Contributors: Carole Sorensen, Senior Manager, Risk & Accounting Advisory Services
In the aftermath of the Enron scandal and other widespread fraud and failures, the Sarbanes-Oxley (SOX) Act was enacted to improve corporate transparency and accountability in financial reporting and to prevent corporate fraud from occurring. Although SOX compliance is now a requirement for all publicly traded companies in the U.S., the necessary SOX audit process can be a time-consuming and costly undertaking. Prioritizing the importance of the internal control environment through risk management will help mitigate the challenging demands the program entails, and focusing on a well-planned SOX program can ease the burden.
There are several ways organizations can not only achieve compliance but also create organizational and operational efficiencies that add value to their business.
Six Steps To Developing Efficiencies in Your SOX Program
1. Streamlining Processes and Reducing Redundancies
SOX requires companies to formally document their financial processes and internal controls, which by itself can help process owners identify inefficiencies and redundancies. Process mapping is crucial to SOX because it allows organizations to understand their processes, identify potential risks, and then implement solutions that mitigate those risks. Performing this review not only brings visibility and transparency to the current state of the control environment, but also helps create opportunities for improvement and provides process owners with tools for success. Process mapping can also help identify areas to automate repetitive tasks or reduce redundancies.
For example, after completion of a process mapping exercise for the financial close process, the business leader noticed five members of the team were all running duplicate reports out of the Enterprise Resource Planning (ERP) system to use in their calculations. Identifying this during the documentation process allowed the group to strengthen the process and assign the report generation to one control owner, who shares the support with the team in a secure shared folder to reduce redundancies and duplication of efforts.
Performing exercises such as this and maintaining the resulting documentation allows companies to save time and resources and improve overall efficiency.
2. Enhancing Risk Management Through ERM
SOX mandates that companies identify and assess risks to their financial reporting and implement controls to mitigate those risks. Building out an in-depth SOX program is the first step to helping companies identify and manage risks beyond financial reporting. However, adding a layer of enterprise risk management (ERM) brings visibility to high-risk areas that can impact the financials on a different level, not historically captured by SOX. This includes uncovering previously unknown risks in areas such as operational, legal, and reputational risk. The ability to identify and manage these separate risks creates visibility for process owners and creates opportunities to strengthen the control environment even further.
Take into consideration a manufacturing company with inventory movements/changes on the floor. This may not be considered a financial risk as part of SOX planning and might be ignored. Identifying this as an area of operational risk through the enhanced ERM process can ultimately:
- Identify areas of improvement in the process (inventory is not controlled and workers can grab tools as needed)
- Strengthen the control environment by evaluating and improving upon the current process (inventory should be secured and only required individuals should receive access to their necessary items; sign-off of materials obtained may be required)
- Enhance the overall operational process, resulting in lower inventory variances and greater accountability on the manufacturing floor
3. Improving Communication and Collaboration
Communication can help identify potential risks and issues before they become significant problems. SOX compliance requires coordination and collaboration between different departments and teams that would not otherwise interact. Clear communication of roles and responsibilities can help ensure that everyone involved in the SOX program understands their responsibilities and how they contribute to the overall success of the program.
A thorough SOX program can improve communication and collaboration between various groups resulting in integration for better decision-making and more effective risk management. Senior Management should set the tone when it comes to SOX communication, and creating an environment of transparency and expectations around SOX compliance is key. The business and process owners tend to be more willing to assist when they understand the benefits, requirements, and collaborative efforts that go into SOX planning. Management should regularly communicate the goals, objectives, and overall status reporting during the SOX testing periods and provide ongoing resources to business areas to strengthen communication and collaboration amongst various areas.
Furthermore, effective organizational communication can educate employees on the importance of SOX compliance, what they need to do to support the program, and how their actions impact the organization’s compliance efforts.
4. Increasing Transparency and Accountability
Transparency and accountability are critical components of a successful SOX program. These program elements ensure that all financial reporting is conducted in a clear and honest manner and that any discrepancies are identified and addressed promptly. SOX compliance requires companies to provide accurate and timely financial disclosures, which can increase transparency, trust, and accountability and improve accuracy. This can also help build trust and confidence among investors, customers, and other stakeholders.
Internally, SOX checklists can be a tremendous help when working with various business units. They give other business areas visibility into the broader SOX compliance scope and objective and improve clarity among the groups. Implementing a checklist eliminates any ambiguity around process owners and due dates when they are outlined directly.
Another way business leaders can improve visibility and accountability is to assign SOX coordinators to larger business areas. These coordinators can help streamline communications and expectations between larger functions and ensure deadlines and expectations are met.
5. Driving Continuous Improvement
SOX compliance is an ongoing process that requires regular monitoring, testing, and improvement of controls and communication. By building upon your SOX program year after year, companies can create a culture of continuous improvement and drive operational excellence through streamlined processes and standardized procedures to reduce errors, redundancies, and delays. There are long-term benefits to committing the time and resources to improving your SOX plan. Companies that strive to improve the SOX process see a reduction in SOX efforts over time and see more positive results.
Additionally, external auditors value relationships with internal audit and there are several ways they can give business units SOX breaks if they have strong trust with the business, which is a direct result of continuous growth and development. Some ways the business can reap the benefit of this growth are self-assessment testing for controls, reliance on internal audit workpapers, and peer review opportunities.
SOX compliance requires regular communication between management and auditors, which can help companies identify areas for improvement and develop proactive solutions. This can lead to more effective decision-making, as management can make informed decisions based on accurate and timely information.
6. Creating Structure and Standardization
SOX is a requirement for all public companies in the U.S. and ongoing compliance must be met every year. Identifying areas to improve within the structure of the SOX program and implementing standardized procedures will minimize the amount of time and resources spent on program requirements for years to come. We have outlined several ways to create structure and standardization above, including process mapping and implementation of a SOX compliance checklist, but there are ways to improve within the SOX program itself:
- Identify how many testing cycles will be performed. Most external auditors will use three to four rounds of testing (walkthroughs, interim, year-end and substantive), but finding the cadence that works best for the business's unique control environment is important to successful program structuring and improving organization.
- Execute identified testing phases by building standardized templates to create structure for SOX coordinators, internal auditors, external auditors and other stakeholders.
- Results reporting should be communicated regularly, and having a standardized method of sharing the goals, projected outcomes, and results is crucial to the structure. Having standardized methods for delivery of these items also reduces the amount of time needed to prepare materials overall, especially deliverables that are to be shared on a regular, ongoing basis.
Implementing a SOX program can do more than just achieve compliance. It can create organizational and operational efficiencies that can add value to a company’s business. By streamlining processes, enhancing risk management, improving communication and collaboration, increasing transparency and accountability, driving continuous improvement, and creating structure and standardization, companies can achieve better outcomes and build a sustainable competitive advantage.
How Cherry Bekaert Can Help Guide You Forward
At Cherry Bekaert, our goal is to help clients protect value, power performance, and build financial and operational resilience. It is important to understand your organization-wide risk appetite and to manage compliance risk, financial reporting risk, and operational risk. Cherry Bekaert’s Risk advisors can help you design and implement strategies around SOX 404 compliance, IPO readiness, internal audit co-sourcing, control testing, rationalization and optimization, risk assessments, and accounting advisory, with results in mind.
For more information on establishing or enhancing your organization’s SOX program, contact Cherry Bekaert’s Risk & Accounting Advisory Services practice or your Cherry Bekaert advisor.