For a company that has gone public three different times—both before and after enactment of the Sarbanes-Oxley Act—food-service giant Aramark certainly brings a unique perspective to the growing pains of SOX compliance and the lessons learned along the way.
Aramark, with $14.4 billion in revenue in 2016 and operations in 22 countries, first went public in 1959 and then went private in 1984 to thwart a hostile takeover. Then it went public again in 2001. But at that time, Congress had not yet passed the Sarbanes-Oxley Act of 2002, and so when Aramark went public a third time in December 2013 (having privatized again in 2007), it was a bit of a rude awakening from a SOX compliance standpoint.
“Management wasn’t used to the scrutiny of the external auditors in this area,” Patrick Morgan, Aramark assistant vice president of financial controls, said during a recent Webcast. The dramatic increase in the level of documentation required by the control owner, in addition to having to suddenly reevaluate its risk and control matrices, made Aramark’s first year of SOX compliance in fiscal year 2015 a “bumpy ride,” he said.
As Morgan candidly put it: In a private-company setting, keeping risk and control matrices up-to-date and making sure they are widely distributed, generally is not approached with the same rigor as a public company. “Reinstalling that rigor was a process and a journey,” he said.
Compliance with SOX Section 404, specifically, has proven arduous and costly. Section 404 requires, among other things, that external auditors attest to the effectiveness of the company’s internal control over financial reporting in accordance with the Public Company Accounting Oversight Board’s broad interpretive standards.
“I don’t think you’ll ever see SOX go away,” Morgan said. However, he said, the amount of pressure being placed on companies today needs to be toned down. “From my audit experience and what we are doing here at Aramark, companies are doing a lot and investing a lot to do the right thing.”
“I don’t think you’ll ever see SOX go away. From my audit experience and what we are doing here at Aramark, companies are doing a lot and investing a lot to do the right thing.”
Patrick Morgan, Assistant VP of Financial Controls, Aramark
For chief audit executives and internal auditors, the real pain point comes from the pressure that the PCAOB puts upon external audit firms, “which they then press upon their clients about the accuracy and completion of reports,” Morgan said. Aramark’s external auditor, KPMG, “relies on a significant amount of our testing,” he added, and so having confident and independent testers is invaluable.
Aramark, for example, has a financial control team whose members include former public accountants. At a high level, this team is a subset of the internal audit group for purposes of independence. For other public issuers, Morgan recommended having in place a team of experts who know the audit standards inside and out, who can speak the lingo of external audit partners, and who can work with external auditors to resolve any type of internal control matters.
For multinational companies, specifically, a significant compliance risk intrinsically comes with the number of people who are performing testing globally. For example, Aramark is both a food company and uniform business, each with its own business processes and IT controls in every country of operation, including in Chile, China, Germany, and the United Kingdom, among others. Each location has a corporate controller and/or a SOX leader responsible for maintaining the risk and control matrix and providing access to the audit group to go and assess the accuracy and the implementation of those internal controls.
Such disparate controls, however, made Aramark’s first go-around with SOX compliance not as exacting of a process as it needed to be. Sending out requests for status updates on control assessments would elicit responses like, “We’re 30 percent done with testing,” Morgan said, but it was different to validate the accuracy of those status reports for each line of business and location.
“Getting access to testing in a spreadsheet environment isn’t easy,” he added. Nor could it be clearly determined whether risks had been addressed or even assessed. Meanwhile, the company was devoting internal resources to the effort and incurring significant cost with its co-source partner, PwC, which supplements Aramark’s control testing.
SOX compliance automation. That’s when the decision was made to move away from manual processes and invest in an integrated risk management solution to help streamline the cost of SOX compliance. So, in 2015, Aramark invested in Riskonnect’s SOX technology.
SOX SECTION 404
Below is a direct excerpt from Section 404 of the Sarbanes-Oxley Act of 2002.
(a) Rules required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the board. Any such attestation shall not be the subject of a separate engagement.
Source: Securities and Exchange Commission.
The first step in Aramark’s SOX compliance automation journey was deciding what needed to be automated. Morgan said that required incorporating Aramark’s risk and control matrix into the SOX solution itself, to get a holistic picture of the company’s risks, its controls, and how those link together.
The next step was to automate workflow by creating the roles of testers and managers. It was also important to ensure that control owners could see their risk and control matrix and be able to submit their supporting documents, without also seeing the testing. There needed to be that segregation of controls.
Issues management was another focus for Aramark when building its SOX integrated risk management solution, ensuring that managers could automatically receive notification from control owners when issues arise, documenting the acceptance of those issues, and then being able to update the status of remediation efforts. Being able to track the status of internal control testing was also a necessity.
At a broader senior-management level, having dashboards available—whether daily, weekly, biweekly, or whenever necessary—also has its benefits. In this way, the chief accounting officer, for example, can clearly see how the lines of business are performing in terms of SOX: “Here are current deficiencies that need to be [addressed]. Here is who we should be talking to. Here is where you should be putting the pressure,” Morgan said.
Cost savings. Through automation, interaction with Aramark’s external auditor, KPMG, has been reduced significantly, due to the quality and consistency of testing, Morgan explained. “The work is cleaner. It’s more timely, and it’s easy for [KPMG] to access,” he said. “Auditors can reduce their touch on the business. That’s the real value.”
Furthermore, external auditors don’t have to constantly ask about the status of reports. “We can now have real conversations on real issues,” Morgan said.
The same benefit—having real conversations about real issues—has been realized from a corporate governance perspective; instead of dedicating what seems like the entire year to SOX 404 testing, now tests are performed at targeted times of the year. This has allowed the team to devote more time and energy into thinking about how they can make process improvements and become a better business partner.
Finally, in addition to making the process more efficient and accurate, SOX compliance automation also helps build accountability by providing a window into how the performance levels of control testers stack up against one another, Morgan said.
Together with processes, policies, and procedures, every company—public and private—needs to have robust internal controls to effectively prevent material misstatements and prevent SOX 404 compliance violations. “If you have that,” Morgan said, “you’re going to be more effective.”