Fiduciary Responsibility: SOX and Project Management

Abstract

Fiduciary responsibility of the project manager lies in the core responsibility to manage the project management activities around scope, schedule and cost. The implications of the Sarbanes-Oxley Act of 2002 have increased the breadth and view of the project manager. The responsibility to meet the requirements of the SOX Act is inherent and represented through the mandate that corporations must increase their financial transparency and accountability. The project manager will need to ensure all objectives in reporting, approvals, transparency, clarity and timeliness for financial activities are completed and aligned with the corporation’s strategic financial plan. Through the use of key project management activities, the project manager will mitigate the implications of the enterprise environmental factors and provide a project that has the framework for success.

Sarbanes-Oxley and Corporate Responsibility

Sarbanes-Oxley was passed by the United States Congress in 2002 as a remedial and reactionary guide to the corporate financial scandals that plagued multiple large companies. Those scandals not only impacted the companies as a whole but also drove the country to install new guidance and regulations to mitigate these issues in the future (Ramos, 2008). The purpose of the Sarbanes-Oxley Act was to improve the transparency and accountability of the corporation’s financial activities and how they reported those activities. The act included an oversight board, much like a steering committee for a project, which oversees and imposes a level of accountability that was not inherent in the corporations’ activities previously. In conjunction with the accountability of oversight, there were also deep and integral repercussions for financial irresponsibility that were felt not only at the corporate level but also at a personal, executive level of the corporations. The Sarbanes-Oxley Act has built its premise on the fact that transparency is of the utmost importance. This transparency of financial information is adhered to by meeting the reporting requirements set forth by the act and meeting the guidelines for submission of information based on timetables established and upheld by the oversight board.

While the Sarbanes-Oxley Act was not established for the purpose of implementing accountability and transparency in project management, the implications of the act have resonating impacts on the fiduciary responsibility of the corporation and on how the project manager executes projects and reports on their financial status and spending activities. Part of the correlation between the Sarbanes-Oxley Act and project management begins with the implementation of becoming SOX compliant. Section 404 of the Sarbanes-Oxley Act is the portion of the act that describes how a corporation can become compliant with the act and thus create a level of financial credibility that affects how the company is perceived by investors, other companies and the global economy. Section 404 requires management to acknowledge responsibility for maintaining an effective system of internal controls over financial reporting and to report on the system’s effectiveness (University of Pittsburgh, 2012). This implementation is not only a project in itself; it also creates a new set of guidelines and metrics that the project management team must understand and deliver upon to meet the requirements of the project, of the corporation and of the Sarbanes-Oxley Act. This carries a level of risk that resonates into the best practices of project management and will need to be accounted for through risk management and financial reporting.

Strategy for Project Management

The project team has the responsibility to mitigate the impact of the Sarbanes-Oxley Act and to ensure the corporation meets the requirements set forth by the act. The first step in ensuring compliance is building the understanding of what activities or actions need to be taken by the project team. There are two areas of requirements that impact the project team. The first area includes the strategic establishment of the core functions required by the Sarbanes-Oxley Act. This includes increasing the levels of oversight the project has, documented approval processes, implementation of an Audit Oversight Board (AOB), executive-level certification including accountability for the Chief Executive Officer and Chief Financial Officer, and the corporate-wide integration of specific segregation of duties and bans on conflict-of-interest activities. These areas impact the project team in different ways, including increased response time for approval and an increase in reporting and tracking commitments that potentially were not present prior to the act’s approval. There are also specific project-based activities that will require a level of effort from the project team. The tactical or operational activities include renewals of the auditor’s sign-off on internal controls, which must be updated and maintained yearly. The auditor’s sign-off will require the project team to go through the approval process and receive the sign-off of all key parties involved, including leadership’s sign-off. This impacts the project team because, while this is not a key activity to the project’s deliverables, it is required for completion and consumes resources that would need to be accounted for in the cost estimates and project schedule. The reporting of financial information has also increased, and the onus of ensuring the financial information is accurate, clear and concise falls onto the project manager, who must report that information to the financial manager in a timely fashion. The level of reporting, detail and timeliness have all increased, and with them the level of effort required of the project team, which draws away from the project’s core critical activities.

Risk Management and Mitigation

Risk in project management is the perceived implication of an uncertain event impacting the project or the organization as a result of the project’s deliverables. Each risk varies in its impact, severity and likelihood of occurring. Each of these factors plays a role in the risk mitigation plan of the organization. These risk mitigation actions incorporate the risk itself as well as the tolerance of the organization and the benefits of accepting certain risk models to achieve certain objectives (Cooper, Grey, Raymond, & Walker, 2005). The level of risk associated with the impact of implementing the Sarbanes-Oxley Act’s requirements depends heavily on the proximity of the project to the financial realm and the amount of time spent by the corporation implementing the compliance portion of the act. The proximity to the financial realm ranges from a level where the project is reporting its financial budgets, spending, investments and other financial activities to the closeness of implementing the compliance framework for the Sarbanes-Oxley Act. When discussing the mitigation plan for any risk, in this case the impact of the Sarbanes-Oxley Act on the project, the risk aversion or risk acceptance of the organization is interdependent with the goals and objectives that the organization wants to achieve as well as the activities that are necessary to achieve those deliverables.

The risk management process according to the Project Management Body of Knowledge (PMBOK) includes six processes that encapsulate how risk is managed and mitigated within a project. These include plan risk management, risk identification, qualitative analysis, quantitative analysis, risk responses, and monitoring and controlling of the risks (PMBOK, 2008). Each of these areas plays a critical role in identifying, understanding, mitigating and sustaining risk mitigation activities. Within every project there are many risk factors that can have a potential impact on the efficiency and effectiveness of completing the project within schedule and budget and achieving the quality of the deliverables outlined in the scope document.

Project risk is based on the uncertainty in projects, and those risks come in the form of known risks and unknown risks. The known risks can be identified and analyzed, and a risk mitigation plan can be formulated around them. The unknown risks do not have the same luxury regarding proactivity in mitigation, and these types of risks are the basis for contingency plans that are built into the project by the project team.

SOX Impact on Project Management

As a project manager there is a responsibility to manage the enterprise environmental factors. Examples of these factors include governmental laws and regulations, which puts the Sarbanes-Oxley Act at the forefront of project management responsibilities. From the implementation of the project through project closure there are implications of the act. While not all projects fall under the umbrella of a Sarbanes-Oxley compliance project, it is imperative for the project manager to understand their role in providing the key information to ensure the corporation is conducting its due diligence, including remaining transparent and ensuring accountability throughout the corporation. The project manager has the responsibility to maintain the schedule of the project while also managing the cost and scope of the project (Highsmith & Highsmith, 2010). Managing the triple constraints of the project is the core function of what any project manager must accomplish. The inclusion of outside factors such as the Sarbanes-Oxley Act has significant impacts on all three of the constraints. The schedule would have to accommodate the increased managerial and executive oversight that requires approvals and sign-offs, while also including the amount of time and effort provided by the project team to develop and present the project information to obtain those approvals and sign-offs. It also increases the cost of the project by taking a limited resource and creating a new demand for that resource that is not directly tied to achieving the objectives of the project. These extraneous efforts must be documented and allocated to the budget to ensure cost is effectively managed throughout the project. As with the basis of the triple constraints, when one side of the triangle is moved and altered the other points are impacted. If the schedule must fit more effort into the same period of time, and the cost to perform the same functions increases due to the extra effort required to meet the requirements of the act, the only remaining option is to decrease the scope of the project when the cost and schedule are not able to accommodate the increased demand.

The project manager has the opportunity at the beginning of every project to develop a project plan and cost estimate for a project.  In order to mitigate the risks associated with extraneous efforts to meet governmental requirements the project manager must incorporate those activities into the schedule and budget.  This includes additional time for approvals, reporting, compliance and other operational activities that ensure compliance for the project team.

The project manager will continue to utilize the best practices for project management to incorporate the requirements dictated by the enterprise environmental factors, just as the project manager would have done with any other factor. The goal is to manage the risk associated with these factors and incorporate the derivatives, such as cost, schedule and scope expansion, into the project plan. Relying on the best practice framework and incorporating the defined deliverables and requirements of the Sarbanes-Oxley Act into the project’s overall plan will allow the mitigation of the impacts, incorporation of the requirements and compliance with the governmental act.

References

Cooper, D. F., Grey, S., Raymond, G., & Walker, P. (2005). Project risk management guidelines, managing risk in large projects and complex procurements. John Wiley & Sons.

Highsmith, J. A., & Highsmith, J. (2010). Agile project management, creating innovative products. Addison-Wesley Professional.

Project Management Institute (PMI). (2008). A guide to the project management body of knowledge. (4th ed.). Newtown Square: Project Management Inst.

Ramos, M. (2008). How to comply with Sarbanes-Oxley section 404: assessing the effectiveness of internal control. (3rd ed.). Hoboken, NJ: John Wiley & Sons, Inc.

University of Pittsburgh. (2012). University of Pittsburgh; financial report fiscal year 2012. Retrieved from: http://www.cfo.pitt.edu/documents/FY%2012%20Annual%20Report.pdf