SOX Compliance with ERM: Managing the Risk of Misstatements

Steven Minsky | June 11, 2012

First, what is Sarbanes-Oxley (SOX) 404 compliance? SOX compliance is the legal requirement that senior management of public companies attest that their company’s financial reporting is accurate. Sounds simple? The expense and the value are all in the execution. How is that done? Simply put, the flow of information is traced from the financial reports themselves back to the activities that generate that information and to the resources those activities depend on. That sounds like, and can be, a very difficult and time-consuming process, but that is where Enterprise Risk Management (ERM) steps in to manage the complexity.

How ERM Software benefits SOX

An ERM approach to SOX 404 compliance will dramatically reduce control maintenance and compliance testing activities, as well as reduce your external audit fees. What specifically, you ask?

  1. Setting priorities – Most organizations find it difficult to determine objectively and systematically across business silos what makes an operational control “key,” or to prioritize test activities based on the materiality of the risk the control addresses. Risk assessments identify which risks, and which controls over those risks, score highest within each business process.
  2. Joining IT SOX and SOX compliance at the activity level – Any automated financial control depends on an underlying IT system to run and be accurate. Most organizations have one group evaluate IT SOX compliance and another evaluate the internal controls over financial reporting, with no direct connection between the two. Connecting the specifics of all the touch points in IT and vendor management to a control dramatically reduces the scope of what needs to be tested. For example, if an IT resource supporting a material control has not changed within the past year, there is no need for retesting. But most organizations cannot connect IT to key controls, so they end up testing too many applications for SOX compliance because their IT group cannot determine which specific controls depend on which parts of the IT infrastructure. The result is not only wasted resources internally, but wasted expense paying external auditors large fees to check and recheck this redundancy!
  3. Assurance – Having everything in one place and connected through a risk taxonomy makes automated fact checking easy. Combined with the priority setting in point 1 above, this ensures that your organization’s most material issues are covered by appropriate controls and that testing is up to date, so management has full transparency and confidence in making their attestations.
  4. Saving money – Removing the unnecessary redundancy and overlap between IT SOX and SOX business controls reduces SOX compliance testing and the sign-off of testing activities. Finally, it reduces the external audit fees companies pay to review all of this unnecessary redundancy and overlap. Look up your company’s audit fees disclosed in your organization’s 10-K to see what a 15-20% reduction of that number is worth to your company each year. Double that number to get a sense of the time your organization is putting into preparing for and supporting that audit.

How SOX compliance with ERM benefits the enterprise

CFOs need greater transparency into operational activities, not just financial reporting accuracy. In the process of achieving SOX compliance, a lot of valuable information is collected that should be used to help other functional areas and bring value to the rest of the organization far beyond just SOX.

By using your ERM software to streamline SOX compliance, much like the six degrees of separation theory, all the relationships between activities and the effects of their outcomes can be reused for other purposes such as business continuity, IT access rights auditing, user-defined application management, PCI compliance, and much more. Not only does this reduce the effort of all these other activities by 40-60% through reuse of information, but the short-term cost savings are just the beginning: all this information becomes connected to board strategy and performance management goal achievement at virtually no additional cost or time commitment. The result is better business decisions and better performance management.


About the Author:

Steven is a recognized thought leader in ERM, CEO of LogicManager, and co-author of the RIMS Risk Maturity Model. Follow him on Twitter at @SteveMinsky