Tuesday, December 14, 2004
Automation, The Best RX For SOX Pain
Fix the problems now for a smoother 2005.
from Compliance Pipeline
Well, by now, you are familiar with all the pain points when it comes to Sarbanes-Oxley compliance. If your organization is among the majority that attempted to muddle through with manual processes for this first round of deadlines, you are very aware of your particular pain points. And even if only a portion of SOX compliance tasks fell to your staff to handle manually, you are probably making early New Year's resolutions that sound something like "AUTOMATE OR DIE."
While IT staffers roam around with spreadsheets logging policy exceptions to prove that IT "controls" are effectively in place, IT isn't the only department driven to distraction. The executive suite has been forced to take its collective eye off the ball as well.
A recent PricewaterhouseCoopers survey found that one out of five directors say Sarbanes-Oxley has created an environment where management is distracted enough that company performance will be affected. And this number is up from 13.9 percent in 2003. Why? Sections 404 and 302 for starters. But a failure to automate the processes around monitoring and controls (Section 404) has left them in a precarious position for certifying the integrity of their financial statements (Section 302).
In the survey of 10,000 directors and CEOs of 2,000 publicly traded companies, only about half of the directors felt that Sections 404 and 302 compliance would make a difference in the quality of their financial statements. Something tells me those are the directors from companies that didn't flunk their internal audits the first time around.
Of course, the real message is that no matter how painful the process was this year, you get to do it all over again next year. Now is the time to do something about it. More tools appear every week for monitoring the IT control points associated with compliance management. Or consider an overall framework of process automation.
It was easy to de-prioritize SOX in favor of other activities like running the business. But if IT and business managers end up running around collecting required documentation, it's easy to see how performance can be affected.
To put a finer point on it, we can expect the regulators to learn as they go, as well. They'll figure out what's working and what isn't, and if there is a piece of technology that turns out to be very effective for identifying problems and making accurate reports, eventually they'll want to know why it isn't being used.
posted by Brian Moran @ 10:18 AM