SOX Software: A Buyer’s Guide

A now-classic PricewaterhouseCoopers paper on using spreadsheets for SOX compliance details a litany of disasters:

  • The spreadsheet problem that was deemed a significant factor in a $1 billion financial statement error.
  • The utilities company that took a $24 million charge to earnings after a cut and paste error in a spreadsheet led to a mistaken bid on hedging contracts.
  • The trader who perpetrated a months-long fraud by manipulating spreadsheets.

So in the face of stories like these, why do companies continue to use spreadsheets?

In most cases, software like Excel is readily available to an organization at effectively no cost. Further, auditors often recommend the use of spreadsheets when working with companies that are just starting to look at SOX. And perhaps most critically of all, an over-familiarity with spreadsheets — and an underestimation of what it takes to run a compliance program — makes them seem like a logical choice.

Let’s get one thing straight: if you’re using spreadsheets for compliance, that’s OK. The decision to do so must have made sense at the time your organization put it in place. But it’s likely that since that point, your needs have changed and now you’re looking for something better. This guide will help you define “better” — and advise you on what to think about when you’re in the process of buying it.

Why Spreadsheets are so Dangerous

If you rely on spreadsheets to help manage your SOX compliance, you’re not alone. One research study performed around the time Sarbanes-Oxley was passed into law revealed that 95% of respondents were using spreadsheets in at least some capacity; another showed that 7 in 10 were using them exclusively.

And while, in the intervening years, there have certainly been an increasing number of companies abandoning spreadsheets in favor of dedicated software, you shouldn’t be ashamed if your organization hasn’t yet made the move.

Concerned? You should be. To put it bluntly, using spreadsheets for compliance is risky business. Here are several reasons why.

  • The possibility of mistakes — input errors, logic errors and more — makes it difficult to feel confident in your data. One examination of large spreadsheets found material errors in 1% of documents.
  • With spreadsheets, the hidden costs of wasted time and effort go unaddressed — employees, contractors, and auditors all do more than they should when managing SOX compliance.
  • The link between risks and controls is difficult to establish — and harder to track — with spreadsheets. What’s more, low-value controls appear just as important as other, more critical ones.
  • Changes are nearly impossible to cascade — for example, when updating spreadsheets because a deficiency was discovered, or rolling up data for reporting.
  • Accountability is negligible: process owners and sponsors are hard to designate; assigning people responsible for testing is a nightmare; and there is no audit trail to prove that any part of the process had management oversight, or to show who changed what and when.

In short, visibility into your “whole system” is limited with spreadsheets — you can’t know when you are making mistakes, you can’t hold anyone responsible, and you don’t know whether you’re doing the right work. (But you can be sure it’s taking too long.)

Why Software Makes Sense

Considering GRC software to manage SOX compliance? The value proposition is a simple one.

In a nutshell, dedicated software represents standardized risk management. Software can establish a clear relationship between objectives, risks, controls and results — and that relationship is far easier to track than when you’re using spreadsheets to do it.

Plus, better reporting will give you increased insight, at both the control level and organization-wide. That means you’ll be able to shift the organization from a quarterly focus to a real-time mindset — and discourage the Q4 “race to the finish”.

What’s more, the kind of duplication of effort you see with spreadsheets is cut down, or in some cases, eliminated. That means your internal staff, contractors and external auditors will save time — the value of which will more than offset the fees you’ll pay to license the software.

Most importantly, software makes it easy to assign accountability and ownership across the organization — meaning it can provide that most valuable of commodities… peace of mind.

Bottom line: with reduced costs, reduced exposure to risk, and reduced organizational burden, the question isn’t “Should you buy dedicated software for SOX?” The question is “How can you afford not to?”

What Concerns Different Departments

Legal

Ahhh, contracts… Necessary evil, or necessary protection? Perhaps a bit of both.

But however you see contracts, there’s no escaping the fact that the one you’re about to sign with your vendor will be very, very interesting to your Legal Department.

Many otherwise smooth software projects have come off the rails because Legal wasn’t involved early enough. If you’re considering software for SOX, involve the lawyers as soon as you can.

Finance

If you think you’re going to be able to get your SOX software approved without a crystal-clear financial plan, think again. Financial risk is very real — and very concerning to the CFO.

Your vendor should be able to help you consider more than just the technical side of the project — and roll up their sleeves with you on your business case. Will your software deliver the savings you’ve promised? Will the money you’ve asked for in order to acquire and implement the software be enough? Finance will want to know — and the right vendor can help you show them.

IT

It stands to reason that the people with the most concern about your software will be… well, the software people.

IT will have myriad questions about your project — as well they should — stretching across every facet of it. Will personally identifiable information and financial data be secured, and who will have access to them? Will the project be cost effective? How will the project roll out, and what happens if something goes wrong? What will support look like? Will the software be easy for the business to use? Who will train staff?

Fortunately, a good vendor will be able to answer all these questions and more.

C-Suite

A 2014 study from Deloitte showed that 78% of companies are concerned with both their ability to adapt to changing regulatory requirements, and the flexibility of their current system to adapt to those changes.

In other words, the more you can do to help executives feel like everything is going to be OK, the better. Ask your vendor to help you assuage fears around budget, policy, procedures, security, data residency and distribution — and even the installation process.

After all, if you can’t get senior management on board, chances are your project is going nowhere.

How to Make the Move to Dedicated Software

1. Get the basics in order

Before you implement dedicated software for your organization, you need to make sure you’re ready for it.

  • Align your stakeholders. Don’t assume you know what different areas of the business want from the software. “Get them in the room” to find out. Risk, Finance, Legal, IT… Each will have different wants and needs, and they’ll be looking to you to meet them. For your part, you’ll need to set expectations around project goals and what success will look like.
  • Make sure your policies, procedures and controls are up to date. Software is only as good as the foundation on which you build it. Before you “turn on” the advanced workflow your software can enable, get as much as you can in order. If you’re lucky, you’ll only need to review — but be sure to make time in this phase if you haven’t revisited these things in a long time.
  • Reinforce your processes for identifying, managing and remediating issues. You’ll need everyone with a stake in compliance pulling in the same direction — once your software is up and running, requirements, accountabilities and responsibilities will be tracked and enforced by the system. If it’s going to be someone’s job to fix a particular problem, they’ll need to know ahead of time. And if a particular area of the business has specific requirements, they’ll need to document them here.

2. Build the business case

If you’re reading this document, odds are you already know you want dedicated software.

But simply knowing, obviously, is not enough. In order to convince your organization that they need it too, you’ll need to make a compelling argument. Only by calculating the ROI can you help your organization’s decision makers fully understand the extent to which software can benefit your company.

That’s often easier said than done, however. The benefits of SOX software are widely known, but they can be difficult to quantify.

The good news is they’re substantial. Total ROI — a combination of implementation-based and procurement-based benefits — can exceed 600% of the total cost of licensing and implementing a dedicated solution. Consider these advantages when demonstrating ROI:

  • Elimination of duplicate effort. It’s not inconceivable for software to save hours of redundant work on each of dozens of processes. That could be worth hundreds of thousands of dollars of staff time.
  • Streamlining of controls. By organizing risks and controls centrally, it’s possible to link controls that span multiple risks across different business functions. The result? Less time to document, maintain, execute and test.
  • Reducing the external audit effort. You’ve invested a lot in your internal SOX documentation and testing efforts. SOX software will enable your external auditor to more efficiently review and rely upon that effort, enhancing their confidence in your process and providing a compelling case for you to negotiate a reduction in their SOX-related activities. (Not to mention their fees.)
  • Faster reporting. How many reports do you produce in a year and how long does it take to prepare each one? Software can often help you shave 10% or more off that time.

3. Begin the implementation process

  • Take an iterative approach. Nothing will help you more in implementation than gaining an understanding of your exact needs. Consider starting with a pilot or “proof of concept” project to test the waters and find out — early — what’s working and what’s not. (This approach will also have the added benefit of helping you control the install, allowing you to focus only on a small group of users.)
  • Assemble your project team. If you’ve never brought enterprise software into an organization before, you’ll be surprised at how quickly the process can become overwhelming without proper planning. It helps to have a “classic” project team in place to work with your vendor: executive sponsor, steering committee, dedicated project managers, business leads, technical leads and more. The size of your team will vary with the size of your organization, however. If you’re a small company, you’ll be fine as long as you have at least someone paying attention to project management.
  • Communicate with stakeholders throughout. Communicating is the stuff of Project Management 101, but even so it’s still often neglected. After all, when you’re neck-deep in an implementation project, it’s easy to forget that others “on the outside” may not know what’s going on. Don’t wait until your next quarterly update to fill them in — consider regular status reports to your major stakeholders to keep support for your project strong.

4. Train and test

Don’t forget to plan for showing the business how to use the new software and manage their own risks. You’ll also need to track ongoing user uptake, as well as test to make sure everything is working as it should. In other words, this is not a “set it and forget it” exercise — getting your software installed is only the beginning.

Where to Go from Here

This guide only scratches the surface, of course — the intricacies of an enterprise software installation project are much too deep to explore in just a few pages.

But if you’ve been leaning toward making the shift from spreadsheets, there’s no time like the present. The benefits — more visibility and insight into your organization, and confidence in your compliance operations — far outweigh any temporary challenges you might fear. To learn more about SOX compliance and how your business can benefit, request a free demo of our software.
