I recently re-read a 2006 Harvard Business Review piece by Stephen Wagner and Lee Dittmar entitled, “The Unexpected Benefits of Sarbanes-Oxley” and was impressed again by the authors’ prescient view that more companies would eventually see the business performance value that controls and structures demanded by SOX could provide.
Before reporting on how some forward-thinking companies had already started to implement better information management and stronger control frameworks in response to the law, the authors note, “As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.” They go on to note that many improvement projects were identified but parked for later attention so that the immediate need to satisfy the first year of the law’s requirements could be addressed.
A decade later, many of those projects remain delayed or incomplete, while others are stuck in a first- or second-generation version of control systems. The irony is that SOX provoked attention to needed change in detective, preventive, and responsive controls, as well as documentation and reporting capabilities, but at the same time initially sucked up so many resources through overreaching consulting projects and inappropriately broad control testing that the opportunity to focus on performance improvement largely was lost in the shuffle.
As with so many projects, a “set it and forget it” mindset and general complacency about revisiting processes and systems once established have won the day. Too many compliance officers admit, behind closed doors or in quiet conversations, that they know their old but still operating approaches are too costly and too unreliable, yet few have the stomach to tackle a redesign.
Today, though, advances in GRC technologies and expansion of the role of internal audit converge to enable SOX and other aspects of compliance as critical enablers of business performance. The shortcomings in compliance and risk management across the board, not just in financial reporting, highlighted by Wagner and Dittmar in their 2006 article, can finally be addressed in a holistic way. There is an opportunity now to make the business case for change in SOX and take advantage of ways a current systematic approach can provide meaningful insights that can drive better business outcomes.
When SOX was first implemented, GRC technologies were in their infancy. They were still largely developed for addressing separate needs and were used by distinct teams. Internal audit had their tools, finance had theirs, compliance had tools for each area of concern, and spreadsheets still were the mainstay of many companies.
So it is no surprise that the consulting firms grasped the SOX opportunity and ran with it, designing huge control implementation and testing projects. The control testing (and I mean testing of every control) approach did initially satisfy regulators, but it provided little to no usable information for business planners and operators.
The irony is that SOX provoked attention to needed change in detective, preventive, and responsive controls, as well as documentation and reporting capabilities, but at the same time initially sucked up so many resources through overreaching consulting projects and inappropriately broad control testing that the opportunity to focus on performance improvement largely was lost in the shuffle.
Since first setting up these systems, many companies have made virtually no changes to their controls or testing schemes, despite sometimes obvious need for change. The fear of having another time-sucking, resource-eating project is just too great.
But things have changed. There is technology today that can streamline SOX processes to support required reporting and, at the same time, provide real insight into risk that can drive better business strategies and outcomes. Instead of establishing zillions of controls and testing them all (and all of the time), processes and controls can be selected based on risk assessment and information can be viewed and analyzed for various needs. New systems support collaboration and communication between business operators, executives, and auditors. The benefits seen by the handful of forward-thinking companies discussed in the Wagner/Dittmar article have expanded and are available to all at a fraction of the cost of legacy SOX approaches.
It’s time for a do-over. We need to step back and take a fresh look at how best to meet the SOX requirements with processes and technologies that provide transparency into things that have an impact on performance. While SOX was enacted to improve the reliability of financial reporting, its most valuable by-product has been revealing the sorry state of information management, understanding of risk, and compliance in many organizations. This added knowledge, if addressed by changes in the way we do business, can make any organization leaner, more agile, and more successful.
Modernizing Sarbanes-Oxley Compliance: An OCEG Roundtable
Switzer: We’re now more than a decade into addressing compliance with the Sarbanes-Oxley Act, known as SOX. Section 404 of the law calls for stronger control systems to ensure the reliability of financial reporting. By now, doesn’t everyone have an appropriate control system in place?
Artinger: It seems not. Businesses are always changing and spawning new processes that need to be controlled. We know that change comes from organic growth and from acquisitions. Small processes that were always out of scope silently and suddenly grow into significance. Auditors and regulators constantly find examples where newly significant processes lack adequate controls—and they don’t like it. Getting ahead of this curve, and staying ahead of it, is difficult.
Rost: I would say that organizations that are required to comply with Sarbanes-Oxley have a control system in place. However, the issue for some organizations is the challenge to mature their processes over the past five years to address the changing requirements of what the PCAOB is requiring for auditors, the enhanced disciplines of COSO 2013, and modernizing their SOX processes with new technology.
Holt: I would agree that everyone has a control system in place, however based on the fact that the PCAOB continues to push for more testing at lower and lower levels, I would say those control systems need to continuously evolve to meet the ever-changing business and regulatory requirements.
Switzer: What are some of the key shortcomings of still-existing first- or second-generation SOX approaches?
Carl ArtingerInternal Audit ManagerKLONDEX MINES
Eddie HoltSOX Compliance ManagerDr Pepper Snapple Group
Mike RostVP, Corporate MarketingWorkiva
Rost: Key shortcomings include testing too many or the wrong controls, lack of a risk-based approach to SOX, and manual or outdated processes and technology. Organizations that have modernized their SOX processes have embraced a risk-based approach to defining their control libraries, which typically reduces the number or controls that they need to test.
Holt: Companies are not able to rely on year-over-year testing results, especially in the area of system controls, which are the most effective part of control environments and most efficient part of SOX testing. Companies are forced to spend time testing and documenting controls that have very little risk of failure, when that time could be better spent evaluating and testing new, possibly more risky, areas throughout the company. Controls are like a river; they flow across time and do not stop and start at period or year ends.
Artinger: The old ways don’t meet our documentation needs. They require too much time for version control. External auditors want to see a complete, seamless flow in the documentation that shows how our control environment evolved. Version control with Word documents and first-generation solutions was killing us. We wanted better version control to track changes in process narratives and related control language.
Switzer: How has GRC technology capability changed over the past few years, and how do those changes support better SOX compliance? Is it mostly change that gives more transparency and accuracy of data or is the change mostly one that offers greater efficiency and cost savings?
Holt: Greater reliance on system controls over process controls is no longer optional. Demands for increased control documentation and enhanced testing of controls continue to grow. The ability to monitor complex enterprise-wide systems with GRC technology allows for more efficient testing and for a level of comfort that is not possible through traditional testing of controls. Linking GRC monitoring to SOX supportive technology provides the greatest efficiency and cost/time saving when it comes to testing of system controls.
Artinger: Sure, technology is efficient and cost-effective, but the real payoff comes when accuracy and transparency improve. Mistakes happen when we are overwhelmed with high transaction volumes and rapid change. We were overwhelmed keeping track of narrative changes—it was an administrative nightmare. We were getting buried behind the curve. It distracted from our real focus as control experts consulting with process owners and implementing efficient test programs. When technology reduces administrative burdens, it also improves accuracy and quality of compliance.
Rost: Many organizations are still using the first-generation GRC technology they purchased to address SOX requirements. These software tools are typically inflexible, forms driven, and used primarily as document repositories. Technology has advanced significantly over the past ten years. Modern SOX technology is collaborative, cloud based, mobile enabled with document-centric user interfaces. Modern SOX technology enables users to better connect data and context, integrate people and documents, provide access anytime or anywhere, and accelerate process to decisions.
Switzer: Given the added value of standardized methods and controls initially driven by the need for SOX compliance, and the availability today of truly supportive technology that reduces cost and increases accuracy, would companies be advised to continue in refining these efforts even if the law were revised or revoked? I mean, is it really the law driving action today or is it the realized benefit of better controls and reporting?
Holt: If the law were revised or revoked, most companies would continue to test financial reporting controls but maybe not at the levels they are currently required to do. There is no doubt that management realizes the value of ensuring financial reporting controls are effective. Without mandated requirements, management would be free to more fully leverage supportive technology, while possibly limiting some enhanced documentation requirements, to reduce the cost of compliance and not sacrifice quality.
Rost: Prior to SOX, the COSO internal control principles were considered a best practice for the previous 10 years. Internal control is broadly defined by COSO as: a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations
The realized benefit of the discipline of documenting and testing controls, performing risk assessments on material financial reporting activities, and certifying those activities through an external audit is fundamentally a good business practice. Even if the law were repealed, audit committees of many organizations would still require the discipline of internal controls over financial reporting. With many organizations currently maturing their enterprise risk management disciplines, the collective benefits of having a strong ICFR and broader risk and control program are well recognized.
Artinger: Most executives believe in the benefit of better controls. That doesn’t change the fact that they are likely to compromise under the pressure of the next big project or crisis. That’s why it makes sense to implement these technologies now, if you have the resources. If you are currently doing well with the older technology, now is the time to upgrade. Don’t let this wave bury you. Stay out in front of it.