Ever since the Sarbanes-Oxley Act was introduced, investors and stakeholders have demonstrated greater confidence in corporate governance. With CEOs and CFOs being held responsible for approving regulatory filings, business accountability has increased, while internal controls around financial reporting have grown stronger.
On the flip side, SOX compliance has proved to be a major challenge for many companies – particularly from a cost perspective. This is where technology can help by automating SOX compliance management processes, minimizing associated inefficiencies and inconsistencies, and providing a consolidated and real-time view of the SOX compliance program.
MetricStream SOX Compliance Management App
The industry-leading MetricStream SOX Compliance Management App offers you a set of advanced features to address complex SOX compliance challenges, and strengthen the compliance process. The app also enables compliance with other similar regulations worldwide, including Euro-SOX (EU), Law 262/2005 (Italy), Corporate Law Economic Reform Program (CLERP 9 – Australia), C-SOX (Canada), and J-SOX (Japan).
The MetricStream app enables you to design, assess, and improve internal controls under the COSO or COBIT framework. It also helps monitor SOX compliance processes at any level of detail. Through the app, you can streamline procedures for SOX surveys and certifications, while strengthening internal control documentation. The app automates and standardizes control testing and remediation workflows, thereby minimizing inconsistencies, as well as compliance costs. It also provides comprehensive visibility into the status of controls and SOX compliance across the enterprise, enabling you to proactively identify areas of concern or improvement.
Why MetricStream SOX Compliance Management App
The MetricStream SOX Compliance Management App provides the following benefits:
Consistent and Unified Approach to SOX Compliance
The app provides a unified approach to manage risk and control data across multiple SOX compliance requirements, thereby facilitating consistency and easy tracking.
Through a risk-based approach, the app helps prioritize and rationalize controls that are related to high-risk areas, or that have a greater material impact than others. This approach reduces the number of controls and the associated testing costs.
Improved Compliance Efficiency
The app enables you to streamline and automate control testing and remediation processes for greater efficiency.
Strong Financial Controls
With the app, you can strengthen control testing and monitoring. Timely, actionable insights on control test results and deficiencies enable you to make informed decisions on which controls need to be improved.
Centralized Data Management and Documentation
All important SOX compliance data, including plans and corresponding tests, surveys, and other details are consolidated in a central database, and arranged in a hierarchical tree-based structure for quick and easy reference.
In-depth Compliance Visibility and Timely Reporting
The app offers continuous and real-time visibility into SOX compliance, associated risks, and controls through graphical dashboards, reports, and charts.
Collaboration with Audit and Other Functions
The app helps implement a common risk and control repository, and supports easy information-sharing across assurance functions such as Internal Audit and Compliance.
The SOX compliance management app is built on the MetricStream GRC Platform, a robust and scalable infrastructure that provides the following core services and capabilities:
A Centralized Data Library
The platform integrates and maps risks, controls, processes, policies, standards, and other data elements in a single, cohesive library, improving transparency and accountability.
Adaptive and Flexible Approach
Configurable forms, fields, reports, and workflows in the platform enable you to easily model complex compliance projects.
Robust Security with Role-based Access
The platform maintains data privacy with role-based landing pages and tabs for initiating actions, responding to events, managing to-do lists, and viewing reports and dashboards.
A built-in reporting engine for analytics and business intelligence enables management teams to make decisions based on a sound understanding of compliance data.
Integration with External Systems
The platform provides the ability to retrieve, store, and deliver data to and from other systems such as audit management systems, policy management systems, and risk management systems.
The platform can be extended to add on other MetricStream GRC apps such as the audit management app, policy management app, and risk management app.
Automated Email Alerts and Notifications
The platform sends out automatic alerts and notifications on task assignments to the appropriate personnel, thereby helping to ensure timely task completion.
The MetricStream SOX Compliance Management App provides the following functionalities:
Process Design and Set-Up
The MetricStream app simplifies complex SOX compliance initiatives, and helps establish accountability in every facet, department, and function involved in the compliance process. Through the app, you can structure a logical SOX compliance and control hierarchy, including processes, sub-processes, objectives, associated risks, controls, and control activities. The app helps identify and map risks and controls, while also enabling associated policies and procedure documents to be attached for reference. In addition, you can capture the processes, associated financial accounts, and financial statement assertions for each business unit. Once the key risks are identified and prioritized, the MetricStream app leverages industry-standard frameworks to define a set of controls that mitigate the risks. On an ongoing basis, the app triggers surveys, certifications, and tests to monitor compliance. The app can also be configured to identify significant accounts (based on materiality, as well as qualitative and quantitative factors) for control test planning and scoping.
The app helps perform risk assessments to identify or highlight areas and associated controls that could result in a material weakness. Through the app, you can effectively identify the risks associated with an account’s sub-processes or sub-cycles (that may result in a material misstatement). You can then perform risk assessments (based on impact and likelihood factors) to determine the nature, timing, and extent of testing that must be performed in each area. You can also identify the significant risk factors that need to be evaluated for each process.
Risk Control Matrix
The MetricStream app provides best practice forms and workflows to create and modify a Risk and Control Matrix (RCM) for processes, sub-processes, and locations. A control can be mapped to many risks without duplication in the RCM. You can also filter the RCM based on risks and controls, or configure other views.
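As an added illustration (not MetricStream's code or data model, which this page does not describe), the following Python sketch models the two ideas in the risk-assessment and RCM paragraphs above: risks scored by impact and likelihood to decide the extent of testing, and a control mapped to many risks without duplicating RCM rows. It also surfaces the case a reviewer cares about most, a scored risk with no control mapped to it. The class names, the 1–5 scales, the score thresholds and the sample revenue-process entries are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Risk:
    """A financial-reporting risk tied to a process; impact and likelihood use an assumed 1-5 scale."""
    risk_id: str
    description: str
    process: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        # Impact x likelihood gives 1..25; the testing thresholds below are assumptions.
        return self.impact * self.likelihood


@dataclass
class Control:
    """An internal control; risk_ids is a set, so mapping the same risk twice cannot create a duplicate row."""
    control_id: str
    description: str
    key_control: bool = False
    risk_ids: Set[str] = field(default_factory=set)


class RiskControlMatrix:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.controls: Dict[str, Control] = {}

    def add_risk(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def map_control(self, control_id: str, risk_id: str) -> None:
        """Link one control to one risk (many-to-many overall); unknown risk ids are rejected."""
        if risk_id not in self.risks:
            raise KeyError(f"unknown risk {risk_id}")
        self.controls[control_id].risk_ids.add(risk_id)

    def risks_for_control(self, control_id: str) -> Set[str]:
        return set(self.controls[control_id].risk_ids)

    def controls_for_risk(self, risk_id: str) -> List[str]:
        return sorted(c.control_id for c in self.controls.values() if risk_id in c.risk_ids)

    def rows(self, process: Optional[str] = None) -> List[Tuple[str, str]]:
        """Flattened RCM view as (risk_id, control_id) pairs, optionally filtered by process."""
        out: List[Tuple[str, str]] = []
        for control in sorted(self.controls.values(), key=lambda c: c.control_id):
            for rid in sorted(control.risk_ids):
                if process is None or self.risks[rid].process == process:
                    out.append((rid, control.control_id))
        return out

    def unmitigated_risks(self, min_score: int = 1) -> List[str]:
        """Risks at or above min_score with no mapped control: the coverage gaps to review first."""
        return sorted(
            r.risk_id for r in self.risks.values()
            if r.score >= min_score and not self.controls_for_risk(r.risk_id)
        )

    def testing_extent(self, risk_id: str) -> str:
        """Translate the risk score into the nature and extent of testing (assumed thresholds)."""
        score = self.risks[risk_id].score
        if score >= 15:
            return "extended"
        if score >= 8:
            return "standard"
        return "limited"


def build_sample_rcm() -> RiskControlMatrix:
    """Constructed sample data for a revenue process; not taken from any real RCM."""
    rcm = RiskControlMatrix()
    rcm.add_risk(Risk("R1", "Revenue recognized before goods are shipped", "Revenue", 5, 3))
    rcm.add_risk(Risk("R2", "Credit memo issued without authorization", "Revenue", 4, 2))
    rcm.add_risk(Risk("R3", "Fictitious customer in master data", "Revenue", 3, 2))
    rcm.add_control(Control("C1", "Three-way match of order, shipment and invoice", key_control=True))
    rcm.add_control(Control("C2", "Credit memos above threshold require manager approval"))
    rcm.map_control("C1", "R1")
    rcm.map_control("C1", "R2")  # one control covers two risks
    rcm.map_control("C1", "R2")  # repeated mapping: no duplicate row appears
    rcm.map_control("C2", "R2")
    return rcm


if __name__ == "__main__":
    matrix = build_sample_rcm()
    for rid, cid in matrix.rows("Revenue"):
        print(rid, "->", cid, "testing:", matrix.testing_extent(rid))
    print("unmitigated:", matrix.unmitigated_risks())
```

Running the script lists the three RCM rows with their testing extent and reports R3 as a risk with no mapped control; a real deployment would back the same model with a database and the access controls the page describes rather than in-memory dictionaries.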
Control Testing and Evaluation
The app leverages the integrated COSO framework to help evaluate the effectiveness of SOX compliance controls. You can create or design test plans, schedule them appropriately, and assign them to a chosen team or individual member (e.g. tester, assessor), along with the task details, milestones, and due dates. The app also supports survey-based or questionnaire-based assessments. Control samples can be selected and assigned to control owners, including testers and assessors. In addition, the app supports an independent evaluation of control testing, along with control scoring and reporting of results. At the end of each test or self-assessment, the app helps capture non-compliance issues or control deficiencies which then become part of the issue remediation process. Issues can be classified into categories (e.g. significant deficiency, material weakness) for easy reporting and remediation.
The app helps streamline the SOX compliance document management process, while also improving the quality of documentation. Standard templates and forms built into the app can be used to conduct assessment surveys or tests, record the results, and attach supporting documents as evidence of SOX compliance. This data is centrally stored, and can be easily accessed based on a user’s access rights.
Certification and Attestation
The app supports compliance with the certification requirements under Sections 302 and 404 of the SOX Act for internal control effectiveness (over the company’s entire financial statements). Through the app, certifiers can respond to a questionnaire or survey in the context of the processes, controls, or areas of compliance that are being certified and validated. Workflows for approval and sign-offs from management are also built into the app.
The app allows authorized users to upload content into the library in bulk to set up the process (e.g. list of controls, processes, risks, and other data objects). It also supports uploading of documents or templates for SOX compliance tests, surveys, and certifications.
Remediation and Disclosures
After control deficiencies or issues are identified and documented from the risk or control assessment process, a systematic mechanism of remediation and disclosure is triggered by the app’s workflow and collaboration engine. Issues are marked for remediation and/or disclosure, and assigned to owners within the relevant business unit. Control managers or issue owners can modify the controls, define new controls, or recommend treatment plans to address each issue. After the remediation plan is created, the issues are routed to reviewers for approval, and communicated to the implementer, with the loop extending back to the internal auditor to ensure that the issue has been addressed. The app provides comprehensive visibility into the status and progress of the remediation plan, and helps monitor, track, and follow up on the remedial action. It also helps review and channel issues marked for disclosure to the disclosure committee for their recommendations and inclusion in regulatory filings.
Control Monitoring and Reporting
Through the app, SOX compliance and control processes can be monitored periodically to ensure their effectiveness. The app can track the key attributes of controls, design status, process ownership, assessment plans, test results, and other factors on graphical charts. These charts, which can be accessed globally, display real-time information. They can also be drilled down to access data at finer levels of detail. Therefore, you gain a streamlined and transparent view of your SOX compliance data which, in turn, simplifies verification and decision-making. The app provides standard control monitoring reports that track the SOX compliance status. It also offers SOX scorecards, test reports, survey lists, and other critical information. These insights enable management to identify control deficiencies, while also guiding sign-offs and internal control review processes. The app helps configure ad-hoc or scheduled reports, and define a reporting period (e.g. weekly, monthly, or quarterly). These reports provide a consolidated view of SOX compliance metrics by a variety of parameters such as process, test results, key controls, and issue remediation status.