Implementing SOX controls can significantly improve your company. Unfortunately, companies often view SOX compliance as a necessary evil, similar to the way a child views homework. Companies should embark on a SOX compliance project with the intention of becoming compliant and making their company run better. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring new controls fit while improving their company. By focusing on the following, companies can benefit from the efficiencies and improvements that arise from implementing a process-based controls environment:
A cookie-cutter controls framework will fail because it doesn't consider a company’s specific attributes, such as industry, size, and unique processes. Auditors tend to look at risks in a silo: when a common risk is identified, they automatically align the corresponding control to fit within the same process for all companies. Instead, when designing controls, auditors should ask, "What is the most efficient place within my company’s current processes to implement this control?"
To answer this question, the company’s current state processes should set the foundation, offering a complete look at the current owners and procedures within each business process. Once the business has been deconstructed into its various processes, it becomes clear where the control will fit best within your company. For example, a manufacturing company books material usage by calculating the difference between the beginning and ending inventory count. Therefore, the applicable controls were placed within the inventory process rather than diving into the production process.
A SOX implementation project can be approached with the goal of gaining organizational efficiencies through more effective processes. Conducting the risk assessment identifies current risks, the probability and impact of a potential deficiency, and the current controls (or lack thereof) to mitigate the discovered risks. Reviewing end-to-end company processes will expose inefficiencies and reveal opportunities for improvement.
The process review of a large energy company found that the Finance Director and Accounting Manager kept their own checklists of key entries and accounting processes. This practice caused key entries and accounting processes to be overlooked during the closing of the books. The inefficiency of the current process was causing a significant risk. By implementing a fully comprehensive close checklist, the company eliminated the risk of missing entries and used the checklist as a planning tool, shortening the time to complete the overall month end close.
One of the primary reasons Congress passed the Sarbanes-Oxley Act in 2002 was to restore public confidence in the reliability of financial reporting. However, this increased reliability has value beyond the investor, as companies can use this improved information to make better informed business decisions, directly benefitting the company’s overall performance.
While designing and implementing a controls framework, companies should ensure controls and business processes align with reporting requirements. To align controls effectively, companies should focus on when they need information. The question of timing will help define 1) where the control is located within the process, and 2) how often the control is conducted. For example, if the control is placed at the end of the reporting cycle, information won't be available until the process is fully complete. However, if the control is placed earlier in the process, the company will be armed with the right information sooner. The same is true for the frequency of the control. Rather than waiting until the year end to review impairment indicators (which was causing misstated assets), a quarterly review allowed an energy infrastructure company to have more timely and accurate goodwill impairment information for their financials.
A chief complaint about the Sarbanes-Oxley Act continues to be the cost of compliance. Cost of compliance is particularly demanding for companies relying heavily on manual controls. However, companies can focus on making information and processes more efficient and centralized by automating controls where applicable. Automation reduces time and improves accuracy by removing the chance for manual error.
A mid-sized manufacturing company implemented strong controls around a cumbersome manual invoice approvals with hand signatures. They found a way to automate the approval process with an inexpensive invoice routing and approval tool. The AP automation tool allowed them to control invoice approvals and eliminate the time it took to collect manual signatures.
Since the enactment of SOX in 2002, companies have worked diligently to implement robust SOX control environments. In the early years of SOX, auditors were overzealous with too many controls, so many companies worked with their auditors to rationalize and reduce the number of controls. Rationalization helped but didn't offset the burden and costs associated with managing the controls environment. Taking the next step in improving efficiency and effectiveness as a part of the SOX controls environment is something every company can do.
Trenegy is a non-traditional consulting firm helping businesses implement proper SOX controls. With proper SOX controls in place, business can benefit from efficiencies and improvements. Ask us how at info@trenegy.com.
