![]() |
![]() | ||
| ||
![]() |
|
![]() |
Roundtable
![]() < Back What is the single most challenging Sarbanes-Oxley issue today?
Sarbanes-Oxley requires that organizations document and test the controls that directly impact their operational risks. It also requires companies obtain an annual attestation from their external auditors that the controls they have in place are working effectively. It is this measuring and documenting of the operational risk that has created the sharp rise in compliance costs. Characterized by high volumes of transactional data that are dispersed across multiple applications, the operational control environment is the most costly and difficult to document and test. This has left many CFOs and controllers asking themselves, how much testing is enough? Market research has identified that a significant number of companies are experiencing challenges in completing the testing component, and now have the opportunity to find alternative solutions to effectively address this issue. Long before SOX was drafted, auditors and financial managers had to balance the benefits of internal controls against the cost of implementing and maintaining them. Continuous monitoring (or auditing) uses technology to test the effectiveness of controls, for entire business process areas, at the transactional data level. An effective continuous monitoring system requires technology that provides identification of control rules for each internal control point, and independent tests that validate each control rule. Continuous monitoring can be a cost-effective solution for testing controls at the transactional level and improving profitability, while also supporting overall good corporate governance. The key is finding the balance between effectively testing controls in higher risk areas and not creating an over-controlled environment that slows down operational efficiency. In addition, an independent continuous monitoring system can provide value beyond that of supporting Sarbanes-Oxley and regulatory compliance. Weak or absent controls, as well as transactions that evade controls, ultimately damage the profitability and success of an organization. The ability to constantly test the integrity of transactions and rapidly identify and solve problems before they become costly is simply a good business practice. Properly implemented, continuous controls monitoring systems have been proven to produce a very good ROI in terms of achieving regulatory compliance and also in reduced expenditures and increased revenues. Ideally, Enterprise Resource Planning (ERP) systems and other transaction processing systems should be implemented in such a way that controls are embedded in the core application. In theory, continuous monitoring of transactions would not be necessary if the core application itself ensured tight controls. In practice, the pressure of implementing new ERP systems within tight deadlines can mean insufficient attention is given to effective control mechanisms. Even if systems are initially implemented with sound controls in place, over time system users often find creative ways to bypass controls. Here the value of an independent transaction monitoring system can be twofold. First, it identifies instances where defined controls have been bypassed. Second, it highlights control risks for which no specific control procedure has been established. The recent delay for SOX 404 filings for accelerated filers is understandable due to the complexity and uncertainty around what needs to be done to meet the filing requirements. The legislation was put together with good intentions, quickly, to address an urgent market concern. What's being recognized now is the sheer amount of work required to understand, document, and test controls at the levels required. That being said, there are a few organizations that are further along in this process than others, and they are already seeing the benefits from the increased financial rigor and discipline that the ongoing monitoring of internal controls brings. Using continuous monitoring solutions, these companies are seeing a return on their SOX investment benefiting today from money they are spending on their compliance efforts. Just because the deadline has been extended doesn't mean that companies should slow down in their efforts to meet SOX requirements doing so will only compound the compliance challenge these public companies face. ![]()
|
![]() |
![]() |
![]() | |||
| |||
![]() | |||
© 2019 Simplex Knowledge Company. All Rights Reserved. | TERMS OF USE | PRIVACY POLICY |