Friday, October 28, 2005
How to Reduce SOX Chaos and Cost Through Automation
For the majority of corporations, compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) has rapidly become an expensive and complex proposition. Surveys reported at the 2004 SEC Conference on Sarbanes-Oxley 404 showed that the effort involved in 404-compliance is double and triple the amount of work originally estimated and involves tens of thousands of hours.
The year 2004 also saw company executives opening their coffers in an effort to implement the internal controls necessary to achieve 404-compliance at virtually any cost. This "open checkbook" policy meant that while some funds were spent wisely, money was also wasted.
Along the way, an army of consultants and advisory firms was hired (and sometimes fired just as quickly). In sum, there was a feeling of chaos as companies sought to comply with unfamiliar processes and controls.
Throwing money at this problem doesn't necessarily solve it. The answer is that companies need to streamline visibility, control, and processes.
In most companies, SOX 404-compliance is treated as a separate project, independent of the rest of the organization. This "silo" mentality creates a wall between those responsible for reporting and controls and those who are involved in day-to-day processes.
Instead, SOX compliance needs to be integrated back into the day-to-day operations of the enterprise. This means shifting responsibility for testing and documentation to process owners. In other words, you must decentralize to reduce costs.
However, it's difficult for 404-compliance owners to transfer responsibility because they lack visibility into the schedules, status, and issues of process owners spread throughout the enterprise. In addition, the change control process is manual, which makes it difficult to synchronize documentation, controls, and processes. Finally, many control owners are reluctant to transfer responsibility for 404-compliance simply because they anticipate having to redo all their work from year one.
Leveraging technology to streamline visibility, control, and processes is the best way to reduce the cost of SOX compliance over the long term.
The most straightforward approach is to adopt a Project and Portfolio Management (PPM) software system, preferably one that offers pre-built templates for 404-compliance and supports the Internal Control Integrated Framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
This software should serve as a central repository of all documents, with role-based access for stakeholders. Web-based access is essential to ensuring that various team members across the globe can easily get to the right version of a document.
posted by Brian Moran @ 11:32 AM