
Take Control of Section 404 by Focusing on Data not Documents

5/7/2008
Public companies with market capitalizations exceeding $75 million have had three years to integrate Sarbanes-Oxley (SOX) compliance efforts into their business processes. Unlike the first year of enforced compliance, the attitude toward managing the process no longer is one of desperation.
 
For accelerated filers, it’s not about how to get the work done, but how to stabilize and reduce costs, while converting SOX compliance into a performance driver.

Non-accelerated filers can take note of the best practices established by their larger brethren. These include: streamlining scope and testing plans; getting more people involved as process owners; increasing visibility on project status; removing/consolidating redundant controls; replacing high-frequency controls; and standardizing controls.
 

Taking these best practices together means companies must move away from the cumbersome, time-consuming document management approach toward a data-centric method that uses a control framework built on a common database structure. Having the information related to SOX 404 written directly into a database has a powerful impact on stabilizing and reducing SOX 404 costs by allowing companies to implement the best practices outlined above.


Streamline scope and testing plans according to relative risk priorities.
Guidelines from the SEC and COSO stress the benefits of a more top-down and risk-based approach to the control framework. This is difficult to do without a data-centric approach. Take a closer look at the way companies complete their scoping exercise. If the scoping methodology and formulas, which should include qualitative and quantitative factors for account and entity, can be tied to the underlying database processes, time is saved analyzing what should be in or out of scope.
 
More importantly, this provides the judgment and information to gain approval from your external auditor for eliminating low-risk processes. That, in turn, eliminates all testing of associated controls.
 
Get greater involvement from process owners.
Process owners understand their own processes better than internal auditors or consultants.
Involving process owners in SOX adds to the program’s efficiency and enables them to understand the importance of their controls, ensuring that they remain effective.
 
If control owners can provide their information in clear, self-explanatory forms that directly populate the framework, evaluation and approval can be expedited and consolidation becomes unnecessary. It's a clear division of labor and expertise; they handle the business input, and the SOX team provides the audit input.
 
Create greater visibility on the project's status and what has been accomplished.
With SOX 404 information in a database, program managers can access precisely what they need for reports, spreadsheets, and documents. The internal controls framework turns SOX into a “paint-by-numbers” exercise. As people fill in their parts of the project, the picture becomes clearer – it is easy to see what’s left to do by noting “unpainted gaps.” As questions or issues arise, one can interact with the data so that it becomes easy to use the database to build spreadsheets and documents, not the other way around.
 
Remove or consolidate redundant controls.
An obvious way to lower SOX costs is to reduce testing. Decreasing the number of redundant or unnecessary key controls can significantly reduce the testing needed by both internal staff and your auditors.


The diagram above shows colored bands of individual risks across multiple entities. The thickness of each band is determined by the number of controls mitigating that risk. The wider the band, the more controls are in use. Since the entities are doing similar tasks yet have different band widths, we must wonder why. Does one entity have too many controls or does the other have too few? The analysis shows where to quickly focus our search for control reduction. This type of analysis is difficult to complete in an efficient manner without the use of a data-centric method.
 
Replace higher frequency controls with lower frequency and entity-level controls.

An organization can realize significant cost reductions by replacing controls that need to be tested often with those needing less testing. Such lower-frequency controls also tend to be automated. A study of the companies we support found the following results.

In the diagram, each bar represents a different company. The bars show how controls are broken down by frequency (real-time, hourly, daily, weekly, monthly, and bi-weekly) for a single process. This enables one company to benchmark itself against others (for example, same industry, same size) and see how they compare. If they have too many high-frequency controls, companies can investigate whether lower frequency controls could work for them.

With the aforementioned recent guidelines from the SEC and COSO, there also is an opportunity to replace process-level controls with more entity-level controls. Key to these decisions is the ability to apply a more risk-weighted assessment of your control framework.

Standardize controls across entities and processes where appropriate.
SOX programs are simplified whenever multiple entities are following an identical process. When one entity's SOX information is captured in a database, it can be easily compared against others within the framework. It becomes readily apparent how much or how little standardization exists across the organization. If designed properly, the database approach enables companies to standardize controls across entities while allowing those individual entities the ability to describe the differences of how the control is tested.
 
Those using the data-centric methodology have seen dramatic results.
 

Companies are able to eliminate the nightmarish problems and hassles of using the document management approach and understand that while SOX is hard work, it is manageable. Further, the companies we have worked with the longest are spending 30-50 percent less compared to the external audit fees of competitors (as evidenced by data from their 10-K filings). The methodology saves significant dollars.
