poland, management opted for documentation in English and later translated the documents into local languages using language translation software. This type of software may not represent the best solution, however, because often the software does not translate documents accurately, and the true meaning gets lost.

Although Sarbanes-Oxley does not require documentation to be in the English language, English is often considered the "universal language of business." For this reason, it makes sense for Sarbanes-Oxley documents to be in English. Still, it's important that management and operations staff in remote locations around the world buy into Sarbanes-Oxley processes and concepts and embed them into their day-to-day business operations. For that purpose, translating the English documents into local languages may be beneficial, providing local staff enhanced visibility of the controls they own or operate and the risks they mitigate.

2. PREPARE FOR RESISTANCE

It's not uncommon for a foreign subsidiary's management and staff to resist formalizing their business processes or implementing new controls for complying with U.S. legislation. This tendency toward resistance often stems from corporate management's failure to communicate its expectations to local personnel. Moreover, management may show inadequate sponsorship and buy-in for the project, and this attitude can trickle down to local offices. If management lacks commitment or does not understand the project's end goal, then it will not be able to articulate requirements to local offices effectively. Failure to understand local work cultures may also foster resistance.

At a U.S.-based multinational firm, for example, the Sarbanes-Oxley compliance project manager received significant push back from a French subsidiary when the organization began working on a Section 404 readiness project in France. The resistance he encountered was attributable to several factors. First, the project manager assumed that Sarbanes-Oxley is considered equally important to the subsidiary's operations managers as it is to those in the United States. Secondly, he assumed that subsidiary management and staff were knowledgeable about Sarbanes-Oxley requirements. 

The project manager soon realized that these assumptions were incorrect. He took several actions to overcome the resistance, including:

  • Visiting all plants in France that fell under the scope of Sarbanes-Oxley.
  • Explaining to key managers who accompanied him on the trip the importance of Sarbanes-Oxley to French operations and the overall organization.
  • Making presentations to employees of the French plants, during which he illustrated how compliance with Sarbanes-Oxley will help the business comply with Loi Sur la Sécuritié Financière (the French requirement for internal controls), and the European Union's (EU's) 8th Directive (the EU's Sarbanes-Oxley equivalent).
  • Inviting members of the U.S. parent company's management team to accompany him on the site visits and letting staff hear directly from these executives that Sarbanes-Oxley is here to stay.

These actions raised the level of Sarbanes-Oxley awareness among French staff and management significantly. The leadership team was able to convey the importance of compliance to the overseas offices and communicate the project's objectives to the local staff. The team also emphasized project benefits, including a better-controlled business, enhanced processes, and global standardization.

3. MAKE THE MOST OF LIMITED RESOURCES

Sarbanes-Oxley compliance projects are time-consuming and require skilled employees. Although every organization is limited by resource constraints, implementing Sarbanes-Oxley projects in Europe, the Middle East, Africa, Asia Pacific, and Latin America increases the demand for skilled staff. 

Workers in some countries may not be familiar with the concepts of risk and control, let alone Sarbanes-Oxley. In fact, due to cultural differences, risk and control ideologies are less accepted in some parts of the world. In many countries, bribery is a common practice. Therefore, the U.S. Foreign Corrupt Practices Act of 1977, Sarbanes-Oxley's whistleblower policy, and other anti-fraud provisions may be of less importance to staff.

Although the level of accounting education in many of these countries is improving, some have been slow to adopt modern practices. The key recommendation when implementing a Sarbanes-Oxley initiative in such countries is to begin documentation early and to be patient with local staff. Hands-on partnership and rigorous training of staff members should be key elements of the project.

4. BE MINDFUL OF LOCAL LAWS AND REGULATIONS

Multinational firms need to understand any laws or regulations that may affect Sarbanes-Oxley Section 404 readiness projects in the regions where they conduct business. In the United States, for example, there are no legal restrictions associated with having employees sign a code of conduct or blow the whistle on company wrongdoing. But this is not the case in all parts of the world. 

At a U.S. automotive manufacturing company, for example, management faced a dilemma when it tried to implement U.S.-based standard policies and procedures across continents. The company realized that its whistleblower policy could not be implemented in its entirety in France due to legal limitations, and that the code of conduct needed to be translated to French so that it could be enforced in France and Belgium.

In Spain, employees are not required to sign a code of conduct. Therefore, although the code of conduct was available in Spanish, the company was also unable to get the employees in Spain to sign the code's acknowledgement slip to evidence that they had reviewed the code (evidence is a key element of Sarbanes-Oxley compliance). The organization had to maintain a register of attendees at a code of conduct training session to evidence that all Spanish employees had been issued a code booklet. 

Failing to recognize the law of the land can devastate even the best-laid plans. Companies that recognize potential legal conflicts early can save a great deal of time and expense.

5. DOCUMENT AND STANDARDIZE BUSINESS PROCESSES

Organizations that use differing procedures and methodologies across global operations can face considerable difficulty with Sarbanes-Oxley compliance. Lack of consistency prevents standard processes and controls from being shared. 

At a U.S.-based information technology firm, for example, the business made acquisitions in South America and Europe over time, but let the local management run their operations autonomously. The result was that each entity outside of the United States had its own processes, procedures, and management cultures. Some had informal and unwritten procedures.

Although corporate management previously had not paid attention to harmonizing processes and procedures, the necessity for uniform and consistent procedures across continents became obvious when management was faced with the hefty cost of a Sarbanes-Oxley Section 404 readiness project. Informal policies and procedures and lack of evidence of controls raised significant Sarbanes-Oxley issues across the organization, and management used the readiness project as an opportunity to standardize practices.

6. STANDARDIZE THE IT ENVIRONMENT

Many U.S.-based mid-size companies have subsidiaries overseas that operate on stand-alone information technology (IT) systems. They may have grown overseas through acquisitions and perhaps did not focus on standardizing business processes or having systems under one single platform. One U.S.-based automotive parts distribution company had five European locations, each with stand-alone systems — and some were legacy systems with no support provided. Although all of the company's U.S. sites ran under one enterprise resource planning system, the European subsidiaries ran on isolated systems. This sort of unintegrated IT environment can increase the cost of compliance with Sarbanes-Oxley significantly. Although standardization comes with significant up-front costs, it helps establish a better control environment, makes business processes more efficient, and adds value in the long run by establishing synergies across locations.

7. DEVELOP A ROBUST PROJECT CHARTER

A project charter is vital for any Sarbanes-Oxley project that spans multiple continents. The purpose of the project charter should be to establish a framework for the Sarbanes-Oxley project and to provide direction for all project tasks. The charter should provide an overview of the governance structure, including the participants in the project's organization chart and their roles and responsibilities. It may indicate, for example, that the project manager is responsible for establishing the project plan, tracking progress, coordinating resources, and ensuring remedies are implemented in accordance with the design and time frame approved by the appropriate remediation and steering committees.

Sample Org Chart

A sample international Sarbanes-Oxley project implementation organization structure appears at right (see "Sample Organization Chart" — click to expand). The chart strives to identify all the key stakeholders in a global Sarbanes-Oxley project and assigns clear responsibilities to each. It also gives key executives ownership and the responsibility to oversee the project and set expectations for the project management team and the steering committees in multiple regions. This is not a one-size-fits-all model, and it may need to be tweaked for individual organizations.

FORGING AHEAD

Global Sarbanes-Oxley compliance projects present a variety of challenges that require significant preparation and creative thinking. Most importantly, it's critical to get an early start, have a robust charter and well-planned project management structure, send consistent messages, emphasize the importance of the project, provide country-specific training on Sarbanes-Oxley and risk and control concepts, and perform adequate planning up front to identify project-related risks. 

The project team should work closely with the process owners and educate them about embracing the requirements of Sarbanes-Oxley and embedding compliance efforts into their processes. In fact, the team should take the opportunity to "plant the seed" early and get process owners to start assuming responsibility for risks and controls and recognizing how the two are linked at various levels within the organization. Moreover, the importance of entity-level controls should be emphasized and understood. Otherwise, cracks in those foundational controls can have severe consequences for the project, as well as the entire organization.

To comment on this article, e-mail the author at imtiaz.hussain@theiia.org.

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

UCMC 2012 

 International Conference Boston 2012

 

GRC August 2012 

 

 Twitter 
 

facebook IAO 

IA APP