Sarbanes-Oxley (SOX) has created a lot of extra work for CFOs, finance and IT departments. However, when the correct approach is taken to comply, enterprises can experience long-term benefits without adding substantial overhead to manage compliance.
The Foundation of Compliance
The IT infrastructure is the foundation for an enterprise's financial systems. In year one of SOX, many companies decided it was best to use one company to provide the audit effort, help with documentation and policy and procedure creation. On the surface, this was a sound decision; one provider would give the enterprise a unified set of documents and controls across IT and finance. However, for year two, many companies are reevaluating this strategy.
Today, many companies are seeing value in splitting the compliance effort between a regional accounting firm for financial compliance and an IT consulting firm that is well-versed in Control Objectives for Information and Related Technology (COBIT) and in remediation of the IT infrastructure. The IT consulting firm provides deeper insight into the changes required in IT and application infrastructures.
Many companies have chosen to use the new regulations as an impetus to better manage their records and improve data flow by incorporating analytics, forecasting and modeling into the mix. Rather than being a burden, SOX can give companies the momentum they need to incorporate financial intelligence throughout the enterprise and become more competitive in the process.
Patching versus Architecting
SOX will require changes in IT and application infrastructure that support the business; some companies are even deciding to use the new regulations as justification to convert their entire computing infrastructure from a legacy architecture. Why? Simply stated, it comes down to cost versus benefits. Many companies are expecting to spend one to two percent of their total revenue on SOX compliance. For a $5 million company, that is $500,000 to $1 million.
CFOs of midmarket companies are reluctant to spend money patching a legacy infrastructure and implementing controls that do not provide value to the organization other than compliance with the act. The newer applications available to midmarket companies provide many benefits unavailable in the legacy environment.
Stronger role-based security, preventive controls, monitoring tools and reports, and executive dashboards are all key ways to help reduce the effort required by IT to support the SOX initiative. In most IT environments, hardware is continually upgraded as the enterprise grows to keep up with user demands. Often, the applications remain the same and are merely reinstalled on the newer hardware. Companies are seeing that they can retire legacy applications, strike deals on licensing agreements and reap benefits from compliance by architecting a solution as opposed to patching their existing environments.
Event versus Process
In year one of SOX, many companies were reactionary. Compliance was event-driven. IT departments patched systems and produced manual tests to prove controls were in place and security was adequate for compliance. This event-driven model has proven to be very costly in two ways: money is spent patching legacy applications, and IT resources are diverted from supporting the day-to-day operation of IT processes.
Year two finds companies looking for a way to reduce these costs. The alternative is turning SOX compliance from an event to a process. Many IT consulting firms have been able to identify processes that can be implemented within the IT infrastructure to reduce the time and effort required to reach compliance.
The configuration of operating systems, network monitoring tools, change-control applications, backup strategies and automated reporting of those activities reduces the IT effort significantly. This allows IT departments to return to the tasks of supporting the company as opposed to dedicating resources to support SOX and other compliance issues.
The leading IT consulting firms also provide the means to create company portals for the IT departments. These portals provide a repository for the company's controls and risk matrices, with links from these documents to the tests that prove the effectiveness of the company's SOX initiative. This greatly reduces the time needed to prepare for future audits and provides CFOs with the foundation for dashboard elements that can keep them abreast of compliance.
Alleviating the Hassle
The biggest problem many firms have faced is using an accounting audit firm that doesn't have IT as its primary focus. The IT department then struggles to fill in the gaps, correct errors and play catch-up. More and more firms are choosing to outsource their compliance effort to IT-specific consultants. Here's what to look for:
Experience. Everyone has to start somewhere, but you probably don't want your business to be the consultant's first client for SOX compliance. Make certain the individual consultant or firm has experience doing what you need done.
Standards of Practice. If you are considering a firm that does not belong to an association or does not have industry partnerships and certifications, ask questions such as "What standard do you use for the framework of your SOX practice?" or "What are the key areas I should expect the auditors to focus on?" Be sure to ask for references.
Focus of Practice. Some IT firms provide general consulting, while others specialize in specific areas. Make sure your needs match the consultant's expertise. IT firms that provide audit, policy and procedure creation, risk control matrices and remediation typically know best what they need to deliver to satisfy the auditors.
Audit Firm Experience. Ask with which audit firms the IT consultant has prior experience. While within each firm there are differences between the partners and what they require, the audit firm itself typically requires that certain standards be met. A consulting firm that has worked with a particular audit firm in the past will save your company a lot of time and money.
Method of Services Delivery. Businesses with an in-house IT staff for managing the IT process may simply need to augment their existing human resources by contracting a few individuals and providing management in-house. On the other hand, smaller companies will probably want the consultant to oversee and deliver the total project.
SOX compliance can be very costly from a financial standpoint as well as from a resource standpoint because internal resources need to be allocated away from critical business functions to facilitate compliance. The key to alleviating these costs is to change your perspective when approaching the compliance situation. Being proactive and architecting a compliance infrastructure, rather than simply patching, leads to a reduction in overhead and frees the IT department to work on strategic objectives for the organization. SOX compliance moves from being an arduous duty to a catalyst for a strengthened IT framework that helps the enterprise develop best practice and become more competitive.
It's also crucial to treat compliance as a process rather than an event. Incorporating IT processes for the long term will alleviate future headaches and make compliance a normal part of business operations, rather than a fire-drill effort.
Finally, when choosing an IT vendor to assist you with compliance efforts, ensure that you thoroughly research their capabilities and experience. With SOX compliance being such a hot-button item, a number of firms are out there marketing themselves as experts when they actually have little or no experience to offer. As with any service critical to your business, buyer beware.