Sarbanes-Oxley Act compliance is still a costly and time-consuming process for many organizations, as it has been since it became law in 2002. What's more, many of the companies who have been faced with years of SOX
SOX, which ultimately is a set of corporate accounting reform laws for public companies, should not be a burden, but rather a helpful tool for assessing risks throughout an organization. With that said, it's important to note that when we speak about SOX compliance in the context of corporate information security and compliance efforts, our specific focus is SOX Section 404, which requires management and an external auditor to report on the adequacy of a company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important manual and automated financial controls requires a tremendous operational commitment and financial investment. Though all aspects of SOX compliance are critical, the fundamental notion of Sarbanes-Oxley is grounded in internal controls that support financial data that is accurate, timely and valid. Thus, the ICFR component is the dominant factor. The following are best practices for SOX Section 404 compliance:
- An enterprise should not test every control, but rather only controls that could lead to a material misstatement if they failed. As noted by many SOX auditors, organizations should strive to implement a top-down, risk-based approach. Testing every control, regardless of risk, can become arduous, time-intensive and costly, and is one of the biggest reasons why SOX programs get bogged down over time. Additionally, employees and other significant stakeholders become complacent, tired and uninterested when such an all-encompassing approach is taken. The risk-based approach is a more flexible, scalable and efficient process, resulting in productive feedback and analysis.
- Focus on critical controls (also known as key controls) that prevent or detect errors. Many times, auditors test controls that are merely procedural and are not relevant, in that they have no direct connection to preventing or detecting errors. When auditors refocus their efforts and thoughts on these critical or "key" controls, they'll quickly create a more efficient and transparent SOX testing framework. One of the best ways to refine one's list of critical controls is to undertake an organizational mapping technique whereby all processes, procedures and related activities are flowcharted and illustrated from beginning to end. This will clearly show the critical controls that should be tested.
- Communication breakdowns often create barriers to SOX compliance, thus the following parties should strive to create open channels and lines of communication at all times. The external CPA firm conducting the actual financial statement audit must effectively communicate with management of the organization that is being required to be SOX compliant. Many SOX audits result in operational and financial overruns based purely on miscommunication and a lack of understanding from each respective side. Specifically, better communication can be achieved by having a healthy mix of experts on both sides of the aisle who understand the SOX framework, the importance of SOX compliance and finally, the ability to develop efficiencies in testing and reporting.
- Understand the core requirements of SOX compliance. Many companies — whether they are new to SOX compliance or are revisiting their SOX compliance programs — would be wise to re-educate themselves on what is required for compliance, since people too often fail to educate themselves on SOX and base important compliance decisions on hearsay. According to the SEC and the PCAOB, this includes the following:
  - Management must perform a formal assessment of its internal controls over financial reporting (ICFR), and this includes tests that confirm the design and operating effectiveness of the controls.
  - Within their annual report (Form 10-K), management must provide its assessment of the organization’s ICFR.
  - The external CPA firm conducting the actual financial statement audit will provide all necessary opinions as part of the audit.
    - Independent opinion on the effectiveness of the system of internal control over financial reporting (ICFR).
    - Standard opinion on the financial statements.
- Lastly, don't forget that the SOX phrase "internal controls" is based on the framework of the five (5) elements of internal control, which are the following:
  - Control Environment: Sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
  - Risk Assessment: The identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
  - Information and Communication: Systems or processes that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  - Control Activities: The policies and procedures that help ensure management directives are carried out.
  - Monitoring: Processes used to assess the quality of internal control performance over time.
Simply stated, compliance with Section 404 of SOX must be aligned with the above-referenced elements of internal control. Remember, it’s relatively easy for the SOX framework to become misaligned through improper testing, a misunderstanding of one's control environment, or a lack of understanding of an organization's business model.
SOX compliance is a must for many organizations, even though it is seen as an arduous, costly and ineffective framework for detecting and eliminating fraud. Even with that said, the benefits of SOX compliance are many indeed, such as improving upon the internal control structure of your organization, the ability to truly learn about all aspects of an organization's business model along with the opportunity to implement new procedures that provide real and lasting value to your organization. It can be a “win win” but only with the right attitude.
About the author:
Charles Denyer is a member of NDB Accountants & Consultants, a nationally recognized boutique CPA and advisory firm specializing in Regulation AB, SAS 70, SSAE 16, ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with other regulatory compliance initiatives. Mr. Denyer is actively involved in numerous professional associations and organizations for a wide range of industries and business sectors. He is also an advanced social media expert, having spent years working in the field of search engine optimization (SEO) and various forms of online marketing and social media.
Mr. Denyer holds numerous accounting and technology certifications along with a Masters in Information and Telecommunication Systems from the Johns Hopkins University and a Masters in Nuclear Engineering. He is also currently an MBA candidate for the Johnson School of Business at Cornell University.
This was first published in September 2011