Remediation Center: Tying SOX Compliance to Compensation

Barken Lee | April 15, 2008

At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week's editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.


A business unit has tied individual performance goals for its division controllers to zero deficiencies for the annual SOX testing; failure to meet performance goals may result in a reduced salary increase for the next year. I see this as an indirect control issue with potential positive and negative consequences—much more negative than positive.

For example, would a policy like this lead to a greater focus on internal controls with a reduced rate of SOX test failures? Or would there be pressure to cover up control deficiencies that may still exist because of the greater focus?

The COSO framework warns of “pressure to meet unrealistic performance targets … and the extent to which compensation is based on achieving those performance targets.” Well, I'd expect that the scope of testing could be expanded or curtailed depending on the perceived impact of this type of incentive. Are there any studies, standards, or best practices on this?


To your question about how division controllers might be influenced by financial rewards or penalties, consider two cautionary factors. First, how material is the reward? A 50 percent salary bonus will probably be more influential than the promise of a celebratory lunch with wall plaques for everybody on the team. Second, how realistic is the goal? Your leadership team likely subscribes to the “Management by Objectives” (MBO) philosophy, as outlined by Peter Drucker in his 1954 book, “The Practice of Management.” Setting goals can be a great management tool. But at your company, are zero deficiencies even a realistic objective?

As an auditor, I can tell you that any time an incentive-based system is discovered, we tend to look a little closer. For example, if a sales manager receives a bonus for achieving certain sales goals, we dig a little deeper to see if the sales process has appropriate segregation-of-duties controls in place.

Ultimately, your question boils down to one of ethics and integrity; it may even call into question the “tone at the top” of your company. Poorly chosen incentives have the unfortunate byproduct of placing additional stresses on corporate internal control structures. At some point, the people in your organization will be faced with a challenging crossroads where they will choose to flex their ethics muscles or succumb to lapses in judgment. In your case, when faced with a performance goal of zero deficiencies, a financial incentive will either encourage employees to work extraordinarily hard to achieve zero deficiencies, or work extraordinarily hard to circumvent controls and create the appearance of achieving zero deficiencies. Will your employees feel pressure to work the extra hours, or will they feel pressure to fabricate evidence and lie to auditors?

In 1987, when a judge sentenced Barry Minkow, founder of ZZZZ Best Carpet Cleaning, on 54 fraud convictions, the judge pointed to a stack of some 22,000 painstakingly manipulated documents and told the young entrepreneur that if he had spent half as much time focused on growing his business instead of forging documents, then he might not have found himself facing a 25-year prison sentence.

Sadly, there is no foolproof audit test to determine an employee's inclination toward honesty or his ability to resist temptation. Since each individual reacts to incentives differently, it's important to tread carefully in your situation. Still, just because an employee gets a paycheck and therefore has an incentive to get out of bed in the morning, that doesn't automatically mean that the employee is predisposed to act unethically.

To some extent, every CFO has pressure to manage earnings (with or without formal bonus plans in place). Therefore, as auditors, it is our duty to exercise professional skepticism in everything we do. That's not to say that we think everybody is acting unethically just because there is a financial incentive. An environment with unrealistic and unusually aggressive incentive structures, however, will certainly warrant further scrutiny.