If you have made new year's resolutions, chances are one of them was about your personal health: eating better, working out more, or being more mindful in your everyday activities.
But what about the day-to-day health of your Sarbanes-Oxley compliance program? In the same way that you are investing more time and effort into your personal wellbeing in 2020, it is likely your SOX program is in need of revitalization. After all, we are nearly 20 years into SOX - the way your organization handled it back in 2002 should not be the way it is addressed today.
We have found that, to evaluate their current situation and uncover the next steps for shaping up their processes, SOX leaders must ask themselves six insightful questions. The answers can help you trim down and get your compliance program in shape.
Luisa v. Esterházy
Partner, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft
1. Does your executive team see SOX as valuable?
Most organizations we have talked to would say they do not have a SOX strategy - not because they fail to approach it tactfully, but because it is viewed as more of a binary, cut-and-dried exercise. It is either completed or incomplete. But it really should be more than that.
If your executive team sees compliance as a burden or sunk cost, there is a need for some education. It is also likely that you and your team may be the best to deliver said education.
However, changing that mindset does not have to be laborious. Tactically, as a SOX leader, hone your focus on the areas that actually carry the highest risks, rather than on what your external auditor or audit committee wants to see. In doing so, you will be in a stronger position to prove that the work you and your team do has substantial value.
2. Is your culture's tone at the top to discover and address issues or to focus on achieving a clean audit?
We may be nearly 20 years into SOX as a regulation, but on the whole, the mindset around the regulation has not shifted dramatically. Executives not fully in the know are still stuck asking “What is within the scope of SOX?” rather than thinking about the broader internal control environment, even though the latter offers real benefits.
A Harvard Business Review article explains the situation well. Some executives approach SOX with “something like gratitude,” the authors write. “[Executives] were thinking not only of protecting stakeholders and shielding their companies from lawsuits but of developing better information about company operations in order to avoid making bad decisions.”
In other words, the true benefit of SOX is to develop better information about the underpinning operations in your organization, not mere regulatory compliance. If executives and your board fail to see that - and if the tone coming from the top is not favorable toward compliance exercises - the onus is on you and your team to get that point across. For the SOX process to have the greatest benefit for the entire organization, control deficiencies should be truly addressed and remedied, not just bandaged over for the short-term goal of a clean audit.
3. Do you know what your 10 to 20 most critical controls are?
Not all controls are created equal, and approaching each with identical levels of scrutiny is a recipe for disaster - or, at the very least, extra work. All key controls are important, but some are more pressing than others, and 10 to 20 make the list of the ones most likely to lead to a material weakness.
We have found that organizations achieve the most success by reprioritizing the most critical controls (based on which are most likely to incur a material weakness) and spending more time focused on enhancing the design of those controls.
By analyzing the overall control design for these 10 to 20 controls, dissecting how to enhance them, and finding ways to maximize the potential of each for the overall benefit of the company - rather than churning through a forest of controls - your entire organization will benefit.
Designed properly, your program can continue to evolve and change as business risk changes. But this is contingent on whether or not you create the bandwidth for your team to do so.
4. Do you have a strong set of direct entity-level controls?
When Sarbanes-Oxley was first released, it was a bottom-up exercise - the people on the front lines of compliance did the work based on the largest controls that impacted the entire organization, and the results were funneled up to executive leaders.
As the guidance around SOX compliance has become clearer and more precise on the more niche controls, compliance teams have tended to move away from testing and relying on direct entity-level controls, such as gross margin reviews or budget/actual reviews - even though these controls are key tools used by organizations to manage accurate financial reporting.
We firmly believe that SOX professionals need to return to placing greater reliance and emphasis on direct entity-level controls. After all, if there is a control failure, the company often points to these direct entity-level controls as the rationale for why there could not have been a material error in financial reporting.
With strong entity-level controls, organizations provide additional safeguards and assurance. By reevaluating these controls and making them more precise, they can truly defend the organization at a deeper level.
5. If you did not test your controls, would you feel confident they would pass?
Similar to my previous points, it's up to SOX teams to articulate why they are pursuing certain controls and not others. While it is critical to pick those 10 to 20 most important controls, it is just as vital to educate control owners and process owners on why these control activities are being done.
Testing every single control simply is not scalable, and doing so is not only stressful but also diminishes the scrutiny you place upfront on each risk.
It is more valuable to spend the time educating control owners on why they are executing controls. If controls are not being executed consistently, then the root cause is likely that the control owner either does not understand the rationale for performing the activity (which should be resolved through training or education in order to make the control more robust), or that the control is the wrong control (which should be resolved by revisiting both the risk and the control activity to ensure they are aligned). These activities are much more valuable than detailed sample testing of controls.
6. Have you identified KPIs that could identify and monitor potential issues in your SOX program?
To accomplish a goal, you must first articulate the goal. And, with SOX, to efficiently accomplish compliance, you must articulate the key performance indicators (KPIs) - what you want to achieve by when - that point you toward success.
KPIs draw a line in the sand between what is accomplished and what is not. They can also narrow down the areas where the process could be further enhanced.
For example, a KPI monitoring control might look at the number of exceptions identified during a quarterly user access review. If the metric shows an increase in the number of changes required as a result of the periodic review, that would indicate a need to look at the underlying process to determine why access for terminated employees was not being removed on a timely basis, or why removal was not being completed for all relevant applications. Another KPI might look at the level of employee turnover in key control positions within an area or process. If the metric shows higher turnover, you could proactively provide reminders or training on the control activities that need to be performed by those roles, to ensure no control activities are lost during the transition.
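As an added illustration of the first KPI described above (this is example code written for this page, not part of the article and not a KPMG tool), the following Python script reconciles an HR termination feed against quarterly user access review records, counts exceptions per application and per quarter, and flags quarter-over-quarter increases. The employee ids, applications, review records and the five-day removal window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inputs (not from the article).
# HR feed: employee id -> termination date.
TERMINATIONS = {
    "e102": date(2019, 7, 3),
    "e117": date(2019, 8, 21),
    "e130": date(2019, 11, 5),
    "e141": date(2019, 12, 12),
}

# Quarterly user access review records: one per (review quarter, application,
# account holder). removed_on is the date access was removed, or None if the
# account was still active when the review was performed.
REVIEW_RECORDS = [
    # Q3 2019 review
    {"quarter": "2019Q3", "app": "erp", "user": "e102", "removed_on": date(2019, 7, 4)},
    {"quarter": "2019Q3", "app": "erp", "user": "e117", "removed_on": None},
    {"quarter": "2019Q3", "app": "payroll", "user": "e117", "removed_on": date(2019, 8, 22)},
    {"quarter": "2019Q3", "app": "erp", "user": "e200", "removed_on": None},  # active employee
    # Q4 2019 review
    {"quarter": "2019Q4", "app": "erp", "user": "e130", "removed_on": None},
    {"quarter": "2019Q4", "app": "erp", "user": "e141", "removed_on": date(2019, 12, 30)},
    {"quarter": "2019Q4", "app": "payroll", "user": "e130", "removed_on": None},
    {"quarter": "2019Q4", "app": "payroll", "user": "e141", "removed_on": None},
]


def review_exceptions(terminations, records, sla_days=5):
    """Return {quarter: {app: exception_count}}.

    An exception is an account belonging to a terminated employee whose access
    was either still active at review time or removed more than sla_days after
    the termination date (sla_days is an assumed policy value).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        # Register the application so quarters with zero exceptions still report 0.
        counts[rec["quarter"]][rec["app"]] += 0
        term_date = terminations.get(rec["user"])
        if term_date is None:
            continue  # current employee, not an exception candidate
        removed = rec["removed_on"]
        late = removed is None or (removed - term_date).days > sla_days
        if late:
            counts[rec["quarter"]][rec["app"]] += 1
    return {q: dict(apps) for q, apps in counts.items()}


def quarterly_totals(counts):
    """Collapse per-application counts into one KPI value per quarter."""
    return {q: sum(apps.values()) for q, apps in counts.items()}


def trend_alerts(counts):
    """Compare consecutive quarters per application.

    Returns (prev_quarter, cur_quarter, app, prev_count, cur_count) for every
    application whose exception count rose. Quarter labels in YYYYQn form sort
    chronologically as strings.
    """
    quarters = sorted(counts)
    alerts = []
    for prev_q, cur_q in zip(quarters, quarters[1:]):
        for app in sorted(set(counts[prev_q]) | set(counts[cur_q])):
            prev, cur = counts[prev_q].get(app, 0), counts[cur_q].get(app, 0)
            if cur > prev:
                alerts.append((prev_q, cur_q, app, prev, cur))
    return alerts


if __name__ == "__main__":
    counts = review_exceptions(TERMINATIONS, REVIEW_RECORDS)
    for quarter, total in quarterly_totals(counts).items():
        print(f"{quarter}: {total} exception(s) {counts[quarter]}")
    for prev_q, cur_q, app, prev, cur in trend_alerts(counts):
        print(f"KPI alert: {app} exceptions rose from {prev} ({prev_q}) to {cur} ({cur_q})")
```

Breaking the count out per application is what lets the KPI distinguish the two root causes the article names: a rise concentrated in one application points at that application's deprovisioning step, while a rise across all applications points at the handoff from HR to the access removal process.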
Just as a set of well-planned new year's resolutions can provide guidance for the actions you will take in the months to come, the ongoing health of your SOX program can be kept in check by asking these six questions.
In doing so, you can help steer your compliance program toward greater effectiveness and further affirm that SOX can drive substantial business growth - today, tomorrow, and in the months to come.
For more detail on how to reinvigorate value, efficiency, and effectiveness around SOX compliance, contact us.
This article solely represents the views of the author(s) and does not necessarily represent the views or professional advice of KPMG. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.