In the latest of our conversations with compliance and governance executives, we catch up with Ross Williams, chief risk and compliance officer at Cognizant Technology Solutions. Readers can also visit our archive of Q&A interviews.

DETAILS

Ross Williams is vice president and chief risk and compliance officer of Cognizant Technology Solutions. Williams has more than 22 years of diversified accounting, finance, and compliance experience. He joined Cognizant in 1998 as the company’s corporate controller, responsible for Cognizant’s SEC reporting, corporate accounting, and tax functions. Williams is currently responsible for risk management, internal audit, Sarbanes-Oxley compliance, and code of ethics awareness and compliance programs.

Prior to joining Cognizant, Williams was director of finance at IMS Health, where he was responsible for external financial reporting and SEC compliance. Prior to that, he was director of finance at Dun & Bradstreet, where he provided finance oversight of D&B's Global Operations Division, which was established to promote business unit synergies in the areas of real estate, purchasing, facilities management, and technology. Previously, Williams held key accounting and finance positions at the operating and staff levels of Reuben H. Donnelley, a former Dun & Bradstreet subsidiary.

COMPANY BASICS

Company: Cognizant Technology Solutions
Headquarters: Teaneck, NJ
Employees: 38,800
Industry: Information Technology
’06 Revenue: $1.4 billion

Tell us about your role at Cognizant and how long you’ve been doing it.

My current role is vice president and chief risk and compliance officer. That was recently expanded to include enterprise risk management. I’ve been in this role for about three years. Prior to that, I was Cognizant’s corporate controller for six years.

Who do you report to?

I report jointly to the CEO and the CFO.

How big is your team?

My team consists of approximately 10 resources based in the United States, United Kingdom, and India. We’re currently evaluating our staffing needs to incorporate ERM activities in 2008.

Do you outsource any of your work?

We outsource the documentation and testing portion of our Section 404 work. Since the majority of our accounting is centralized in Chennai, India, we needed to obtain local expertise, which we did not have when SOX came along. One of the Big 4 firms had an existing internal audit practice in Chennai so engaging them to do our SOX work was a logical extension of their core competency.

What are the questions the board and senior management are asking you most often?

Our senior management, the audit committee, and board of directors have been very engaged in our SOX efforts from day 1. During the first year of SOX, I had about 10 update sessions with the audit committee, which was an unusually high number. The most common questions have been:

“What is the status of our current-year SOX efforts?”

“What controls are in place to detect and prevent fraud?”

“What trends do you see in internal and external SOX costs?”

And most recently: “How are the external auditors changing their approach as it relates to SOX developments such as Auditing Standard 5?”

Since you mention it, what are you seeing for SOX cost trends?

Internally, costs have stabilized and we’re actually seeing some reductions due to efficiencies realized during 2007 as a result of AS5. That being said, we think there’s still more value and lower costs to be derived in 2008.

As far as external costs, the trend has been a flattening of fees as auditors have been able to become more efficient in applying an integrated approach and the concepts of AS5. The most significant changes have been their ability to reduce scope for low-risk entities or processes within the company and to increase their reliance on management for certain testing and walkthroughs.

How does your current position differ from your experience as a controller?

The compliance group initially was established to address SOX compliance. Over time it expanded to incorporate other compliance areas such as immigration, labor laws, privacy, FCPA, etc. Just recently the role was broadened to take a more coordinated and structured approach to the risks facing the company. This is a natural evolution that I’ve seen in many companies, who are looking to build on their SOX efforts and get ahead of the curve as it relates to risk.

My current job has a lot less structure than when I was the corporate controller. On any given day I could be dealing with issues related to SOX, internal audit, awareness programs related to our code of ethics, or whistleblower hotline issues. It’s more varied than my controller experience, when I pretty much knew what to expect in terms of the quarterly close and financial reporting.

Talk about the early SOX years under AS2. How did that go?

I think the first couple years of SOX were extremely difficult for all companies. No one really had a good handle on what was required—not companies, not auditors, and not consultants. The guidance and rules were evolving, and there was a huge incentive to be overly cautious and conservative; no auditor wanted to be the one that gave a clean opinion only to have a company report a restatement the subsequent year …

So I think that those early years by definition were destined to be difficult. I’m not sure that streamlining was realistic before the concepts of the integrated audit and risk-based approach were introduced or emphasized.

How do you think life under AS5 will differ?

Life has already improved under AS5, and I believe it helped to drive Section 404 more in line with what Congress originally intended. This was a swing in the pendulum back to something that was practical and realistic. In my view AS2 was asking too much of auditors and didn’t provide enough clarification. Accordingly, the auditors were ultra-conservative in approaching the integrated audit.

With AS5, I was initially skeptical about whether we would see a difference in the approach applied by our auditors. In the beginning it seemed like the same amount of focus was spent on petty cash as on revenue recognition, yet the two areas were on opposite ends of the spectrum regarding risk. Now there’s a heck of a lot more emphasis on revenue recognition than petty cash, and that’s the way it should be. In hindsight, I can say that AS5 has driven a significant change in their methodology.

You must be talking with your auditors about AS5. What’s being said?

We’re spending a lot of time with our auditors to understand how their approach will change under AS5. It’s in management’s best interest to make sure they’re closely coordinating with the auditors, since what a company chooses to do or not do can have a significant effect on the extent of work performed by the auditors.

Our auditors have scoped out some of the lower-risk entities and processes that were previously in scope. That has reduced their time and effort and in turn has helped to keep costs stable. For certain processes, the auditors are relying more on management for their walkthroughs and testing results, which is very welcome. Now, instead of having process owners sit down with two separate groups, we can leverage one walkthrough. We’re also seeing a shift in the review of IT general controls to those that are really critical.

How about that management guidance from the SEC? Anything useful there?

I think that since AS5 is the “rule book” for auditors, it represents the essential guidance that companies must digest and incorporate into their SOX planning. While the SEC’s guidance for management was helpful, in the end management needs a thorough understanding of the requirements on auditors to effectively plan the extent of SOX scoping and activities. Otherwise management runs the risk of doing too little, or generally being out of sync with their independent auditors, which in turn results in them taking on more work than originally anticipated. Being out of sync with the external auditors is probably the biggest pitfall to avoid when implementing or administering a company’s SOX compliance.

What are some best practices that you would recommend for companies?

The first would be establishment of awareness programs. This comes back to educating the workforce. It’s not enough to have a code of ethics on your Internet or intranet site, and to have employees sign once a year or when they first join that they’ve received it. You really have to have a variety of ways of reaching associates and ensuring they understand what is expected of them.

In addition, soliciting feedback from the field is extremely important. Focus groups and surveys are essential. That’s the way you find out what types of compliance or ethical dilemmas the workforce is facing, and what the pressures are that lead people to violate laws, regulations, and policies, such as the code of ethics.

What are your goals for this year?

My most immediate priority is to build the ERM function, which is relatively new at Cognizant. This will involve becoming a partner to key stakeholders within the organization, to the point that they’re initiating discussions on compliance and risk-management topics. When people in the field are inviting you into discussions on governance, compliance, and risk-management matters, that’s when you know you are really adding value.

Thanks, Ross.