From the very beginning of my work getting Viacom’s Sarbanes-Oxley compliance efforts off the ground in 2003, one thing always struck me as vital to success: setting standards and implementing best practices to achieve an effective, and efficient, compliance program.

Many companies struggled to work through limited SOX implementation guidance, with varying degrees of success. At Viacom, we were fortunate to make a number of good decisions that enabled us to implement a highly effective and streamlined process. As a result, we held our compliance costs well below commonly published benchmarks. Many of the tactics that we used are still relevant and appropriate today and have been supplemented with other strategies developed more recently. Whether you are preparing your company for initial implementation or just looking to enhance your company’s performance, I have a few tips that can go a long way toward making your SOX compliance effort “street smart.”

In a previous article I focused on the importance of planning and program management as the starting point for compliance initiatives, so let’s assume you already have those areas under control, so to speak. If that was the appetizer, documentation and testing have to be considered the main course.

Let’s start off by addressing one of the most important aspects of the compliance process: establishing the definition of a key control for SOX 404 purposes. Far too many companies initially took the approach of documenting and testing all their controls, and then had to re-evaluate which were really key controls. That resulted in disruptions and inefficiencies. To avoid a similar predicament, you should focus on identifying only those controls whose absence or failure to operate effectively could reasonably lead to a material misstatement in the financial statements.

Documentation Roadmap

Companies are well served by envisioning compliance as a process, rather than a project, to obtain the maximum benefit from the effort. Developing a standard documentation methodology that can be consistently implemented and used across the organization can limit the reworking of documentation that you will need to do. Additionally, companies that consist of multiple businesses may want to consider using best practice leaders to create standard documentation for analogous processes—particularly generic processes, such as cash disbursements, financial close, and payroll. While you do that, also seek as many operational efficiencies (such as standardizing or rationalizing controls) as you can. While this approach may add some incremental time and costs initially, meaningful control reductions may be identified that can result in perpetual cost savings in the future.

One of the most effective ways to determine which controls are key is to conduct process-specific workshops with all appropriate personnel, such as process owners, IT staff, and internal auditors. This is particularly important for automated or application controls; people often overlook them initially, but they are an integral component of most efficient internal control environments. These workshops are useful not only during the initial documentation stage, but they may also facilitate reductions to key controls based on subsequent re-evaluations.

Test Drive

Documentation efforts are typically significant in your first year of compliance, and then lessen in subsequent years. Testing is another matter; that effort will remain more or less constant over time and, therefore, will encompass more of your compliance efforts in future years. As a result, any efficiency you incorporate into testing can be tremendously useful.

Assessment standards, guidance, and protocols require a great deal of effort to develop initially, but can pay recurring dividends over time. Centrally developed standards can be incorporated into guidance issued to the testing team, including, for example, sample size and selection, use of pass/fail criteria, and requirements for tester and reviewer experience and independence (if you’re using a self-testing model).

One of the best recommendations I can offer relates to selection of sample dates. To streamline the overall sample selection process, use random-number generation to select standard dates for daily, weekly, and monthly controls, and use those standard dates for testing across the entire company rather than selecting different sample dates for each procedure. The collective savings from this strategy alone can be enormous.

To facilitate the testing process, particularly when there are hundreds of assessments to be performed, consider pre-populating the templates used to capture results with as much information as possible from the risk and control matrix (ideally using automated methods). There may be some initial costs incurred to set this up the first time, but they are easily justified if you get more expedient test preparation and results documentation on an enduring basis.

One of the most challenging parts of assessment is determining a testing and review resource strategy. You must include several factors here, such as independence, availability of qualified internal resources, the contribution of IT, and internal audit resources—as well as language barriers. Remember that most source documentation to be tested outside the United States, Canada, and Britain will be in the local language and may be difficult to assess without some reliance on third parties. They’ll need to be trained on your approach.

The timing of testing is also critical. Dividing the assessment process into two phases is a wise idea, and I can give you plenty of reasons why. Ideally, phase one should be conducted as early as possible to allow for remediation and retesting and to let the external auditors complete their initial evaluation. Company-level controls especially should be assessed early, since you might need additional testing of your process controls if the company-level controls aren’t working properly.

In the first assessment year, the logical desire is to have all controls in place, documented, and operating effectively prior to commencing testing, but that is usually not realistic. It is better to fail early than to fail late, because you might not have sufficient time to correct issues and perform necessary retesting to validate control effectiveness at year-end. That also gives you additional time to identify or implement, as necessary, and test compensating controls.

Start Your Engines

Maintaining and retaining process and testing documentation affects the entire compliance effort, and how you address this carries huge consequences for your overall success. For larger companies, a SOX data repository is vital, but smaller companies should also pay attention to this need. Even if a standalone SOX tool is not justified, some form of collaborative or shared data repository such as a portal can facilitate document sharing and retention and add a measure of structure to the compliance program.

Considering differences in company size, control environments, industry, and other factors, no single approach can work for all registrants. Still, numerous aspects of managing a SOX compliance initiative can have a major impact on the success of the program, including some that have been covered here. I have found that the best overall approach is to be highly innovative in your thinking and to take on as much of the administrative burden as possible centrally to maximize efficiencies. In my experience, these are the key ingredients for creating an efficient and effective compliance program, and I encourage you to apply what you can to your own efforts. Class is over; now it’s time to hit the streets.