Editor’s note: Glenn Conway and Bob Broda are partners with Visage Solutions. “Managing Risk” is a regular feature on Wednesdays in LTW.

A significant number of companies are working diligently in following the letter of the law with regard to being in compliance with the Sarbanes-Oxley Act of 2002.

The stated purpose of the Act is “–to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws–.”

This “letter of the law” strategy is employed for two basic reasons: to minimize the costs of compliance and to meet the government-mandated dates. However, does this strategy really position companies to meet the intent of the Sarbanes-Oxley Act of 2002…i.e., to restore investors’ trust?

It will take more than mapping and documenting processes to ensure that policies and procedures are followed; that all transactions and communications are governed by integrity; and that ethical values are upheld throughout the organization, from mail clerk to CEO. The foundation for effective management is the culture, formal and informal, of the organization; this includes the values and the behavior of the people who create, administer and monitor management processes.

The stated ideal behavior and the actual behavior can either be highly ethical, in which actions are transparent, consistent, and honest…or there can be discrepancies at the top, which may permeate down into the organization. It is the combination of highly ethical leadership at the top, setting a tone of integrity for the organization, and a strong system of internal controls, well known and fully implemented throughout the organization, that creates a culture of corporate integrity. If the tone is not set at the top, in word and action, then it is unlikely that highly ethical behavior will occur at other levels in the organization.

Although government mandates, such as the Sarbanes-Oxley Act of 2002, can pressure a company to be ethical in how it states its financials, makes disclosures, and deals with whistleblowers, only a culture of corporate integrity that is internalized by the entire organization will ensure high ethical standards are met. The relationship between corporate governance, internal controls, and the impact on compliance, specifically with SarbOx and generally with other laws and regulations, is depicted in the chart at our web site.

(Follow this link: www.visagesolutions.com/pdf/Corporate_Governance.pdf )

The culture is referred to as “Management Process Effectiveness.”

The management process encompasses the judicious use of means to accomplish the company’s value objectives. This management process is comprised of several components, the collective sum of which dictates the culture of the company. These components include: management philosophy, management style, decision making process, conflict resolution process, organizational mindset, management control and review process, and the internal and external communication process.

The COSO Internal Control – Integrated Framework (1992) is recognized by the SEC as one framework that satisfies compliance under Section 404 of the Sarbanes-Oxley Act of 2002.

The purpose of such a framework is to ensure the transparency, integrity, and reliability of financial reporting and statements.

With the COSO framework in mind as the business standard in the US, the impact of corporate governance on the ability of a company to meet SarbOx compliance requirements can be reflected in the above diagram:

The quadrants: A look at each

The lower left hand quadrant (“Failure”) reflects a company with weak management process effectiveness and weak internal control. This company would not meet compliance requirements.

A company in the lower right hand quadrant (“Imminent Danger”) would be approaching stronger controls, but still have a weak management process. This company’s management process will place the company in imminent danger of not meeting compliance standards. Either the controls will weaken due to lack of a strong ethical culture or the management process must change to support the existing internal controls. In this case, the internal controls should be strong enough to detect certain types of fraud; however, the weak culture may allow the circumvention of the established internal control system. Therefore, to keep the controls strong, the management process should be strengthened.

Those companies in the upper left hand quadrant (“Potential”) have a strong effective management process; the controls, though relatively weak, will be driven by the strong, ethical culture to become stronger. The company, with such strong governance, has the potential to satisfy compliance.

Companies in the upper right hand quadrant (“Ideal”) have a strong management process and strong internal control process. This is the ideal situation in which the company environment is conducive to its becoming a leader and leveraging itself into a strong competitive position. The strong corporate governance culture will drive the internal controls process to continually improve, ultimately raising the odds for greater success.

Strong culture, governance ethic are crucial

The existence of a strong culture and governance ethic is key to making any system work. A culture with strong ethical values can make up for deficiencies in a company’s internal control system. Over time the strong culture will compensate for such deficiencies, correct them, and strengthen the control system from period to period, gradually increasing the reliability of results.

On the other hand, a weak corporate governance culture, where management does not put a premium on ethics or integrity, could lead to the circumvention, bypassing, or atrophy of even a strong control system. This scenario could set the scene for intentional fraud by circumventing reporting systems. When a weak culture is combined with weak internal controls, intentional fraud might be indistinguishable from negligence or oversight as the systems are incapable of effective control.

The “Ideal” (strong culture/strong controls) quadrant is most likely the environment eliciting unqualified auditor opinions and effective internal control attestation. The “Potential” (strong culture/weak controls) and “Imminent Danger” (weak culture/strong controls) quadrants are ones for which the auditor could issue qualified opinions or disclaim opinions given specific findings. Finally, the “Failure” (weak culture/weak controls) quadrant is the de facto adverse opinion quadrant (e.g., internal control not effective and/or financial statements with material weaknesses).

Section 404 of Sarbanes-Oxley is mandating that companies put in place processes that allow them to shift to the right in the governance quadrant…i.e., a stronger system of internal controls. However, without a concomitant strong, effective culture, the company and its stakeholders will be at imminent risk of having a material weakness. A strong culture of integrity is essential to comply, not only with the letter of the law, but, most importantly, the intent of Sarbanes-Oxley.

Visage Solutions are results-focused operation assessment and risk management consultants who offer extensive real-world executive management experience. Visage Solutions offers a suite of services that provide a strategic approach to operations to improve business processes that affect the bottom line. Sarbanes-Oxley related services include OpsAudit and Compliance Process Improvement Services supporting Sections 301, 302, 404, 406, 409, 802 and 806.

See www.visagesolutions.com for more information and important links.