In 2004, Jeffrey Heer at UC Berkeley demonstrated a project that he had undertaken to analyze Enron's corporate email database. Using various visualization techniques and algorithms, Heer dug deep into Enron's communication network and constructed a tremendously intricate map profiling the communication between respondents. It was a fascinating piece of work, both vast and deeply complex. Suspicious email threads were exposed, which if detected earlier, might have helped to nab the financial defaulters and prevent Enron's bankruptcy. More importantly, the map demonstrated just how complex the communication network within a single organization can be.
Over the years, corporate networks have only increased in size and complexity. Today, the average global business has thousands of employees, suppliers, distributors, managers, hardware, software, applications and servers spanning continents. Considering the enormity of this network, how can businesses ensure transparency, especially with regard to such sensitive data as financial information?
When the Enron scandal emerged in 2001, it resulted in one of the largest and most far-reaching bankruptcies in corporate America. Less than a year later, the Worldcom scandal hit America with even greater force. Billions of dollars were lost to shareholders, while thousands of employees were left without jobs and pension funds.
Prior to these events, transparency in corporate information was hardly given any thought. But when it surfaced that the Enron and Worldcom scandals could be traced back to a lack of accounting transparency, corporate America began to panic. On July 30, 2002, the Sarbanes-Oxley (SOX) Act was signed into law, dictating financial transparency requirements for U.S. public company boards, management and public accounting firms. Named after its sponsors, Senator Paul Sarbanes and Representative Michael G. Oxley, the SOX Act (also known as the Public Company Accounting Reform and Investor Protection Act of 2002) is considered to be the most significant change to federal securities laws in the United States. Gartner called it “the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression.”
The intent of the SOX Act is to protect investors by improving the accuracy and reliability of financial disclosures. It emphasizes corporate responsibility, auditor independence and enhanced financial disclosure, while creating new standards for corporate accountability such as the establishment of the Public Company Accounting Oversight Board.
Complying with the SOX Act requires companies to institute and strengthen internal controls, disclose financial reports and ensure complete transparency of corporate governance. Companies are also required to have an internal audit function, which must be certified by external auditors. To fulfill these requirements, companies have to document, trace and audit any change that affects financial reporting structures. Non-compliance can result in multi-million dollar fines and prison terms of up to twenty years, not to mention a loss of investor confidence and brand value.
IT - the key player
At first glance, SOX appears to be related primarily to corporate accounting and financial reporting. However, both activities are most often conducted through Information Technology (IT) systems. In fact, a wealth of financial information is created, stored, transmitted and maintained electronically, which makes IT a major part of SOX compliance. The smallest glitch in the system, whether deliberate or accidental, can put important data at the mercy of threats such as tampering, loss, fraud and viruses.
Many companies view SOX compliance as a hindrance. Others tend to treat it simply as a regulation that must be complied with at the end of each year. However, successful companies view SOX compliance as a business opportunity - a way in which to instill confidence and trust in the integrity of corporate data, and ultimately in all aspects of business. These companies are the first to attract and retain both shareholder and customer trust, enabling their business to scale greater heights of success.
In a 2010 survey conducted by business consulting and internal audit firm Protiviti [1], 87% of respondents reported that SOX compliance offers some benefit beyond simply meeting SEC demands. Primary benefits include an enhanced understanding of control design and control operating effectiveness, increased effectiveness and efficiency of operations, and increased reliance by external auditors on the work of internal auditors. Sixty-six percent of respondents also reported that their organizations are leveraging their SOX compliance efforts to drive continuous improvement of business processes that affect financial reporting.
The key to SOX compliance is to treat financial data as a crucial financial asset. This enables companies to visualize how it must be protected, just like any other valuable financial asset. For instance, most companies have strict controls regulating the exchange, transfer and handling of corporate funds. Similarly, companies need to establish controls to manage and monitor financial data, ensure its integrity and provide visibility into it whenever required.
Well-designed, well-implemented and well-maintained IT solutions can deliver critical components of effective internal controls. Of course, finding the right IT solution may depend on each company's compliance requirements, but it definitely requires that IT managers, business managers and auditors work together to integrate SOX compliance and controls across the organization.
SOX Section 404
SOX Section 404, the 'IT section' of the SOX Act, mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. Companies are required to:
- Establish and maintain an internal control structure for financial reporting
- Continually test and assess controls and their effectiveness
- Engage external auditors to audit controls and attest to their soundness
- Report on the scope and adequacy of the internal control structure and financial reporting procedures
While Section 404 mandates that companies establish internal controls, it contains no provisions specifying what those internal controls should be or how companies should implement them. Fortunately, the SEC recommends internal control frameworks, the most commonly used ones being COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology). COSO suggests general controls centering around business processes, while COBIT focuses sharply on IT governance. Used together, the two can help companies implement controls to suit their needs and confidently comply with SOX regulations.
Implementing internal controls
Before companies implement controls, they need to identify their risks. For every identified risk, companies must choose to either accept it or mitigate it by preventing its occurrence or reducing its impact. Once the company chooses its option, it can implement the appropriate controls.
Deciding on which controls to implement will depend on a company's business situation, as well as the relevance of the COBIT and COSO frameworks to it. But there are a number of best practices that companies can follow as they begin their journey towards SOX compliance. For instance, companies must assign clear job roles and functions to employees, which can help determine who can access information databases and who can't. In addition, companies should consistently track audit trails, maintaining a clear record of any person that accesses and modifies financial data. By keeping tabs on who did what, when and why, companies can effectively control the integrity of their data.
Another equally important best practice is to control access to systems. For instance, stringent password and encryption policies and protective firewalls can ensure that only authorized users have access to data.
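As an added illustration (not code from the original article or from any of the sources it cites), the following Python sketches the two best practices above: a job-role check before a financial record may be changed, and a hash-chained audit trail that records who did what, when and why and detects after-the-fact edits. The role names, account labels and amounts are constructed sample values.

```python
import hashlib, json

WRITE_ROLES = {"controller", "accountant"}  # constructed sample policy
GENESIS = "0" * 64                          # chain anchor for the first entry


def is_authorized(role):
    """Segregation-of-duties check: only finance roles may write."""
    return role in WRITE_ROLES


def digest(entry):
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of who changed what, when and why."""

    def __init__(self):
        self.entries = []

    def record(self, who, role, when, what, why, old, new):
        if not is_authorized(role):
            raise PermissionError(f"{who} ({role}) may not modify {what}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"who": who, "role": role, "when": when, "what": what,
                 "why": why, "old": old, "new": new, "prev": prev}
        entry["hash"] = digest(entry)   # chains this entry to its predecessor
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first tampered entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def demo():
    """Two legitimate changes, then a silent edit that the check catches."""
    trail = AuditTrail()
    trail.record("alice", "controller", "2010-10-05T14:02Z",
                 "GL:4100 revenue", "Q3 close adjustment", 1200000, 1250000)
    trail.record("bob", "accountant", "2010-10-06T09:15Z",
                 "GL:2100 payables", "vendor invoice", 80000, 95000)
    intact = trail.verify()              # -1: chain is consistent
    trail.entries[0]["new"] = 1950000    # simulated after-the-fact tampering
    return intact, trail.verify()        # (-1, 0): first entry flagged
```

Storing the latest hash somewhere the writers cannot reach (for example, with the external auditor) is what turns this from a consistency check into evidence.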
Challenges of SOX compliance
While complying with SOX regulations is compulsory, it is also extremely challenging. Conducting risk assessments, implementing controls and monitoring compliance can be a drain on time, money and effort, especially in small to mid-sized companies. Compounding the challenge is the effort of administering and documenting compliance efforts. Since any change that impacts financial data must comply with SOX regulations, these changes have to be tracked and documented. This is usually done manually, using spreadsheets and complicated formulae that attempt to integrate data across thousands of change requests, people, business processes and locations. According to Protiviti's study, 70% of respondents indicated a high dependency on spreadsheets, which can prove to be both complex and risky because the slightest error can result in incorrect financial data.
Advancements in IT only complicate the situation. With the emergence of wireless technology, virtualization and cloud computing, the network perimeter is fast fading, increasing the challenges associated with assessing and maintaining IT security. At the same time, devices like removable drives and mobile phones have increased the risk of data being stolen or tampered with.
Maximizing SOX compliance benefits
Clearly, IT managers have their task cut out for them. That being said, there are ways to alleviate the SOX compliance burden while leveraging maximum benefits. For instance, companies should opt for a top-down, risk-based approach by prioritizing risks and then choosing the right controls. This approach is not only efficient but cost-effective, as it helps companies focus their resources on those risks and controls that truly matter to the organization.
To ease the burden of managing controls, companies can automate and embed control testing right into the business processes themselves. Control testing efficiency can be improved further by breaking down organizational silos and integrating compliance efforts across the organization.
Whatever the strategy, it is crucial that companies treat SOX compliance not as a one-time activity but as an ongoing process. While that may be easier said than done, new technologies are making it possible. More and more companies are opting for governance, risk and compliance (GRC) solutions that enable the automation of compliance efforts as well as their integration across the enterprise. Added benefits include dashboards that provide real-time visibility into compliance status and highly efficient document management systems. Companies that have opted for these technologies have reported successful results, high product satisfaction and increased efficiency in SOX compliance efforts.
1. 2010 Sarbanes-Oxley Compliance Survey - Where U.S. Listed Companies Stand: Reviewing Cost, Time, Effort - Protiviti, 2010
2. Beyond SOX Compliance: IT Controls for Data Governance - Netezza
3. COBIT + DLP = SOX Compliance - Gil Sever, Sarbanes-Oxley Compliance Journal, March 23, 2009
4. The Role of IT in Sarbanes-Oxley Section 404 - Hugh Taylor, WTN News, January 4, 2006
5. IT's Role in Sarbanes-Oxley Act - SunView Software Whitepaper, September 2006