
What is the single most challenging Sarbanes-Oxley issue today?

Harald Will
ACL Services

Defining a 'single' most challenging issue for compliance with Sarbanes-Oxley (SOX) legislation is tough. One of the main questions ACL hears from the marketplace is that while the consequences of non-compliance are clear in the legislation, companies are still struggling to answer what 'adequate' testing of internal controls means.

Sarbanes-Oxley requires that organizations document and test the controls that directly impact their operational risks. It also requires that companies obtain an annual attestation from their external auditors that the controls they have in place are working effectively. It is this measuring and documenting of the operational risk that has created the sharp rise in compliance costs. Characterized by high volumes of transactional data that are dispersed across multiple applications, the operational control environment is the most costly and difficult to document and test. This has left many CFOs and controllers asking themselves, how much testing is enough?

Market research has identified that a significant number of companies are experiencing challenges in completing the testing component, and now have the opportunity to find alternative solutions to effectively address this issue.

Long before SOX was drafted, auditors and financial managers had to balance the benefits of internal controls against the cost of implementing and maintaining them. Continuous monitoring (or auditing) uses technology to test the effectiveness of controls, for entire business process areas, at the transactional data level. An effective continuous monitoring system requires technology that provides identification of control rules for each internal control point, and independent tests that validate each control rule. Continuous monitoring can be a cost-effective solution for testing controls at the transactional level and improving profitability, while also supporting overall good corporate governance. The key is finding the balance between effectively testing controls in higher risk areas and not creating an over-controlled environment that slows down operational efficiency.

In addition, an independent continuous monitoring system can provide value beyond that of supporting Sarbanes-Oxley and regulatory compliance. Weak or absent controls, as well as transactions that evade controls, ultimately damage the profitability and success of an organization. The ability to constantly test the integrity of transactions and rapidly identify and solve problems before they become costly is simply a good business practice. Properly implemented, continuous controls monitoring systems have been proven to produce a very good ROI, in terms of achieving regulatory compliance and also in reduced expenditures and increased revenues.

Ideally, Enterprise Resource Planning (ERP) systems and other transaction processing systems should be implemented in such a way that controls are embedded in the core application. In theory, continuous monitoring of transactions would not be necessary if the core application itself ensured tight controls. In practice, the pressure of implementing new ERP systems within tight deadlines can mean insufficient attention is given to effective control mechanisms. Even if systems are initially implemented with sound controls in place, over time system users often find creative ways to bypass controls. Here the value of an independent transaction monitoring system can be twofold. First, it identifies instances where defined controls have been bypassed. Second, it highlights control risks for which no specific control procedure has been established.

The recent delay for SOX 404 filings for accelerated filers is understandable due to the complexity and uncertainty around what needs to be done to meet the filing requirements. The legislation was put together with good intentions, quickly, to address an urgent market concern. What's being recognized now is the sheer amount of work required to understand, document, and test controls at the levels required.

That being said, there are a few organizations that are further along in this process than others, and they are already seeing the benefits from the increased financial rigor and discipline that the ongoing monitoring of internal controls brings. Using continuous monitoring solutions, these companies are seeing a return on their SOX investment, benefiting today from money they are spending on their compliance efforts. Just because the deadline has been extended doesn't mean that companies should slow down in their efforts to meet SOX requirements; doing so will only compound the compliance challenge these public companies face.

Harald Will is the President and CEO of ACL Services Ltd., and is responsible for the strategic vision and direction for the company. ACL is the leading global provider of audit and continuous controls monitoring solutions to financial executives and audit professionals. Combining market-leading software and professional services expertise, ACL gives organizations confidence in the reliability, accuracy, and integrity of the data underlying their increasingly complex business operations.

Since 1987, ACL's proven solutions have enabled financial decision-makers to assure controls compliance, reduce risk, detect fraud, minimize losses, enhance profitability, and achieve fast payback. With an international customer base including 90 of Fortune 100 companies and over half of the Global 500, ACL solutions are delivered in more than 150 countries through a global network of ACL offices and channel partners, and are used in hundreds of national, state, and local governments and by the Big Four public accounting firms.
