Guest Post: A Call to Action for SOX Nerds

March 20, 2018

This is a guest post from David Gamble, SOX Director for a public utility in the southeastern United States with an operating revenue of more than $11 billion.

If you're a SOX nerd like me, you might have been through an experience like this one.

I recently participated in a root-cause analysis meeting with two groups at the utility I work for to discuss a recently identified audit issue. What started as a professional conversation quickly devolved into a controversial one.

One person in the meeting was particularly combative. When I asked why he was being so sensitive to the topic at hand, his answer spoke volumes about his perception of the role of SOX on the whole:

“You are just looking for someone to blame,” he said, “and I don’t want to be that person.”

For SOX nerds like myself, those are fighting words. We help businesses, not burden them.

SOX practitioners like us frequently have to defend our roles and oppose the idea that we are in the business of assigning blame and saddling the company with extra hoops to jump through.

However, this is not the case, and it is up to us to change this perception.

Fellow SOX nerds: if you've been looking for a call to action, here it is. Keep reading to learn why process improvement is good for business, how to combat the misconception that it is not, and why I'm passionate about SOX.

Battling common SOX compliance and internal audit misconceptions

I’m sure many of you as auditors have experienced similar situations. It is striking how often there is a gap between our perception of our role and the perception held by those we audit. Most internal auditors that I know consider our role to be one of accountability and risk management. Ideally, we see the creation of a more resilient, efficient, and risk-averse organization as the outcome of our efforts. We aim to collaborate and cooperate with our stakeholders to make processes more sustainable and less prone to failure—which can be costly.

The current mood of the country seems to be that government is always the problem, and less regulation is better. It is easy to forget that before the Environmental Protection Agency was formed, rivers in Cleveland often ignited, and trees in the Great Smoky Mountains were dying from acid rain.

When management complains about the cost of regulation, the Sarbanes-Oxley Act of 2002 (SOX) is often mentioned. We must remember that although no regulation is perfect, the cost to individuals and companies resulting from the failures of Enron and WorldCom was, for many, catastrophic.

Many Enron employees from acquired companies were required to convert their defined benefit pension plans into 401(k) plans funded with Enron stock. Coincidentally, many of those employees were limited in their ability to choose other investments.

When Enron declared bankruptcy and countless employee retirement funds were wiped out, do you think they thought that government regulation is always bad?

So, yes, investors and users of audit reports clearly believe SOX to be of value. However, is it possible that management has a poorly designed compliance function and/or control environment if they do not see the value of SOX?

A properly implemented SOX compliance program is good business

As an auditor with over 10 years of SOX-specific experience at three different organizations, from the beginning, I have emphasized that properly implemented SOX is good business.

From the first year I helped implement SOX at Gaylord Entertainment and the years following, my message to each VP of Finance at a Gaylord hotel was this: “SOX controls will make your hotel more efficient and, therefore, more profitable.”

As my current organization has refined our audit plan each year, we have become more efficient, the average age of our deficiencies has dropped by over 40 percent, and our burden on the business—the disruption due to audit activities—has significantly decreased.

Much of this improvement has resulted from a focus on the top-down, risk assessment approach first introduced in Auditing Standard No. 5 (AS5) as issued by the Public Company Accounting Oversight Board (PCAOB). Those of you who remember the painful, early-year audits under Auditing Standard No. 2 (AS2) will agree that the newer, risk-based approach has dramatically improved both external and internal audits.

I feel that this dedication to process improvement and efficiency has made me a full-fledged SOX nerd—perhaps you feel the same way.

Here are the top three reasons I am proudly a SOX nerd:

  1. We’ve automated the most manually intensive and painful processes.
    Using Wdesk, we have automated our risk assessment, deficiency evaluation, audit committee reporting, and all of our testing workpapers and evidence requests. Starting in FY17, we have adopted a continuous audit methodology where we select smaller samples in each quarter of the year, instead of our old approach (interim testing, then roll forward testing). As a result, we are more engaged with our stakeholders, and we identify and remediate deficiencies more quickly.

  2. Our testing plan varies based on risk and has eliminated thousands of testing hours.
    These changes and internal process improvements, largely enabled by Wdesk and combined with a testing plan that varies based on risk, have resulted in the elimination of almost 2,000 hours of audit testing each year for our organization. Today, we sample less and test less frequently for low-risk controls and processes than we do for medium- or high-risk ones.

  3. Saved time gives my team time to positively impact the business.
    We have taken those saved hours and invested them in more intensive root-cause analysis, remediation plan development and monitoring, and consultation with our stakeholders. This increased focus on root-cause analysis, remediation, and continuous improvement has provided measurable and noticeable benefits to all of the business units throughout our organization.

To solidify my proud nerd status, our SOX program was recognized as best in class by our external auditors after our audit committee and board of directors meetings earlier this year.

So, why am I a SOX nerd? Well, why do I come to work? Why do you come to work?

Studies have shown that millennials—perhaps more so than other age groups—want their jobs to matter. They want their efforts to make a difference.

My personal mission statement is simple: Whatever I find, wherever I go, whatever I do, I want to make sure I leave things just a little better than I found them.

Now, you may disagree, but I know of no better tool—no better motivation—than a properly implemented SOX program to continually improve an organization’s financial process and control environment.

Why am I a SOX nerd? That’s why.

David Gamble

About the author

David is Director of SOX Compliance at a public power utility with over $11 billion in annual sales. David previously served as Global Director of Internal Audit at Sitel Worldwide, a business process outsourcer with over 65,000 employees in 22 countries. In 2004, he also implemented year 1 SOX at Gaylord Entertainment, which is now known as Ryman Hospitality. He has experience and proven success in developing both people and partnerships with other business leaders to implement compliance programs with an emphasis on process improvement and internal controls at both publicly traded and private firms.