The job of the CFO is to marshal the stakeholders and resources necessary — IT, business leaders, HR, legal, and C-suite, among others — to ensure that all of the technology and processes are in place and working flawlessly when the new rules kick in.
Experts note that a risk assessment is one of the most critical tasks when evaluating the impact of a new compliance rule. To be effective, the risk assessment team must involve business functions beyond finance.
“For lease accounting, for example, you need someone from the IT group as well as the legal team to assess the completeness and accuracy of the lease contract data, and people from operations who could help determine whether the leases include service arrangements,” according to David McKay, Partner, Edelstein & Company, an accounting firm. “You need to identify gaps and potential gaps in compliance and fill them, and that means involving people beyond finance.”
While subject-matter experts need to be on the compliance team to address specific areas that will be affected — such as operations for leases and IT for security-related compliance — the executive team needs to be represented. “Senior management needs to be directly involved because compliance concerns are intertwined with the health and future of the business,” said Roy McDonald, Partner, McDermott Will & Emery, an international law firm.
Compliance is typically treated as something that is outside of the normal operational tasks, but there are risks associated with underfunding compliance efforts. Most compliance efforts remain fairly lean: about half of all respondents to the Deloitte/Compliance Week 2016 survey reported annual compliance budgets of $5 million or less. In addition, respondents didn’t hold out much hope for near-term improvement, noting that they anticipated modest budget increases in the coming year and had five or fewer full-time staffers assigned to ethics and compliance.
“You need a robust compliance plan, but it becomes meaningless if you don’t set aside the resources, including staff, budgets, and systems, to fully implement it,” said Howard Scheck, Partner, StoneTurn, a forensic accounting and expert services firm.
Even the best laid plans can’t prevent every compliance misstep, so there needs to be a strategy for responding when internal controls or, worse, regulators, find something awry. “You not only need a compliance plan, you need to have a plan of action for assessing the severity of the issue and remedying it quickly,” Scheck said.
For public companies in particular, running afoul of regulators has serious consequences. There are stiff monetary penalties to be certain, but the damage can run even deeper. The company may be forced to issue an earnings restatement, seriously shaking confidence in the company and its executives. Investors could flee and bad press could make it difficult or impossible to recover.
While private companies don’t face the same level of compliance scrutiny as public firms, stakeholders and investors do not have a positive view of companies that don’t meet compliance standards, particularly if they have plans to take the company public.
A CFO's Guide to Compliance
With diligent preparation and the right team, companies can stay in the good graces of regulators in the wake of upcoming changes.