IN-HOUSE MEETING planners be warned: If your internal auditing department hasn't yet taken an interest in your meeting spend documentation, it's only a matter of time. That's because section 404 of the Sarbanes-Oxley Act — a bill enacted in 2002 to increase U.S. corporate responsibility and curtail accounting scandals — recently became law for some large public companies.
The upshot of SOX section 404, says David Kaufman, a partner in New York-based Acquis Consulting Group, is that planners will need to show not just that numbers are correct, but that processes are audited and controlled. Kaufman is a former auditor who for the past 10 years has been working with large and mid-sized companies in the areas of strategy, process improvement, and cost reduction, with a specialization in corporate travel and meetings.
Why should corporate America be concerned about SOX compliance?
David Kaufman: SOX is new, and it is having a snowballing effect. As companies become more involved in SOX compliance, it is hitting various departments and employees hard and creating a large impact that affects everyone in the company. What's different about SOX compared to other industry regulations is that it will also focus on areas traditionally considered non-core — such as meeting planning.
How does section 404 of SOX affect meeting planning departments?
This section — which requires companies to provide a report that demonstrates appropriate internal controls and control effectiveness, and also requires that registered external auditors attest to the controls report — will have the most impact on meeting planners. It requires documentation not only of the processes, policies and procedures that are in place, but companies must relate the controls to the policies and procedures.
Meeting planners need to focus on areas where there are risks of error, fraud or noncompliance with policies, and document the controls that are in place to mitigate those risks. This covers the scope of the planner's job description, including site-selection criteria, requests for proposals, planning and organization of activities at meetings, post-meeting activities and contractual agreements. SOX doesn't state what the approval process needs to be for booking a vendor such as a hotel, but planners should have a documentation process for each expenditure with a provider, and it should lay out what type of approval they need, and in what form. The documentation should also point out what controls are in place to ensure compliance with corporate policies.
The SOX legislation applies to publicly traded companies in the United States. Why should private companies also be concerned about compliance?
Two reasons: First, SOX is based on best practices. Concepts such as documentation, auditing and controls should be in place in all organizations. Second, most private companies work in some capacity with public companies. Those public companies are going to want to work with companies that are SOX-compliant themselves.
Do you think there is any danger that the kind of corporate scandals that led to SOX could lead to investigations of travel incentive programs?
Because of SOX, there will be a focus on high-risk areas within companies, travel and incentives being one of them. Companies will need to make sure they can justify their expenditures for incentive programs and document that the programs are appropriate for the business, are justifiable and are consistent in the way they are awarded. That said, unless incentive programs are repeatedly found to be at risk, or are specifically targeted by the media, I don't foresee a large-scale focus on them.
What can planners do to set up a compliance road map?
Companies can vary so much in a direct comparison of their processes and technologies that each compliance road map would be specific only to that one company. That said, planners should begin with a comprehensive assessment of the controls and documentation they currently have in place. Then they should identify all areas of risk, including fraud, errors or inconsistency between policies, and mitigate these risks with controls, or with documentation on why the risk is acceptable. One of the most difficult jobs for a meeting planner is going to be choosing a format for documentation. While planners should be soliciting feedback from their accounting or auditing departments, some companies are even setting up internal SOX teams. Planners should ask these internal departments for basic documentation templates.
For SOX compliance, some experts say that senior management should sign off on meeting objectives and even meeting contracts. Do you agree?
What auditors look at, more than the actual rule, is that a procedural rule on contracts is put in place and is followed consistently. Having senior management sign off on meeting objectives and contracts could be helpful to planners, but this doesn't mean you should get the CFO's signature for every meeting expenditure — that would be burdensome and counterproductive. Planners need to maintain control of their responsibilities without taking on too much personal risk. It's about balance. If you typically sign vendor contracts and something unique to a contract comes up that hasn't been written before, even if it seems minor, you might want to get someone senior to you to sign off on that contract to protect yourself.
Can you give any advice on what external auditors will be looking for? Any red flags?
Auditors, like everyone else, appreciate it when their job is made easier. Their task is to highlight risks and show controls. Planners would be better off admitting risks and their mitigation upfront, rather than denying that risks exist.
The documentation of processes needs to be detailed but clear and easy to follow. Use process flow charts, outlines and lists to help with the organization. If you can't easily explain it, or someone can't pick up the documentation and understand it, you haven't successfully completed the task. Also, auditors will be focusing on control lists. These should be tied in directly to the process flows. I like the idea of putting a symbol for controls within the process documentation, so the auditor can easily match the process to the control.
If I were asked to give just one piece of advice, it would be: Protect yourself. Document, communicate and don't make decisions that could be deemed inappropriate.
TOP 10 LIST:
WHAT PLANNERS CAN DO NOW TO JUMP-START SOX COMPLIANCE
1. Clean your house. If you have been doing something in the “gray area,” stop now.
2. Document your processes in a clear and consistent manner.
3. Create or update your corporate travel and meeting management policies.
4. Admit control weaknesses, but document how to fix or mitigate them.
5. Work as a team with appropriate colleagues in your company, such as internal auditors.
6. Use this time as an opportunity to improve processes, systems and documentation.
7. Don't overcompensate by putting in unnecessary controls. For example, having a policy that states four people need to sign contracts rather than one or two can open up the company to more risk if the policy is not followed.
8. Realize that this is a continuous change in your job, not a one-time thing.
9. Speak to others in your company about what they are doing for compliance.
10. Protect yourself by having documentation on any changes to, or departures from, policy.
Regina Baraban is editor of Special Events' sister publication Insurance Conference Planner, where this article first appeared.