Technology and the Sarbanes-Oxley Act of 2002 Featured

9:08am EDT March 24, 2006
Although the smallest, non-accelerated filers have been granted a deadline extension for complying with the requirements of Section 404 of the Sarbanes-Oxley Act, it remains clear that the SEC is intent on making top executives fulfill the spirit of the law.

Companies must be held accountable for maintaining an effective system of internal controls over financial reporting and making an annual assertion as to the system’s overall effectiveness as part of its annual report to the Securities and Exchange Commission. As such, many accelerated filers are now in the process of completing year two of compliance with Section 404 of the Sarbanes-Oxley Act.

“Many of these accelerated filers thought year two would actually be much more efficient than the fire-drill they experienced in completing the first year of compliance” notes John Gutierrez, a founding Principal of Avvantica Consulting in Dallas and the company’s SOX Practice leader.

Here’s what else Gutierrez told Smart Business:

Why aren’t we seeing more companies making SOX compliance more efficient and cost effective?
Internal staffing for year one compliance was mostly project-based and typically leveraged a high number of costly external resources. During the first half of 2005, most firms took a much deserved break before starting to think about year two. Often, the extended project team members were re-focused on their “real jobs” and dedicated compliance staffing was very lean. Once they started re-examining their results from year one, they realized they had to spend much more time cleaning-up disparate documentation and correcting problems throughout their organizations than they originally thought. They operated in project mode in year one by necessity and were not able to develop an effective compliance management process with the right supporting tools.

I believe the companies that were most successful in year two were able to develop a plan that strategically enabled them to transition from a project-based to process-based approach to achieving compliance, which solved these lingering issues from the first year.

How does a company go about making the transition from a project-based to a process-based approach?
The key to success lies in management’s ability to maintain the momentum they have already built while simultaneously transitioning focus such that compliance becomes part of the firm’s “corporate DNA” in the future. Executives should adopt best practices such as developing a compliance charter that establishes a corporate governance structure with supporting policies and procedures for how key process owners and stakeholders will routinely document, maintain and test the company’s system of internal controls as part of their ongoing job description.

In tandem, they need to implement a software solution as the technical foundation to enable ongoing compliance and achieve significant value for the organization. This combination should substantially increase the cost effectiveness of the compliance process and drive down the annual Total Cost of Compliance (TCC).

What would you consider the most key factors a company should consider when evaluating which software solution to implement?
Companies must find a solution that truly enables a seamless compliance process and delivers real cost savings. It should also provide executives with the right information to make key decisions and deliver compelling business value. It should be easy and inexpensive to implement. Implementations should be quick; measured in weeks not months. The software must have robust functionality designed to accelerate the data conversion process of a client’s existing compliance data, which is typically stored in numerous spreadsheets and various templates. It should also support the digitization, storage and retrieval of historical 404 documentation for audit record retention requirements and drive a significant ROI within the first year of compliance.

Once a company has chosen a compliance solution, what kind of advice would you give them on how to proceed?
Companies should develop specific solution implementation criteria and deadlines for their software vendor, and hold them accountable for delivery. If implemented properly, companies should be able to immediately leverage the solution to quickly identify controls optimization opportunities across the entire organization. Many executives don’t even realize how many controls they have until they see their data represented properly in the right (executive dashboard) reporting environment.

Finally, since even the best-planned transition takes time, companies usually will want to initially keep the controls maintenance function within a small group of employees such as the internal audit group. However, the executive team should push controls data maintenance accountability down to key process owners and stakeholders. Companies should facilitate more effective communication throughout the year by extending solution access to their external auditors, which should lead to lower SOX-related audit costs.

JOHN GUTIERREZ is a founding principal of Avvantica Consulting in Dallas and the company’s SOX Practice leader. Reach him at (214) 379-7904.