Roundtable

What is the single most challenging Sarbanes-Oxley issue today?



Frank Hailstones
CEO
Axena

The single most challenging Sarbanes-Oxley issue has changed over the last nine months or so as the impacts of the implementation of the Act's requirements have come into effect. The challenge at any point in time has reflected the maturity of the implementation process cycle - from the adequacy of documentation, through the identification of relevant controls, to now, identifying and dealing with control deficiencies within a timeframe that allows organizations to manage and mitigate the impact of major control failures in terms of reportable conditions.

Today, compliance with SOA 404 has now reached, for many accelerated filers, a stage whereby, well into the third quarter for many, most controls are/have been tested and auditors are now significantly engaged in their own assessment of the effective operation of controls.

The challenge for many in identifying and dealing with control deficiencies and potential reportable conditions can be summarized as the need to be "better prepared," which will mean the need for focus on three areas in particular:
  • Need for Better, Early Warning Systems: Although there are a number of criteria which have been articulated in the Audit Standard and guidance issued from numerous sources, including examples of what will likely constitute a material weakness or significant deficiency, the evaluation of control failures still requires a number of subjective judgments e.g. "remote likelihood" or "material," and for many, that evaluation will be after the fact and potentially too late. The evaluation process needs to be framed in a more structured way, at a sufficient level of detail that allows local management to focus on risk areas, and an earlier evaluation "radar" system of circumstances that cause, or indicators of the existence of potential reportable conditions.
  • Focus on Control Risk Assessment: A more structured approach is required to the evaluation of the risk of control failures, and the selection of a 'second-line,' where appropriate, of controls that will help detect failures or provide compensating control comfort. Creating a "safety-net" of compensating/mitigating controls for assessed high-risk / high-impact control failures is one of the keys to minimizing the risk from control failures. The trick here is striking the appropriate balance and not extending the controls portfolio to unmanageable or inefficient proportions.
  • Enabling Management: Early identification by the organization is critical in avoiding or at least mitigating the impacts of control failures. This requires not only a periodic confirmation of the adequate operation of controls but, just as significantly, engendering a culture of ongoing management monitoring of controls - which are, after all, their responsibility - and reporting and actioning failures on a timely basis. This is the real challenge for many organizations and will require a combination of corporate drive to embed the changes required, as well as a rebalancing of the internal audit role to more coaching of management in the skills and processes required to enable them to effectively discharge this (perceived for many of them) new role.

Of course there are other actions required to better identify and deal with control deficiencies and potential reportable conditions, e.g. engaging auditors more effectively and earlier, but addressing these three will provide a more robust platform for organizations being "better prepared."

Frank Hailstones has extensive audit and consulting experience in all aspects of governance and is a regular speaker on the conference circuit on a number of subjects related to this area.

As Chairman and Chief Executive Officer, he is responsible for the strategic direction of the company. Operationally, he has been extensively involved in developing Axena's governance solutions as well as working with clients in designing and implementing processes to support compliance with the new Sarbanes-Oxley 302 and 404 requirements.

Prior to co-founding Axena in 2001, he spent a combined 18 years with PricewaterhouseCoopers (PwC) as a senior partner (10 years); partner (4 years) and senior manager (4 years). At PW, he ran the Internal Audit Practice, building the Europe, Middle East and Africa (EMEA) teams and network in 12 countries, led a number of outsourced internal audit appointments, and conducted performance reviews of internal audit in a variety of industries throughout the world. He led the PW Global Team that developed the PW Internal Audit Methodology and supporting technologies, before moving into Business Risk Management where he led the firm's Business Risk Assessment approach using collaborative technology. He has conducted more than 300 successful risk management facilitations and workshops.

He is a member of the Institute of Internal Auditors (IIA) International Board and the Institute of Directors (IOD) in the U.K. He is a CA (Chartered Accountant - Scotland) and a member of the CPFA (Chartered Institute of Public Finance Accountancy) and the ACA (Association of Chartered Accountants - England & Wales).

