Rationalizing SOX from the ground up
We are coming up on the 10-year anniversary of Sarbanes-Oxley (enacted July 29, 2002). Most companies have gone through at least one major rationalization effort to reduce the number of controls and understand the true cost of compliance. The past 10 years have also taught some important lessons about rationalization: it isn't a one-time event, it takes involvement from all stakeholders, and your company has to be diligent in measuring the progress it is making around SOX.
Rationalization is an ongoing effort
Rationalizing your controls isn't a one-time event. For a global company whose business is constantly changing, it is an ongoing proposition. Growth in one market may be balanced by a retraction in another, so you should revisit your scoping every year based on what is material. That review tells you which markets need more attention because of growth and which need less because of contraction. For markets that are getting smaller, this may be an opportunity to rely more on entity-level controls and do less detailed testing of process controls. For markets that are growing, use it as a time to revisit documentation and the control framework: controls that were adequate for a $10 million segment may no longer meet your control objectives once the segment is $100 million.
It takes a nation
As you look at your control framework, use this as a time to include all stakeholders. Invite your external auditors to the table to confirm that the key controls you identify are the same key controls they rely on. If Internal Audit provides testing services, include them as well; they will have a ground-level view of where the opportunities are. Representatives from Information Technology should be at the table, since they can identify controls that can be automated and align the work with ongoing and planned IT initiatives. And the control owners need to drive the discussion, because they have ultimate accountability for the control environment.
You can only manage what you measure
Understanding your true cost of compliance is a fundamental part of rationalizing your control environment. Are you measuring how long it takes to scope your certification testing? Are you measuring how long it takes to test each control? With that data, together with data points about control types (manual vs. automated, detective vs. preventive, controls by cycle), you can start to build a picture of the true cost of compliance. That picture also lets you compute a return on investment for projects that automate existing manual controls. It may be hard to ask your staff to log hours against each control they test, but this data is critical to building the business case for change.
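One way to turn those logged hours into the picture described above, as an added example that is not part of the original post: a small roll-up over a control inventory that totals annual testing cost by cycle and by control type, and computes the payback period of automating a manual control. The control inventory, the hours and the blended hourly rate are all constructed sample data, not figures from the post.

```python
"""Cost-of-compliance roll-up for a SOX control inventory.

Added example; not from the original post. All controls, hours and the
hourly rate below are constructed sample data for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    cycle: str            # business cycle the control belongs to, e.g. "revenue"
    automated: bool       # True for an automated control, False for manual
    preventive: bool      # True for preventive, False for detective
    scoping_hours: float  # hours spent scoping / walking through the control per year
    test_hours: float     # hours to test one occurrence of the control
    tests_per_year: int   # how many times the control is tested per year


# Assumed blended hourly rate for testers (USD); a constructed figure.
HOURLY_RATE = 150.0

# Constructed sample inventory: two cycles, a mix of manual/automated
# and preventive/detective controls.
SAMPLE_CONTROLS: List[Control] = [
    Control("REV-01", "revenue", automated=False, preventive=True,
            scoping_hours=4, test_hours=6, tests_per_year=2),
    Control("REV-02", "revenue", automated=True, preventive=False,
            scoping_hours=4, test_hours=1, tests_per_year=1),
    Control("PAY-01", "payroll", automated=False, preventive=False,
            scoping_hours=2, test_hours=10, tests_per_year=2),
    Control("PAY-02", "payroll", automated=True, preventive=True,
            scoping_hours=2, test_hours=1, tests_per_year=1),
]


def annual_hours(control: Control) -> float:
    """Total hours spent on one control in a year: scoping plus all test rounds."""
    return control.scoping_hours + control.test_hours * control.tests_per_year


def annual_cost(control: Control) -> float:
    """Annual cost of one control at the blended hourly rate."""
    return annual_hours(control) * HOURLY_RATE


def cost_by(controls: List[Control], key: Callable[[Control], str]) -> Dict[str, float]:
    """Sum annual cost into buckets chosen by `key` (cycle, manual/automated, ...)."""
    totals: Dict[str, float] = defaultdict(float)
    for control in controls:
        totals[key(control)] += annual_cost(control)
    return dict(totals)


def control_type(control: Control) -> str:
    """Bucket label combining the two control-type dimensions."""
    mode = "automated" if control.automated else "manual"
    nature = "preventive" if control.preventive else "detective"
    return f"{mode}/{nature}"


def automation_payback_years(control: Control, automated_test_hours: float,
                             one_time_cost: float) -> Optional[float]:
    """Years for an automation project to pay for itself.

    `automated_test_hours` is the assumed per-test effort once the control is
    automated; `one_time_cost` is the project spend. Returns None when
    automation would not reduce annual cost (e.g. the control is already cheap).
    """
    after_hours = control.scoping_hours + automated_test_hours * control.tests_per_year
    saving = annual_cost(control) - after_hours * HOURLY_RATE
    if saving <= 0:
        return None
    return one_time_cost / saving


if __name__ == "__main__":
    print("cost by cycle:", cost_by(SAMPLE_CONTROLS, lambda c: c.cycle))
    print("cost by type: ", cost_by(SAMPLE_CONTROLS, control_type))
    print("cost manual vs automated:",
          cost_by(SAMPLE_CONTROLS, lambda c: "automated" if c.automated else "manual"))
    for control in SAMPLE_CONTROLS:
        years = automation_payback_years(control, automated_test_hours=1.0, one_time_cost=4500.0)
        print(control.control_id, "payback years:", years)
```

The `cost_by` roll-ups are the inputs to the business case: the manual-vs-automated split shows where the testing hours actually go, and `automation_payback_years` turns an assumed project cost into a payback period for each manual control, so candidates can be ranked rather than argued over.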
What will your SOX efforts look like 10 years from today? I hope your organization is much leaner and more efficient, while providing even more insight into risk than it does today. If you treat SOX as something that evolves through ongoing rationalization, continuous engagement of all stakeholders, and diligent measurement, your organization is well on its way.