Surely the single most crucial Sarbanes-Oxley topic today is finding an efficient way of managing and sustaining compliance over the longer term. Most organisations caught by the legislation have completed the groundwork of documenting their financial reporting structure and process and the control fence around them, but it has been a very time-intensive struggle to achieve compliance.
The next challenge is to identify and adopt a sustainable solution that distributes responsibility for monitoring of controls to the appropriate managers, and minimises the time and effort required to maintain it. Data and report mining, including the automated versions of such software, can and will play a vital role in this process, bringing to the table understandable systems and a business-as-usual enterprise environment.
Such solutions should also ensure accountability for those managers, requiring systematic review and sign-off through defined workflows. Ideally, the solution would provide support for automation of the monitoring of critical controls. A long-term solution will eventually be integrated into many of the organisation's enterprise applications, with the ability to extract data and monitor key control activities, delivering the timely reporting that S409 demands. If ever there was a business environment designed for data mining, then Sarbanes-Oxley – and the other current compliance imperatives – have certainly created and defined it.
The task seems simple enough on the surface, but the requirements are extensive. Controls must be monitored and tested on a regular basis to ensure that they are performing adequately. The documentation must be updated and maintained. Management must be able to support their assertions that the financial data in their reports is accurate. Material weaknesses must be identified and reported in a timely manner. Resolution of issues must be tracked and reported. The control environment must be evaluated. A cultural change may be needed to encourage managers to identify problems without the fear of retribution. Once it is understood that this is an enterprise-wide task and not – as many are reported as believing – an IT issue, fear becomes redundant.
The best IT head in the world is highly unlikely to be a compliance professional or, for that matter, an internal auditor or finance professional. To see this new era as a mostly IT issue is to assume that IT can be tasked with fully understanding all the additional needs of these other departments in a real-time and changing environment. It is much better to allow compliance, audit and finance teams direct access to the existing data, using their accumulated knowledge and data mining skills to monitor and control these vital processes.
Organisations that find a technology solution which allows them to efficiently meet these requirements, with a minimum of manual effort, will reap rewards. But what they need is not more expensive technology, just timely solutions. These solutions will ultimately provide more than just compliance with Sarbanes-Oxley. The same solutions can be applied across the enterprise to document, evaluate and monitor processes and controls in all areas. They do not need to be limited to financial reporting. The methods and procedures that are applied to achieve compliance for Sarbanes-Oxley can also provide the foundation for an enterprise risk management program. Better corporate governance is the certain prize awaiting those enterprises which adopt a can-do and positive approach to twenty-first-century compliance.
The objective of Sarbanes-Oxley is to provide shareholders, markets and regulators with greater transparency into the financial reporting process. The goal of enterprise risk management is to provide executive management with greater understanding and transparency into their enterprise, enabling them to make better management decisions. IT auditing can apply a system of measurement to the organisation's internal processes, providing management with an understanding of the strengths and weaknesses of their organisation's systems. It allows resources to be assigned to the appropriate areas to address weaknesses or to exploit areas with competitive advantages.
Better business process is a long-term goal for many organisations. The first and most pressing need is to find the solution which can efficiently and effectively help them maintain compliance with the many requirements of the Sarbanes-Oxley Act. Technology can and will help in that imperative, but enterprises should be wary of technology-at-any-cost pitches, concentrate on the solution, and import no more new technology than is necessary to enhance the existing process. Business as usual wins over technology at any price.