What is the single most challenging Sarbanes-Oxley issue today?
Doing this across the enterprise challenges the operational or disciplinary silos that have long been held in most organizations. In most large organizations, regulatory compliance falls on the shoulders of the audit department, which reports to the CFO.
More and more, we are seeing the titles Chief Compliance Officer or Chief Risk Officer, responsible for all things related to complying with regulations such as SOX, HIPAA, GLBA, Regulation FD and more. Of course, with SOX, more than the CFO needs to ensure that the organization is in compliance. Other roles whose job it is to make sure compliance is achieved are, of course, the CEO, President, and board members as well.
We all know that, as for accountability, SOX requires public company CEOs and CFOs to certify that the financial statements their companies issue are accurate. But imagine how challenged they must be when you consider that 80% of U.S. workers have never heard of SOX and only 9% say they have been asked to do something differently in their jobs as a result of SOX, according to a Hudson Financial Solutions survey.
The point here is that SOX is everybody's job, not just the finance team's role. If the information provided to the SEC is wrong, then criminal as well as civil penalties can result. That would have a major impact on a company, and ultimately cost people at all levels their jobs.
Because any enterprise is only as strong or as ethical as its weakest or most unethical employee, the blame for a poor control environment must be shouldered throughout the entire organization. This means the entire organization, and each and every person who works there, should be tuned in to internal control, tuned in to SOX.
In today's work environment, employees often work in narrowly defined roles that might actually fly in the face of, and even negate, the bigger picture of corporate accountability. In order for strong controls to be an integral part of day-to-day operations, management must take steps to ensure there's a clear organization-wide understanding and appreciation of the important elements of control: the control environment, risk assessment, control activities, and information and communication.
What's needed is a holistic, unified approach to understanding and repairing a risk control structure. For example, departments within the company need to agree on what standards they will use to assess risk and to identify priorities for process improvement.
For instance, Internal Audit may view SOX compliance through one set of lenses, while the CFO might look at it through another.
The second thing that needs to be achieved is to build a recurring process around the compliance processes, to institutionalize them and drive change throughout the organization. Large institutions that embrace compliance need to do it well enough that it works for them.
Compliance is mostly about establishing and formalizing best practices based on a set of formal regulations. Compliance is the process of adhering to a set of guidelines or rules established by government agencies, standards groups or internal corporate policies. Adhering to compliance-related requirements can be challenging for some of the following reasons:
• The regulations are new, so there is no blueprint to follow
• Staff may not see the entire view of the regulations and may focus on only one aspect, with the result that they miss other regulations
• Regulations can overlap, or even conflict, so it's difficult to decide which process to follow
• Different countries may have different rules that may create conflicts
• Regulations can change over time, and the systems built to meet them will need to be updated as well
Based on a review of the above, compliance becomes a continuous process that will need not only to meet the wide variety of regulations, but also to help make the business more efficient as a result.
The bottom line is that from now on, a significant part of a company's budget and resources will be spent on ongoing compliance initiatives. The trick is how to turn compliance into a system that can be part of everyone's job, to drive the business forward AND meet the regulations.