When Congress hurriedly passed the Sarbanes-Oxley Act of 2002 (the SOX Act or SOX), it wanted to combat the type of creative accounting and fraud that led to the much-publicized collapse of companies such as WorldCom and Enron.
Many companies saw SOX as imposing the same compliance burden on them as was imposed on the companies that had been fraudulent or negligent and didn’t look past the short-term pain to see the longer-term opportunity.
“Meeting the requirements of SOX during the first two years proved to be the resource drain that many companies feared. Significant resources were consumed documenting and testing internal controls,” says Allen Harris, president of Compliance Technologies, the software and technology solutions business of Avvantica Consulting LLC. “Companies are now looking for ways to leverage that investment.”
Smart Business spoke to Harris about the ways companies can leverage their investments in SOX compliance to derive additional organizational value while simultaneously driving down the total cost of compliance (TCC).
How can a company leverage its investment in SOX?
The idea here is that, when you’re doing the work necessary to comply with SOX, you should gain a holistic view of the financial controls across the organization. This holistic view, or road map, often exposes areas where you can significantly improve operations. If you are going to spend the money to comply with SOX, you might as well get value in other areas, as well.
For example, sometimes when you test a control for an organization you find out that the control fails the test; not because of the control itself but because existing polices aren’t being enforced. In other cases, companies are able to identify controls that are unnecessarily complex and should be simplified. When you can see the controls laid out for the entire organization, you see everything come together in a view that you don’t readily see unless you go through the kind of rigorous documentation and testing of controls that is necessary for SOX compliance.
There are also cases where a control is manual that should be automated. One of the things that auditors hate the most is a manual control because it’s subject to human error. It’s preferable to have an automated control that you can test once and you know will always work the same way. If it’s a manual system, then you are relying on people to run it. You look at your manual controls and try to figure out which ones you can automate.
Finally, many companies lack a standard approach for similar controls.
It’s more efficient and effective to develop a standard approach so that everyone operates a particular type of control the same way, as opposed to unnecessary variations in different divisions or locations.
How can a company reduce its TCC?
An effective SOX technology platform provides a compliance road map for identifying opportunities for improved operations. Forward-thinking companies are moving beyond just SOX compliance to bring operations under better control while also reducing their TCC.
We first recommend that companies invest in a high-quality, effective SOX technology platform with a robust executive dashboard to manage the ongoing SOX process and to reduce their TCC. It’s very difficult to reduce your TCC without an effective technology platform, since you don’t have ready access to the necessary information.
Once the SOX technology platform is in place, the focus shifts to identifying appropriate key performance indicators, which might include total number of controls; percent of controls that fail testing; and the cycle time to collect evidence, complete tests and address controls remediation.
Next, companies should focus on optimizing the total number of controls defined for existing processes. Many companies have defined too many controls over areas that have limited materiality while not defining a sufficient number of strategic controls.
Finally, companies should focus on redesigning or re-engineering the underlying control processes in order to implement improved operational control.
How can a company take advantage of a compliance road map?
You want to move from non-standard controls for a given process to standardized controls to reduce the cost of controls documentation, maintenance and testing. And you want to migrate away from performing ‘back office’ processes on a local basis by moving to regional or national processing centers. For smaller organizations, centralization often provides a side benefit of helping a company address control issues such as segregation of duties.
A company can leverage the road map provided by an effective SOX compliance technology solution to identify significant areas for operational improvement and to attain process improvement and cost optimization. It can be used to transform the business by making SOX compliance an integral part of ongoing operations and by implementing identified operational improvements.
ALLEN HARRIS is president of Compliance Technologies, the software and technology solutions business of Avvantica Consulting LLC. Reach him at (214) 379-7924 or [email protected].
