Many organizations have spent millions of dollars and tens of thousands of staff hours to complete the documentation, testing and reporting required by the Sarbanes-Oxley Act (SOX). In retrospect, many of them ran into the same two issues.
1. Documenting too many controls
When SOX compliance was in its infancy, no one was certain how many documented controls were too few, too many or just right. Erring on the side of caution, most companies documented every control they could find: not just key controls, but every control.
2. Documenting mostly manual controls
SOX teams often lacked ERP experts with a detailed understanding of the controls embedded in the systems themselves (often called configurable controls). As a result, they documented mostly manual controls.
The net effect of these errors was very extensive and largely manual testing. These “testing projects” are repeated quarterly and annually for the Section 302 and Section 404 certifications, and much of that work is costly without adding value or improving the internal control environment.
Most companies seasoned in SOX compliance are beginning to change their approach. Rather than approach it as a project, they see the advantages of treating it as an ongoing process. Taking a process-based approach to SOX compliance helps companies maintain strong internal control over financial reporting and saves money in the long-term. To accomplish this, proper use of technological tools is key in creating an effective and sustainable transition from project-to-process.
Automating and optimizing controls
Technology plays a big role in moving SOX compliance from a project to an ongoing, sustainable process. Manual controls are more prone to failure than automated controls: they are detective rather than preventive, identifying problems only after they have occurred, and they are typically sample-based, so only a portion of all transactions is evaluated and tested.
Optimized automated controls are systems-based, preventive and managed. These features allow companies to engage in more self-assessment, entity-level and process-level monitoring, and automated testing. Automated testing also covers a larger universe more accurately than manual testing, because it can examine the full population of transactions rather than a sample.
The role of technology in regulatory compliance can be broken down into two parallel tracks – (1) automation of the internal control environment and (2) automation of the compliance process. By automating the control environment and compliance process, companies are able to test and review controls throughout the year, providing the documentation and reporting materials needed to more easily comply with quarterly and annual reporting requirements.
In many instances, companies do not need to purchase expensive new technology tools. Many companies can make significant advances by making better use of the applications and tools they already use. The result is improved sustainability, lower costs and greater value to the internal control environment and compliance process.
ERP companies and other business technology vendors recognize the benefits they can provide to the control environment and compliance process. As a result, they have been improving their products in an evolutionary way.
Continuous control monitoring
The highest levels of compliance technology provide continuous control monitoring and improvement and support enterprise risk management (ERM). With continuous control monitoring, companies get preemptive segregation-of-duties (SOD) conflict analysis, real-time transaction exception monitoring, and alerts on master data and configuration changes. These features keep management on top of developments and, in many instances, ahead of them: problems are detected immediately, and often anticipated and avoided.
ERM provides the greatest value to the organization. With ERM, companies have the ability to integrate compliance frameworks, tools and data. They gain portal access to personalized risk management information. They also enjoy the benefits of proactive risk identification and evaluation.
To achieve sustained value from application controls, organizations must first attain a high level of process maturity. Process maturity implies a high degree of control automation, control reliability and a preference for preventive over detective controls. This entails properly configuring controls for the control universe, assessing existing controls, identifying gaps and opportunities, and implementing the necessary control and process changes. SOD issues must also be addressed, including the design or acquisition of rule sets, assessment of existing roles and assignments, identification and mitigation of potential gaps, redesign of roles where necessary and cleanup of assignments.
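The SOD work described above (a rule set, role definitions, user-role assignments, and both a detective review and a preemptive check) can be modelled directly. The following Python is an added example and is not code from the original article or from any of the vendor tools it names; the rule pairs, role names, function names and users are all constructed. It flags roles that are conflicting on their own (which need redesign, not reassignment), users whose current roles conflict, and the new conflicts a proposed role grant would introduce before the grant is made.

```python
"""Segregation-of-duties (SOD) analysis over a rule set, roles and assignments.

Constructed example: every rule pair, role, function and user below is
hypothetical and stands in for real ERP authorizations.
"""

# Rule set: pairs of functions one person must never hold together.
# In practice this is a purchased or internally designed rule set.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("enter_journal", "post_journal"),
    ("create_purchase_order", "approve_purchase_order"),
]

# Role definitions: role -> functions (transactions/authorizations) it grants.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment", "approve_purchase_order"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal"},
    "BUYER": {"create_purchase_order"},
    # Badly designed role: a conflict inside one role cannot be fixed by
    # moving users around; the role itself has to be redesigned.
    "GL_SUPERUSER": {"enter_journal", "post_journal"},
}

# Current user-role assignments (constructed).
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"GL_ACCOUNTANT"},
    "carol": {"BUYER"},
}


def _rules(rules):
    """Normalize the rule list to a set of unordered pairs."""
    return {frozenset(pair) for pair in rules}


def functions_of(role_names, roles=ROLES):
    """Union of functions granted by a set of roles; an unknown role is an error."""
    funcs = set()
    for name in role_names:
        if name not in roles:
            raise KeyError(f"unknown role {name!r}")
        funcs |= roles[name]
    return funcs


def violated(funcs, rules=SOD_RULES):
    """Rule pairs fully contained in a function set."""
    return {pair for pair in _rules(rules) if pair <= funcs}


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Roles that violate a rule by themselves (intra-role conflicts)."""
    found = {name: violated(funcs, rules) for name, funcs in roles.items()}
    return {name: v for name, v in found.items() if v}


def user_conflicts(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Detective pass: users whose combined roles violate a rule today."""
    found = {user: violated(functions_of(rs, roles), rules)
             for user, rs in assignments.items()}
    return {user: v for user, v in found.items() if v}


def conflicts_if_granted(user, new_role, assignments=ASSIGNMENTS,
                         roles=ROLES, rules=SOD_RULES):
    """Preventive pass: new conflicts a proposed role grant would introduce.

    Run this before provisioning so the grant can be blocked or routed for a
    mitigating control, instead of surfacing in the next quarterly review.
    Conflicts the user already has are not reported again.
    """
    current = functions_of(assignments.get(user, set()), roles)
    proposed = current | functions_of({new_role}, roles)
    return violated(proposed, rules) - violated(current, rules)


if __name__ == "__main__":
    print("roles with built-in conflicts:", role_conflicts())
    print("users in conflict today:", user_conflicts())
    print("granting AP_MANAGER to carol would add:",
          conflicts_if_granted("carol", "AP_MANAGER"))
```

The preemptive check is the part that turns SOD from a detective control into a preventive one: wiring `conflicts_if_granted` into the provisioning workflow stops a conflicting assignment at request time, while `user_conflicts` remains the periodic clean-up sweep for assignments that predate the rule set.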
Once process maturity is achieved, SOX compliance costs become much more predictable. They are also lower than the expected costs of a manually driven project approach. This decrease in cost occurs because most of the controls testing, monitoring and documentation are automated and woven into business processes.
The move from manual to automated controls entails an investment in people, tools and time. However, once automated controls and SOD rules are in place, organizations can actively maintain the environment. It is this active maintenance that ensures compliance becomes an ongoing process rather than a stand-alone project.
Keeping one’s guard up
Active maintenance is critical. Without active maintenance, companies with a strong automated control environment can eventually fall back into the “project” mode of compliance. This happens over time as a result of employee turnover, poor change management and other factors that decrease the effectiveness of the control environment. Eventually, the organization reaches a point where it must engage in another expensive project to bring the control environment back to a high level of effectiveness.
Along with active maintenance, continuous monitoring and automated testing enable organizations to stay on top of employee turnover, quickly address SOD issues and respond to changes in the environment, keeping the technological tools current.
Vendor tools from Applimation, Approva, Logical Apps, Virsa, Oracle and Protiviti (Assure Controls) are key to helping organizations ensure active maintenance of their control environment. A story about a Protiviti SOX client illustrates the effectiveness of these tools.
Company A had been through nearly two years of SOX compliance when Protiviti brought in the Assure Controls tool to assess the company’s high-risk control areas. The findings fell into four categories.
- In the first category, the tool identified 40 controls that matched the automated assessment and tested without exception. The potential for improvement here lay in replacing manual testing with automated testing.
- In the second category were 69 controls that matched but tested with exception. In other words, Company A was improperly relying on 69 of its documented controls. Potential improvements included enhancing security and configurable controls and automating testing to achieve efficient, repeatable results.
- In the third category, 98 controls were identified that were turned on in the system but not mentioned in the control documentation. The company was therefore missing opportunities to place more reliance on these controls and reduce manual testing.
- The fourth category contained 145 controls that were available but had not been implemented. They did not appear in the documentation and tested with exception.
In the end, there were:
- 109 already identified application controls (the 40 plus the 69) that could be tested more efficiently, including the 69 that tested with exception.
- 243 application controls (the 98 plus the 145) that could be used to replace manual controls.
- 214 potential security/configuration issues (the 69 plus the 145).
One conclusion to be drawn from this example is that prior-year testing and conclusions may have been wrong due to the inherent limitations of manual testing of sophisticated applications.
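The four-category reconciliation above is mechanical once the inputs are in hand: a documented control list, and per-control assessment results saying whether the control is enabled in the ERP and whether its automated test found an exception. The Python below is an added example, not the Protiviti engagement's own method or output of the Assure Controls tool; the control IDs and results are constructed. It assigns each assessed control to a category, rolls the counts up the way the Company A findings were reported, and lists documented controls the assessment could not match, which stay on the manual testing list.

```python
"""Reconcile documented application controls with an automated control assessment.

Constructed example: control IDs and results are hypothetical. Categories:
  1 documented, tests clean           -> automate the test
  2 documented, tests with exception  -> improperly relied upon
  3 enabled but undocumented          -> missed reliance opportunity
  4 available, not enabled, undocumented -> implement it
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessed:
    control_id: str
    enabled: bool      # control is switched on in the ERP configuration
    exception: bool    # automated test found an exception

    def __post_init__(self):
        # A control that is switched off cannot test clean; reject bad input early.
        if not self.enabled and not self.exception:
            raise ValueError(f"{self.control_id}: a disabled control cannot test clean")


def categorize(documented, assessed):
    """Map each assessed control ID to its category 1-4."""
    cats = {}
    for a in assessed:
        if a.control_id in documented:
            cats[a.control_id] = 2 if a.exception else 1
        else:
            cats[a.control_id] = 3 if a.enabled else 4
    return cats


def counts_by_category(cats):
    """Number of controls in each of the four categories."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for c in cats.values():
        counts[c] += 1
    return counts


def summarize(counts):
    """Roll the four categories up the way the engagement findings were reported."""
    return {
        "identified_controls_automatable": counts[1] + counts[2],
        "manual_controls_replaceable": counts[3] + counts[4],
        "security_config_issues": counts[2] + counts[4],
    }


def documented_but_unassessed(documented, assessed):
    """Documented controls the tool could not match; these remain manually tested."""
    return documented - {a.control_id for a in assessed}


# Constructed sample data.
DOCUMENTED = {"AP-01", "AP-02", "GL-01", "GL-02", "PO-01"}
ASSESSED = [
    Assessed("AP-01", enabled=True, exception=False),   # category 1
    Assessed("AP-02", enabled=True, exception=True),    # category 2
    Assessed("GL-01", enabled=False, exception=True),   # category 2: documented but switched off
    Assessed("GL-03", enabled=True, exception=False),   # category 3
    Assessed("PO-02", enabled=True, exception=False),   # category 3
    Assessed("PO-03", enabled=False, exception=True),   # category 4
    Assessed("HR-01", enabled=False, exception=True),   # category 4
]

if __name__ == "__main__":
    cats = categorize(DOCUMENTED, ASSESSED)
    counts = counts_by_category(cats)
    print("per control:", cats)
    print("per category:", counts)
    print("roll-up:", summarize(counts))
    print("still manual:", documented_but_unassessed(DOCUMENTED, ASSESSED))
    # The published Company A figures tie out under the same roll-up.
    print("Company A:", summarize({1: 40, 2: 69, 3: 98, 4: 145}))
```

The `GL-01` case is the one worth watching in practice: a control that appears in the documentation and was presumably tested manually in prior years, but is not actually switched on in the system. It lands in category 2 and in the security/configuration issue count, which is the situation the article's conclusion about prior-year testing describes.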
A further argument for using automated tools to transition from project-to-process is the stance of the external audit firms. They appear to be preparing to deploy sophisticated application analysis tools for future audits and Section 404 assessments.
By automating controls where possible and shifting the focus away from detailed application testing and onto the tools and rule sets used to monitor the applications, time and effort can be saved, with reliability of results greatly enhanced.
The need for active maintenance cannot be overstressed. Without a process to maintain and monitor the ERP control environment, it will likely weaken over time, forcing companies to spend significant resources to bring it back up to a high level of effectiveness. It is the maintenance aspect that ensures SOX compliance remains a process that can be predictably and reliably managed.