by Mike Harreld, Southern Company
As a publicly traded company, Southern Company is required to comply with Sarbanes Oxley, or “SOX.” And like many companies, the initial outlay of resources for this task was challenging. However, in our third year of SOX compliance we have come to view it as an important business-process driver for the company, with benefits beyond mere compliance.
While complying with the legal requirements, we have found ways to use SOX to improve our processes and procedures. This may be a relatively new concept, as SOX is typically perceived as a legal obligation associated with many fees and time-consuming requirements. As a law that ensures proper auditing procedures for publicly traded companies, it comes with a lot of process changes and reporting requirements. In addition, along with that comes the need for consultants and technology to help get the job done right.
Southern Company’s overall approach to meeting SOX requirements is simple: We’re a legal entity, and we will comply with the law. Period. Without proper compliance, a company risks harm to its investors, its customers, its reputation in the marketplace and the strength of its brand. From the beginning there was no question that Southern Company would consistently comply with SOX. It’s simply something we must do.
Our greatest issue was in the documentation of it all. In the early stages of SOX, there was a lot of confusion about what exactly was required. We began our compliance process in 2003, very soon after the law was passed. While we already knew we had a good accounting control system, it wasn’t always documented in a way that auditors needed it to be in order to comply with SOX. We had to take an inventory of, and document, all of our controls. We found anything that looked like a control, and we nailed it to the wall and examined it carefully to see if it was working.
We also had to hire a lot of people, bringing in numerous temporary workers. We set up a Southern Company core team of folks to manage the overall project from a corporate perspective. In addition, we had a SOX team at each of the operating entities, and a SOX coordinator to facilitate all of the various projects. Each operating company team had a group of people who went out and basically documented everything manually. They took the financial statements and asked, “What is the account, how significant is it, what are the risks around that account, what could go wrong, what are the controls, and what kind of testing can we do to make sure it’s working?” We then had the external auditors come along and look at all of that to ensure we had the right controls in place. Anything that didn’t meet the strictest interpretation of the auditing model was considered a deficiency that required additional work until the requirements were met.
It was a massive, but necessary, effort. In 2004, the first reporting year, our auditors gave us a clean opinion on the adequacy of our internal controls. However, like anything done for the first time with somewhat unclear rules, there can be a lot of confusion. The first time I built a dog house, it kind of stood up but the dog wouldn’t even go inside. In this case, we were trying to figure out what kind of dog house to build, and we weren’t even sure how big the dog was.
When we completed that initial effort, we recognized that our team had done a good job. However, like many companies, we couldn’t deny that this hit us hard, washing over us like a gigantic wave. We realized that we had spent a lot of money and had documented too many controls. Our financial focus has always been on ensuring that we have a good control system. Doing all of this wasn’t necessarily improving our controls, but merely improving our ability to demonstrate them more effectively to the auditing world. So, we asked ourselves: “How can we get more value out of this process?”
This is where the turning point from compliance to business-process efficiencies began. In 2005, we received another clean opinion from our auditors. We knew we were accomplishing what we had set out to do, but at the same time we realized that this was an opportunity to ensure more consistency in the controls, processes and procedures across our whole company, which would lead to improved efficiencies beyond finance and into the operational side as well. To accomplish this, we divided the company into specified business cycles¿revenue, treasury, expenditure, payroll, etc. We brought together folks from these cycles from across our system and discussed the best ways to determine consistent key controls. We further identified the processes and procedures, and where they were different. Then we put consistent controls in place so that employees in these areas could easily move from one area of the company to another without having to relearn the processes. This also simplified the work of auditors moving from company to company within the Southern Company system.
We also reviewed all of our documented controls to identify the ones that were truly key. These were the ones that actually had to be tested to ensure they were working properly.
In addition, we had the company’s controls tested by our internal auditors. Since they were better trained on controls and how to test them, they were able to complete the testing much more efficiently.
We also took a different approach in our documentation. Initially, we used lots of spreadsheets, but we refined that approach by reducing those spreadsheets to specific control matrix test plans to document activities more efficiently. This worked fairly well, allowing, for instance, Gulf Power employees to access the same spreadsheet as Georgia Power employees. However, it was still awkward, so we pulled together a team of employees to find out what was on the market that could address our spreadsheet challenges. After several months, the team determined that BWise has the best solution to help Southern Company resolve this typical documentation roadblock. We purchased the Internal Control product from BWise and we believe this is going to make the process much more efficient.
SOX compliance is now a normal part of doing business. We comply with SOX just as we comply with hundreds of other laws every day. Southern Company has begun to realize SOX benefits that go beyond corporate governance to enhanced processes, which is simply good business. The framework we’ve established has helped us find ways to slim control operations and make our processes and procedures at our business units more consistent. Now, instead of a gigantic wave, SOX is just another day at the beach.
Mike Harreld is executive vice president of Southern Company Services. For more information, visit www.southernco.com.