|
|
|
Features
< Back
Sarbanes Oxley : Technology : Risk Management
Putting Business First
How to Manage SOX Requirements with Everyday Business Changes
By
Tami French
|
|
Tami French
Risk and Controls Practice
Percipio Consulting Group
|
Change is a given in the business world. Indeed, to keep pace with competition and keep customers, as well as obtain them, businesses have to be open to changing methods, technology—and laws. For public companies the legal requirements of Sarbanes-Oxley (SOX) compliance can be especially daunting. If this particular change is not properly initiated and managed, companies may wind up suffering a blow to their economic vitality. The question on executives’ minds is: How to manage needed business process changes and still be SOX compliant, and where to start?
Companies can handle both change—say, the need to implement an ERP system or even a merger with an accelerated filer— and SOX with the right level of priority and focus by beginning at the beginning. That is, by putting business first and making business decisions that focus on viability and competitiveness. Companies should not avoid change because they are worried about the SOX implications of the change.
How to avoid “SOX freeze”
When they focus on SOX implications rather than business, companies are subjecting themselves to “SOX freeze” – they’re either avoiding or delaying any kind of decisions regarding changes. This unwillingness to decide, risks missing growth potential too. The impulse to freeze stems understandably from fear of veering off the compliance course they worked so hard to achieve. But business shouldn’t forget that, before SOX was established, companies made business decisions based on the business. Management should continue to initiate and manage change like they did in the pre-SOX era. Compliance with SOX should not drive business decisions, but rather follow. In other words, forget about SOX for just a moment and focus on the change that the company wants and needs.
When should SOX come into play?
Once a change initiative has been agreed upon, the processes, people and technology affected by the change must be clearly defined and understood before focusing on SOX. If SOX is initially the sole focus, companies should expect rework, higher costs and frustrated control owners. Conversely, clearly defining processes and designing controls into areas affected by the change, businesses will reduce costs, use already over-allocated employees’ time more efficiently and keep auditors unruffled. It will also enable companies to clearly identify needed improvements in control and operational efficiency from the outset. The benefit for this type of planning is management will know what they are up against and how quickly they need to tackle improvements, so the business change can be successful, processed efficiently and well-controlled.
When businesses make changes nowadays, it’s vital for them to thoroughly document the well-defined, efficient and controlled processes. The most important elements are those that give management comfort that the business is run efficiently and cost-effectively with processes that are repeatable, are owned and managed by capable employees and avoid fraud or misstatements to the financials. An added benefit of good documentation is the establishment of necessary buy-in at all levels within the company. If these areas are covered, the company is well on its way to SOX compliance.
Once the processes are successfully implemented, SOX efforts can be further expanded. Remaining SOX control documentation, operational testing and self-assessment SOX procedures can be introduced at this time. Remember, the ways in which change was initiated and managed before the days of SOX should be the initial focus of change in the SOX world. SOX by itself shouldn’t direct business change decisions.
Tami French
Risk and Controls Practice
Percipio Consulting Group
|
|
|
|
|
