Security Management Strategies for the CIOWhat you will learn from this tip: How to better understand SOX Section 404 and improve compliance efficiency.
The intent of Sarbanes-Oxley (SOX) Section 404 is to improve internal control over financial reporting.
Requires Free Membership to View
The number and scale of accounting scandals in the wake of the 1990s stock market bubble forced a change from informal to formal control mechanisms. SOX was enacted so investors in public companies could have reasonable confidence that financial reports are prepared according to generally accepted accounting principles (GAAP) and therefore fairly represent the results and condition of the company.
 |
||||
|
|
|||
|
||||
The vagueness of the law's language, the lack of enforcement history and the potential severity of failing to "pass" has created a great deal of anxiety among senior executives of public companies. Since SOX is here to stay, companies should focus on improving compliance efficiency. One important way to improve compliance efficiency is to reduce the number of points of control. There are at least two ways to do this.
- Automate (or otherwise eliminate) manual steps in a financial process.
- Reduce the number of controls the company needs to monitor and test.
Companies were required to document their financial processes in detail in the first stage of the compliance process. They should go through these process maps and look for manual steps that can be automated by passing information from one system to another (rather than manually re-keying it), using statutory consolidation software to perform certain calculations they may be doing on spreadsheets, and so on. Manual steps should be avoided whenever possible because they pose a control risk (for fraud or error) and therefore require auditors to sample or inspect transactions. Moreover, since manual steps create errors they also drive up the cost of detecting and correcting those mistakes –- cost senior executives underestimate.
Spreadsheets should be avoided as much as possible, but especially in processes where errors or mis-statements will affect external financial reports. By themselves, electronic spreadsheets are inherently unauditable and research shows it is surprisingly easy for them to contain errors regardless of the number of times they are checked. A company that calculates allocations in a spreadsheet and then creates journal entries manually should look for ways to automate this part of the process within their accounting or consolidation software.
In the wake of their initial compliance effort, many companies have realized they can simplify their control environment and still maintain effective control. Often, they can achieve simplification by relying on higher-level controls
Many companies will find they can reduce the complexity of their operations by applying process commonality to financial systems wherever possible. It is not uncommon for companies to find they had more than a dozen ways of handling a payables process or billing exception. While some variation is inevitable, simplification is usually practical and pays off in a more common set of controls and systems for monitoring and testing.
MORE INFORMATION:
- Learn how to take control of SOX 404 with security policies.
- Find out how to comply with SOX in five steps
- Learn how to make SOX work for you
Robert D. Kugel is CFA, VP and Research Director at Ventana Research. He heads up the Financial Performance Management (FPM) practice, focusing on the intersection of information technology and the finance organization. The FPM research agenda includes the application of IT to financial process optimization and collaborative systems, control systems and analytics, profitability management and advanced budgeting and planning. Rob has been a technology analyst for over 20 years.
This was first published in June 2005
Join the conversationComment
Share
Comments
Results
Contribute to the conversation