Over the last 12 months, we at MetricStream have informally and formally talked to number of professionals in quality, compliance, internal audit, SOx program office, finance and external audit. Three major themes have emerged during our interactions with customers, prospects, and analysts.
First, there are significant benefits associated with the automation of control management, documentation, and testing process. Companies have seen improvements in internal controls, reconciliations and segregation of duties. While horror stories abound on failed SOx projects and systems, when done right, with the right tools, companies have been able to achieve greater SOx compliance at significantly lower costs while delivering operational benefits to the businesses.
Second, in almost all situations we have seen that the regulatory compliance costs will continue to be unmanageable or in many cases rise, if proper initiatives are not undertaken now. All this becomes more critical as we start to look at the subsequent years of SOx compliance, when most CFO's are moving from "compliance at all costs" to "compliance at reduced costs". Best in class companies are proactively approaching cost efficient strategies like control rationalization, sharing SOx cost across divisions and business units, leveraging automation tools, using cost-effective document management and creation processes to lay the foundation of sound SOx practices.
Third, control improvements have to become a continuous process rather than a one time "project approach". Companies are paying particular attention to a well thought out control environment, one that makes sense to their business. Control environment, which can be managed within your SOx compliance budget. Last year, companies over extended their internal audit departments, used improvisational approach, to get things done. Moving forward, a well-planned approach must be taken, to create greater efficiencies and enjoy greater control and benefits. Furthermore, management has to embed the SOx control, effectiveness, testing operations into the DNA of the company, so that internal audit can focus on their core mission - to provide "objective" assessment of management controls.
Fourth, changes in business are a given fact. Increased M&A, divestitures; new lines of businesses, new accounting laws, increased focus on international markets, are all realities that are here to stay. Good internal control programs enable companies to change with the time, still ensuring the critical SOx compliance along the way.
10 Step Guide: Sustained Compliance
A well-designed SOx compliance program almost always follow the 10 step guide:
To further validate the significance of quality improvements, from MetricStream customers, many of our customers are keen to attain SOx 404 compliance while delivering greater quality improvement for the business. Our customers are linking their operational quality initiatives (FDA compliance, ISO, Six-sigma, OSHA, EPA, Regulatory affairs) with the SOx 404 compliance so that operational business benefits can flow across all compliance and quality initiatives across the company.
- Ensure Rollovers: Rolling over internal controls and policies from prior year to the next is a critical requirement. To use an analogy here, we all use tools like turbo-tax to file our personal taxes with IRS. Isn't it nice, when we can roll over the tax filing from last year, before we start our work for the current year? Imagine if one had to recreate all the information, controls, and documents every year, how unmanageable that would become? Unfortunately, many businesses are in the same state today. Without a "turbo-tax" like tool, which understands the SOx regulations, which can evolve every year, every quarter with the nuances of all the regs, each year is going to be an expensive process.
- Stay Current: Staying current with the SOx regulations has been challenging for all of us. Changes in the regulations, interpretation of the regulations can be daunting as we attempt to implement these into the processes of our business. Staying current with the regs, best practices, interpretations, external audit frameworks are critical moving forward. Clearly, your external auditors help you stay current with the policies and procedures, your internal audit tool must provide ways for ensuring that you stay current with not just your company-level SOx programs, but industry level SOx developments. At MetricStream, we have created one of the most definitive portal for compliance, to help our clients and prospects stay current with the industry and the latest developments: ComplianceOnline (http://www.complianceonline.com)
- Avoid Errors: Going back to my turbo-tax example, imagine making errors in your tax filings this year? That surely raises risks of getting audited by the IRS, with penalties and late fees. Similarly, in the SOx world, it is important, that you get your SEC filings done right, the first time around. When you change a control in part of the business, the effect must ripple over to all other aspects of your SOx program & any errors, discrepancies must be flagged proactively. Only a well-designed Sarbanes Oxley (SOx) compliance software tool can help provide the checks and balances to avoid unintended and deliberate errors in the filing process.
- Create SOx monitors: A more engaged internal control environment must have well defined system for monitoring critical processes and metrics. Drill down real-time dashboards, slice-and-dice analytics, ability to set monitor probes on specific controls, risks, become critical requirement for a well-designed SOx program. A good Internal control tool offers monitoring and visibility across your global enterprise in an easy and simple framework.
- Keep it simple: Most traditional enterprise applications have burdened themselves with very high degrees of complexity, which makes it hard for professionals to cope with the software. Software must be "easy" to use, deploy and manage; else, you have one more thing to worry about. For example, at MetricStream, we have designed our SOx compliance software with a "portal" like feel so that any one who can use MyYahoo! can use our application with little training. We have created a web portal called complianceonline (http://www.complianceonline.com) so that your SOx users can stay current with all the latest and greatest SOx developments; download useful checklists, audit best practices or even interact with other SOx users from companies around the world.
- Rationalize Controls: Control rationalization is about defining and sticking to the set of "internal controls" which matter. I am sure many of you must relate to the uncontrolled proliferation of process and internal controls which don't even add value to the business or compliance imitative. Year 1 was all about covering all the basis at all costs. Moving forward, companies are focusing on a careful selection of controls, which cover the material risks in the enterprise. Companies must take a "risk-based" approach to prioritize controls. Effective software tools, process design is important to achieve this control rationalization.
- Share SOx services: Shared services is about consolidating your world-wide SOx operations so that one can achieve leverage of resources and processes across the divisions and business units. Year 1 was distributed operations, where all the divisions and business units conducted their SOx operations almost separately to get things done. Year 2, we have to now apply the efficiency gains applied through consolidation and aggregation. Which means, global teams from different business units, divisions, subsidiaries have to come together on a "collaborative" platform to help them all work together on a well planned central theme of achieving SOx compliance.
- Define Roles and Responsibilities: It is important that the global team knows who is playing what role. A well-managed program ensures that internal audit remains objective, so that there are no conflicts because how the roles are assigned to individuals. Segregation of critical duties becomes inherently important for this purpose.
- Train SOx team to ensure "competency" and "objectivity". Identify critical skills and competencies needed for effective SOx compliance. Without effective skills, internal control cannot be in grained in the DNA of the enterprise.
- Keep a robust, auditable employee training program at all times. Training must be rolled out from the board and audit committees to the IT staff to ensure that employees are aware of the nuances and changes of the SOx compliance process. Without a good training discipline it is impossible to create an environment of good internal controls.
- Eliminate Emails/Spreadsheets: I was recently attending a breakfast seminar with over 35 internal auditors, controllers and CFO's. They were all unanimous in their view that emails and spreadsheets create a lot of trouble when it comes to SOx. Keeping track of certifications, documents through emails becomes a challenge, even though, all of us use emails as our primary communication channel. To solve this problem, for example, MetricStream has developed a unique patented technology called "Zaplets", where the application forms, SOx certifications, surveys, come to you in your outlook as "Zaplets" - not just text emails. These Zaplets are powerful lightweight applets, which can ensure that the recipient takes the appropriate action, while all of the actions are stored in the central SOx database for future audit use. So, you get the ease of use of email, while ensuring protection and auditability of the Zaplets.
- Deliver Quality Improvements: I quote, the CFO of General Electric (which spent well over $30MM on section 404 compliance): " (GE) had good controls before this, but it[Section 404 work] has added more rigor.It certainly gives [CEO Jeff Immelt] and me more confidence when we are signing off on the results." Quality and six-sigma pioneers like GE are demanding that SOx results in significant quality improvements. In a recent survey conducted by The IIA Research foundation (http://www.theiia.org) of a sample of 171 responses on the direct results of their SOx 404 work, companies saw direct quality improvements in the following areas:
- The control environment
- Often manipulated accounting areas
- Routine accounting controls
- Anti-fraud activities
- Take Actions based on results: It is no good to merely identify all the weaknesses and risks in your controls. It is equally important that you can take timely action to fix the issues coming out of your control testing activities. To achieve that, a closed loop system, which helps you take both a corrective and preventive action to remediate for known SOx issues becomes critical. Our recommendation is to use the same rigorous approach of corrective and preventive actions which have been time tested in the world of quality management and six-sigma. The CAPA (corrective and preventive action) approach allows for root cause analysis, remedial action, adverse event management in a systematic quality framework.
As we look at year 2 of SOx compliance, businesses which follow the 10 Step guide, outlined above, will see significant improvement in their SOx compliance program. Embracing this 10 Step process will ensure higher SOx compliance and greater quality and operational benefits at a signifcantally lower compliance cost.
As always, I would appreciate any feedbacks on the methodology and the guide. Hope this makes our year 2 of compliance, a bit less cumbersome!