The Sarbanes-Oxley Act of 2002 introduced major changes to the regulation of financial practices and corporate governance. Much debate ensued about whether smaller companies and their external auditors would also have to follow SOX. Thus, a lighter version of SOX was introduced in 2007.
“This was the go-ahead to take a top-down approach and focus on the larger risks,” says Tom Powers, CPA, director, assurance and business advisory services, GBQ Partners LLC.
Smart Business spoke with Powers about some of the lessons learned from SOX and how to increase efficiency during SOX audits.
What are some lessons that companies have learned from SOX?
Before diving into the control risk matrix for purchase-to-pay or order-to-cash cycles with 10, 15 or 20 controls, visit with the controller, CFO and other upper management and ask the simple question: ‘How do you know when there is a material error in your monthly, quarterly or annual financial statements?’
It may have been a while since you’ve heard what happens, because Jane approves the general ledger account distribution or Joe makes sure all invoices were prepared for all shipments sent out. Yes, these are important process level controls to help run your business, but may not be what management is ‘banking on’ to catch the material mistake that prevents the material weakness. Typically, management has a number of analysis, comparisons, trend reports or other dashboards that send up the red flags. Think about putting more effort into understanding and testing those more powerful controls and less time and effort into the nitty-gritty process level controls.
How can you increase SOX efficiency?
It’s time to think about internal audit getting back to performing operational reviews and special projects on targeted areas to identify value. You need to turn over SOX to process level owners. One tool that is helpful to increase operating effectiveness is to create a dashboard — a spreadsheet that lists your company’s key controls, along with the individual responsible for performing or reviewing the control procedure, with check-off boxes for each month or quarter.
Sort the overall dashboard by individual and create a one- or two-page dashboard for each individual. Have them post it at their cubicle or desk to constantly serve as a reminder of the responsibilities required to be completed each month or quarter. Have the individuals complete the periodic dashboard initialing each periodic performance box and submit those to designated corporate accounting personnel who reviews and takes actions when the boxes are not checked off.
A number of deficiencies occur simply because people forget. The individual dashboard serves as a friendly reminder of to-do’s, increases accountability and provides a place for people to positively indicate that they have performed the control procedure, especially if there is not a paper trail.
