The SOX Generation

Tuesday, 23 April 2019 00:00 Nick Sanders
Print

I was having lunch with a colleague recently, and we both lamented the difficulties in finding new talent for our government accounting/compliance teams. He has had an opening for months but been unable to fill it. I don’t have any openings at the moment, but I have had my difficulties in the past finding the right person with the right mix of training, skills, and experience.

Historically, trained and experienced talent comes from DCAA. Give me an auditor with 3 – 5 years’ experience who has become frustrated with the agency, and that’s somebody I want to talk to. Another source for talent has been the Big 4 accounting firms. As I’ve written in the past, those Big 4 firms (and the next tier below them) are great places for young graduates to get prodigious amounts of training and experience. At some point, though, it becomes apparent that you are on partner track … or not. If not, it’s probably time to jump off the train and land at a corporate job—in which case, I want to talk to that person.

But as my colleague and I chatted, it became apparent that the way things are now is not the way things used to be. The talent that is coming from DCAA and the Big 4 doesn’t have the same level of training and experience that we have come to expect. My colleague asserted that we are now dealing with “the SOX generation.”

What does that mean?

Well, in 2002 the Sarbanes-Oxley Act was passed in response to several recent scandals involving corporate financial reporting. Section 302 of that Act requires the principal executive and financial officers of a public company to certify in their company's annual and quarterly reports that the reports are accurate and complete, and that the executive and financial officers have established and maintained adequate internal controls for public disclosure. Section 404 of the Act requires that company financial statements contain an assessment of the effectiveness of those internal controls and procedures. Section 404 also requires that the financial statement auditors attest to and report on their assessment of the effectiveness of the internal control structure and procedures for financial reporting.

Since then—nearly 17 years ago—auditors have focused on evaluations of companies’ internal controls. That is obviously not the only audit procedures that are performed, but it’s become one of the major concerns. And it’s not just financial statement auditors. For years, DCAA has been inching towards a SOX-based approach to business system and other audits. For example, in its FY 2015 report to Congress, DCAA stated—

DCAA has been working with an industry volunteer to explore how DCAA might leverage the information that contractors already prepare for Sarbanes-Oxley (SOX) corporate financial statement audits. Contractors assert that there is considerable duplication of audit effort between financial statement auditors, corporate internal auditors, and contract cost auditors, and we began this pilot to investigate how information prepared for SOX audits could be leveraged for DCAA business system audits. DCAA and Industry agree that SOX will not replace a DCAA audit, but both are committed to exploring actionable measures that can increase efficiencies.

In addition, the Section 809 Panel recommended that the 18 DFARS adequacy criteria associated with an accounting system be scrapped and replaced with “an internal control audit to assess the adequacy of contractors’ accounting systems based on seven system criteria.” (Recommendation 72) The Panel wrote—

An internal control audit framework based on a body of professional standards developed to address SOX 404(b) serves as a foundation to help meet the government’s objectives to obtain assurance that contractors have effective internal controls for their business systems. Starting with this framework eliminates the need to develop uniquely defined criteria and terminology, which in turn reduces the time needed to make this framework operational. … Internal control audits should be performed as the basis for assessing the adequacy of defense contractors’ accounting systems because these audits provide the following:


Thus, a focus on internal controls rather than (or in addition to, if you prefer) transaction testing has emerged. Auditors know quite a bit about controls and control activities and control objectives. They are experts in the “walk-through” of process steps. They know how to identify artifacts that document controls were exercised. They know how to determine control effectiveness. The other stuff? Not so much.

Auditors entering the aerospace/defense or general government contracting world from DCAA and/or the Big 4 seem to lack the same detailed knowledge of FAR and CAS that they used to exhibit after just a few years of experience. (Yes, I know that’s a generalization. I wasn’t talking about you; you are an exception.) As a result, senior people (such as my colleague and me) need to do more coaching and development than we used to. Or at least it seems that way.

Are you a part of the SOX generation? If so, do you want to escape? Here are some thoughts on breaking out of the trap associated with a sole expertise in internal controls.

First, read. There are a number of good books that talk about CAS and FAR. I’m not talking about the actual regulations themselves. I’m talking about commentary on the regulations. Find a book and read about judicial decisions that interpret the regulations. It used to be that the DCAA Contract Audit Manual was an important book to read. At least it gave you one point of view in solid detail. However, in recent years the CAM has been eviscerated. What’s left is still useful; but it’s not the comprehensive guide that it used to be. So find other guides.

Second, network. Find an industry association or professional seminar, and go attend. While there, make it a point to meet people and get to know them. Solidify your relationship by reaching out via LinkedIn. For those in government service who have difficulty in attending an industry meeting, you can use NCMA or AGA (and there are other groups) for the same purpose. Attend your local AGA meeting and follow the same steps discussed previously. You’ll be surprised by who you connect with.

Finally, don’t be satisfied with simply doing your job. Seek to understand why you are doing your job. Aim for the big picture. Seek the theory. If you are a DCAA auditor, don’t just execute the audit program you’ve been given; seek to understand how the audit steps integrate with the applicable CAS or FAR requirements. If you are in an audit firm, work hard to break out of the SOX work and into other firm engagements. Talk to your senior or manager or partner about what’s next for you, now that you’ve mastered SOX work. If your management team is anything like my management team (from a decade ago), I think you’ll be pleasantly surprised by how your conversation is received.

The bottom-line: don’t be part of the SOX generation. Auditors with internal control expertise are valuable, to be sure. But auditors with that expertise plus other skills are much more valuable to companies, regardless of industry.