< Back

What is the single most challenging Sarbanes-Oxley issue today?

Prashanth Boccasam
President and CEO

The single most challenging Sarbanes-Oxley issue today is understanding that SOX compliance is part of an overall Enterprise Controls Management effort ? it's an opportunity to minimize business risk and maximize business efficiency.

After talking with literally hundreds of prospective customers, their auditors, and implementation partners I believe people tend to fall into one of three camps ? they're confused, complacent, or over-confident.

The confusion comes from trying to sort out and evaluate the competitive claims of software vendors promising "SOX-in-a-BOX." That's shortsighted ? as you'd expect, we think software is a critical element of an overall SOX compliance strategy, but it's only a tool to support the governance and control policies established by Management. Software alone isn't the answer.

Complacency stems from those who view Sarbanes-Oxley as a "documentation problem." The reality is that Sarbanes-Oxley is a business problem ? and a business opportunity as well. Many an organization has been ? or will soon be ? brought up short when auditors begin demanding rigorous integrated audits addressing not only the existence of controls, but also the manner in which they're implemented and their effectiveness. This is particularly true as organizations move from compliance with Section 302, and begin to address the more stringent demands of Section 404 ? to say nothing of the prospect of Section 409 and its requirement for "real time" disclosure of material events.

Over-confidence, I think, affects those who haven't actually experienced a recent audit and so are unaware of the increased demands for information and more stringent tests auditors have begun to require. The confidence espoused by those who feel "we've been doing this all along and there is nothing we'd do differently post-SOX," is probably misplaced when you look at what's actually happening in audits. We've seen projects consuming thousands of hours of auditor time, even for relatively small ? less than $1 billion in revenue ? companies, with some firms requiring over 100,000 hours. And that's before you count internal staff time ? nearly half the cost of achieving SOX compliance, according to recent research I've reviewed.

Perhaps that's why the one consistent theme we've heard across all these groups is that people don't want to go through this again when the next reporting cycle comes around, or managers begin to implement additional provisions of the act ? like the Section 409 requirements I mentioned. That's a real concern because SOX compliance isn't a "one time" project ? as John Hagerty at AMR Research has pointed out, "SOX Compliance is a four-phase project, and phase four lasts forever." We've seen companies facing a "Phase 4 Gap" that results when work performed to satisfy Phase 3 must be repeated because tools and processes for internalizing SOX compliance were not built into the initial project.

That's why at Approva, we look at SOX compliance as part of an overall Enterprise Controls Management effort, a process that moves beyond simple controls documentation and violation detection, to encompass critical activities like preventing violations and monitoring operations. It's the business opportunity I spoke of before ? Enterprise Controls Management helps not only minimize business risk, it maximizes business efficiency as well. When looked at from the perspective of the entire business ? not just the relatively narrow view of Sarbanes-Oxley compliance ? Enterprise Controls Management can positively impact all aspects of the business.

About Us Editorial

© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY