After the Sarbanes-Oxley Act of 2002 (SOX) was enacted, companies were forced to rethink their reporting to avoid penalties, but SOX compliance also benefits organizations in several significant ways. SOX introduced a new approach to financial reporting that has produced greater market trust. For private companies considering going public, SOX compliance pays off directly because it leads to better IPO pricing. A 2014 Forbes article written by Harvard Business School Working Knowledge notes,
Despite high initial costs of the internal control mandate, evidence shows that it has proved beneficial….Another concern that the act would shrink the number of IPOs has not been borne out either; in fact, the pricing of IPOs post-SOX became less uncertain. The cost of being a publicly traded company did cause some firms to go private, but research shows these were primarily organizations that were smaller, less liquid, and more fraud-prone.
This ability to price IPOs more accurately has added to market certainty, while the act also cleared the public market of companies that were better suited to being held privately. The result has been greater overall market strength as well as stronger financial stability at individual companies.
Six Ways SOX Compliance Benefits the Organization
1. Risk Triage
Not all risks are created equal. SOX compliance benefits companies by giving them a starting point for analyzing their assets. Ranking those risks lets the organization direct its control effort where it matters most. The Information Systems Audit and Control Association (ISACA) explains,
The most appropriate and effective way to define the right scope and the extent of testing for each Sarbanes-Oxley in-scope system is to perform a risk assessment focusing on the risks associated with Sarbanes-Oxley requirements and specific to ITGC. Risk assessment is not a new buzzword—everyone in today’s world talks about risk-based approach, risk assessments, etc., but few understand that for a risk assessment exercise to be successful, it is extremely important to identify whether the focus of risk assessment is confidentiality, integrity and/or availability, and then to define the risk criteria/parameters.
For example, a risk assessment exercise for Payment Card Industry (PCI) Data Security Standard (DSS) compliance focuses on what should and should not be stored to ensure that credit card information is not compromised and, thus, to ensure data privacy. However, for Sarbanes-Oxley, the same approach cannot be applied because Sarbanes-Oxley focuses on data integrity and misstatements to financial reporting. Therefore, the risk assessment criterion shifts from data privacy to data integrity.
Focused risk assessments mean understanding the entire landscape of the organization’s controls. By learning which areas do not need to be SOX compliant, the company can concentrate on shoring up the areas that carry the greatest risk. In addition, by learning which areas fall under SOX and how they fit into the compliance profile, internal stakeholders gain insight into how the various compliance regimes they face overlap.
2. Control Structure Strengthening
Sections 302 and 404 require management to document and assess internal controls, which in practice means operations manuals, personnel policies, and written control procedures. Faced with this volume of documentation, many organizations find the process overwhelming.
SOX compliance benefits around controls include better control awareness among control owners: how and why the controls matter, and where they fit into the big picture, becomes more transparent. When auditors and management focus on internal controls through a SOX assessment, control owners quickly become more aware of how important their activities are to the financial success of the organization. The additional scrutiny of a SOX assessment pushes participants to make sure that activities important to financial reporting are well executed and well controlled.
Businesses often grow organically. Staff changes then lead to control changes, and the gaps those changes open can cause problems as the company matures. SOX compliance therefore benefits even smaller organizations at an early stage, and established companies uncover gaps as well. In 2006, Harvard Business Review writers Stephen Wagner and Lee Dittmar wrote,
PepsiCo has also benefited from updating its documentation processes. In the course of making these updates, the company determined that inadequate controls existed for pension accounting, a complex process that depends not only on the internal compensation and benefits group but on external actuaries and asset custodians. Lardieri says with dismay, “A lot of steps we assumed were being taken—account reconciliations and interest calculations and data integrity checks—actually weren’t.”
For larger organizations just starting the process, the benefits of SOX compliance may be surprising. However, as SOX compliance has matured since 2006, the issue today is more often how that documentation is maintained. For organizations that track SOX compliance in spreadsheets, information tends to end up scattered across the company. Automated tools keep the documentation in a single location, providing the visibility needed to ensure that all stakeholders are aware of the controls.
3. Better Audits
While “better audits” sounds vague, the term covers many different aspects of the audit process. The 2016 Protiviti Sarbanes-Oxley Compliance Survey noted that:
- For a strong majority of public companies (85 percent), either the audit committee or executive management is the executive sponsor for SOX compliance efforts. The audit committee should be responsible for the broad overview of the organization’s risk management, under which SOX compliance falls. Executive management is specifically responsible for the accuracy and completeness of the organization’s internal control over financial reporting – a key component of the SOX requirements. Therefore, it makes sense that executive sponsorship falls under one of these bodies, particularly within a public company.
- Internal audit is primarily responsible for the execution of these activities in one out of three companies (35 percent). Within a majority of organizations, either internal audit or management and/or process owners have this responsibility.
- When it comes to testing, two-thirds of public companies rely on either their internal audit groups (46 percent) or management and/or process owners (21 percent).
- Internal auditors performing and supporting testing efforts is not surprising, given that they are well-suited to do it with their skill sets and they are sufficiently independent to enable external audit reliance.
More effective and efficient operations lead to better audit outcomes. With better internal audit outcomes, external auditors have a more efficient process. A more efficient external audit lowers overall audit costs and reduces the employee time spent responding to external audit findings. A structured SOX program also improves audit evidence collection and makes the work easier for the people supporting the auditors, and an automated platform like ZenGRC adds dashboards that simplify audit project management.
4. Efficient Financial Reporting
The main goal of SOX was to provide transparency in financial reporting. To achieve that, it required companies to establish a process for determining that reported information is reliable. The early processes companies built looked much like the COSO description:
management probably specified a high-level financial reporting objective and sub-objectives related to preparing financial statements and disclosures. In doing so, it identified significant financial statement accounts based on the risk of material misstatement. Then, for each account or disclosure, management identified relevant financial reporting assertions, including existence, completeness, rights and obligations, valuation or allocation, presentation and disclosure, and the like. In addition, management identified underlying transactions, events, and processes supporting the respective accounts and disclosures. The result may have been a mapping of the design of your company’s internal control environment, providing evidence that control activities are in place for all relevant financial reporting assertions for all significant accounts and disclosures. If there were any significant gaps, you remediated them accordingly.
Despite the perceived drudgery of documentation, completing this process allows for more efficient financial reporting in years two and beyond. With the control environment mapped, the documentation makes material changes easy to track, which keeps reporting manageable as the organization matures. More accurate financial reporting also means less time spent correcting mistakes.
5. Peak Operational Performance Early On
Early engagement with SOX compliance benefits companies by instilling a discipline of internal control that eases growing pains. In his Institute of Internal Auditors North America presentation, Steve Guarini, formerly with Rehmann Group and now with Cohen & Company, noted that an effective SOX compliance effort would:
- Utilize a top-down approach to drive efficiency and effectiveness
- Focus on areas of high risk, significant accounts, processes, and locations
- Take a practical approach to “right-sizing” documentation
- Focus on key controls versus all controls
- Integrate IT and business processes and maximize the benefit of automated and manual controls
- Build the control structure with the goal of maximizing operational and auditing efficiency and minimizing compliance costs
Because SOX requires organizations to put controls in place early, it makes them assess their starting point and then reassess their risk every year. Controls therefore cannot be haphazard. It also pushes organizations to begin with a streamlined approach to risk that integrates multiple business areas rather than treating each in isolation.
6. Team Collaboration and Stronger Working Relationships
SOX compliance requires deeper and more frequent collaboration among internal stakeholders. Ernst & Young notes:
As the IT risk profile and threat landscape rapidly changes and risks increase, companies need to change their mindset and approach toward IT risk to address a new normal. Now more than ever, IT issues are issues of importance to the C-suite. Boards of directors, audit committees, general counsels and chief risk officers need to work alongside IT leaders and information security and privacy of users to fully address their organization’s risk management level of due care, approach and preparedness and to implement an IT risk management program that is adequate and effective in managing cyber risks.
Internal auditors and those who oversee SOX assessments work across business lines with everyone who owns or contributes to financial controls, such as control owners, IT, and HR. SOX thus provides the backdrop for building stronger working relationships among teams, and at the heart of that collaboration lies communication. Automated GRC tools like ZenGRC make collaboration easier by creating a single, accessible location where stakeholders can meet. Access to that location can itself be controlled, granting each stakeholder the permissions appropriate to their compliance role.
Looking to get started with SOX compliance and curious about how an automated tool can help? Contact one of our GRC specialists.