That would be a mistake. It's better to start today so you can reduce the cost of compliance resources and, more important, profit from SOX.
The first reason is simple -- supply and demand. Teams are now rolling off projects and lingering remediation efforts in droves, and these individuals are available and fully up to speed. The cost of these resources will spike again as the deadline approaches (or as second-round filers start their initiatives). Sarbanes-Oxley compliance is an arduous journey, especially for smaller-cap public companies with unique business units that have different and inconsistent business processes and controls.
The second reason is less obvious -- Sarbanes-Oxley doesn't have to increase your cost of compliance. If handled appropriately and proactively, it can be turned into a positive-ROI initiative. For many companies, this is the first time they have been forced to take a holistic look at all their processes.
First-time filers who delayed were forced to do the absolute minimum to achieve compliance, often creating additional and ad-hoc processes that increased, rather than decreased, reporting complexity.
Why put systems in place knowing that you're going to spend extra money auditing and later eliminating them? The best way to reduce the cost of compliance is to combine and/or eliminate the processes that need to be audited on an ongoing basis.
Use this extension to plan a SOX compliance program that first maps and minimizes your existing controls processes, and then establishes a compliance roadmap that is repeatable, sustainable and efficient. Seek and lock in a SOX business partner who has core competencies both in SOX and business process optimization (BPO), and who has experience using BPO to control and reduce SOX reporting complexity.
Late finish is not an option
To help prioritize compliance initiatives, best practices suggest that companies begin by using a risk-based approach to identify areas that are likely to impact financial reporting and their corresponding key controls.
Using this risk assessment, companies can focus and prioritize areas that must be addressed and corrected immediately; where the risks are high, where controls and procedures are not clearly defined and/or documented and where deficiencies are known.
Avoiding common mistakes
Here are the issues most commonly encountered by companies during their first year of compliance.
* Unclear process ownership and weak project management that resulted in huge resource drains, late filings and ongoing remediation efforts
* Poorly constructed risk assessment frameworks that led to ineffective (failed) control designs
* An inadequate understanding of the business and IT controls design resulted in defined controls that were unreliable in supporting the financial reporting process. Again, this led to remediation activities that could have been avoided altogether.
* Hasty and poorly planned remediation efforts that destroyed the value of prior compliance work
* A late and tactical approach to compliance that did not have business process improvement and process elimination as a core tenet
Turn a negative into a positive
Give yourself, your finance and IT teams, and your budget a break. Be proactive. Seek training for yourself and your team from multiple consultancies who have been through the wars and survived, and then engage the appropriate partner immediately -- before the rest of the herd gets moving.
Turn the SOX challenge into a competitive advantage by simultaneously simplifying your control processes and improving your access to timely and efficient business intelligence.
Phillip Long is an engagement director of Sarbanes-Oxley Compliance Optimization and IT risk management for Xperianz, a professional consultancy providing on-demand business expertise to help clients reduce cost, manage risk and leverage people, processes and technology for competitive advantage. Xperianz has offices throughout the Midwest and Southeast. Reach Long at (513) 576-1970, ext. 105.