SOX compliance is important, but so is managing a business. An inefficient and ineffective SOX compliance program can monopolize management’s time, diverting precious time and resources away from critical operational and strategic tasks.
Within this CFGInsights, we will be discussing tried and true ways to improve your SOX compliance program.
#1: Promote strong tone at the top
A successful SOX compliance program begins with buy-in from management and the Audit Committee. It is imperative that buy-in and support from management outside of the Finance department is obtained. It is a common misconception that SOX is solely a Finance responsibility, when in reality, SOX impacts groups outside of Finance as well, including Legal, Operations, Human Resources, and Sales. Management must be a champion of SOX, encouraging others within the company to take their SOX compliance responsibilities seriously.
#2: Perform a SOX diagnostic
Many SOX compliance programs do not adequately evolve with changing audit requirements and industry trends.
Having an outside party review the current SOX compliance program can provide valuable insight to management. A fresh perspective can identify control redundancies, unmitigated risks, and operational inefficiencies. Further, an outside party can offer unbiased commentary on current audit requirements and industry trends.
#3: Select the right person to oversee the SOX compliance program
SOX compliance programs often fail due to poor project management and oversight. When selecting a SOX compliance champion (someone from the company who serves as the main SOX point person), it is imperative that he or she possesses strong project management skills and has sufficient time to devote to this responsibility. Project management training and mentoring are important and should not be taken for granted.
#4: Align all stakeholders
It is not unusual for multiple audits to be performed at the same time (for example, by both internal and external auditors). Unfortunately, it is also not uncommon for different groups to operate in silos, executing audits autonomously with minimal communication and coordination with others. It is imperative that all parties communicate and coordinate throughout the year (most importantly during the planning stages of an audit) to align on the project plan, timeline, and scope. This helps ensure that duplicative work is not performed and that audits are executed as efficiently as possible.
#5: Reassess risks
A control environment that does not evolve with changes to the business, processes or personnel can lead to control inefficiencies or, even worse, control deficiencies. Risk assessments establish a SOX compliance program's scope and focus. Performing robust risk assessments is time well spent, as they recalibrate management on new and emerging risks and on the key controls needed to mitigate them. On the flip side, where risk rankings are lowered (for example, from "significant" to "low" or "non-existent"), the need for and criticality of the controls tied to those risks should be reassessed as well. Focusing extensive time and resources on areas of low risk is rarely appropriate.
#6: Educate control owners
The SOX compliance programs of today are very different from those of the early 2000s. A lot has changed since the Sarbanes-Oxley Act was passed in 2002. External auditors expect more of control owners: more documentation and more evidence. Proactively educating control owners on what is (and is not) acceptable documentation and evidence is an absolute must. Providing concrete examples of "good" versus "bad" documentation, or "sufficient" versus "insufficient" evidence, can go a long way.
#7: Utilize technology
The world is changing and so is the way companies manage and monitor their SOX compliance programs. For smaller, less complicated companies, the use of spreadsheets and word-processing files to document, test and report on controls may be appropriate. However, for large, international companies with complicated operations, simple tools like these may be ineffective. There are a variety of governance, risk and compliance (GRC) solutions available in the market which can assist companies in improving, streamlining and monitoring their SOX compliance programs. GRC solutions not only reduce the administrative burden of managing a SOX compliance program, but also provide real-time, dynamic reporting to assist management in assessing the efficiency and effectiveness of the company's system of internal control.
#8: Actively monitor control deficiencies and remediation plans
Waiting until the end of the year to commence remediation efforts is a recipe for disaster. Proactively assessing the root cause of control deficiencies and audit adjustments, and implementing remediation plans to address those deficiencies as they are identified, is a must.
#9: Establish ownership and accountability
SOX compliance programs succeed only when people own and are held accountable for their assigned areas and responsibilities. In general, control owners who are given the opportunity to provide commentary on, and suggest enhancements to, the design and execution of their controls are more likely to own their assigned areas than control owners who receive no such opportunity.
#10: Create flowcharts
When control owners do not truly understand the flow of a transaction through a process and how they fit into the bigger picture, SOX compliance programs can fail. When control owners can visualize a process, they are better able to understand the downstream impact of their actions. Consider, for example, a sales representative who enters into a revenue transaction with non-standard terms; he or she may not be aware that those non-standard terms can affect revenue recognition or establish legal obligations for the company. When there is a clear understanding of the flow of a transaction and the various parties involved in a process, a stronger control environment will exist. Plotting out the flow of transactions in a flowchart is highly recommended, since flowcharts are easy to comprehend and digest.
Conclusion
Inefficiently run SOX compliance programs can be a drain on resources, time, money and morale. Implementing all, or a subset, of the recommendations discussed above can have a significant, positive impact on a company's control environment. CFGI is well-positioned to assist companies with all of their governance, risk and internal control needs.