According to a number of recently released studies, most companies have spent significantly more than they had budgeted on SOx 404 compliance. As companies look to the subsequent years of SOx compliance, they are looking for ways to make compliance with SOx sustainable at lower cost. This article looks at techniques that cutting-edge companies are implementing to reduce their cost of compliance.
Following are the primary types of costs associated with the first round of SOx 404 compliance:
- External consultants hired to bring specific expertise not present in the company
- Consultants added to augment the team so that the internal resources were not stretched too thin
- Accounting firms that audit the compliance efforts
- Infrastructure such as document management systems, hardware, etc.
- Internal resources from various groups working on SOx as a special project
- Opportunity costs due to "internal distraction" of the management
The last two cost categories listed above were difficult to estimate, but were a significant contributor to the overall "cost of SOx compliance". Each of these costs can be marginally reduced by improving the compliance process and reducing inefficiencies. However, a significant reduction in SOx compliance costs will have to come from a paradigm shift.
Cutting-edge companies are addressing this issue by evolving compliance from an exercise managed by a separate, dedicated team into a part of the way they do business every day. In this scenario, process owners would be responsible for the large majority of the compliance documentation and testing of controls. The internal audit staff will largely become an oversight organization, responsible for managing the quality of the process by conducting high-level reviews to make sure controls and procedures are effective.
In order to decentralize compliance, these companies are ensuring that process owners and team members (such as the Accounts Receivable manager and team) proactively document processes, controls and any changes to them, follow procedures very strictly, have a standard way of doing things and run standardized tests frequently. Following are the key elements for ensuring that compliance can be decentralized:
- The company needs to implement continuous employee training to ensure that process team members clearly understand current processes and controls, know when and how to update the control documents when changes occur in systems and practices, and are familiar with the process of testing internal controls. Similarly, process owners should be able to recognize strong and weak internal controls and good or unsatisfactory documentation. They should have a clear understanding of all the process documentation requirements and knowledge of all the internal controls for the process they manage. They should also clearly understand how to engage the finance and internal audit organizations to improve the compliance process. Training for process owners and team members should be triggered automatically when deficiencies are identified in the internal controls for that process, or when a certain time period has elapsed since the last training.
- The company must implement standard documentation methods to ensure that common tools and standards are used to document a process or control across all subsidiaries within the company. Standardization ensures that process definitions and controls cannot be misinterpreted by cross-process teams within the organization as the documentation and testing responsibility shifts to process owners. In many companies, documentation tools were selected by individual process teams, leading to a very diverse set of tools being used within one company. This issue is likely to slow down the decentralization of the compliance process.
- The company needs to implement comprehensive document control with a well-defined review process to ensure that only people with the right authorization can update and review the documents. This is essential to making sure that the process and control documentation is always correct.
- The company should have standardized tests for every internal control across the enterprise, with automated scoring and reporting, to ensure that internal controls are tested in a consistent manner across all operations within the company and over time. This requirement is critical to successfully embedding the compliance process within the business. Only designated people, such as the internal audit staff or process managers, should be authorized to update these tests. Once a test for an internal control is updated, only the latest version should be allowed for testing that internal control across any operation within the company.
- Below-threshold scores for an internal control need to be automatically flagged as deficiencies in internal controls and tracked within the company. Key process owners and internal audit staff should automatically have visibility into such deficiencies. The remediation process should also be triggered automatically, and key stakeholders need to track the definition and successful implementation of corrective actions to ensure that the deficiencies have been corrected.
- The process must provide dashboard-based visibility into the compliance process status, notifying all stakeholders of evaluation status, deficiencies uncovered and their remediation status. This visibility lets the process owners drive most of the documentation, testing and corrective action process themselves, and yet enables the internal audit team to manage the overall SOx compliance process and provide oversight.
- Due to the uncertainty surrounding Section 404 compliance, combined with heightened certification risk and shareholder scrutiny, many companies decided to be conservative and ended up with a large number of controls and assessments. Moving forward, companies may need to review and rationalize some of these controls and assessments, resulting in a reduced cost of compliance with almost no added risk. Such rationalization will always be an ongoing process, hence it is critical that the SOx compliance process uses software that enables the internal audit manager to easily update or modify the control hierarchy, the structure used to define the scope of the program.
- Historically, internal control software has been designed for internal auditors, but it is critical that SOx compliance software be easy to learn and easy to use, since decentralization requires that it reach a wide variety of end users.
Companies can significantly reduce the cost of SOx compliance while making compliance sustainable. In order to achieve these objectives, they need to decentralize the compliance process and implement the right technology to enable this shift within the company. Spreadsheets and document management systems alone are not enough to provide the automated environment (discussed above) that is needed to enable this shift.