SOX compliance is not just a matter for your financial and IT departments. Larry Cucchi believes that human resources are important too.

In their role as coordinators, communicators and consultants, many of the risk managers of large multinational businesses are focusing on pulling together all the organisational strands that contribute towards achieving compliance with the Sarbanes-Oxley Act (SOX). They should not overlook the importance of the human resources (HR) function here.

What SOX requires

European companies listed on the US stock exchange have been breathing a sigh of relief following the decision by the US Securities and Exchange Commission (SEC) to give them an extra year (extending the deadline to July 2006) to comply with new corporate governance regulations.

SOX, passed by the US Congress in 2002, was introduced as a reaction to financial scandals involving US companies such as Enron and Worldcom, and aims to make companies more financially transparent and more accountable for handling business risks. Section 404 of SOX requires all publicly-traded companies to submit an annual report of the effectiveness of their internal accounting controls to the SEC. A recent US survey of corporate boards found that it cost them an average of $16m last year to comply with SOX regulations, representing a 77% increase over 2003.

SOX has far-reaching consequences for publicly-traded companies in the US, including all wholly-owned subsidiaries and all publicly-traded non-US companies doing business in the US. The regulations are complex and require significant resources for full compliance. All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

HR's pivotal role

Until now, the burden of SOX compliance has sat squarely on the financial and IT departments, but companies are increasingly realising the importance of HR - especially when it comes to reporting on labour costs and their transactional history. Accordingly, HR must have systems with adequate controls and audit trails in place for specific processes related to payroll and other compensation.

Beyond the obvious monitoring and transactional control, HR also has a pivotal role as the driver of internal communications and organisational change. How can HR take the lead in ensuring that SOX compliance is part of organisational culture? How can HR ensure the appropriate resources are on hand to make full compliance possible? If improper activity is occurring, how can HR ensure that whistleblower protections and other non-retaliation policies are in place and working?

Most importantly, HR has the opportunity to use SOX compliance to streamline processes, implement improved procedures, and emerge as a strategic leader in an organisation's SOX compliance efforts. HR can play a key role in several areas.

Controlling labour costs

Most companies spend 40% to 60% of their budgets on staff-related costs, including salary and wages, benefits, training, stock plans and personnel administration. Reining in these costs, clarifying existing policies and instituting new ones, and creating a close collaboration with finance departments is clearly within the purview of HR.

HR led the way in introducing technology to personnel functions such as payroll and benefits administration. These mature systems already have reporting and business intelligence capabilities that drive decision making.

Systems that automate and streamline talent acquisition are proven to introduce additional efficiencies that lead to cost reduction. The use of repeatable processes has the added benefit of yielding audit trails that are documented and defensible - because they are built right into the system. HR can now use this information to provide full visibility and metrics around the critical areas of labour cost and tracking for the salaried workers. But what about contingent spend?

As reliance on contingent workers - contract staff, apprentices, seasonal and temporary labour - continues to grow, it often represents an area of uncontrolled spending, with few checks and balances. This is an area where HR can apply its expertise in solving personnel challenges with appropriate technology in a way that adds significant value to compliance efforts. Solutions such as a vendor management system help consolidate and control such spending, while providing detailed transactional documentation and financial reports, similar to the information provided by payroll and benefits systems for salaried employees.

Similarly, a recruitment management system can introduce new levels of process consistency that cut costs for hiring salaried and hourly workers.

Not only does this aid with SOX compliance for financial reporting, but it ties into a variety of regulations surrounding diversity initiatives.

Avoidance of legal penalties, lawsuits and other actions in the area of hiring or employment discrimination is a clear gain.

Many such systems already include the process control, analytic, auditing and reporting functions that comply with SOX requirements. Implementing automated technologies that tie in with existing financial systems can eliminate the burden of manually compiling information on labour spending for compliance reporting. The documentation and audit trail features make it possible to proactively monitor compliance, rather than finding problems after they have occurred.

Establishing consistent practices

HR business processes clearly have a significant impact on the company's financial position, and, in particular, consistent and defensible employment practices are important safeguards for minimising risk exposure, especially in the area of executive compensation, benefits and perquisites. The ability to demonstrate consistency in such practices will ease reporting and reduce any appearance of impropriety.

In the area of recruitment, HR must be proactive in avoiding compensation inequities and diversity issues. Proactively implementing diversity initiatives can help companies stay clear of government audits and lawsuits - both of which can result in significant financial losses.

In retaining employees, HR should have clear pay structures that are in line with market salary levels. Performance management or appraisal systems must be administered effectively and consistently. HR should take an active role in planning leadership succession, thereby avoiding gaps in the executive team that could lead to lapses in corporate responsibility.

Protecting personnel data

HR data integrity must be factored into security policies and internal controls. HR systems contain sensitive information, and an important aspect of SOX compliance is to ensure that this data is secure and adequately protected. Adding to the challenge, even the most sensitive HR data must be available to the finance departments for reporting.

Beyond SOX compliance, European businesses already face many regulatory challenges affecting HR, such as the employment directive and race directive.

Failure to meet these regulations can affect corporate reputation and result in significant fines. Questions surrounding the organisation's ability to adhere to its stated code of ethics could also arise, casting a pall on its commitment to compliance.

Companies must make efforts in all good faith to comply with data protection principles and data security measures. HR can take the lead in implementing systems and policies that protect sensitive personal information and guard against inadvertent disclosure.

Driving organisational change

Perhaps nothing is more important in SOX compliance than having a culture of integrity and honesty that permeates the organisation at all levels.

With transparency as a critical component of SOX compliance, it is crucial that changes of personnel, roles and processes are communicated to employees, shareholders and other stakeholders.

HR professionals can help instill these values through focused communication, training programmes, policy manuals and other methods. HR must particularly ensure that all senior managers champion compliance and the corporate culture of openness that surrounds it, and executive management must set a tone of responsibility and demonstrate commitment to reporting structures and rules. HR must work with corporate governance to establish a code of ethics and communicate it and accompanying practices throughout the company.

This means creating an environment where employees can safely and confidentially raise questions about ethical issues. SOX specifically contains whistleblower provisions designed to protect employees from retaliation if they report wrong-doing. HR must make it possible to question corporate actions without fear, and must communicate proactively and frequently on the subject.

Being an active partner

Non-compliance with SOX is not trivial and can result in significant damages to a company's value and reputation. HR plays a crucial role alongside the financial and IT departments in managing the risk involved in working towards compliance.

By aligning HR objectives with finance and the business, HR can readily support the company's compliance efforts. HR organisations that succeed in this area will see SOX as a catalyst for improving efficiency and effectiveness, rather than an administrative burden. HR can take the lead in implementing new technologies that introduce process controls and ensure accuracy and integrity.

In addition, HR must lead organisational change and promote the strict standards of corporate behaviour, responsibility and ethics that will ultimately drive shareholder value. Organisations with a corporate culture based on openness and honesty with employees, shareholders and regulators will reap the benefits that compliance will bring. HR must lead this charge by instilling trust at all levels.

- Larry Cucchi is international managing director at Peopleclick.

WHISTLEBLOWER COMPLAINT PROCEDURES

Holly M Robbins, a partner in the Minneapolis office of Faegre & Benson LLP, warns that a SOX whistleblower complaint carries with it the potential to escalate into a full-scale investigation of the underlying issues raised by the complaint, as well as the potential for criminal liability, individual liability, and civil liability in conjunction with the whistleblower claim itself. Writing on the firm's website, she suggests a five-step approach to avoiding a Sarbanes-Oxley whistleblower charge. In summary, this comprises:

- adopting a policy
- providing training and facilitating communication
- managing employee performance
- conducting an effective investigation
- preserving and making accessible documents and records.

Robbins also gives a useful guide of five things companies should know if an employee files a SOX whistleblower charge, in respect of: process; charge responses; employee's burden of proof; defending the charge, and discovery.

To read the full text, visit: