SOX Redux—an opportunity for a fresh look

During a roundtable moderated by Carole Switzer, Workiva (NYSE:WK) VP of Corporate MarketingMike Rost highlights the challenges that many organizations are facing in terms of evolving/maturing their processes to meet changing PCAOB requirements.

Switzer writes, "I recently re-read a 2006 Harvard Business Review piece by Stephen Wagner and Lee Dittmar entitled, “The Unexpected Benefits of Sarbanes-Oxley” and was impressed again by the authors’ prescient view that more companies would eventually see the business performance value that controls and structures demanded by SOX could provide.

Before reporting on how some forward-thinking companies had already started to implement better information management and stronger control frameworks in response to the law, the authors note, “As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.” They go on to note that many improvement projects were identified but parked for later attention so that the immediate need to satisfy the first year of the law’s requirements could be addressed.

Roundtable Excerpt:

Switzer: We’re now more than a decade into addressing compliance with the Sarbanes-Oxley Act, known as SOX. Section 404 of the law calls for stronger control systems to ensure the reliability of financial reporting. By now, doesn’t everyone have an appropriate control system in place?

Rost: I would say that organizations that are required to comply with Sarbanes-Oxley have a control system in place. However, the issue for some organizations is the challenge to mature their processes over the past five years to address the changing requirements of what the PCAOB is requiring for auditors, the enhanced disciplines of COSO 2013, and modernizing their SOX processes with new technology.

Switzer: What are some of the key shortcomings of still-existing first- or second-generation SOX approaches?

Rost: Key shortcomings include testing too many or the wrong controls, lack of a risk-based approach to SOX, and manual or outdated processes and technology. Organizations that have modernized their SOX processes have embraced a risk-based approach to defining their control libraries, which typically reduces the number or controls that they need to test.

Switzer: How has GRC technology capability changed over the past few years, and how do those changes support better SOX compliance? Is it mostly change that gives more transparency and accuracy of data or is the change mostly one that offers greater efficiency and cost savings?

Rost: Many organizations are still using the first-generation GRC technology they purchased to address SOX requirements. These software tools are typically inflexible, forms driven, and used primarily as document repositories. Technology has advanced significantly over the past ten years. Modern SOX technology is collaborative, cloud based, mobile enabled with document-centric user interfaces. Modern SOX technology enables users to better connect data and context, integrate people and documents, provide access anytime or anywhere, and accelerate process to decisions.

Switzer: Given the added value of standardized methods and controls initially driven by the need for SOX compliance, and the availability today of truly supportive technology that reduces cost and increases accuracy, would companies be advised to continue in refining these efforts even if the law were revised or revoked? I mean, is it really the law driving action today or is it the realized benefit of better controls and reporting?

Rost: Prior to SOX, the COSO internal control principles were considered a best practice for the previous 10 years. Internal control is broadly defined by COSO as: a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1.Effectiveness and efficiency of operations.

2.Reliability of financial reporting.

3.Compliance with applicable laws and regulations

For the latest information and news, visit The Workiva Press Page.

Compliance Week
Carole Switzer