Over the past decade, we’ve seen SOX compliance move through waves of transformation, predominantly focused upon enhancing efficiency and reducing cost. After all these efforts to rationalize and/or automate controls, adopt leaner approaches, etc., is there anything left to do that may increase the efficiency or effectiveness of your SOX program? You bet – transformational improvements, in fact – but it actually has more to do with transforming your team than it does with transforming the process itself. But first, some important context.
Many of today’s newly minted accountants and auditors know the Enron, WorldCom and Andersen implosions simply as interesting historical case studies from their university years. Without the benefit of lived experience, young professionals may naturally view participation in SOX compliance as a necessary rite of passage, rather than an essential activity, critical to an organization and its key stakeholders. This negative perception of SOX compliance activity also creates challenges in hiring and retaining the skilled internal resources needed to properly execute a robust SOX program. In brief, we now have SOX teams that lack an inspired sense of purpose, passion or mission.
Fortunately, today’s chief audit executives and/or directors of internal control typically have a bit more grey hair (well-earned), and recognize SOX compliance as a necessary response to the corporate implosions witnessed during their careers. However, in today’s economic environment, they are under increasing pressure to execute SOX compliance with as little impact and disruption to the organization as possible, and at the lowest cost.
So, in addition to the aforementioned controls rationalization efforts, many organizations have streamlined their SOX teams – with many now outsourcing key components of SOX compliance, especially testing, to the lowest cost provider. Hardly a recipe for building a cohesive and collaborative team spirit.
Finally, in any program viewed as mature or routine, and especially wherein cost pressures are prevalent, the sharing of any “bad news” that may disrupt the status quo is often discouraged. This condition is most prevalent within organizations wherein performance pressures are very high, but governance structures are siloed and unconducive to open, constructive dialogue regarding risks to achieving performance. For example, when the technologies being employed to support a program—although acceptable at the outset—are now dangerously antiquated, the suggestion that a technology upgrade is imperative may be viewed as too disruptive, the alternatives too costly, and therefore suppressed.
For example, many global companies are still running their SOX programs using MS Office. This invariably results in version control issues and challenges in aggregating and reporting data, not to mention a mad dash to the finish of each quarter with fingers crossed that nothing was missed.
In some ways, the context above resembles a potential perfect storm wherein management of key risks has become viewed as a routine, almost mundane activity, further exacerbated by a drive to lower costs and to minimize the sharing of any bad news. Unfortunately, history is littered with examples of the catastrophes that invariably ensue within the environment described above. The earlier noted examples of Enron and WorldCom certainly come to mind. Looking at the “routine” yet high-pressure space shuttle program – the Challenger and Columbia accidents are also clear examples. And of course, more recently, we have the Fukushima and Deepwater Horizon debacles – largely preventable disasters that reflected many of the causal attributes noted above.
Fortunately, catastrophic examples like those listed above are fairly rare. Most importantly, not only are they preventable, but the same measures to reduce program risk can also yield remarkable improvements in efficiency and effectiveness. So, even if you feel your SOX program only shares one or two of the traits above, adopting the steps below will still help reduce program risk, overall, and with potentially dramatic improvements in engagement and performance as well. Let’s see how.
These stakeholders include the audit committee, external auditor, CFO, controller, control owners and more. Richard Arthurs, Chief Audit Executive of AltaLink – A Berkshire Hathaway Energy company, put it well. “I always start with from a key insight standpoint that the investment that’s made in the relationships up front will always pay dividends as you maintain the program over time. Distinctly, when you’re leading change to move to a risk-based approach, you need to bring all of your sponsors and partners along with you – and getting their buy-in up front is very critical”, said Arthurs.
Of course, the external auditor is perhaps the stakeholder with the greatest weight when it comes to defining the approach and scope of the SOX effort that will satisfy their requirements. But there too, they answer to stakeholders, including the PCAOB, that inform their approach. Bill Powers of the PCAOB shared his own personal view regarding opportunities to place more emphasis upon entity level controls – potentially reducing the number of in-scope controls. In one case, Powers cited, “We asked the firm: ‘why don’t you start from the top down? Look through those higher level controls, those entity-level controls, those division level controls that management is reviewing information, and if they can be tested effectively and they’re working or operating effectively and designed effectively, you can minimize the amount of testing you could do at the process or at the transaction level.’ Eventually that turned around, so you’ll find that many of the firms today and companies alike are really doing a very effective job of looking for higher level controls to test.”
This is perhaps the most discussed, but least optimized, of all the strategies that may be employed to drive effectiveness and efficiency – and perhaps, more importantly, to get the SOX team and key stakeholders enthusiastically rallying around a common, agreed purpose. This also ties neatly back into Step 1. Again, Richard Arthurs shared the following, “I’ve learned that taking a risk-based approach is easy to sell to senior executives because they love the efficiency, but they always obviously want the effectiveness of the approach.”
But what exactly is an acceptable level of risk, as it pertains to SOX? Norman Marks shared this perspective on the topic: “When we look at COSO 2013, it really helps us because it talks about reducing the level of risk to an acceptable level. What is that acceptable level? When it comes to SOX, we’re talking about there’s less than reasonable likelihood or possibility that there will be a material error or omission. We need to focus on the risks where there is at least a reasonable possibility of a material error or omission. That’s the top-down. That’s the risk-based.”
Although there is no magic bullet, there are a few simple steps that can help shift your SOX team’s propensity to share open, honest feedback. First, celebrate those that do have the courage to share – doing so in an open forum, if possible. Secondly, if you receive feedback from your team, but choose not to act upon it, explain why and then consider engaging with the team to explore alternatives. Finally, find opportunities to celebrate small, early wins. Transforming old habits takes time and will be an iterative process. As such, every step forward is a good step and should be recognized as such.
So there you have it, four simple steps that can help transform your SOX program. With all the talk of controls transformation, automation and the potential of technology to drive dramatic improvements in efficiency, it’s really much simpler in the end. It all starts, and ends, with people.
Resolver is the risk backbone for over 1000 of the world’s largest organizations. Our cloud software takes the uncertainty from Decision-Making, Internal Control, Internal Audit, Compliance Management, Enterprise Risk Management and Incident Management. Resolver’s team is comprised of risk, compliance, and security experts supporting customers across 100 countries with offices in North America, United Kingdom, and the Middle East.