Managing Sarbanes-Oxley Costs Effective control design lowers costs and increases efficiency.
A strong control environment can enhance Sarbanes-Oxley (SOX) compliance efficiency while effectively addressing financial reporting risks. Unfortunately, too many current SOX compliance programs result in bloated, complicated control environments that are cumbersome and expensive to maintain. In light of the current economy, many businesses have been forced to reduce personnel and to cut costs wherever possible, SOX compliance being no exception. While a more efficient compliance process will certainly result in cost savings, many businesses may not have the internal resources to create these efficiencies. The question is: do the benefits of a more streamlined compliance process outweigh the effort?
Costs incurred as a result of SOX compliance are numerous. Not only are companies faced with higher external audit fees, but they must also find the resources to complete their own assessment. Some companies have taken on the burden of testing controls internally, while others have outsourced the work to experienced external service providers. Frustrations with the day-to-day compliance requirements can also be overwhelming. Accounting departments are weighed down with physically signing off on a sheet of paper to confirm that each journal entry, reconciliation, and calculation has been properly reviewed. Checklists have been implemented, and the project requires ongoing management.
There is, however, a light at the end of the tunnel. Despite the headache that compliance may have caused companies in the past, a few process modifications can ease the strain going forward. Many corporations continue to manage their SOX compliance efforts under outdated guidelines—namely, Audit Standard 2 (issued by the Public Company Accounting Oversight Board)—and have not yet fully taken advantage of the benefits of the more recently issued Audit Standard 5 (AS5). Other companies, such as non-accelerated filers or smaller public companies, are burdened with the expectation that their control environments should be benchmarked against those of larger, more complex enterprises. By utilizing a top-down, risk-based approach, and scaling the process to the size of the organization, companies can rely heavily on direct, monitoring, and indirect entity-level controls to reduce risk and, consequently, key controls at the activity level.
The Benefits of Streamlining
Many companies may not have yet taken a pass at optimizing controls despite the more relaxed AS5 guidance. Others may have already reduced total “key” controls somewhat, but probably still have more room to squeeze out incremental efficiencies. SOX compliance is an ongoing process and includes opportunities for continuous improvement. By focusing on more effective analytics and direct entity-level controls, companies can drastically reduce the risk in all business cycles, resulting in fewer required key activity controls. Specifically, companies should consider the following:
- Automating controls, when possible, can drastically reduce testing of high-volume recurring transactions.
- Performing a strong budget vs. actual review mitigates a good portion of the Income Statement risk.
- Analytics, such as estimating payroll by headcount, can provide a high level of assurance over process risk and minimizes the need for additional activity level controls.
- Consolidating decentralized controls and processes at various locations through corporate close procedures can minimize multiple location scoping.
Streamlining controls can save companies big bucks in the SOX compliance department. Each control must be tested by management and by external auditors. Fewer controls to manage, track, and test can create a good deal of savings.
SOX Efficiency
An effective SOX compliance program is initiated with an assessment of financial reporting risks. Control design should be limited to only those control points at which mission-critical risks are prevalent. Fewer controls to maintain and track means more time to effectively monitor the valuable key controls. Once a strong control environment has been put into place, it requires continuous monitoring to ensure its effectiveness. A successful monitoring process includes self-assessment compliance and testing of controls. Increased ownership and monitoring by management directly results in fewer exceptions, which saves costly time spent performing the year-end deficiency analysis. Efficiencies can also be gained by managing the testing process through an automated workflow system, rather than through cumbersome spreadsheets. A variety of systems are available in the market to help companies better manage this process.
The following three-step approach demonstrates an efficient Sarbanes-Oxley compliance program.
Step 1: Assess financial statement risk | Evaluate the business, identify critical financial statement risks, and analyze current control design. Capitalize on existing analytical procedures that are already performed to reduce overall financial statement risk. |
Step 2: Streamline control structure | Strip away redundant, ineffective, and unnecessary activity level controls while enhancing controls that are mission-critical. |
Step 3: Monitor and test internal controls | Develop a comprehensive testing plan. Monitor the control environment throughout the year to reduce the likelihood of exceptions and to ensure that any issues are surfaced with sufficient time to perform remediation efforts prior to the final year-end assessment. |
Review your current SOX compliance program to determine if it is in line with this model and consider the following factors to determine if a more efficient process may be in order:
- Is the current control environment comprised of more than 150 key controls? More than 200?
- Are multiple copies of the same document required by both SOX compliance testers and external auditors, only to later be lost by one or more of them?
- Do audit fees continue to climb despite the fact that controls have been designed to cover every conceivable financial reporting risk?
- Does the current control structure take precious time away from employees, impeding them from performing their necessary daily tasks?
If the answer to any of these questions is yes, consider redesigning the control environment to create an efficient, effective control structure.