
Beyond Initial Compliance


Managing Sarbanes-Oxley Year after Year

By Sukanta Kumar Acharya (and Ravikant Karra)

Infosys

While the hypothetical scenario below may seem extreme, it is representative of the chaos that could prevail in companies that take a short-term approach to their compliance efforts. "It's been only 2 years since we spent millions of dollars on our compliance initiative. How come we are non-compliant today?" This question could become a reality for many CXOs in the days to come.

Year 2002:
The Sarbanes Oxley Act is passed into law.

Year 2005, February:
SKARK-Mart Incorporated, listed on the NASDAQ, publishes its annual results for 2004, which include an internal controls report attested by its auditors. The annual report is delayed by a couple of weeks, which is attributed to the extra diligence required by compliance. But this is the first year of compliance, and the delay is perfectly acceptable and understood by the industry, analysts and stakeholders.

Cut to Year 2006, February:
SKARK-Mart needs to publish its annual results for 2005. Management needs to reaffirm that internal controls are in place, based on testing done during 2005. SKARK-Mart assumes this will be simple but suddenly finds itself facing a number of challenges in obtaining an assessment from the process owners:
  • There have been a number of changes in the processes related to financial reporting, stemming from the introduction of new applications. The Corporate Accountant is struggling to identify the changes in internal controls and processes, with their effective dates, vis-à-vis the last filing.
  • The Sales Head is unable to trace the latest version of the assessment procedure applicable to the set of internal controls in his process.
  • The Global Procurement Head faces an even more daunting task, as different sets of controls apply at different geographical locations for the same or similar process or activity. She is unable to consolidate the assessment without being certain that nothing is missing. A substantial manual effort seems to be required.
  • The Head of Stores and Inventory is in a quandary, since the person who did this last year has quit. While he is ensuring that the year-end inventory reconciliation is done accurately, he has no additional resources for compliance, which he believes to be an entirely different set of activities.
March 2006:
The functional heads pull their act together with guidance from the internal audit team, obtain their assessment reports and submit them for CXO assertion. With the filing date already delayed, the CXO has limited time for review. The auditors, unimpressed with the report, perform a limited test, only to find that the assertions provided by management are not backed by adequate testing. And they say so in their attestation of the report.

The End of The Beginning
Since 2003, companies have invested a significant amount of time and money in Sarbanes Oxley compliance. According to the Financial Executives International survey of July 2004, the average cost of the compliance initiative in the first year alone is a staggering US$ 3 Million. Companies have collectively heaved a sigh of relief as they completed the documentation, design and operational assessment required by section 404. The end objective was clear: get an unqualified attestation from the auditors on management's assertion on internal controls. And the approach exemplified the objective: do whatever is necessary to get to compliance. Very little thought was given to a process-driven, repeatable approach.

We believe that first-year compliance was only a milestone in the compliance journey. We term this "the end of the beginning": it is only the learning curve on compliance requirements (the beginning) that has come to an end. Retaining SOX compliance will be as important as, if not more important than, becoming SOX compliant.

From our experience at Global 2000 organizations, we find that, with the focus on initial compliance, a majority of companies are missing out on the issues associated with ongoing, year-after-year compliance requirements. The Act itself requires companies to define, design, document, implement, assess and monitor the entire set of internal controls, to provide reasonable assurance of the completeness and accuracy of financial reporting. While section 302 requires the CEO / CFO of the company to certify the effectiveness of the internal controls, including a certification on disclosure controls, section 404 requires evidence of such assessment on an annual basis and requires attestation by the external auditor of management's assertion on the same. This is a recurring target which has to be met year after year. Companies have realized how massive the burden of compliance was in the first year - can they imagine having to repeat the exercise all over again? The challenge that designated compliance officers face is thus not merely to be compliant, but to design a compliance mechanism which is sustainable and requires reduced effort.

Why Automate? Risk Of Compliance Failure
Business models and realities are not driven by regulations - they remain dynamic, and so does the set of internal controls. Treating each year of compliance in isolation would mean this: activities done on an ad-hoc basis, similar or higher levels of non-compliance risk for the company every year, and substantial manual effort. This would also mean similarly high levels of cost incurred every year. Hence, paradoxically, the cost of compliance and the risk of non-compliance would be directly related.

It therefore makes business sense to leverage IT that can provide automated compliance management at a low cost of operation. While there may be a higher cost at the time of implementing the automated solution, we believe this will pay for itself through savings in subsequent years.


Figure-1: Risk of Compliance Failure

Cost Of Compliance
Companies have spent an average of US$3 Million* on Year 1 compliance activities. Normally, the cost burden would come down in Year 2. However, since Year 2 would see a major consolidation of the effort that went into Year 1, plus IT intervention, the dollar outflow would be comparable to that of the Year 1 initiative. Companies have to spend on streamlining the documentation created in Year 1 to create a systems view, in addition to meeting the requirements of quarterly and annual assessments. Implementation of the external auditor's suggestions, if any, on the Year 1 assessment would also add to the cost.

While the learning curve would help companies in Years 3 and 4, it is here that an IT-enabled compliance system would clearly differentiate the costs incurred. In a continuing manual effort, the work-arounds would cause a drift in focus over the years, resulting in an increase in costs in later years. Moreover, organic and inorganic (if any) growth of the business and changes in business practices in and around SOX would further complicate matters and escalate the cost of effective observance. It would amount to repeating the Year 1 and Year 2 initiatives, and the cycle would repeat itself.

Figure-2: Cost of Compliance

What Does Automation Mean
It would be useful to understand the nature of the compliance activities needed in subsequent years. The table below draws an analogy between the initial compliance activities and the activities of subsequent periods.

Table-1: Repeat Compliance Requirements


First year compliance efforts                                              | Repeated compliance efforts
---------------------------------------------------------------------------|------------------------------------------------------------------------------
Form a steering group                                                      | Maintain a core group
Identify significant accounts and key business processes                   | Assess and identify changes to the significant accounts and key processes inventory
Map out business processes and document internal controls over financial reporting | Identify changes and modify documentation based on changes in internal controls
Document IT general controls                                               | Identify changes and modify documentation based on changes in internal controls
Perform design assessment                                                  | Re-perform design assessment based on changes to the business and control structure
Test and do operational assessment                                         | Continue testing and operational assessment
Bridge significant gaps, if any                                            | Bridge significant gaps, if any
Provide audit trail                                                        | Provide audit trail


Automation can take various forms, such as:
  1. Processes can be workflow driven, with exception management built in, so that any changes are captured automatically
  2. A centralized repository of existing documented processes - any change will still need to be updated manually, but the update then triggers mailers to the process owners to revalidate the compliance status of the process
  3. Modification of applications to automate most of the currently manual checks - for example, reports from two different sources being checked for consistency
  4. Automated triggers at defined time periods to the process owners, clearly indicating:
    • Controls that need to be checked
    • Sample size to be collected for review
    • Testing procedures to be followed
The figure below shows a proposed logical architecture for an IT-enabled compliance solution.

Figure-3: Automation of compliance management- Solution Architecture

Year-on-Year Compliance
There are various problems that companies grapple with when addressing year-on-year compliance requirements:
  • Geographic spread of operations - the ability to consolidate control assessments from multiple locations
  • Multiple transaction systems - extraction of data from various systems to be able to centralize intelligent analytics
  • Region-specific process flows, with possibly different sets of controls for similar activities
Figure-4: Control Maturity
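The automation forms listed under "What Does Automation Mean" and the year-on-year problems above (consolidating assessments across locations with region-specific control sets) can be sketched in code. The following is an added example written for this page; it is not Infosys' solution and not code from the article. The control identifiers, process owners' mailboxes, sample sizes, procedures, dates and balances are all constructed for illustration. It models a central control repository that keeps version history (so changes since the last filing can be listed with their effective dates), sends a revalidation notice to the process owner when a control changes, raises periodic test triggers stating the sample size and procedure, reconciles the same balances reported by two systems, and rolls up per-control assessments by process while flagging any control that was never assessed.

```python
from dataclasses import dataclass
from datetime import date

# All identifiers, owners and data below are constructed for this example.


@dataclass(frozen=True)
class Control:
    control_id: str        # constructed id such as "PROC-EU-01"
    process: str           # business process the control belongs to
    location: str          # region whose control set this version belongs to
    description: str
    test_every_days: int   # how often operational testing is due
    sample_size: int       # items the owner must pull for each test
    procedure: str         # testing procedure the owner must follow
    effective_from: date   # date this version of the control took effect


class ControlRepository:
    """Central repository of documented controls with per-control version history."""

    def __init__(self):
        self._versions = {}      # control_id -> [Control, ...] oldest first
        self._owners = {}        # process -> owner mailbox (constructed)
        self.notifications = []  # revalidation mailers that would be sent

    def set_owner(self, process, owner):
        self._owners[process] = owner

    def register(self, control):
        """Record a control version; a change to a known control triggers a
        revalidation notice to the process owner (automation form 2)."""
        history = self._versions.setdefault(control.control_id, [])
        if history:
            owner = self._owners.get(control.process, "unassigned")
            self.notifications.append(
                f"to={owner}: revalidate {control.control_id} "
                f"(changed effective {control.effective_from})")
        history.append(control)

    def latest(self):
        return [history[-1] for history in self._versions.values()]

    def changed_since(self, filing_date):
        """Controls whose current version took effect after the last filing."""
        return sorted(c.control_id for c in self.latest()
                      if c.effective_from > filing_date)

    def due_tests(self, last_tested, as_of):
        """Periodic trigger (automation form 4): controls due for testing,
        with the sample size and procedure the owner must follow."""
        due = []
        for c in self.latest():
            last = last_tested.get(c.control_id)
            if last is None or (as_of - last).days >= c.test_every_days:
                due.append({"control_id": c.control_id,
                            "owner": self._owners.get(c.process, "unassigned"),
                            "sample_size": c.sample_size,
                            "procedure": c.procedure})
        return sorted(due, key=lambda d: d["control_id"])

    def consolidate(self, assessments):
        """Roll up assessments by process across all locations and list every
        control in the current inventory that has no assessment at all."""
        results = {a["control_id"]: a["result"] for a in assessments}
        summary = {}
        for c in self.latest():
            row = summary.setdefault(c.process,
                                     {"effective": 0, "deficient": 0, "missing": []})
            result = results.get(c.control_id)
            if result is None:
                row["missing"].append(c.control_id)
            elif result == "effective":
                row["effective"] += 1
            else:
                row["deficient"] += 1
        return summary


def reconcile(source_a, source_b, tolerance=0.005):
    """Automated consistency check (automation form 3): compare balances from
    two systems and return (account, a, b) for anything missing on one side
    or differing by more than the relative tolerance."""
    exceptions = []
    for account in sorted(set(source_a) | set(source_b)):
        a, b = source_a.get(account), source_b.get(account)
        if a is None or b is None or abs(a - b) > tolerance * max(abs(a), abs(b), 1):
            exceptions.append((account, a, b))
    return exceptions


def build_sample_repository():
    """Constructed inventory: two procurement controls (US and EU sets) and one
    inventory control, with the EU control changed after the 2004 filing."""
    repo = ControlRepository()
    repo.set_owner("procurement", "procurement-head@example.com")
    repo.set_owner("inventory", "stores-head@example.com")
    repo.register(Control("PROC-US-01", "procurement", "US", "PO approval",
                          90, 25, "Vouch 25 POs to the approved vendor list", date(2004, 6, 1)))
    repo.register(Control("PROC-EU-01", "procurement", "EU", "PO approval",
                          90, 25, "Vouch 25 POs to the approved vendor list", date(2004, 6, 1)))
    repo.register(Control("INV-US-01", "inventory", "US", "Cycle count",
                          30, 40, "Recount 40 bin locations against the ledger", date(2004, 6, 1)))
    # New purchasing application in the EU changes the control after the 2004 filing.
    repo.register(Control("PROC-EU-01", "procurement", "EU", "PO approval (new ERP workflow)",
                          90, 25, "Review 25 system-approved POs for workflow override", date(2005, 9, 15)))
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print(repo.notifications)
    print(repo.changed_since(date(2005, 2, 28)))
    print(repo.due_tests({"PROC-US-01": date(2005, 9, 30), "PROC-EU-01": date(2005, 12, 20),
                          "INV-US-01": date(2005, 12, 1)}, as_of=date(2005, 12, 31)))
    print(repo.consolidate([{"control_id": "PROC-US-01", "result": "effective"},
                            {"control_id": "INV-US-01", "result": "deficient"}]))
    print(reconcile({"1000": 120.0, "2000": 50.0, "3000": 10.0},
                    {"1000": 120.2, "2000": 52.0}))
```

The version history is what answers the Corporate Accountant's question in the scenario (which controls changed since the last filing, and from when), and the consolidation step answers the Procurement Head's (which controls in the region-specific sets have no assessment at all). A real deployment would back the repository with a database and an audit trail rather than in-memory lists.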

Companies which meet the above challenges will see a significant reduction in compliance costs over the years while moving up the control maturity curve.

Companies can also use the significant amount of data collected through automated compliance triggers to generate actionable reports for business use. Using technology to automate compliance, and re-using such implementations to achieve business objectives through intelligent analytics, should be the end objective of forward-looking companies.

Moving Beyond Compliance
Companies have done a tremendous amount of work in documenting processes and controls. However, by keeping their focus on regulatory compliance alone, they seem to be losing sight of the possible re-use of that work.

Essentially, what the companies have achieved is this:
  • Following a business process right through its myriad twists and turns to understand the activities involved
  • A detailed process mapping across locations, applications and geographies
  • Documentation and checking of all controls in an application
Having done all of the above, it falls to each and every company to utilize the information effectively. Possible areas which could be explored are:
  1. A standardized process across locations - a uniform process with minor documented deviations is easier to control, centralize or even outsource
  2. Clear application documentation provides visibility into overlaps in functionality. Companies can take a focused approach to reducing complexity and consolidating applications, or instances of applications, which can reduce the maintenance cost of the existing applications.
  3. Business processes can be streamlined by removing redundant activities - process mapping can be the catalyst that ensures best practices are incorporated into daily activities
Conclusion
While companies have mostly done well in meeting initial compliance requirements, there is clearly a need for a sustainable approach. Information technology can be a major enabler in reducing time and effort on a continuous basis, with the cost of such an implementation offset by the reduction in both manual effort and the risk of non-compliance.



Sukanta Kumar Acharya
Sukanta is a Principal Consultant at Infosys Technologies Ltd (NASDAQ: INFY), one of the leading IT consulting and services firms in the world. He has over 11 years of experience in business, IT and process consulting. He has been a key player in devising Infosys' Sarbanes Oxley solution and instrumental in its deployment at various global clients. As a practicing consultant he has rich experience in the Sarbanes Oxley world and has conceptualized innovative approaches to managing the regulation's requirements. Currently he is with Solutions Consulting for the Automotive and Aerospace vertical in Infosys, which devises innovative IT-enabled business solutions.

Ravikant Karra
Ravikant is a Senior Consultant at Infosys Technologies Limited. He has over 9 years of experience in the CPG and IT sectors. Prior to Infosys, his experience spanned financial reporting and analysis, audits and risk mitigation. At Infosys, he has leveraged this experience and was a key member of the team defining the Sarbanes Oxley solution. He has participated in multiple compliance projects, in both the execution and approach-definition phases.





© 2019 Simplex Knowledge Company. All Rights Reserved.