The Sarbanes-Oxley Act requires every publicly traded company, large or small, to establish internal controls and procedures for reliable financial reporting. Although the Securities and Exchange Commission has extended the deadline for small businesses and foreign entities, these organizations need to begin planning. But as they do so, they can apply valuable lessons learned by large businesses that paved the way to Sarbanes-Oxley compliance (and spent on average of US$10 million to do so). Here are the top five lessons learned that will help you reduce the cost and level of effort for achieving compliance.
Lesson No. 1: Form a compliance office
Accountants, financial managers and software developers are good at what they do. But expecting them to write business process documentation and flow diagrams will result in substandard documentation and several iterations (and will certainly divert those team members from their daily jobs). With a compliance office, process engineers trained in interviewing, documenting processes and developing flow diagrams treat accountants and technologists as subject-matter experts. The process engineers complete the documentation themselves and have the subject matter experts validate the final result. This results in less rework, less cost and less frustration.
Lesson No. 2: Implement financial compliance process management software
The more then 100 corporations and government agencies I've worked with on Sarbanes-Oxley compliance and A-123 attestation have all admitted to handing their audit teams hundreds of three-ring binders packed with Word documents and Excel spreadsheets, claiming compliance. The response? The auditors asked for abridged versions or traditionally out-of-scope documentation for an audit, such as full integration diagrams and touch-point descriptions. Very few firms implemented a financial compliance process management (FCPM) application in Year 1 or even Year 2, but auditors applauded the efforts of those that did. Such a system allows access to a repository of documentation through a user interface linking corporate objectives, risks, control points and frameworks, such as Coso (the Committee of Sponsoring Organizations of the Treadway Commission) and Cobit (Control Objectives for Information and Related Technology). It allows for transparency into a company's governance framework and provides the ability to keep process, evidence of compliance and self-assessments current. Implementing FCPM software reduces the work both for auditors, who have to review your documentation, and for your team members, who have to keep it up to date.
Lesson No. 3: Hire consultants who do rather than review
Contract the services of a risk and control consulting firm. Risk and control consultants can identify your technology-related risks and document your internal controls so that they align with Coso and Cobit frameworks. They'll do the work that a public accounting firm won't, such as prepare documentation and actively participate in review sessions among audit groups and staff. Many companies hire a second public accounting firm, rather than a risk and control firm, to act as a Sarbanes-Oxley compliance adviser. These registered firms, however, still act conservatively and simply review the work iterations of the internal teams without offering directive guidance. In essence, the companies pay for two layers of audit review. The lesson? Supplement your staff with experienced and knowledgeable people to accomplish the work without multiple iterations and to save time and money.
Lesson No. 4: Focus on control points, not process
Companies often present Sarbanes-Oxley auditors with binders full of detailed processes, such as a full software development life cycle (SDLC), mapped back to the core Cobit goals. However, by focusing on control points and associated authorized signatures within the process, organizations can reduce the time and expense of producing documentation. Much to the appreciation of its external auditor, it handed over not the entire 300-page SDLC, but a framework made up of 16 control points with two-page descriptions for each and evidence of compliance for all points throughout the life cycle.
Lesson No. 5: Education, awareness and coaching
A lesson can be learned from an organizational change management practice that assigns coaches to work with teams daily, over a short period, to help them fill out paperwork and enable them to understand the new processes and controls.
A company was introducing a new SDLC methodology based on industry best practices, which would radically change the way project teams functioned and progressed through the life cycle. The company identified 20 staff members to act as process coaches. By interacting and coaching team members daily, teams were given assistance in completing documents, storing artifacts and asserting that they followed the required processes. After only one month, 10 team members were so well versed in the processes that they became coaches themselves, and within three months, over 2,200 staffers had been given formal awareness training and had been part of a team with a coach. The quarterly assertions became easy to distribute and collect, and the number of waiver requests dropped by 80 percent.
When we consider the wave of corporate scandals in recent years, we see that regulation is a good thing. But the organizations forced to comply often experience the frustration and confusion that accompany large-scale change. By implementing a few lessons learned, corporations, the federal government and small businesses can reduce their costs, increase the efficiency and effectiveness of their processes and ease the strain on their employees.
Adam Nelson, director of public-sector solutions at Keane, has been advising the private and public industry for 15 years, promoting governance models such as Coso and Cobit before Sarbanes-Oxley made them popular. He can be reached at Adam_Nelson@keane.com.