Sarbanes-Oxley and Internal Auditing for Construction Companies

No recent law has received as much attention as the enactment of the Sarbanes-Oxley Act. Although it was passed in 2002, the financial transparency issues it raises are still being discussed and debated three years later. Every industry has had its problems with interpretation and certainly, construction is no exception. Sarbanes-Oxley has cast a new light on the function of the internal audit department in any publicly held construction firm.

The center of all the controversy is Section 404. It requires companies that file annual reports with the SEC to discuss management’s responsibilities to develop and maintain adequate internal control over the company’s financial reporting process. As if that weren’t enough, the law also requires management to perform a self-assessment of the effectiveness of those internal controls. The process of scrutinizing financial reporting mandates that internal audits go beyond the usual definitions of loss prevention to take a much broader view of the company’s financial health.

This broader vision actually breaks down into a few different areas. The first is recognizing the growing demand for management’s accountability regarding capital stewardship. Internal audits should assume a more proactive role when it comes to providing decision support data. Accurate project scope definitions and cost/effort estimation models that are completed before a contract is finalized, and exemplify a project’s real cost and schedule to complete, will provide management the ability to make an informed decision about whether or not to proceed. Completing a scope definition midway through a project with a change order is an expensive fix for perceived risks that only weaken the firm’s financial state.

Internal audits need to have a watchful eye when it comes to assessing a project’s risk impact on the company’s capital reserves. It is no longer sufficient to assign a standard percentage of the contract’s value to allow for unforeseen events. There needs to be real transparency as to what the perceived risks are and their potential impact on the company’s finances in dollars and cents.

Along with the assessment of risk comes the allocation of risk. One of the biggest hindrances to management’s capital stewardship is inadequate contractual allocation of risk. For example, the firm failing to assign risks to those projects best suited by virtue of their operating margin or the nature of the firm’s expertise. An internal audit is needed to verify the firm’s contractual risks are well within its ability to maintain them without seriously impacting the firm’s capability to complete the project within budget and on time.

While these areas are not really new to internal auditing, the one area of uncharted waters is the company’s potential risks and costs associated with environmental, health, and safety issues. This is the area where Section 404 has made the biggest impact, by requiring increased transparency in reporting these risks.

Any activity the firm undertakes, whether a new project, retooling to become more competitive, or modifying a facility to accept a more diverse range of projects, will have some environmental, health and safety issues attached to it. Ensuring that solid internal controls are in place can minimize the potential impact of these issues. When internal audits consistently monitor these controls, company profitability is protected by reducing environmental, health and safety liabilities.

To that end, internal auditing needs to fully understand the company’s environmental, health and safety policies and how they are integrated with internal controls. Audit teams also need to review compliance documentation. Such documentation includes environmental, health and safety policies, procedures, checklists and training programs. Audit teams need to take a proactive stance by observing the system of controls to see if they work and making recommendations to management about areas that need improvement.