What is the single most challenging Sarbanes-Oxley issue today?
The key challenge is, and has always been, finding, hiring, training and retaining top talent. Sarbanes-Oxley is no different.
While the mechanics of the legislation have had executives and others focusing on the process and technology aspects of compliance, it is ultimately the quality and the caliber of the people that will ultimately determine the outcome of the project.
Here is a list of the most frequently encountered human-resource related challenges in a Sarbanes-Oxley implementation:
1. Knowledge, skills and abilities: The ability of the people to do their jobs and perform in their assigned roles and capacities. Specifically, for example, roles related to the establishment of internal controls, the assessment and auditing of those controls, the technology aspects and implications of setup and auditing, the project management of the compliance project, and above all a broad-based understanding of Sarbanes-Oxley and how it fits into and impacts the organization in particular and the corporate world in general.
2. Ethics and values: While the sections of the Act outline the requirements from a legislative standpoint, underlying those aspects is the ethical expectation of the individuals involved. Do the organizational values create an atmosphere of ethical conduct in the organization, or is it the ethical nature of the individuals that ultimately determines the organizations Code of Conduct and its ability to consistently follow-through on it? It is truly a chicken-and-egg question.
3. Leadership: The tone at the top can literally make or break the project. The individuals responsible for providing organizational and project leadership play a key role in how a Sarbanes-Oxley effort eventually turns out.
Here are some suggestions on how you can mitigate some of your risks and challenges around the people issue in a Sarbanes-Oxley compliance project:
1. Training, training, training. The most critical ingredient and must be implemented as an ongoing process rather than a one-time occurrence. The training must include two components: broad-based education in the fundamental tenets of Sarbanes-Oxley and more detailed exposure to job-specific aspects of compliance.
2. Code of Conduct: Dont just create a Code of Conduct and Statement of Ethics because you have to or because youre supposed to, but rather create it because you know that it will serve as the guiding light in the event of any questions that arise around both implementing as well as enforcing the discipline of SOX in the organization.
3. Board buy-in: SOX puts the CEO and CFO on the hook to comply. This in itself should be a sufficient motivator to encourage and ensure board-level buy-in, involvement and accountability in the Sarbanes-Oxley compliance project. But in case it isnt, I have listed it here.
In conclusion, here are the top three reasons why you must invest in and develop your professionals who are leading, implementing and validating your SOX effort:
1. Organizations are comprised of people, and therefore tend to behave very much like the aggregation of the people involved.
2. The CEO and the CFO cannot implement an entire SOX process in the organization themselves. They must depend upon reliable and qualified people to do this for them.
3. SOX is about creating processes, procedures and check-and-balances in the organization so as to minimize the organizations exposure to the individual whims and fancies of the people involved.
Take good care of your people. Find, hire, train and retain the best talent. And SOX will be a breeze (relatively speaking, of course).
The Sarbanes Oxley Group of Auditors and Professionals is the provider of SOXBase and SOXPro level training and certification programs for Audit and Non-Audit Professionals involved in (or looking to get involved in) SOX-related compliance projects. Founded in early 2003, the Group today is one of the largest and most active online SOX communities, and through its members is committed to establishing and enforcing the industry-wide standards for Sarbanes Oxley compliance, professionalism, knowledge, expertise and ethics.
SOXGAP is recognized for its contributions to Sarbanes-Oxley-related research and education at the exclusive and highly respected Master Key level at the Institute of Internal Auditors (IIA) Research Foundation, the Financial Executives International (FEI) Research Foundation and the International Association for Continuing Education and Training (IACET).