Sarbanes Oxley Compliance Journal

SOX Section 404 "Year Two" and Beyond: Are You Ready?


By Margaret Brooks, Vice President, CA Technologies

November 15, 2005 marks the one-year anniversary of compliance with Section 404 of the Sarbanes-Oxley Act, which requires internal controls over financial reporting.

In the past year or more, companies have approached Section 404 compliance as a one-off project and have not leveraged it to improve business efficiency, reduce risk and improve effectiveness. In many cases, companies have implemented manual methods, which have led to significant costs.

SOX compliance overall is costing businesses millions of dollars. A March 2005 survey by Financial Executives International shows that first-year SOX 404 compliance costs averaged $4.36 million per company, and that large companies with more than $5 billion in revenue spent more than $10 million per company.

A Corporate Executive Board survey indicated that 87% of CFOs feel that the costs of Sarbanes-Oxley Section 404 compliance outweighed its benefits.

As we approach the next year of ensuring that internal controls are in place for SOX compliance, hindsight makes the lessons clearer. That said, many companies still do not have a clear picture of the direction needed to deal with SOX and other regulations in a sustainable manner.

If companies could go back almost two years and redefine what is needed for SOX efforts, would they be able to state a clear vision today? Many companies have found that they documented too many controls, that testing was inefficient and too costly and that the processes were not repeatable.

Many companies have found that they still lack the proper visibility into the control program, and that dealing with controls manually on spreadsheets is simply unmanageable.

Compliance Challenges

Compliance challenges were abundant over the last year. The high cost of reactive compliance created "emergency investments," since many companies did not have the money readily available to pay for SOX Section 404 compliance. The SOX investments were allocated from other planned business investments, putting valuable business projects on hold.

Because many companies operated in reactive mode, complex, fragmented processes gave rise to many manually intensive procedures, which are expensive and prone to failure. Some companies used tools to store the output of the manual work, but in the end the solution was built by dedicating people to the problem.

SOX efforts were typically driven by a SOX Project Management Office (PMO), but with so many manual processes and limited precedent and guidance, controls were applied inconsistently. Some companies took a very conservative approach, resulting in excessive control documentation and testing.

Scope, timing and resources were often another challenge. Many companies did not anticipate the massive effort, so in order to complete the work they hired a significant number of consultants to assist with documentation and testing, which resulted in higher costs.

The end result: a fragmented, unsustainable, high-cost compliance model. To effectively mitigate these compliance challenges, a sustainable compliance strategy and operating model is required.

Building Sustainable Compliance

A compliance strategy is important not only to run the business more effectively but also to adhere to the Federal Sentencing Guidelines. In addition to the previous sentencing guidelines, new guidelines were introduced in 2004, including the requirements to (1) assess the compliance program and (2) complete a risk assessment of the laws affecting the business.

The implication of these new imperatives is that companies must address both compliance and risk from a holistic approach across all business units and regulations with a sustainable compliance and risk operating model.

The core foundation for building a sustainable operating model is to implement integrated processes and technology. First of all, upper management must ensure there is executive support when it comes to the integration of both business and IT processes as well as controls.

Similar to many new initiatives, behavior changes are also needed. For example, there is a need to extend change management to the business and make sure that the appropriate business process owners are accountable for the ramifications of changes made to the business and IT environments.

A process driven environment must be created to identify clear ownership and responsibility within the control environment, not just on paper.

An enterprise or global viewpoint needs to be taken so that there is consistency and a holistic approach to achieving the sustainable model. Auditing must occur regularly, which will require changes to the typical mode of operation.

In addition to testing controls for effectiveness, organizations need to take a more risk-focused approach to understand what happens to their business when a control fails. They need the capability to perform self-assessments and to automate compliance audits that are currently manual processes.

Lastly, this requires integrated technology to provide an enterprise view of controls so there is visibility into the processes with dashboards and alerts and to eventually provide automated metrics to point out actual control failures or potential control failures.

In addition to the cultural changes, other key focus areas in building a sustainable model are:

• Simplify processes and key controls

• Standardization

• Proactive risk assessment and mitigation

• Automation through technology

• Independent long-term organizational process and technology infrastructure

As stated by many companies, too many controls were documented. A sustainable model requires that the company identify the key controls needed to operate the business effectively, which will reduce the on-going cost of testing the voluminous number of controls.

Eventually, to improve business efficiencies, this exercise should be completed for all major business processes, not just the key business processes in scope for Sarbanes Oxley.

For example, how many times is the same control documented and tested independently and inconsistently across the company? Taking an enterprise approach to managing controls will provide better standardization of the controls and help the company understand the actual controls across the organization.

The enterprise controls need to be linked to the geographic locations that are applicable and be able to ensure that the control is effective across the organization. This rationalization of controls will help reduce the number of controls that actually need to be managed moving forward.

Managing the controls is not merely ensuring they are documented and tested. As you build a sustainable model, the organization needs to be able to proactively assess the risk and ensure that mitigating controls or actions are identified.

This requires that the company identify the risk exposure for the key controls; in other words, what is the impact to the business if the control fails? This will vary for every company. For example, for a company whose business runs on the Internet, the risk exposure or business impact of the network going down is much higher than for a company whose business is not run on the Internet.

Each company needs to determine the controls and risk thresholds relative to their business needs. Part of the proactive risk assessment and mitigation phase is to identify the risk classifications, the financial impact of an exposure, the likelihood that it will happen, the regulatory impact, and the impact on the customer.

Using these factors will provide the risk matrices and thresholds needed to identify risk events. By implementing regularly scheduled self-assessments as well as monitoring key risk indicators, the organization will be able to take a proactive approach to dealing with the controls, risks and remediation efforts.

As an organization advances in risk and compliance maturity toward the sustainable compliance and risk operating model, automation of controls is essential, both to improve efficiency and to enable more advanced monitoring capabilities.

The potential control automation capabilities are numerous, but where should the company start? There are a few options to consider. First, consider automating, where appropriate, the controls for which SOX deficiencies were identified. Remediation is required anyway, so if it makes sense, start with the deficiencies.

This decision should also be supplemented with the determination of the control risk exposure and business impact. If this control fails, what is the exposure to the business? If there is very little risk exposure, reconsider the cost of automation for that control.

Secondly, consider automating the controls that address the high risk areas such as financial close and consolidation, change management, segregation of duties or identity and access management.

Thirdly, consider the controls that would show a quick cost savings if automated from current manual operations.
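To make the prioritization described above concrete, here is an added example (not from the article or from CA) that scores a small, constructed control inventory with the article's risk factors (financial, regulatory and customer impact times likelihood), ranks automation candidates in the article's three tiers (SOX deficiencies, high-risk areas, quick savings), and sets aside low-exposure controls for reconsideration. The 1-to-5 scoring scale, the exposure threshold and the cost figures are assumptions for illustration.

```python
from dataclasses import dataclass

LOW_EXPOSURE_THRESHOLD = 6  # assumed cut-off on a 1..25 exposure scale

@dataclass
class Control:
    name: str
    financial_impact: int    # the article's impact factors, scored 1 (negligible)..5 (severe)
    regulatory_impact: int
    customer_impact: int
    likelihood: int          # likelihood that the exposure occurs, 1..5
    sox_deficiency: bool     # deficiency identified in SOX 404 testing
    high_risk_area: bool     # financial close, change mgmt, SoD, identity and access
    manual_cost: float       # constructed annual cost of running the control manually
    automation_cost: float   # constructed cost of automating it

def risk_exposure(c: Control) -> int:
    """Risk-matrix cell: worst impact dimension times likelihood (1..25)."""
    return max(c.financial_impact, c.regulatory_impact, c.customer_impact) * c.likelihood

def automation_tier(c: Control):
    """Article's ordering: 1 = SOX deficiency, 2 = high-risk area, 3 = quick savings.
    Returns None when the control is not a candidate for automation."""
    if c.sox_deficiency:
        return 1
    if c.high_risk_area:
        return 2
    return 3 if c.manual_cost > c.automation_cost else None

def prioritize(controls):
    """Return (ordered automation queue, controls to reconsider). Within a tier,
    higher exposure then larger savings go first; little exposure means 'reconsider'."""
    queue, reconsider = [], []
    for c in controls:
        tier = automation_tier(c)
        if tier is None:
            continue
        if risk_exposure(c) < LOW_EXPOSURE_THRESHOLD:
            reconsider.append(c.name)
            continue
        queue.append((tier, -risk_exposure(c), c.automation_cost - c.manual_cost, c.name))
    return [name for *_, name in sorted(queue)], reconsider

# Constructed sample inventory (not real company data).
SAMPLE_CONTROLS = [
    Control("Journal entry approval", 5, 4, 3, 4, True, True, 120_000, 50_000),
    Control("Change approval ticketing", 4, 4, 2, 3, False, True, 60_000, 40_000),
    Control("Vendor master edit review", 2, 1, 1, 2, True, False, 30_000, 25_000),
    Control("Expense report sign-off", 3, 2, 2, 3, False, False, 40_000, 15_000),
    Control("Privileged access recertification", 3, 5, 3, 4, False, True, 80_000, 45_000),
]
```

Running `prioritize(SAMPLE_CONTROLS)` puts the deficient journal-entry control first, orders the two high-risk-area controls by exposure, and moves the low-exposure vendor-master deficiency to the reconsider list rather than dropping it.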

Another approach is to adopt standard control frameworks. For example, within the IT area, frameworks such as the Control Objectives for Information Technology (CobiT) help organizations work toward not only compliance, but good overall IT Governance.

Taking this approach, you need to understand which controls are the most relevant to your business and carry the highest risk exposure, and you need to understand your current technology investment and which controls are already automated. That knowledge will help determine the most appropriate controls to automate.

A key method to ensure that the compliance efforts are sustainable is to implement a centralized means to manage both business and IT controls, risks, incidents and action plans across multiple regulations.

Controls for compliance and risk are pervasive across many parts of an organization including areas such as independent business units, the IT department, audit department, the privacy office and the compliance office.

A sustainable model needs to provide similar capabilities to support all of these constituents, not just the SOX PMO. The result needs to be an independent long-term organizational process supported by a technology infrastructure that spans across the entire organization.

SOX Section 404 "Year Two" and Beyond

For SOX Section 404 "year two," companies need to make sure that their resources, including people, money and time, are all focused on building a sustainable compliance operating model and leveraging technology to automate controls.

Companies need to consider building the model to deal with many types of both business and IT controls. By implementing the proper technology, you can easily see which controls relate to each regulation and which relate to other control categories, for example IT security.

So when the next regulation comes along, you need only analyze the existing controls, note which current controls relate to the new regulation, and implement only the new controls the regulation requires.

For companies that are not mandated to comply with SOX, this sets the stage for good governance; in many cases, however, adherence to SOX is also being mandated by the Board of Directors. Achieving this model requires leveraging existing technology investments and understanding where new technology investments make the most sense.

To derive the most value and benefit from compliance efforts beyond SOX "year two," companies need to mature beyond simple compliance toward an integrated and holistic risk management approach.

That approach delivers a single solution for managing automated self-assessments and audit programs; global aggregation of control failures and risk exposure; global management of controls and action plans; global transparency by risk area, process, business unit and geography; more effective and consistent management of risk exposure; and affordable enterprise compliance.

A holistic risk management approach gives companies the global transparency needed for better visibility into the business. This helps them prioritize risk, make better business decisions, improve operational efficiency, and develop a sustainable compliance model and risk strategy.

By implementing a sustainable compliance model, organizations will be ready for the next wave of regulations.



Margaret Brooks
Vice President
CA Technologies
Margaret Brooks serves as Computer Associates' (CA) Vice-President, Strategic Solutions, HQ Research. With more than 20 years of experience in many aspects of Information Technology, Margaret Brooks leads the Integrated Risk and Compliance Solution Team and is responsible for delivering the solution to the market.

She has been involved with compliance solutions at CA for over two years, leading the team that developed CA's initial Compliance Management Framework. Prior to her full-time role in Integrated Risk and Compliance, Margaret was the Vice-President of the Technology Partner Group, handling the solution and technology partners for several of the business units within CA.

In her role, she interfaced with the CA Business Unit Executives and product management teams regarding partner interactions.

Prior to joining Computer Associates, Margaret held management positions in the areas of Data Warehousing and Information Resource Management, focusing primarily on companies in the healthcare and insurance sectors.

Margaret is a graduate, with honors, of the University of Alabama, having received a bachelor of science in Health Education.

© 2019 Simplex Knowledge Company. All Rights Reserved.