⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

Sarbanes-Oxley for the Severely Disinterested

Order a reprint of this story
Close (X)

ORDER A REPRINT

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.

SEND EMAIL

March 01, 2005
Special Section | From an Operator's Viewpoint
Michael Schubach, CHTP - michael.schubach@pinehurst.com

View Magazine Version of This Article

© 2005 Hospitality Upgrade. No reproduction without written permission.

The SEC has long required that the officers of publicly traded corporations certify that their information is accurate. But SOX attempts to grapple with a concept that many of us outside the U.S. Senate have been aware of for quite some time: some of the captains of industry who swear they’re telling the truth aren’t.

I will admit it -- there was a time that I, too, was genuinely apathetic toward Sarbanes-Oxley, or SOX as it has come to be known by those with higher levels of interest. My disinterest sprang from the first fact I learned about Sarbanes-Oxley. It was legislation that applied to the accounting practices for companies that file publicly, and especially those that are publicly traded. Although the company that I work for does indeed file publicly, our stock is not publicly traded so it appeared as though we would be spared the rigors of Section 404 compliance, the most demanding aspect of the SOX legislation. Sure, our accountants had to deal with new legal requirements, but it was Mini-SOX -- one-third the effort of regular SOX. We could file late and light -- my two favorite criteria in governmental reporting. I spent a summer basking in blasé indifference; little did I suspect that my reverie was nearing its end.

Our accountants determined that the structure of our employee stock plan was enough to subject us to the Full Monty of the SOX legislation -- we would in fact be required to file in accordance with the dreaded Section 404. Like the Starship Enterprise, we went to red alert; Sarbanes-Oxley was no longer a drill. Now, as our company hurtles through time and space toward uncharted corners of compliance, I’ve decided to share a few SOX notes from the observation deck for those who have no need to travel this path. What follows is a brief glimpse at the color of the sky over here in the far reaches of the galaxy.

Sarbanes-Oxley is the body of legislation named for the senators who authored and sponsored it. This legislation was passed in response to the Enron scandal (among others), and is designed to prevent further such scandals by making certain that the financial information being published by captains of industry is, on the whole, reliable and accurate. The Securities and Exchange Commission has long required that the officers of publicly traded corporations certify that their information is accurate -- nothing really new there. But Sarbanes-Oxley attempts to grapple with a concept that many of us outside the U.S. Senate have been aware of for quite some time: some of the captains of industry who swear they’re telling the truth aren’t.

At first glance, the SOX legislation is imbued with great common sense. It’s really quite simple, and there are only four little steps you have to take:

Step 1: Determine which sources of revenue for your business are material to the total revenue stream for your company. I’m certain you can guess what sorts of revenue are material to a hotel or resort’s revenue stream: rooms, food and beverage, and incidentals. For resorts, add in the retail sales and activities and services such as golf, tennis and spa. In other words, it’s everything that’s between here and the minibar, as well as all of the stuff inside it.

Step 2: Determine which information systems are involved in the production and assembly of the material revenues. Again, for hotels and resorts, that would be the accounting system, the property management system, the food and beverage system, the retail systems, and, oh yes, everything that connects to them.

Step 3: Document the processes and procedures that your company follows in order to generate and/or assemble financial information, making certain that the processes and procedures conform to reasonable standards and generally accepted practices of care and control. This is a very simple request to diagram, flow chart and explain… everything.

Step 4: Be able to produce adequate documentation and the paperwork trail to prove to your outside auditors that your company is, in fact, following its own documented policies and procedures.There might be a little bit of paperwork involved in this step, and it’s conceivable that we would need all of it when the auditors show up.

So really, the post-Sarbanes-Oxley world isn’t that different from the pre-Sarbanes-Oxley world, except that in the past your outside accounting firm checked your math. Under Sarbanes-Oxley, they will now be checking out your calculators as well.

And how does one prepare for SOX compliance? In that arena the first step is to ask your outside audit firm what sorts of materials they would like to see in order to certify that you are playing by the rules. That step is pretty simple, except that you can’t ask your own auditors what to prepare for the audit, as auditors auditing their own system would be a conflict of interest. So now you need two kinds of auditors: those who audit and those who don’t so that the auditors who don’t audit can tell you what to do for the auditors who do audit. Although that seems as though it might be a little expensive and redundant, it wouldn’t be all that complicated provided that the auditors who don’t audit can tell you what the auditors who do audit will be auditing. But seeing that this is new legislation, the auditors who do audit haven’t audited very many accounts yet, so the auditors who don’t audit don’t really know what the auditors who do audit will be auditing. Since the auditors who don’t audit are guessing what the auditors who do audit will audit, naturally, the auditors who don’t audit reserve the right to tell you that what they told you might not be completely accurate in an audit done by the auditors who do audit. Other than that, the rest of the procedure is quite straightforward.

Besides the accounting and operational impact, SOX compliance has tremendous implications for information technology (IT) as well. Since systems are a great part of the focus, there is a tremendous need to be able to document precisely who has access to what functionality, who is empowered to generate or change revenue postings, and upon whose authority one might have the capability of making software and configuration changes. Since documentation is neither a bad nor an unreasonable thing, one might wonder why there aren’t vast piles of it lying around for auditors to dig through today. The answer is that full documentation demands time and resources, both of which are finite and, typically, fully committed. As a result, most operations produce adequate or mandatory rather than superior levels of documentation. Sarbanes-Oxley raises the minimum requirement high enough to have tremendous workflow implications for those of us who are becoming SOX bound.

Making changes to a property management system, for example, will never again be as easy as asking your vendor to get on your system and install the newest software update. Under Sarbanes-Oxley you can certainly update your systems, but you need adequate lead-time to document and certify changes before you actually put them into production. That’s just a good business practice, but hidden in it is a myriad of unintended consequences. I can foresee that SOX locations will be slower to make changes, including corrections, patches and service packs, simply because of the new standards of documentation and certification. Another predictable side effect is that the fast-and-simple low priority fixes will drop to no priority; with all the paperwork and testing required, there’s no such thing as a SOX slam-dunk. Resources will be dedicated to the higher priorities, and yet the overall rate of change is likely to become significantly slower, more expensive, or both. (It’s not completely clear to me which method is worse under the SOX legislation -- having software internally developed or having an outside third-party deliver it. But either way, as you might suppose, there are plenty of SOX hoops to go through, all of which require intensive jumping.)

From outside the Sarbanes-Oxley perspective -- the one typically held by those exempted from the process -- my observations could just sound like a lot of whining from someone who is not used to reasonable and adequate controls and business practices. You might suppose that someone running a tight ship should have no problem with legislation that specifies that the ship must be tight. In perfect theory, you would be correct, but I hasten to remind you that the subject at hand is not perfect theory, it’s governmental specification. To those skeptics in the crowd, I issue this challenge: if you believe that there is nothing easier than documenting and following reasonable accounting and IT standards, then by all means, forego the luxury of disinterest and book voluntary passage on the good and tight ship Sarbanes-Oxley. Dress warmly, have fun and, oh yes, please drop me a note from the bridge… if you should happen to be able to find the time.


Michael Schubach, CHTP, is vice president of resort technology for ClubResorts, the destination resort division of Dallas-based ClubCorp. He offices at the legendary Pinehurst resort, the site of the 2005 U.S. Open golf championship. As the property prepares for that event and SOX compliance, Mr. Schubach wishes you a happy and productive 2005, and expects to see you all again in 2006. In the meantime, you can try e-mailing him at michael.schubach@pinehurst.com.



want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.