Sarbanes Oxley : Technology : Risk Management

Add Business Value and Gain Competitive Advantage


By Jennifer Tharp, Keri Dawson
Jennifer Tharp
CEO and President
Mastodon Consulting

Keri Dawson
VP of ComplianceOnline Advisory Services
MetricStream, Inc.

While organizations have been managing SOX compliance for a few years now, many are not realizing its full organizational value because they are not leveraging the latest developments, opportunities and methods in enhanced SOX compliance. Integrating SOX compliance with other key organizational processes, and implementing an ongoing, sustainable and cost-effective strategy supported by adequate technology, can bring true competitive advantage.

A recent survey of 225 global executives indicates that about 35% of organizations have over 1000 controls for SOX alone. Almost 60% of those are key controls which need to be tested every year, and 62% of professionals spend at least five hours testing each key control. SOX compliance can be extremely costly for many organizations! 40% of executives agree that the major challenge in complying with SOX continues to be the cost factor. However, many companies still treat SOX compliance as a mere compliance exercise. Although automating controls can reduce cost, only 3% of companies surveyed have automated more than half of their controls. There is an opportunity to leverage innovative approaches, practices and technology solutions which can help companies build value through SOX compliance.[1]

Top challenges of a SOX function

The April 2011 Ernst & Young survey indicates that the top challenges of a SOX function are:

  • Cost as well as level of effort and innovation in control testing strategies
  • Value-add to the business
  • Integration with other risk and compliance functions
  • Learning and career opportunities for SOX personnel
  • Challenges related to technology
  • Controls monitoring
  • Effectiveness of resources
  • Mergers and acquisitions of private or SOX non-compliant entities

Integrating SOX compliance with overall governance structure and ERM

SOX compliance is only one part of the bigger governance picture. Governance, risk and compliance (GRC) together can drive an organization’s strategy and risk management objectives and align the people, process and technology capability of the organization to meet those objectives. The SOX function can move beyond compliance processes and provide a comprehensive and integrated platform to manage financial as well as non-financial controls, helping other departments in the organization by providing valuable information.

Governance is how senior executives control the entire organization. Governance ensures that information is sufficiently complete, accurate and timely to enable appropriate management decision-making, and provides control mechanisms to ensure that strategies are carried out systematically and effectively. Governance activities include setting business strategy objectives, determining risk appetite, establishing culture and values, developing internal policies and monitoring performance. By rolling SOX activities up into the overall governance structure through enterprise risk management (ERM), SOX compliance can become less complicated and can contribute to driving the business forward, adding transparency to business operations.

The bigger governance picture and SOX

Before integrating SOX compliance activities into the larger GRC framework, some fundamental questions need to be answered:

  • What are the key business objectives of the organization and how does the management ensure that these are met?
  • What constitutes the organization’s risk appetite and risk tolerances?
  • What core values guide decision-making and how does the organization plan to build and strengthen a value-based culture committed to integrity and ethics?
  • What events could help the organization achieve its objectives, and how can these be leveraged?
  • What events can pose a risk to achieving objectives, and how should these be assessed and managed?
  • Are the policies and organizational structure in place to ensure the management and mitigation of risks?

SOX compliance and enterprise risk management

ERM provides a framework for identifying specific events and circumstances relevant to the organization's objectives, such as risks and opportunities, assessing them in terms of likelihood and magnitude of impact, and determining the response strategy and monitoring program. An early warning system can be established for emerging risks so that responses are developed before it is too late to respond.

ERM is an important part of the 'tone at the top', ensuring that the organization has a culture that is conducive to risk management, with positive leadership participation in decision-making about risk, openness, accountability, organizational training, knowledge sharing and good internal communication. The objective is to create an aware, intelligent and responsive business. Everyone in the organization should participate, and the board of directors should remain fully informed about any developments from an early stage.

ERM must be regarded as a step towards achieving success, and not merely as an exercise to satisfy regulatory requirements. ERM is not about avoiding risk (risk is an essential element in running a business) but about choosing the risks the organization accepts and managing them well. Risk management is about how an organization identifies, analyzes and responds to risks and uncertainties that may adversely affect the realization of its business objectives or may bring positive opportunities for the business. Risk management activities include identifying and assessing risks, managing them to gain competitive advantage, and determining the response strategies and control activities.

Risk identification

Risks that can impact the organization positively or negatively can be identified using methods such as the following (each focus area is listed with the events it identifies as risks):

  • Organizational objectives basis: any event that may endanger achieving an organizational objective partly or completely
  • Scenario basis: any event that triggers an undesired alternative scenario
  • Taxonomy basis: any event that is revealed as a risk by a questionnaire built on knowledge of best practices
  • Common risk basis: any event that is included in the list of common risks, checked in the context of a particular situation and confirmed as a risk

Risk assessment with top-down approach

Once risks are identified, they must be assessed for the potential severity of loss and probability of occurrence. The objective is to determine which threats to the organization's assets or practices pose the highest likelihood of disrupting its continued operations. If risks are not identified, assessed and prioritized properly, time may be wasted dealing with risks that might not occur or that have a negligible impact on the organization's operations. Therefore, assessing the risks and determining their potential impact is a critical component.

The steps involved in assessing risks based on a top-down approach are:

  • Identifying the significant financial reporting elements (such as accounts and disclosures)
  • Identifying material financial statement risks within these accounts and disclosures
  • Determining the entity-level controls that would address these risks with sufficient precision
  • Determining the transaction-level controls that would address these risks in the absence of precise entity-level controls
  • Determining the nature, extent and timing of the evidence gathered to complete the assessment of in-scope controls

Risk mitigation

Strategies to mitigate risks can be diverse. Some risk mitigation strategies include:

  • Avoidance: This is often a cost-prohibitive strategy.
  • Reduction or mitigation: This implies reducing the severity of the potential loss.
  • Transfer: This includes the use of insurance or other strategies to transfer the risk to another party.
  • Retention or acceptance: This is a default method to mitigate risks that cannot be avoided or transferred.

Risk metrics

For testing, the focus should be on the controls that adequately address the risks of material misstatement. Under the Public Company Accounting Oversight Board's (PCAOB) Accounting Standard 5 guidelines, organizations are required to determine whether an account is significant or not based on a series of risk factors related to the likelihood of financial statement error and the magnitude of the account. Significant accounts and disclosures are ill scoped for assessment, so management includes this information in its documentation and generally performs the analysis for review by the auditor. This documentation may be referred to in practice as a significant account analysis. Accounts with large balances are generally presumed to be significant in scope and require some type of testing. The misstatement risk ranking is a key factor used for determining the nature, timing and extent of evidence to be obtained. As the risk increases, the expected sufficiency of testing evidence accumulated for controls related to the significant accounts also increases.

Managing SOX compliance with innovation

Surveys and research indicate that very few organizations use technology and innovative tools and methods to manage SOX compliance. About 21% of respondents use data analytics, 12% use predictive modeling and 65% do not use any third-party applications to automate continuous controls monitoring. About 90% of respondents still use spreadsheets for their scoping exercise. Additionally, about 58% of respondents do not use control self-assessment, 63% do not use peer reviews, and a large section, 48%, do not incorporate SOX compliance into ERM.

Compliance is an outcome and not a function. In an environment where GRC is fully implemented, processes are in place to provide timely information to management and the board of directors on business opportunities and the most significant risks. While these risks are managed, employees need to understand the GRC roles and responsibilities and the importance of exercising due diligence in managing risk effectively.

Implementing a unified risk and compliance framework lowers the risk of non-compliance, improves performance, brings risks into the focus of the organization's leadership and lays the groundwork for a general compliance-driven risk assessment model that can incorporate any set of regulations and specifications. This frees organizations from being tied only to present regulations, where processes would otherwise need to change drastically with every new regulation or stipulation.

Rationalizing SOX controls

SOX controls can be rationalized by taking the following measures:

Raising the materiality threshold and conducting a general ledger materiality review is important. As the business progresses, the materiality of a particular account can become less important as the organization goes through mergers and acquisitions, changes in the purpose of the business or expansion in general. So a new materiality threshold can take some accounts out of scope.

De-scoping overseas entities and looking at regional scope is a crucial part. Subsidiaries and locations with a traditionally strict regulatory regime, such as Hong Kong and Japan, may provide comfort to auditors due to their diligence in meeting their original regulatory requirements. So these may not need to be included in the SOX efforts.

Eliminating duplication of shared or parallel processes can make SOX compliance more efficient. In the case of duplicated processes, the same controls can be defined differently by two process owners. Removing such duplication will reduce the duplicated effort by 50%. Shared processes need to be recognized, and owners need to focus on the commonality.

Automating SOX compliance is an important exercise. With embedded IT controls and automated processes in place, SOX compliance can become easier.

Examining SAS 70 reports can tell organizations where else they can place reliance for external reporting. Where substantial reliance is placed on an external service provider, organizations should confirm with external audit that the controls related to the process are documented by the provider, at least partially, through its SAS 70 documentation.

Leveraging management efforts and internal audit work can contribute to SOX compliance. When the organization's internal audit function completes testing, the possibility of the SOX project relying on internal audit findings should be discussed rather than conducting the testing all over again.

Reviewing major business changes in the context of the documentation and testing approach is a key step. If a material business change is expected to occur in the next two reporting periods, the organization must ensure that external audit is fully aware of the prospective change, as the organization may choose to forgo testing until the change is implemented.

Taking a risk-based approach can facilitate SOX compliance. Conversion projects aggregate the findings of internal audit, SOX project work, management reports and often performance indicators to establish quality reporting on overall risks to business lines. This helps streamline internal audit work and allows internal audit not only to focus on those areas with high overall risk, but also to understand which areas are low risk and do not need much attention.

Benefits of unified risk and compliance framework

By implementing an integrated GRC framework, organizations can

  • Lower the risk of non-compliance
  • Improve performance and investor confidence
  • Bring risks into the focus of the organization’s leadership
  • Lay the groundwork for developing a generalized compliance-driven risk assessment model that can incorporate any set of regulations and specifications


Role of technology in SOX compliance

After 10 years of implementation, SOX is still treated almost the same way by organizations as it was in 2002 – as a complex compliance exercise. Many SOX programs are manual, use spreadsheets, are not streamlined and do not leverage technology and automation capability.

Organizations are slowly emerging out of the recent economic recession and as they start spending again, executives are looking at creating value. Automating key controls and moving away from human intervention and saving time and effort are important factors in increasing the value of SOX compliance. The time is right for organizations to integrate the ERM function and the SOX activities and share and collaborate more intensely.

In order to enhance the effectiveness of SOX, organizations need to

  • Automate key controls
  • Re-visit testing methods
    • Use top-down approach for risk-based assessment and for identification of key controls
    • Identify entity-level controls
  • Integrate SOX activities with overall GRC structure
  • Re-align risk management
  • Leverage IT applications and IT controls

Benefits of Automation

Using a technology solution to automate and streamline SOX compliance and to integrate it with overall GRC structure can provide multiple benefits to organizations:

  • Leveraging a unified and comprehensive solution for all GRC needs
  • Adopting industry compliance standards
  • Ensuring automated controls and disclosures
  • Identifying risk and compliance issues easily
  • Exercising closed-loop remediation
  • Utilizing resources better and enabling auditors to focus on key controls and strategic activities
  • Obtaining complete visibility over the compliance process

Ensuring collaborative environment

Conclusion

Integrating SOX compliance activities, as well as other compliance, governance and risk management processes, on a common platform is a significant step not only towards assured SOX compliance but also towards stronger GRC capabilities for the organization. Leveraging GRC activities at a cross-organizational level and developing a common risk and business framework can align the organization with its GRC and business goals and save duplicated effort and unnecessary costs.

The ERM function needs to work in conjunction with the SOX and internal audit functions and ensure that information flows as input to these groups, so that the controls being tested and the mitigation activities being evaluated are shared and each group knows what the others are doing. Shared issue management and remediation processes allow leadership and management to see and evaluate the potential exposure to risks. This way, management can decide to transfer or mitigate a risk, or take an informed decision to accept the risk and move forward. Organizations increasingly demand information in real time and in a harmonized way that allows senior leadership to understand the exact position of the organization and the areas that need attention. Visual dashboards and quick reporting allow them to see critical information and prioritize decisions quickly.

While the integration of SOX with internal audit and ERM is easy to understand conceptually, it is a complex exercise to undertake. Identifying the success factors of these functions and aligning them with integration can lay the foundation for this exercise.

To summarize, focusing organizational energies on integrating SOX compliance with crucial organizational processes, such as internal audit and ERM, and on implementing a consistent, viable and cost-effective strategy backed by the right technology infrastructure can provide organizations with the necessary competitive edge as well as significant business value.





Jennifer Tharp
CEO and President
Mastodon Consulting

Jennifer Tharp speaks and consults on good governance, from developing corporate social responsibility programs, to driving regulatory compliance and strategic alignment and execution. Ms. Tharp has consulted and worked for many high-technology multinationals including Vodafone, Thomson, Genentech, Nikon, and eBay, creating good governance practices. Profiled by Ziff-Davis Media in 2006 as a "Great Mind in Development," Jennifer Tharp speaks frequently on governance, risk, and strategy.

As a board member for both Project Management Institute and the Association for Strategic Planning, she brings thought leadership and skilled management to execution. Ms. Tharp holds a BS in Business Administration from Indiana Wesleyan University, where she graduated Summa Cum Laude. She is a Certified Project Management Professional (PMP).



Keri Dawson
VP of ComplianceOnline Advisory Services
MetricStream, Inc.

Keri Dawson is Vice President of ComplianceOnline Advisory Services at MetricStream. In this role, she is responsible for leading the integration and continued growth of MetricStream’s cloud-based content and consulting services, with focus on driving MetricStream’s next generation content and service portfolios across the ComplianceOnline business unit.

Ms. Dawson was formerly a Director with KPMG and has over fifteen years of consulting experience in audit, risk, controls, and compliance. She was a leader in KPMG’s GRC Technologies practice, and has been active in the governance, risk and compliance domain for over a decade. Ms. Dawson’s delivery portfolio includes system implementations, internal audit and regulatory compliance services, external audits and attestation services, IT strategy and risk assessments, and performance improvement projects. She has substantial experience leading and coordinating IT-enabled transformation engagements across numerous industries, with a focus on the global consumer markets and technology sectors.

Ms. Dawson holds a Bachelor of Science in Environmental Science from the University of North Carolina - Chapel Hill. She is a Certified Information Systems Auditor (CISA) and a Project Management Professional (PMP).






© 2019 Simplex Knowledge Company. All Rights Reserved.