The Sarbanes-Oxley Act (SOX) of 2002 is a congressional act passed to prevent future scandals of Enron proportion, and is considered to be one of the most significant changes to federal securities laws in the United States. The Enron scandal, and other similar scandals, damaged investors' confidence in the accuracy of all public corporate financial statements. Among the major provisions of the act are criminal and civil penalties for securities violations, auditor independence/certification of internal audit work by external auditors, and increased disclosure regarding executive compensation, insider trading, and financial statements. In layman's terms, the SOX act essentially says that you will go to jail if you are signing off on the veracity of certain documents in a public corporation and they turn out to be incorrect, even if it wasn't really your fault. It requires certain executives at the top to sign off on the financial statements that stockholders typically examine before buying a stock. This potentially exposes those top executives to the risk of jail time.
As you might expect, the CEOs, CFOs, and other executives of publicly-traded companies take SOX very seriously. When a CEO takes something seriously, it typically means finding some other person in the company, or several, and requiring them to take the issue even more seriously than he/she does. And that's just what CEOs have done with SOX. Some call it "delegation of responsibility," "buck-passing," or "things rolling downhill" — all depending on your point of view.
This is probably where you come in.
How does it work?
With the help of certain very large and expensive consulting companies (who love SOX, as you might imagine), a model called COSO (Committee of Sponsoring Organizations of the Treadway Commission — for more information see www.coso.org or http://en.wikipedia.org/wiki/COSO) was invented to spread the responsibility of SOX evenly across organizations, which ultimately leads to total corporate buy-in for obtaining accurate financial statements. COSO centers on the idea that fraud and mistakes are much less likely to occur if the company follows effective processes, so it calls for a procedure for documenting and testing those processes.
SOX describes a control matrix with processes, sub-processes, objectives, risks, controls, tests, and results in a dependency tree like the following:
Processes have sub-processes, which have objectives, which have risks, which have controls, which have tests, which have results. These are all one-to-many relationships.
There is an HR/payroll process by which people are hired, paid, fired, given benefits, etc. One sub-process (of which there could be many) of the HR/payroll process is "payroll calculation."
An objective of this sub-process is that people are paid correctly for what they actually worked and were authorized to work. Another objective might be to keep the payroll data secure.
There could be a number of risks to the objective of correct pay for actual authorized work, such as unauthorized hours being worked, or a discrepancy between claimed and authorized hours. Buddy punching (where someone lends his badge to a friend for illicit system login to get free money) is another potential risk.
Risks have controls, which are methods by which you ensure the process is working, or that the risk is being avoided. For example, a control might be that you only pay employees for hours authorized by the timesheet software. Or you manually compare authorized hours to paid hours each pay period. Or you install a security camera at the badge reader.
Controls have tests. For example, a test would be to compare your timesheet software reports to bank records. Tests have results, which are the stored records of those comparisons. A test for buddy punching prevention is to look at the video tapes from your security camera, the result of which might be a log book describing what you saw. Tests can be performed on a weekly, monthly, or quarterly basis as part of scheduled testing (by payroll professionals), or as often as needed by internal auditors.
All of these processes, objectives, risks, controls, tests, and results can be put into a SOX control matrix. Here is a sample of what one of these would look like:
| Sub-process | Objective | Risk | Control | Test | Result |
| --- | --- | --- | --- | --- | --- |
| Payroll Calculation | Accurate | Buddy Punch | Hand scanner used by all hourly employees | Compare paychecks to scanner records manually | Records of use compared to payroll records |
| Payroll Calculation | Accurate | Unauthorized work | Timesheet software | Compare authorized hours to paid hours | Records of report comparisons |
| Payroll Calculation | Accurate | Wrong salary used | Separation of duties for salary entry vs. time data entry | Examine signatures on certain forms | Records of examination |
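The dependency tree and the matrix rows above, modelled as an added Python example (not the author's or Journyx's code): the tree is flattened into matrix rows, and a coverage check reports any risk without a control or control without a test, which is the gap an auditor looks for first. The fourth risk in the sample, "Unrecorded overtime", is constructed and hypothetical, included only so the check has something to catch.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Column order of the matrix, taken from the article's dependency tree (process level omitted).
LEVELS = ("sub-process", "objective", "risk", "control", "test", "result")

@dataclass
class Node:
    """One entry at one level of the matrix; its children are the entries one level down."""
    name: str
    children: List["Node"] = field(default_factory=list)

def matrix_rows(root: Node) -> List[Tuple[str, ...]]:
    """Flatten the one-to-many tree into control-matrix rows, one per root-to-leaf path.
    A path that stops short of a result is padded with empty cells, as a blank row would be."""
    rows = []
    def walk(node, path):
        path = path + (node.name,)
        if not node.children:
            rows.append(path + ("",) * (len(LEVELS) - len(path)))
        for child in node.children:
            walk(child, path)
    walk(root, ())
    return rows

def coverage_gaps(root: Node) -> List[str]:
    """Name every entry above the result level that has nothing beneath it; a risk with
    no control or a control with no test is exactly what an auditor will flag."""
    gaps = []
    def walk(node, depth):
        if not node.children and LEVELS[depth] != "result":
            gaps.append(f"{LEVELS[depth]} '{node.name}' has no {LEVELS[depth + 1]}")
        for child in node.children:
            walk(child, depth + 1)
    walk(root, 0)
    return gaps

# Constructed sample: the three table rows above, plus one hypothetical risk with no control yet.
PAYROLL = Node("Payroll Calculation", [Node("Accurate", [
    Node("Buddy Punch", [Node("Hand scanner used by all hourly employees", [
        Node("Compare paychecks to scanner records manually", [
            Node("Records of use compared to payroll records")])])]),
    Node("Unauthorized work", [Node("Timesheet software", [
        Node("Compare authorized hours to paid hours", [Node("Records of report comparisons")])])]),
    Node("Wrong salary used", [Node("Separation of duties for salary entry vs. time data entry", [
        Node("Examine signatures on certain forms", [Node("Records of examination")])])]),
    Node("Unrecorded overtime (hypothetical)"),
])])
```

Calling `matrix_rows(PAYROLL)` reproduces the three rows of the table plus a fourth with empty control, test and result cells; `coverage_gaps(PAYROLL)` names that fourth risk as uncontrolled.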
This can go on and on. I've given some payroll-oriented examples but many SOX concerns may have nothing to do with payroll. In your company, the terminology may be different. For example, some consultancies refer to process/sub-process and others to cycle/sub-cycle. An objective may be termed a control objective. Companies like Openpages specialize in software to track all of this.
How does SOX affect payroll?
The bottom line for payroll professionals is this: if you allow payroll checks to be calculated incorrectly to a degree that affects your company's financial statements enough to confuse stockholders, you will be causing problems for your company.
There is nothing inherent in SOX that dictates that all of your company's processes must be automated. However, automated processes are more likely to be performed consistently. And when the auditors come calling, it's nice to be able to point to a piece of software (such as timesheet software) which provides audit trails (an easy test result), separation of authority (a natural control), and a capable reporting system (some SOX tests). This gives SOX auditors something to look at besides just you.
Does anyone really expect payroll administrators and managers to understand SOX?
Absolutely. The SOX act is now a part of the way America does business; being able to handle SOX environments is critical to the future of payroll, and that future is a complex thing. Increasingly, payroll practitioners have more than just SOX to worry about.
When payroll executives implement time and attendance systems to automate payroll, they often miss the chance to facilitate greater profitability throughout the entire company. These payroll executives are, of course, payroll experts. They are usually not, however, experts at project accounting or billing automation.
However, the time data, if collected appropriately, can also be used to automate project management, project accounting, project tracking, and project estimation improvement, as well as for internal, external, and reverse billing automation — and any of these can become SOX concerns. Most payroll and HR executives know little about these subjects, but increasingly, they are being asked to rise to new challenges with SOX being just one of these.
Time and attendance, SOX, and the new people business economy
These new challenges are being caused by the tectonic shift from capital businesses to people businesses. This is a shift of valuing time as much as money. About 50 years ago, when most people twisted bolts in a factory, workers were not considered volunteers, they were not empowered, and managing the money of the company (i.e., the capital) was much more important than maximizing the time and knowledge of the worker. Such businesses are called capital businesses because power and wealth flowed from the capital.
Today, capital businesses are on the wane and companies are becoming people businesses. Simple manufacturing has moved overseas. Software, entertainment, consulting, design, and architecture exemplify people businesses, but increasingly, even traditional manufacturing businesses, like GM and Ford, win through design and intellect rather than through excellence in bolt twisting on the shop floor.
People businesses, like software companies and architecture firms, don't track employee time to minimize break times, if they track time at all. They do it to understand costs and automate billing, and to a lesser extent, to track salary, paid time-off, or to pay hourly knowledge workers correctly. These areas are rife with potential SOX compliance issues. The rise of the people business is challenging news for payroll and HR executives — and it makes their function more critical than ever. Furthermore, it may be our inexperience as business people in measuring creativity and other "soft" people-oriented assets that has led to some degree to scandals like Arthur Andersen, Enron, and WorldCom.
How time management software is changing
If an executive team running a company is really a team, then the responsibility of a payroll or HR executive on that team encompasses more than just payroll. Systems implemented must serve the entire company, not just automate payroll or hiring processes, and they must be SOX compliant.
In many cases, automating billing or project management provides a much higher ROI to the organization, and this can make the case that automation is both necessary and economically feasible. Many large organizations have employees fill out more than one timesheet: one for project management, one for customer billing, one for payroll, and sometimes another for vacation/leave tracking. This is unnecessary and can damage morale. The right time management system can replace multiple systems.
Time management systems that historically have automated payroll are an outdated concept for people businesses. Time tracking is now a core business process. It should automate payroll, billing, and project accounting. If SOX compliance efforts lead your company in the direction of replacing or upgrading your existing time tracking automation system, you should consider one that helps in all of these areas, particularly in project accounting, which has enormous SOX implications in its own right.
The SOX act is not only relevant to time tracking software, or to payroll, or to HR, but to all the financial processes in your entire company. It is your responsibility as a payroll professional to ensure your company's processes are the best they can possibly be.
About the Author
Curt Finch is the CEO of Journyx, a provider of web-based time tracking and project accounting software, located in Austin, Texas, that guides customers to per-person, per-project profitability. Journyx has thousands of customers worldwide and is the first and only company to establish Per Person/Per Project Profitability (P5), a proprietary process that enables customers to gather and analyze information to discover profit opportunities. In 1997, Curt created the world's first Internet-based timesheet application — the foundation for the current Journyx product offering. Curt is an avid speaker and author, and recently published All Your Money Won't Another Minute Buy: Valuing Time as a Business Resource.