Efficiently Achieving Sustainable Compliance
The Sarbanes-Oxley Act (SOX) has been in effect for more than 15 years, yet many companies still haven’t streamlined key elements of their compliance process. They continue to use manual processes for testing controls as well as attesting to their effectiveness. Many key controls are detective in nature and involve checks and re-checks performed after the fact to achieve the assurance that organizations need. Spreadsheets and email messages remain the most common way to manage the data collection, attestations and affirmations that compliance requires.
The act has been successful in that there hasn’t been a widespread recurrence of the financial-statement manipulation and fraud that spurred its passage. Yet over the years, companies have continually disclosed material weaknesses, underscoring the need for the Act. And that success has come at a cost – companies have found that the price tag for complying with the law has remained high, often running more than $1 million annually for accelerated and large accelerated filers, according to the consulting organization Protiviti.
Software designed to manage compliance and owned by finance and accounting can provide strong controls that meet the demands of SOX compliance while improving accounting department efficiency and lowering the cost of internal and external audit. CFOs and controllers in companies that must file with the U.S. Securities and Exchange Commission (SEC) and that use spreadsheets to manage SOX compliance should assess software applications to replace them wherever possible. They are likely to find that they can lower the risk of non-compliance, streamline their Sarbanes-Oxley processes and reduce costs.
Sections 404 and 302 Summarized
Two sections of the Sarbanes-Oxley Act are of particular interest to CFOs, controllers and heads of internal audit. Section 404 requires that management of public companies assess the effectiveness of the internal controls of their financial statements. Financial controls include processes, policies and procedures, which are a core element of corporate governance.
The essential objective of section 404 is to apply a comprehensive approach to preventing financial fraud. Most organizations use the “COSO Framework,” which developed from the Committee of Sponsoring Organizations (of the Treadway Commission) recommendations for dealing with computer-based fraud in accounting systems. The Framework is a total-quality-management approach to accounting processes, one that uses control mechanisms to ensure as much as possible that the financial statements are accurate and free of any material misstatements. To accomplish these objectives, companies must have controls in place that will either prevent or detect problems and they must test those controls periodically to ensure they are effective.
The second is section 302, which holds that the CEO and CFO of a corporation are directly responsible to the SEC for the accuracy, documentation and submission of all financial reports as well as the internal control structure. Since compliance tasks are delegated, senior executives must rely on the word of others that they have successfully completed section 404 tasks, and these attestations must be confirmed by supervisors.
Four Compliance Imperatives
There are four Sarbanes-Oxley compliance imperatives that companies using spreadsheets must follow: They must simplify, standardize, centralize and certify compliance at the nearest point of control.
We recommend two approaches to simplify SOX 404 compliance by reducing the number of necessary controls. One is creating high-level controls that will eliminate the need for additional controls and testing. For example, identity controls built into secure IT systems ensure that all digital signatures are valid and that individuals can access only allowed data and processes. This eliminates the need to create identity controls in every process.
The second is designing accounting processes to reduce the number of necessary controls. For instance, having IT systems manage an accounting process and related data without interruption from start to finish ensures that data integrity is maintained throughout the process. As a result, the data doesn’t require checking and reconciliations to establish its lineage, accuracy and validity. In addition, the compliance process itself can be made simpler by ensuring that those who are required to test controls and certify their effectiveness have all the information they need about the controls and their testing readily available to perform this task.
Spreadsheets complicate Sarbanes-Oxley compliance because they are time-consuming. Moreover, incorporating spreadsheets in processes fundamentally creates more auditing because they are inherently a source of errors and therefore must be audited more closely than systems with controlled data flows. Typically, to collect information about controls a company might send individual copies of its risk-control matrix spreadsheet to each location or business unit, listing all the controls that must be tested and the risks the controls mitigate. Each location or business unit then documents that all controls in force at that location have been properly tested and proven effective. Internal and external auditors often work with management to determine which controls must be tested. They request “provided by client” (PBC) items for testing, perform walkthroughs with the owners of the controls and document that the controls were properly tested and effective. This process typically is managed in spreadsheets that are printed or accessed from shared drives and communicated using email.
Our Spreadsheets in the Enterprise benchmark research finds that these activities are burdensome even for those with more than a decade of experience who use spreadsheets all the time. These users reported spending the equivalent of more than two days each month (18.1 hours) maintaining the most important spreadsheet they use. For an audit and control mechanism, spreadsheets are dependably error-prone. The same research finds that 35 percent contain data errors and 26 percent have errors in formulas. Version control is difficult to maintain.
Standardization is a means of rationalizing and therefore simplifying controls, tests and processes. Because this process minimizes complexity, it promotes more consistent and effective compliance with Sarbanes-Oxley sections 404 and 302. Standardization also reduces the effort needed to sustain compliance because standard processes, controls and tests are easier to administer and audit. By analogy, standardizing journal entries is cited most frequently as a specific means to shorten the close process. Software that has defined workflows with established rules, roles and responsibilities ensures that processes are executed consistently.
Relying on spreadsheets makes it difficult to achieve consistency. Even when a company locks down a spreadsheet to prevent editing, an older version may be used, defeating the attempt at standardization. Our research finds that nearly half (45%) of companies said they find multiple versions of the same spreadsheet file circulating either frequently or all of the time.
Centralization is a means of maintaining standardization and consistency in Sarbanes-Oxley compliance. Centralized controls, policies, procedures, workflows and compliance-related data facilitate audit and oversight because only those in internal audit, compliance, accounting and finance who are authorized can make changes. Finance and accounting applications’ system logs make it easy to flag any new changes. This means reviews of those changes by internal or external auditors need only be made by exception rather than by having to review all or a sample. Logs also reveal who made the changes and whether the appropriate approvals and sign-offs were completed.
Centralization also means keeping documentation in an enterprise “file cabinet,” a single, centralized, secure repository, making it easier to be certain that the most current version of compliance documents and policies is used. Keeping narratives, records and results from a control deficiency and its resolution in a central location means they are readily available to internal and external auditors. This approach speeds up the retrieval, assembly and presentation of compliance-related data. A centralized system makes it easier to implement updates to processes, controls and tests. Rather than having to make changes to dozens of compliance spreadsheets, that change is made once in a centralized system and immediately propagated across a company.
Spreadsheets are islands of information that provide only the illusion of centralization when they are rolled up into a company-wide view. Compared to an application with workflows and supervision built in, spreadsheets cannot provide visibility that makes it easy to monitor the status of compliance processes and manage the process by exception.
Certify at the Point of Control
To be most effective, the testing, validating and certifying of a control should be done by those closest to it. This way those most familiar with the control are doing the work, spreading workloads across a larger number of people. A dedicated application with workflows to administer and delegate process execution can handle any volume of certifiers. Companies using spreadsheets may limit the delegation of work because it’s too hard to administer the process, reviews and data collection.
Software Improves Control and Efficiency
Companies that must file their financial statements with the U.S. SEC and that use spreadsheets to manage the bulk of their Sarbanes-Oxley section 404 and 302 compliance requirements should investigate alternatives to spreadsheets. Software provides a clean file-box approach to compliance and certification. Workflows built into the software provide a high-level control that ensures that, for example, all controls are tested as frequently as they should be, that any control failures are exposed and that responsible parties take the proper steps to address the issues behind the failure. Compared to spreadsheets, an application can handle crunch-time workload more easily and with greater confidence because centralization and process automation provide supervisors with greater visibility into issues that require their attention. Workflows enable supervisors to focus only on high-risk issues and address control deficiencies.
Furthermore, applications automate handoffs: Our research finds that one-fourth (26%) of companies said that spreadsheet processes are delayed frequently or all of the time because people forget to forward the spreadsheet or are unsure of what to do next. Software is far less prone to data or formula errors than spreadsheets and eliminates version control issues. And using workflows to manage Section 302 certification processes and storing documents and attestations centrally means that steps in this process aren’t overlooked and that compliance documentation is always readily available to internal and external auditors.
A Business Case Built on Effectiveness
As finance and accounting departments assemble a business case for investing in software for managing Sarbanes-Oxley compliance, they should include in their assessment the value of the software that goes beyond efficiency. Replacing spreadsheets with a well-designed software application will provide executives with greater confidence in the quality and accuracy of financial statements. When time is tight, this type of software provides visibility into the exact status of the process and helps to pinpoint where there may be delays or other issues. Workflows that define the proper control environment, the testing of controls, the centralized reporting of failures, escalations when issues occur and sign-offs on completed work are affirmative steps demonstrating that a company has exercised sufficient diligence in complying with the Act.
What might have been acceptable in the past isn’t guaranteed for the future, especially since the standard for what executives “should have known” ratchets higher every year. Saving time that’s now spent on non-strategic administrative work also means that time can be redirected to more productive work. And relieving the accounting staff of tedious, repetitive work can make it easier to hire and retain qualified individuals.
Companies that are now using spreadsheets and emails to manage their Sarbanes-Oxley sections 404 and 302 compliance process should begin immediately to look for their replacement. Spreadsheets are indispensable for many finance and accounting tasks but not compliance. They have inherent shortcomings that cost organizations valuable time and pose unnecessary risks for compliance. Affordable alternatives exist and should be evaluated.
About Ventana Research
Ventana Research is the most authoritative and respected benchmark business technology research and advisory services firm. We provide insight and expert guidance on mainstream and disruptive technologies through a unique set of research-based offerings including benchmark research and technology evaluation assessments, education workshops and our research and advisory services, Ventana On-Demand. Our unparalleled understanding of the role of technology in optimizing business processes and performance and our best practices guidance are rooted in our rigorous research-based benchmarking of people, processes, information and technology across business and IT functions in every industry. This benchmark research plus our market coverage and in-depth knowledge of hundreds of technology providers means we can deliver education and expertise to our clients to increase the value they derive from technology investments while reducing time, cost and risk.
Ventana Research provides the most comprehensive analyst and research coverage in the industry; business and IT professionals worldwide are members of our community and benefit from Ventana Research’s insights, as do highly regarded media and association partners around the globe. Our views and analyses are distributed daily through blogs and social media channels including Twitter, Facebook, and LinkedIn.
To learn how Ventana Research advances the maturity of organizations’ use of information and technology through benchmark research, education and advisory services, visit www.ventanaresearch.com.