Taking Control of SOX Costs
Roland Mosimann
Unlike the first year of enforced compliance, the attitude toward managing the process no longer is one of desperation. For accelerated filers, it’s not about how to get the work done, but how to stabilize and reduce costs while converting SOX compliance into a performance driver.
Non-accelerated filers can take note of the best practices established by their larger brethren. These include: streamlining scope and testing plans; getting more people involved as process owners; increasing visibility on project status; removing/consolidating redundant controls; replacing high-frequency controls; and standardizing controls.
Taking these best practices together means companies must move away from the cumbersome, time-consuming document management approach toward a data-centric method that uses a control framework built on a common database structure. Capturing the SOX 404 information directly in a database has a powerful impact on stabilizing and reducing SOX 404 costs because it allows companies to implement the best practices outlined above.
Streamline scope and testing plans according to relative risk priorities.
Guidelines from the SEC and COSO stress the benefits of a more top-down, risk-based approach to the control framework. This is difficult to do without a data-centric approach. Take a closer look at the way companies complete their scoping exercise. If the scoping methodology and formulas, which should include qualitative and quantitative factors for each account and entity, can be tied to the underlying database processes, time is saved analyzing what should be in or out of scope.
More importantly, this provides the judgment and information to gain approval from your external auditor for eliminating low-risk processes. That, in turn, eliminates all testing of associated controls.
Get greater involvement from process owners.
Process owners understand their own processes better than internal auditors or consultants. Involving process owners in SOX adds to the program’s efficiency and enables them to understand the importance of their controls, ensuring that they remain effective.
If control owners can provide their information in clear, self-explanatory forms that directly populate the framework, evaluation and approval can be expedited and consolidation becomes unnecessary. It’s a clear division of labor and expertise; they handle the business input, and the SOX team provides the audit input.
Create greater visibility on the project’s status and what has been accomplished.
With SOX 404 information in a database, program managers can access precisely what they need for reports, spreadsheets, and documents. The internal controls framework turns SOX into a “paint-by-numbers” exercise. As people fill in their parts of the project, the picture becomes clearer – it is easy to see what’s left to do by noting “unpainted gaps.” As questions or issues arise, one can interact with the data so that it becomes easy to use the database to build spreadsheets and documents, not the other way around.
Remove and consolidate controls.
Reducing the number of SOX tests lowers SOX costs. Identifying the areas where control counts or test frequencies can be reduced can mean substantial savings, especially when automated. SOX requires companies to identify the risks that impact financial statements and provide viable controls at each entity to mitigate those risks.
Often, when an analysis is done that compares the number of controls used to mitigate a particular risk within a process by entity, the results are markedly different. Assuming that the process is relatively standard for all the entities, why should one entity require more controls than another to mitigate the same risk? Does one entity have too many controls or does the other have too few?
When the SOX information is properly structured in a well-designed database, such information is easily identified. This type of analysis applied across all processes and entities will quickly point to areas ripe for control reduction.
Replace higher frequency controls with lower frequency and entity-level controls.
Organizations can also realize significant cost reductions by replacing controls that need to be tested often with those needing less testing.
Benchmarks are beginning to appear that show the frequency (real-time, hourly, daily, weekly, monthly, and bi-weekly) of a specific test across industry and size. A similar analytic approach allows a company to compare its test frequencies to the benchmarks in order to flag areas where a change in a control might be warranted so that tests can be performed less often.
With the aforementioned recent guidelines from the SEC and COSO, there is also an opportunity to replace process-level controls with more entity-level controls. The key to these decisions is the ability to apply a more risk-weighted assessment of your control framework.
Standardize controls across entities and processes where appropriate.
SOX programs are simplified whenever multiple entities follow an identical process. When one entity’s SOX information is captured in a database, it can be easily compared against the others within the framework. It becomes readily apparent how much or how little standardization exists across the organization. If designed properly, the database approach enables companies to standardize controls across entities while still allowing individual entities to describe the differences in how the control is tested.
Those using the data-centric methodology have seen dramatic results. Companies are able to eliminate the nightmarish problems and hassles of using the document management approach and understand that while SOX is hard work, it is manageable. Further, the companies we have worked with the longest are spending 30-50 percent less compared to the external audit fees of competitors (as evidenced by data from their 10-K filings). The methodology saves significant dollars.
Roland Mosimann is President of BI International, developers of the Aline™ platform for Governance, Risk, and Compliance, highlighted by Aline™ SOX for 404. Mosimann is co-author of “The Multidimensional Manager — 24 Ways to Impact Your Bottom Line” and is currently writing a follow-up book on performance management and GRC. He may be contacted at rmosimann@aline4value.com.
AZ CPA - November 2006