John Wheeler's previous title -- relationship manager -- also describes his current compliance mission with SunTrust Banks Inc.
As senior vice president of financial reporting risk management, Wheeler is responsible for elevating the Atlanta-based, $1.7 billion bank's Sarbanes-Oxley compliance program from "sustainable" status to ongoing "improvement" mode. To execute that board-level mandate, Wheeler educates and empowers process owners to understand, monitor and improve financial-reporting internal controls.
"To do this successfully, you have to embed the compliance process within each of the company's businesses," says Wheeler. For example, formal control review meetings are now conducted quarterly among a SunTrust division head, the risk manager assigned to that division, and the "owners" of internal controls within the division to ensure that the controls are operating effectively. Another division includes the detailed control test results for a process/control owner's area as a formal portion of that owner's annual performance management review document.
The organizational structures, technologies and processes that fuel SunTrust's compliance empowerment effort provide useful guidance for companies striving to sharpen their compliance efforts and to integrate compliance with risk management and governance processes.
The seeds of SunTrust's move toward integrated governance, risk management and compliance were sown before the Sarbanes-Oxley Act became law.
In 2000, SunTrust adopted a strongly risk-based internal audit strategy. To do so, the function required a more project-based approach than it had previously employed. "If we didn't make that shift, we could have languished in one area for a long time," Wheeler notes. The new approach altered the nature and extent of internal-control testing in many areas. Rather than working through all areas of the company, the internal audit function focused more time and resources on areas of higher risk. For example, the function reduced the sample sizes and shifted testing to inquiry/observation in low-risk areas such as fixed assets, and it increased sample sizes and performed more detailed testing in higher-risk areas such as derivatives.
Internal audit's successful transition to a project mindset and risk-based approach resonated with executive management and the board of directors nearly four years later when the company's initial stab at Sarbanes-Oxley compliance began to languish. "Both our audit committee and executive management realized that we had over-scoped the effort," notes Wheeler. At that time, the year-one compliance team had identified roughly 12,000 internal controls that required testing. The audit committee asked the internal audit function to drop what it was doing to re-scope and take over Sarbanes-Oxley compliance, but only for one year.
Wheeler, who occupied the number-two spot within internal audit as a group vice president and relationship manager, was assigned to lead the effort. "It was a massive undertaking," he recalls -- and a successful one. The new team of 70 internal auditors immediately began reviewing the 12,000 internal controls and the large number of associated deficiencies, most of which were unrelated to financial reporting. For example, situations arose where a control required proper safeguarding of nonfinancial documentation. Work in progress left on an employee's desk in a secure area but not properly stored in a locked file cabinet was deemed a control deficiency by the initial compliance team. "Those sorts of deficiencies were creating so much noise that we couldn't get at the core issues that we may or may not have had with our financial reporting," Wheeler says.
The internal audit team re-scoped and ultimately whittled down the number of meaningful financial reporting internal controls to about 1,000. The primary method used to distinguish meaningful vs. immaterial internal controls involved mapping the controls to the financial statements through the use of significant account assertions. Significant accounts were identified using a quantitative materiality threshold and qualitative factors to determine the risk of material misstatement. Once the significant accounts were identified, the controls that supported the assertions required for the corresponding account were identified. The controls that did not support an assertion were not included as a key financial reporting control. The assertions include those described in Significant Account Assertions, below.

This more-focused scrutiny bore immediate, if unsavory, fruit; a genuine material weakness in internal control over financial reporting was uncovered. The associated accounting error, which stemmed from inadequate controls related to a newly implemented loan loss reserve calculation methodology, required SunTrust to restate earnings (upward by roughly $32 million) for the first two quarters of 2004. The audit committee quickly launched an independent investigation, led by an outside legal firm, that resulted in the firing of the bank's chief credit officer and two other finance executives.
SunTrust's Sarbanes-Oxley compliance improvement effort coincided with the creation of a corporate risk management program, in support of the company's move toward a more integrated approach to managing risk across the enterprise. Robert Coords oversees corporate risk operations including anti-money laundering (AML), operational risk control, Sarbanes-Oxley compliance management, model validation, and a new Basel II capital management function. Coords previously served as the company's chief quality and efficiency officer and currently reports directly to SunTrust CEO James M. Wells III as senior executive vice president, chief risk officer. He quickly made changes designed to cultivate a more integrated approach to managing risk throughout the enterprise.
On the corporate governance front, the bank formed a board-level risk committee consisting of five directors. Risk managers were assigned to each of the bank's five businesses and to each major corporate function. An operational risk forum that monitors risks throughout the bank based on reports from risk managers was also established, together with a financial reporting control committee which consists of the CIO, the controller, a top HR executive and other senior executives with vested interests in internal control. The members of the latter committee are a subset of the corporate disclosure committee, which provides guidance to the CEO and CFO to enable those executives to certify financial statements in accordance with Sarbanes-Oxley Section 302.
On the compliance front, the internal audit team successfully achieved its mission of year-one Sarbanes-Oxley compliance. At that point Coords asked Wheeler to establish a more streamlined and permanent Sarbanes-compliance infrastructure. Wheeler's financial reporting risk management (FRRM) group of 16 full-time, dedicated employees now resides in the corporate risk management organization. The staff members possess varied backgrounds that include both financial reporting and accounting expertise as well as an understanding of business processes and the controls around them. Specifically, the staff includes former external auditors, internal auditors, financial analysts, controllers, assistant controllers, financial reporting directors/managers and information technology specialists.
Wheeler regularly attends the operational risk forum and ensures that the financial reporting control committee reviews all deficiencies and control issues that his group identifies. The FRRM group's specific responsibilities include monitoring and assessing financial statement risk on a quarterly basis; maintaining standards that involve internal control documentation within the company and among vendors (including regular SAS 70 reviews) while monitoring entitywide controls and IT controls; and managing the internal-control deficiency classification process and remediation effort.
The Compliance Mission

Objective: Elevate the "sustainable" Sarbanes-Oxley compliance program to a compliance approach that integrates more deeply with business and enterprise risk management processes.

Keys to Success:
1. Create a lean financial reporting risk management group that reports to a financial reporting control committee and participates in an operational risk forum.
2. Transfer internal control monitoring responsibility to process owners via integrated training (compliance software usage and internal-control monitoring), links to incentive management programs and "championing" by business-unit risk managers.
3. Leverage the internal audit function's independence and expertise to test internal controls.
When an internal control problem crops up, Wheeler's group seeks to understand and classify the severity of the issue. Depending on the severity, the matter is reported to the financial reporting control committee, which, if necessary, relays the matter to the disclosure committee.
After a significant deficiency or a material weakness is reported, FRRM resolves the problem. "We work with the risk managers and the process owners to make sure appropriate action plans are established and then tracked," Wheeler explains. "And then internal audit comes back in and tests those controls once they've been remediated."
That process requires the transfer of ownership for monitoring internal controls to the areas of the business in which the controls reside. "We knew that once we cleared the hump of our initial compliance implementation, people would return to their 'day jobs' and it would be difficult to maintain the necessary compliance focus," says Wheeler. So SunTrust made compliance part of its employees' day jobs.
FRRM and the bank's training and development group created an integrated Sarbanes-Oxley compliance training program. This Web-based platform simultaneously teaches process owners about their internal controls and shows them how to monitor and document those controls using compliance software from OpenPages. The training concludes with a test to ensure competency. "We made an investment in making sure that the training was portable, easy to maintain and integrated," says Wheeler.
To reinforce the ownership of compliance monitoring responsibilities throughout the business, the company requires most employees to incorporate risk management objectives into their annual performance goals. The achievement of those objectives is evaluated in formal year-end performance reviews. The goals, along with other objectives, are tied into incentive programs. "We realized that to make this thing fly, we've got to incorporate [risk and compliance management responsibilities] into our incentive plans," Wheeler emphasizes. The risk managers who work within each business reinforce the importance of ongoing compliance monitoring. For example, an individual's incentive payment can be negatively affected by the failure to complete deficiency remediation action plans within an agreed-upon timeframe.
These structural, training and performance management mechanisms have strengthened compliance and risk monitoring among process owners and freed up internal auditors to do what they do best. "People throughout the organization now understand what it means for a control to be effective," says Wheeler. "Our risk managers champion our efforts. They help us educate the various process owners in their businesses about compliance and continuously reinforce their understanding of how best to meet our objectives related to implementing financial controls and ensuring that they are operating effectively." Wheeler's former internal audit function has created a group dedicated to testing internal controls. Those internal, but independent, evaluations can be relied on by SunTrust's external auditors, which helps strengthen and improve the efficiency of their Section 404 audits.
Those gains would not have been possible without the ongoing business-relationship-management efforts of SunTrust's financial reporting risk management staff and the leadership of an efficiency- and quality-minded CRO.
SunTrust Banks Inc. COMPANY PROFILE
Total Assets: $183.1 billion; U.S. 7th largest bank by assets
Banking Locations: 1,699
Full-time employees: 34,293

GRC Case Study at a Glance
At Atlanta-based SunTrust Banks Inc., a comprehensive, multi-year governance, risk and compliance (GRC) restructuring -- with substantial involvement from the finance function -- is currently under way to identify and quantify operational risk. This best-practices approach to managing GRC includes the creation of a board-level risk committee in addition to the bank's existing audit committee. SunTrust also created an operational risk forum to oversee operational and compliance risk as well as financial reporting. Based on the enterprise risk management (ERM) principles laid out by the Committee of Sponsoring Organizations of the Treadway Commission, SunTrust's operational risk forum provides a holistic view of risk for the board and executive management. Using an organizationwide information technology platform, SunTrust integrates previously disparate compliance and risk management activities into an integrated GRC model. Ultimately, the goal of effective GRC is improved compliance and lower cost of capital.