Sarbanes Oxley : Thought Leader

Is Your Company Entering The 4th Year Of SOX Compliance?


From Project to Process: Building and Maintaining a Sustainable SOX Compliance Process

By Alyssa Martin, Executive Partner, Weaver
With little and late guidance, many accelerated filers initially approached Sarbanes-Oxley (SOX) compliance as a massive project: one with an undefined scope, numerous unforeseen difficulties, and considerable effort and expense.

While a project approach can work for a finite effort, SOX is a continual mandate whose requirements must be met year after year. Sustaining compliance without overextending available resources requires treating SOX as an ongoing process that is maintained, not redeveloped, each year.

A process approach requires three things: identifying needs for remediation, so that the same weaknesses do not keep presenting difficulties; devising strategies and tactics so that compliance efforts can be sustained without continual strain; and planning scalable compliance activities that accommodate growth and other organizational change.

For corporations that take a process approach, SOX compliance can become an embedded element of normal business operations, one whose benefits extend beyond greater financial reporting accuracy and continual compliance.

Exceptions Illustrate the Needs for Improvement
Approaching SOX as an ongoing process entails examining past compliance efforts and identifying needs for remediation. Such examination highlights areas where manual controls can be replaced with automated controls and where duplicate controls can be eliminated. That evaluation should also address ways controls can be structured to operate as a normal part of business. Examining exceptions and considering external auditor feedback reveal additional opportunities for improvement.

Whenever possible, manual controls should be replaced with more reliable and efficient automated controls. An automated control operates continuously and, when configured to block a transaction that fails its check, acts as a preventive control against both human error and intentional misconduct; a detective control only provides after-the-fact evidence of improper activity. Automated controls also require less frequent testing than manual controls, provided that IT general controls over change management give assurance that the control's configuration has not been altered without authorization, and they can be evaluated at any time, giving internal and external auditors greater scheduling flexibility.
Segregating incompatible duties also establishes a system of preventive controls by eliminating circumstances where one person has too many responsibilities with too little oversight. For example, segregating accounts payable duties among three individuals for invoice approval, payment preparation, and check signing greatly reduces the possibility of unauthorized payments being made. Such segregation needs to be reflected in IT user provisioning and access restrictions, too: a separation that exists on the organization chart but not in the application's role assignments is not a control.
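The paragraph above states that segregation of duties must be reflected in IT access. The following is an added example, not code from the article or from Weaver, showing how that is checked in practice: a conflict matrix of entitlement pairs that must never be held by one person, applied to each user's effective entitlements after expanding the roles they hold. The roles, entitlements, users and rules are all constructed for illustration and are hypothetical. Checking effective entitlements rather than role names matters, because the usual failure is two individually harmless roles that together grant both halves of a conflict.

```python
"""Segregation-of-duties (SoD) check over application role assignments.

Constructed example: every role, entitlement, user and rule below is
hypothetical and is not drawn from any real system.
"""
from itertools import combinations

# Entitlements conferred by each application role (hypothetical).
ROLE_ENTITLEMENTS = {
    "ap_clerk":        {"ap.invoice.enter", "ap.vendor.view"},
    "ap_approver":     {"ap.invoice.approve", "ap.vendor.view"},
    "ap_payment_run":  {"ap.payment.prepare"},
    "treasury_signer": {"ap.payment.release"},
    "vendor_admin":    {"ap.vendor.create", "ap.vendor.view"},
    "auditor":         {"ap.vendor.view", "ap.invoice.view"},
}

# Conflict matrix: (entitlement_a, entitlement_b, reason). One person must
# never hold both halves of a pair, whichever roles grant them.
SOD_RULES = [
    ("ap.invoice.approve", "ap.payment.prepare",
     "approver could prepare payment for an invoice they approved"),
    ("ap.payment.prepare", "ap.payment.release",
     "preparer could release their own payment"),
    ("ap.invoice.approve", "ap.payment.release",
     "approver could release payment for an invoice they approved"),
    ("ap.vendor.create", "ap.payment.prepare",
     "could create a fictitious vendor and pay it"),
    ("ap.vendor.create", "ap.invoice.approve",
     "could create a fictitious vendor and approve its invoices"),
]

# Constructed user-to-role assignments, as exported from the application.
USERS = {
    "alice": ["ap_approver"],
    "bob":   ["ap_payment_run"],
    "carol": ["treasury_signer"],
    "dave":  ["ap_clerk", "ap_payment_run", "ap_approver"],   # conflict via two roles
    "erin":  ["vendor_admin", "ap_payment_run"],              # conflict via two roles
    "frank": ["auditor", "ap_clerk"],                         # view-only plus entry: fine
}


def effective_entitlements(roles, role_map=ROLE_ENTITLEMENTS):
    """Flatten a user's roles into the set of entitlements they confer."""
    ents = set()
    for role in roles:
        ents |= role_map.get(role, set())   # an unknown role confers nothing
    return ents


def conflicts_in(ents, rules=SOD_RULES):
    """Rules whose two entitlements are both present in `ents`."""
    return [(a, b, why) for a, b, why in rules if a in ents and b in ents]


def find_sod_violations(user_roles, role_map=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Map each violating user to the list of rules they break.

    Evaluated on effective entitlements, so a conflict that only arises from
    the combination of two roles is reported, not just single toxic roles.
    """
    violations = {}
    for user, roles in user_roles.items():
        hits = conflicts_in(effective_entitlements(roles, role_map), rules)
        if hits:
            violations[user] = hits
    return violations


def find_conflicting_role_pairs(role_map=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Pairs of roles that break a rule when held together.

    Used as a pre-provisioning check: deny an access request for a role that
    forms one of these pairs with a role the requester already holds.
    """
    bad_pairs = set()
    for r1, r2 in combinations(sorted(role_map), 2):
        if conflicts_in(role_map[r1] | role_map[r2], rules):
            bad_pairs.add(frozenset((r1, r2)))
    return bad_pairs


def would_violate(existing_roles, new_role, role_map=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """True if granting `new_role` on top of `existing_roles` creates a conflict."""
    return bool(conflicts_in(effective_entitlements(list(existing_roles) + [new_role], role_map), rules))


if __name__ == "__main__":
    for user, hits in sorted(find_sod_violations(USERS).items()):
        for a, b, why in hits:
            print(f"{user}: {a} + {b} -> {why}")
    print("role pairs never to combine:",
          sorted(tuple(sorted(p)) for p in find_conflicting_role_pairs()))
```

Running the script as written reports dave (invoice approval plus payment preparation) and erin (vendor creation plus payment preparation); frank's combination of auditor and clerk roles passes. The same rule table can be re-run against every access export, which is what turns the segregation described above from a one-time design decision into a control that is evidenced each period.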

During initial compliance efforts, corporations faced uncertainty in determining how many key controls were needed to provide assurance. Amid that uncertainty, a layered control environment was usually established, and duplicate controls may have been put in place. Eliminating redundant key controls lets the organization focus more attention on a top-down, risk-based approach in which the processes and controls that pose the greatest risk of a misstatement receive the most oversight.
Standalone control activities require extra attention and are more prone to neglect. Structuring controls to operate in the normal course of business alleviates those concerns; for example, prompt reconciliation activities can be incorporated into the monthly close process. In addition to their other benefits, controls placed into the routine transaction processing cycles also ensure that safeguards function routinely within the various processes.

Annual evaluation and testing of controls may generate exceptions. Effective remediation requires determining whether or not deficiencies in control design or control-related training contributed to those exceptions. Addressing such underlying potential causes enables the organization to take effective corrective measures.

Feedback from the external auditor, including any questions raised about the effectiveness of controls and any audit adjustments made to the financial statements, should also be considered. That expert, objective perspective helps the organization determine which activities present the greatest risk of a misstatement, and which controls or processes are most vulnerable to mistakes or misconduct. The corporation can then implement appropriate remediation. Remediation focused on the root cause of an exception, rather than on the exception itself, will provide long-term improvement to the internal control structure.

Compliance Needs to be a Sustainable Process that is Maintained Each Year
Initial SOX compliance efforts placed considerable strain on many organizations. In some companies, the Internal Audit department devoted a disproportionate amount of attention to SOX compliance. Other companies incurred substantial expenses for hiring additional staff, implementing new technology or contracting external expertise. Corporations cannot afford to keep doing that. To attain compliance continually, SOX needs to be a sustainable process that can be maintained from one year to the next.
Making compliance a sustainable activity means defining uniform practices and processes for significant activities across various business units. Various divisions of an organization, for example, may treat accounts receivables in different ways, with each division setting its own credit, invoice and payment terms and following its own policies for collecting on overdue accounts.
Such inconsistencies in the overall corporate processes create complexity and expand the number of key controls to be evaluated. Additionally, these disparities make it difficult to evaluate data for financial reporting purposes. Establishing uniform policies and processes reduces that complexity and enhances financial reporting accuracy and control effectiveness.

Initial compliance efforts may also have revealed that various business units or divisions rely upon different applications, operating systems and hardware for IT-supported processes. A larger number of critical applications also increases the overall scope of SOX compliance. Such differences can make transferring or consolidating financial data difficult and often require manual intervention, along with manual controls.

Making the necessary investments to establish IT uniformity and compatibility promotes greater accuracy and efficiency, and reduces the number of IT controls that must be evaluated and tested. Relevant documentation must also be readily accessible to the individuals or units with SOX responsibilities. For future reference and to provide the necessary audit trails, that documentation also needs to be archived.
For some smaller organizations, conducting all SOX related activities in-house might not be affordable or practical. In such instances, work for developing a compliance plan, assessing related risks, devising controls, maintaining documentation or other necessary activities can be outsourced to attain efficiency and optimize internal resources.

SOX compliance efforts include mapping the processes and controls that have a significant impact on financial reporting, compiling a library of controls, applying version control to crucial files, establishing test schedules, recording and evaluating test results, and managing all required documentation. IT resources make it easier to accomplish such tasks. Applications designed specifically for SOX compliance are available. Existing software for enterprise resource planning, human resources management, report writing and other functions may also be appropriate for addressing an organization’s compliance needs.

Compliance Efforts must be Scalable
Organizations grow, and compliance efforts must be scalable to accommodate that growth or any other change. With such an emphasis, monitoring and refinement eliminate the need for wholesale revisions or restructurings of compliance plans.
Making compliance a scalable process requires embedding controls and accountability for compliance throughout the organization. The entire organization then participates in the compliance process and shares the responsibilities associated with continual compliance.
Each process should have an identified process owner, identified key controls, and an identified owner for each of those controls. The control owner oversees execution of the control, while the process owner monitors and assesses the effectiveness of the control, with additional periodic effectiveness testing performed by the internal audit department.

Processes evolve to meet changing business needs. Through regular self-assessments and walkthroughs, the process owner needs to evaluate whether or not an actual process still conforms to its original documentation. If the process has deviated from that original documentation to meet changing needs, its control and related documentation need to be reevaluated and revised to ensure that effective oversight remains in place.

In any given year, individuals will leave an organization or take on new responsibilities, while others will be hired or reassigned to take their places. Workforces also expand or contract to reflect company growth or economic constraints. To maintain continuity amidst such change, SOX duties need to be documented in job descriptions, with sufficient explanation and training provided. To emphasize accountability, evaluation of SOX duties also needs to be included in performance reviews.

While such practices address organic growth and internal change, corporations often grow through acquisitions or evolve by outsourcing various functions. Whenever a company is acquired, its financial reporting functions and related controls must be closely integrated with the parent organization's operations. Whenever a corporation outsources data processing or transactional process work, it needs to require annual assurance from the service provider that any related risks are mitigated. A SAS 70 Type II report typically provides that assurance. (SAS 70 has since been superseded, first by SSAE 16 and then by SSAE 18; the equivalent report today is a SOC 1 Type 2.) Such a report does not remove the company's own obligations: the complementary user entity controls it lists still have to be implemented and tested on the company's side, and the report's coverage period must be checked against the company's fiscal year.

Technology improves rapidly, and companies must regularly upgrade various elements of their IT systems to enhance productivity and remain competitive. Maintaining effective change management controls throughout such migrations enables companies to realize those benefits without exposing themselves to a material weakness.
Taking such a scalable approach to SOX compliance provides organizational continuity. Lower compliance costs typically accompany that continuity, too.

The Long-Term Benefits of Remediation, Sustainability, and Scalability
By focusing on remediation, sustainability, and scalability, SOX compliance becomes a process that is maintained, not redeveloped, from year to year.

The benefits of taking that approach extend beyond SOX compliance, too. The reliance of financial reporting processes upon IT functions prompts organizations to examine how technology can be used more effectively. That examination leads to more efficient use of technology throughout the corporation.

SOX requires identifying and evaluating processes that support financial reporting. Such examination drives process improvement efforts throughout the organization. Companies also face other regulatory compliance and certification requirements, and the methodology and processes deployed for SOX may be applicable to meeting those other measures as well.
Amassing and maintaining accurate information provides a basis for improved decision-making, while embedding responsibility for SOX compliance throughout the organization promotes individual accountability, discipline and ownership. Those qualities nurture a corporate culture that values accuracy and ethical behavior. That culture itself then becomes a general control or first line of defense against errors and improper conduct.

That culture and the continual attention for meeting the requirements of SOX lead to not only greater accuracy in financial reporting, but greater confidence in the organization’s financial reports, and greater trust in the organization itself.
Alyssa Martin
Executive Partner
Weaver
Alyssa G. Martin, CPA, MBA, is the Dallas executive partner and the firm-wide Partner in charge of the Risk Advisory Services group at Weaver and Tidwell, LLP. With offices in Dallas, Fort Worth and Houston, Weaver and Tidwell is ranked the largest independent certified public accounting firm in the Southwest by Practical Accountant. Martin can be contacted at 817.332.7905 or 972.448.6975. You may learn more about Weaver and Tidwell by visiting www.weaverandtidwell.com.

© 2019 Simplex Knowledge Company. All Rights Reserved.