
Leveraging Your IT SOX Investment


Getting a return on an investment as vast and expensive as Sarbanes Oxley efforts will take time.

By Steven Schlarman
Steven Schlarman
Chief Compliance Strategist
Brabeion Software

Companies over the past two years have spent an extraordinary amount of time and money preparing for and responding to Sarbanes Oxley (SOX). The estimates of spending on Sarbanes-related projects are staggering, and there has definitely been a significant impact on performance and profits. Between SOX preparation and remediation, IT organizations have learned much about building controls frameworks. Those IT shops that were not control oriented have most likely improved their processes from a control perspective, and those IT shops that already had controls integrated into their processes have hopefully fine-tuned those controls. Unfortunately, the main byproducts of SOX – piles of paper with spreadsheets of control information, lists of financial-related systems and invoices from consultants – are not the return on investment many companies are looking for. Gaining a return on this investment may take time, but it is obtainable with the proper mindset: not all of the return is going to be quantitatively measurable. Here are some steps necessary to gain a return on your effort.

Take control of your controls
During SOX, many companies found themselves relying almost exclusively on consultants to tell them what controls to have in place. This is generally not true of companies that already had controls integrated into their IT management practices. However, many companies with limited resources defended themselves against an ambiguous regulation and unknown audit requirements with consultants’ knowledge. This may work for the initial assault, but it will not be cost effective or sustainable in the long term. Consultants move on, and without a clear knowledge of controls within the organization, the work that was put in place will crumble.

Companies should ensure that internal resources are driving controls now that the initial onslaught has subsided. A continued reliance on consultants to identify and design controls does not build the internal knowledge necessary to continue a controlled environment. Knowledge transfer and control ownership are critical during this transition. This follows the old adage of ‘don’t just take the fish, learn how to fish’.

Use the “control consultant” wisely
Resources in IT are always stretched thin. I have yet to hear a CIO say “I have too many people to do the work I need to get done.” During SOX preparation, many companies relied on consultants to help identify, design and document controls. These consultants, from boutique companies to the large audit firms, provided context around controls in general and helped companies navigate the vague requirements of SOX. This work was necessary to meet the requirements of the initial SOX audit, and there are certainly cases, such as ongoing management testing, where continued use of these types of resources is appropriate. However, companies should now transition that “control consultant” spend toward a more long-term contribution within the organization.

Consultants generally provide an external perspective and a skills or knowledge base that is not readily available within the organization. During the SOX process, controls were identified and instituted within the organization. Companies are now streamlining, improving, integrating or consolidating controls and processes based on what they learned during SOX preparation and the audit. If you are still using consultants, this is where to point them: toward efficiency and streamlining. Leveraging consultants for recommendations and perspective on how other companies are streamlining SOX-related controls is an excellent way to use that spend more wisely.

Extend into “business as usual”
Companies sometimes fall into building “bricks of controls” while the mortar around the bricks crumbles. In other words, regulations like SOX drive control activity around one portion of the organization. Controls are implemented around that portion, but risks outside that immediate area are not properly managed. This can lead to a breakdown that will ultimately affect the regulated systems themselves.

The ultimate goal of a controls infrastructure is to improve processes and provide assurance across regulations and business requirements. Controls that have been identified for SOX systems should be evaluated and extended to other critical systems within the organization. There is a difference between SOX compliance and protecting a critical business application. Generally, SOX compliance is a subset of the overall controls necessary to truly protect a critical piece of the business. However, for organizations that found SOX to be the first external impetus to identify and document controls, this knowledge can be leveraged to improve general controls.

Leverage controls to promote business benefit
Many CIOs think of the SOX efforts as lost revenue or just a plain ol’ pain in the neck. There are, though, definitive business benefits to improved controls within the organization. While some processes may now include added steps or bureaucracy, the improvement or benefit of adding controls to processes should be tangible. Any control that is performed simply for “control’s sake” should be evaluated and modified to add business benefit.

Many general IT controls should affect not just the financial systems but the IT management environment in general. If the general controls are only touching financial systems, they should be expanded to help improve the overall control environment. If a control cannot be expanded beyond the financial systems, it should be evaluated to see why it is too onerous, labor intensive or restrictive to add value to other business processes. If there are reasons that restrict the broader business applicability of the control, then the control should be evaluated for its true benefit to the organization.

Build the ROI to automate
Many times, controls implementation is a cyclical process. The control starts off as a manual effort. When the activity becomes too labor intensive or time consuming, automation is considered to improve the implementation. Manual hardening of systems evolves into hardening scripts, which evolve into automated configuration management. This is a natural progression.

Control owners should track which controls are causing the most pain. Many times this is intuitive. However, with the typical fight for budget and prioritization, it is necessary to track and quantify effort so that solid ROI arguments can be presented. Therefore, control owners should explicitly track the time and effort spent on individual controls. This is not necessary for every control, but it is critical for those that are targeted for automation. With this knowledge in hand, the ROI calculation and business case for further investment is clear.

SOX efforts don’t have to be written off as a loss. Leveraging your investment is a matter of positioning the organization to move forward.

• Your internal resources should now be more cognizant of controls and in a better position to drive control-oriented work within IT.

• Consultant spend can be throttled back and focused on strategic benefits – not just tactical delivery.

• Extending controls throughout the business will improve the overall environment.

• Identifying business value outside of the financial reporting world will help validate control structure.

• Tracking time and effort on specific controls will build the business case for automation, leading to quantifiable ROI.

Getting a return on an investment as vast and expensive as Sarbanes Oxley efforts will take time. Understanding controls, implementing better management reporting and improving visibility into the processes within the organization are intangible benefits. Tangible return will come through reducing or better utilizing spend for external assistance and identifying savings through automation. Through a combination of these benefits, organizations hopefully will look upon SOX efforts as an impetus to put better processes in place rather than just a huge drain on resources and an impact to the bottom line.


Steven Schlarman, CISM, CISSP, is the Chief Compliance Strategist for IT risk and compliance vendor Brabeion Software. He is a published author and speaker on security compliance matters for conferences including ISACA, ISSA, CSI and MISTI.

Prior to Brabeion he was a director in PwC’s Advisory Practice focused exclusively on information security and compliance consulting and auditing. Schlarman has led a wide range of best practice engagements, the development of the original Enterprise Security Architecture System (ESAS), and the development of security policy methodologies.


© 2019 Simplex Knowledge Company. All Rights Reserved.