
Compliance in the Fast Lane


How to Quickly Navigate SOX Success

By Luc Brandts, Chief Technology Officer, BWise

With SOX compliance due dates looming ahead, companies need to quickly implement reliable solutions to address their governance needs. One of the biggest challenges financial executives face is how to effectively cull information from disparate sources to ensure proper evidence collection and documentation. In many cases, companies are being asked to streamline not only their financial reporting but essentially their entire enterprise if they are to truly and accurately address compliance. In particular, Section 404 requires significant organization-wide information sharing to produce the proper auditing results.

One of the most critical roadblocks encountered by public companies as they seek Section 404 compliance is an effective integration procedure to enable them to collect the corresponding evidence. In fact, as companies come to recognize the critical nature of a fully automated and replicable testing process, they realize that integration can be a huge barrier to success. A lack of coherent and effective information sharing strategies can cause significant and potentially costly delays and undermine compliance strategies.

To better understand these issues, it is important to first address the changing nature of documentation requirements, second look at some tips on breaking down information silos and related behavioral change, and finally discuss the most important technology features to look for that will help ensure integration and hence, SOX success.

Documentation as a Win-Win
Companies are spending a great deal of energy, resources and money on documentation due to the stringent compliance requirements of the Sarbanes-Oxley Act, and more specifically Section 404. Most companies would agree that this huge effort is something they should already have done, but other priorities prevailed. Still, the benefit of knowing and understanding the full range of a company's activities can hardly be seen as a luxury. Sarbanes-Oxley asks for this information in its most explicit form: senior management needs to be confident of the authenticity of the data, and external auditors need to be able to review it thoroughly before signing their attestation.

When managed properly the documentation effort will also provide companies with a great cost saving opportunity. For example, it will reveal important trends - showing how different entities work entirely differently, with totally different processes, using totally different controls. As a result, many companies find that applications cannot be standardized, resulting in many different sets of data.

People cannot easily be transferred between different locations; reporting and benchmarking is not possible; and best practices cannot be used throughout the organization. Process automation is not possible, and in some cases not beneficial, as each process automation (workflow) needs to be implemented in many different ways. The primary reason for the difference is often historical data, acquired companies, decentralized application management, local preferences, and so on. Documenting these types of processes and controls will clearly show all intentional and unintentional differences, allowing managers to take responsibility and implement the right best practices.

For example, it may reveal that, for all the positive attributes of a decentralized model, many companies would benefit from standardizing select activities such as administrative processes. As a result of these types of discoveries, organizations can improve economies of scale, with simpler and more standardized applications, workflow improvements, and cost-effective maintenance.

Breaking Down Information Silos
With or without standardized processes, companies that need to comply with Sarbanes-Oxley need to prove effectiveness of their controls. For this effort to be successful, evidence needs to be collected and safely stored in an evidence database.

Collecting evidence is the greatest challenge companies face with respect to Sarbanes-Oxley, after the documentation burden. Unlike documenting, which is largely a one-time effort with limited maintenance, testing and collecting evidence is a continuous process, quarter after quarter, year after year. As with documentation, however, companies are looking at how to maximize the efficiencies of this effort.

What companies typically face are many different applications, many different databases and information stores, with poor quality of data. In addition, the large diversity in processes means that similar data is stored in many different ways.

Changing this into an integrated environment with all of the obvious benefits requires companies to change. Change is never easy, as it involves a lot of different people, for whom change might not necessarily mean an immediately realized improvement.

Therefore, change itself is never the objective. The end goal is improving company performance and minimizing risk, including compliance at the lowest possible cost, with the largest possible benefits. A methodology for effective change includes these actions:
  • Define objectives
  • Define processes
  • Define risks and key controls
  • Define optimization opportunities
    • Determine cost of control effectiveness
    • Standardize processes
    • Standardize information gathering and evidence collection
  • Report on compliance and performance
This will ensure top management commitment, and will also make certain that all investments can be tied back to the original objectives. When considering the standardization of processes and optimization of information access, companies should ask themselves this question: Do the benefits of standardizing, such as reduced costs and improved performance, outweigh the burden of change? In most cases, the answer will be an unequivocal "Yes."

This also means that organizations whose change culture is geared towards agility will have a lower cost of change, and better opportunities for standardization and cost reduction. Although it may seem somewhat contradictory, standardization efforts are most likely to succeed in an environment of change. Companies need to keep a good balance between which processes to standardize and formalize at a corporate level, and which to keep more nimble. Processes in which a company will not find its competitive differentiator should be standardized. Processes that define a company and make it competitive can be standardized, but at the expense of (some) rigidity.

The process of breaking down information silos and making information accessible for various purposes is strongly influenced by the Sarbanes-Oxley Act, not because it is in Section 404 or Section 409 or elsewhere, but because it forces companies to reconsider their processes, their information flow and their information sources. This is the true blessing in disguise of the Sarbanes-Oxley Act.

Technology Considerations for Success
Based on the understanding that the Sarbanes-Oxley Act can move a business towards becoming more effective, not merely compliant, a company now needs to examine the technology considerations necessary for success. Here are some recommendations based on our significant experience, from local implementations in the US and Europe to global implementations in over 80 countries, involving companies ranging from 25M dollar firms to multi-billion dollar global corporations.

In order to be able to go beyond standard documentation, look for these elements in a SOX-documentation solution:


Functionality: Importing existing documentation
Rationale: Many companies have spent thousands of hours documenting processes and controls in spreadsheets and accompanying documentation in Visio diagrams, Word documents and others. This information should be re-used as much as possible.

Functionality: Templates (based on COSO; based on COBIT and/or ITIL)
Rationale: Organizations that don't have full documentation, or would like to compare their documentation with industry standards, should be looking for templates.

Functionality: Re-use of information
Rationale: Information tied to many processes, with the same controls throughout the organization or in parts of the organization, should be maintained only once.

Functionality: Support of company standards
Rationale: In order to support a fast rollout, company standards should be centrally maintained.

Functionality: Documentation of different entities in one single database
Rationale: Look for a solution that helps structure documentation in such a way that standardization opportunities follow automatically.

Functionality: Benchmarking possibilities
Rationale: Look for a solution that has been designed to support best practices and offers benchmarking possibilities to gain more than just compliance.

Functionality: Multiple frameworks
Rationale: Governance and compliance involve more than SOX. Many other regulations, risks and performance issues apply to the very same processes. Make sure the solution is fully capable of dealing with multiple frameworks. Note that this is a fundamental design issue, not a feature.

Functionality: Flexible reporting
Rationale: Look for a solution that offers both out-of-the-box and flexible reporting possibilities.


Documentation is the foundation of any proper compliance solution. Without it, the rest of compliance is cumbersome and unscalable. Likewise, a lack of scalability means that every further risk management or compliance effort will require the very same actions again, leading to enormous additional investments.

The testing of Key Controls is also a critical requirement. This process consists of two major components: first, the collection of adequate evidence, and second, the actual professional judgment on whether or not a state of control is effective. Testers spend a significant amount of time on the first element, collecting the evidence, whereas their professional judgment takes relatively little time. Therefore, companies are looking for an automated solution to streamline the testing process. Automating the professional judgment is possible but difficult, as most testing rules require human interpretation. For example, reading an actual signature and comparing it with a signature in a database is technically possible; the question is whether it is economically sensible to automate this when it may be done only four times a year in a Key Control test. Collecting the evidence itself, however, which typically requires enormous time and resources, can more easily be automated. For example, sampling a set of 50 scanned contracts and presenting it as evidence to a tester is a task that can (and should) be automated.

Collecting the evidence automatically is a good trigger to have a second look at information systems as well. Look for the following elements in a state-of-the-art testing solution:


Functionality: Integration with the documentation solution
Rationale: The integration between the two is crucial; in fact it should be a single solution.

Functionality: Involvement of business users
Rationale: It should be possible for both experts and business users to use the testing solution, with an extremely intuitive user interface in a web environment.

Functionality: Integrated reporting
Rationale: Reports should be available for all management layers, including consolidated reports.

Functionality: Evidence database
Rationale: The solution should have a secure, access-controlled and versioned evidence document database.

Functionality: Automated testing evidence collection
Rationale: The system should be able to automatically retrieve information from various sources.

Functionality: Open and standard interfaces
Rationale: The system should be able to retrieve data from any source.

Functionality: Workflow support in evidence collection
Rationale: Some evidence will need to be collected with human intervention, using automated workflow steps.

Functionality: Workflow support in control automation
Rationale: Some controls will greatly benefit from process automation, because of automated segregation of duties. The evidence of the effectiveness of the particular control results from the workflow system logs.

Functionality: Scalable solution
Rationale: Some organizations working worldwide will have to automate many thousands of controls, necessitating a scalable approach.


Summary
Many opportunities exist to use Sarbanes-Oxley and similar regulatory requirements for the betterment of a company, far beyond compliance. Choosing the right technology is not a guarantee of success, but it will lay the necessary foundations. Structure the documentation such that re-use of best practices and proper standardization are encouraged and even enforced. Many different solutions exist and it is hard to choose. The bottom line: look for a solution that has been designed from the word "go" for process improvement, and compliance will follow.
