Companies often view SOX compliance as a necessary evil, similar to the way a child views the chore of homework. This is unfortunate. Companies should embark on a SOX compliance project with the intention of becoming compliant along with making their company run better. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring the new controls fit while improving their company. By focusing on the following items, companies can benefit from the efficiencies and improvements that arise from implementing a process-based controls environment:
- Every company is different
- Design controls to improve existing process
- Use controls to improve financial reporting
- Reduce the cost burden through controls automation
Every Company is Different
A cookie-cutter controls framework will fail, as it does not consider a company’s specific attributes, such as industry, size, and unique processes. Auditors tend to look at risks in a silo: when a common risk is identified, they automatically align the corresponding control to fit within the same process for all companies. Instead, when designing controls, auditors should ask: What is the most efficient place within my company’s current processes to implement this control?
To answer this question, the company’s current state processes should set the foundation, providing a complete look at the current process owners and procedures within each business process. Once the business has been deconstructed into its various processes, it becomes clear where the control will fit best within your company. For example, a manufacturing company books material usage by calculating the difference between the beginning and ending inventory count. Therefore, the applicable controls were placed within the inventory process rather than diving into the production process.
Design Controls to Improve Processes
A SOX implementation project can be approached with the goal of gaining organizational efficiencies through more effective processes. Conducting the risk assessment identifies current risks, the probability and impact of a potential deficiency and the current controls (or lack thereof) to mitigate the discovered risks. Reviewing end to end company processes will expose inefficiencies within the company. Discovery of these inefficiencies is an opportunity to improve the processes.
The process review of a large energy company found the Finance Director and Accounting Manager kept their own checklists of key entries and accounting processes. This practice caused key accounting processes and entries to be overlooked during the closing of the books. The inefficiency of the current process was causing a significant risk. By implementing a fully comprehensive close checklist the company eliminated the risk of missing entries, while also using the checklist as a planning tool, shortening the time it took to complete its overall month end close.
Use Controls to Improve Financial Reporting
One of the primary reasons Congress passed the Sarbanes-Oxley Act in 2002 was to restore public confidence in the reliability of financial reporting. However, this increased reliability has value beyond the investor, as the company itself can use this improved information to make better informed business decisions directly benefitting the company’s overall performance.
While designing and implementing a controls framework, companies should ensure controls and business processes align with reporting requirements. To align controls effectively, companies should focus on when they need information. The question of timing will help define 1) where the control is located within the process and 2) how often the control is conducted. For example, if the control is placed at the end of the reporting cycle, there will be no information available until the process is fully complete. However, if the control is placed earlier in the process, the company will be armed with the right information sooner. The same is true for the frequency of the control. Rather than waiting until the year end to review impairment indicators which was causing misstated assets, a quarterly review allowed an energy infrastructure company to have more timely and accurate goodwill impairment information for their financials.
Reduce the Cost Burden Through Controls Automation
A chief complaint about the Sarbanes-Oxley Act continues to be the cost of compliance. Cost of compliance is particularly demanding for companies relying heavily on manual controls. However, companies can focus on making information and processes more efficient and centralized by automating controls where applicable. Automation reduces time, while improving accuracy by removing the chance for manual error.
A mid-sized manufacturing company implemented strong controls around cumbersome manual invoice approvals with hand signatures. They found a way to automate the approval process with an inexpensive invoice routing and approval tool. The inexpensive AP automation tool allowed them to control invoice approvals, while removing the cumbersome and time-intensive job passing around invoices for manual signatures.
Since the enactment of SOX in 2002, companies have worked diligently to implement robust SOX control environments. In the early years of SOX, auditors were over-zealous with too many controls. Then, many companies worked with their auditors to rationalize and reduce the number of controls. The controls rationalization helped yet did not offset the burden and costs associated with managing the controls environment. Taking the next step in improving efficiency and effectiveness as a part of the SOX controls environment is something every company can do. Trenegy specializes in helping companies step “out of the box” and view controls to improve business operations.
Trenegy is a non-traditional consulting firm, helping businesses implement proper SOX controls. With proper SOX controls in place, business can benefit from efficiencies and improvements. Ask Trenegy how: firstname.lastname@example.org.