With the sixth anniversary of Sarbanes-Oxley upon us, many public companies, both accelerated and non-accelerated filers, have found that their SOX-compliance initiatives produced unexpected improvements in their financial and operational controls. While some companies continue to struggle with the arduous demands of SOX, my observation is that each anniversary has brought a more fine-tuned approach. For one thing, amendments and guidance from the SEC, together with the PCAOB's implementation of Auditing Standard No. 5 (AS No. 5), have provided much-needed guidance and more streamlined requirements, especially for small and middle-market companies. In addition, the industry has moved beyond a “let’s just comply” attitude and has begun applying tried-and-true management models, tools, and practices to tighten its approach and squeeze out some impressive cost savings.
No matter the stage of a company’s SOX compliance initiative, it is worthwhile to consider one, or a combination, of the following:
1) Make it “lean”
To reduce costs while ensuring compliance, many corporate finance departments are adopting lean techniques, which manufacturers have used for decades. By eliminating non-value-added activities, a lean approach frees staff to focus on value-creating work such as business analysis, which often yields more robust financial controls and, in turn, a stronger SOX compliance effort.
Lean concepts also apply when defining a company’s key controls. Evaluating each key control naturally surfaces the core business process behind it, and with a little effort that evaluation can identify processes that could be streamlined or even eliminated. The benefits include improved cash flow, profitability, and transparency, along with a rationalized set of key controls.
2) Make it "real"
Although dashboards and the analytics technologies behind them have been available for some time, recent advances and falling costs have made them far more feasible and widespread in a company’s governance, risk, and compliance oversight. Every transaction leaves a mark; access to real-time numbers and controls-based metrics therefore enables timely, highly focused insight into transactions that look suspect when viewed through the filter of controls and financial reporting. Management can track the progress of the SOX compliance process and build an effective early-warning system that gives the CFO confidence in the data feeding financial reporting. Controls-based metrics can give the CEO and CFO real-time support for their sign-off on the quarterly Section 302 certifications. Compensation committee members can see, around the clock, which options have been exercised, while the audit committee portal shows what is really happening to the numbers.
3) Make it “fit”
Use a top-down approach to the audit of internal control over financial reporting to select the controls to test. Begin at the financial statement level with an understanding of the overall risks to internal control over financial reporting. Then focus on entity-level controls and work down to significant accounts and disclosures and their relevant assertions. Next, look at the processes that drive the numbers. Verify your understanding of the risks that could result in a material misstatement, and select for testing those controls that sufficiently address those risks.
For any company, the complexity of the SOX compliance process is directly related to the complexity of the organization itself and its underlying processes. However, the SOX process is clearly a scalable activity, and by focusing on a top-down approach, you will find the right “fit” for your organization.
4) Make it “integrated”
Per AS No. 5: “In an integrated audit of internal control over financial reporting and the financial statements, the auditor also can use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements.” This gives your external auditor the option to rely on the internal control work done by management, provided the external auditor judges those doing the work to be both competent and independent of the activities they test. The one component that must be present to maximize integration is communication. Although your external auditor has to maintain independence, it is in everyone’s best interest to communicate frequently throughout the fiscal year so that the auditor can develop the basis for maximum reliance on management’s internal control work.
In addition, a terrific opportunity exists for management to integrate all of its governance, risk, and compliance (GRC) activities internally, creating an enterprise-wide view of the company from the boardroom to the cubicle and from strategy to tactics. A public company undertakes a great many activities relating to governance, risk, and compliance, and all too often each is done in a silo. By integrating these fragmented GRC activities, an organization can more easily meet the demands of regulators while satisfying customers and shareholders and eliminating redundancies across the enterprise.
5) Make it “ethical”
Tone at the top is a cornerstone of SOX and of good internal control. Until now, too many public companies have marginalized their ethics programs, focusing on “let’s just comply” rather than on “how can we make our culture not only ethical, but also a competitive advantage.” A good ethics program should include:
* A timely fraud risk assessment
* An evaluation of the control environment/activities (should include a significant “feedback” loop between the control evaluation and your ethics program)
* Ongoing communication and information exchange, including ethical training, for all employees
* Timely monitoring for unusual activity that may be a fraud indicator
Recent studies have shown a direct link between how employees and customers view a company’s ethical culture and how they feel about the company as a whole. Employees who are proud of their company and deem it ethical work harder and smarter. Similarly, customers reward companies they deem ethical with more business.
Tone at the top is more than an ethics policy on your website.
6) Make it “last”
To ensure your SOX program is both sustainable and robust, incorporate the knowledge obtained during past audits of controls over financial reporting into your decision-making. Per AS No. 5, when considering previous audits, look at:
* The nature, timing, and extent of procedures performed in previous audits
* The results of the previous years' testing of the controls
* Whether there have been changes in the controls or processes
To make your SOX program more robust, consider:
* Testing controls at a different interim period and timeframe
* Increasing or reducing the number and types of tests performed
* Changing the combination of procedures used and testing differently
* Continually rationalizing key controls so that the focus on key controls stays laser sharp
Sustainability is another aspect to consider. How can you create a model that is sustainable and focused on continuous improvement? A sustainable program very often costs less and produces a more effective overall SOX process. Consider these steps:
* Continue to rationalize key controls each year so that effort goes to the areas with the largest payback
* Make sure your SOX team is trained in all aspects of SOX, including risk assessment, fraud assessment, and controls
* Expand the effort each year into more operational areas, looking for process improvements that create a return on the SOX investment and, with it, buy-in from more employees
Sustainability requires careful planning and teamwork, but it will create a more effective SOX process.
We all now have five years of experience with SOX, whether as management, SOX consultants, external auditors, audit committee members, or regulators. We have learned some valuable lessons, and I believe we have evolved to a strong and appropriate understanding of what SOX is intended to do and how to make it a beneficial process instead of a headache. Think about what is discussed above and implement these ideas in your company. You will not regret it.