After Sarbanes-Oxley Act of 2002 (SOX) was enacted, companies were forced to rethink their reporting to avoid penalties, but SOX compliance brings significant benefits. The new approach to financial reporting that SOX created engenders greater market trust. In fact, for private companies considering going public, these SOX compliance benefits manifest, first, as better IPO pricing. A 2014 Forbes article written by Harvard Business School Working Knowledge notes,
Despite high initial costs of the internal control mandate, evidence shows that it has proved beneficial….Another concern that the act would shrink the number of IPOs has not been borne out either; in fact, the pricing of IPOs post-SOX became less uncertain. The cost of being a publicly traded company did cause some firms to go private, but research shows these were primarily organizations that were smaller, less liquid, and more fraud-prone.
In other words, SOX implementation has strengthened the public market. A company’s SOX compliance communicates a baseline level of financial assurance in publicly-traded companies, which inspires both investor confidence and market certainty. SOX has cleaned the market of less financially-reliable companies, while new publicly-traded entrants can command higher IPO pricing. This has increased overall market strength, as well as individual corporate financial stability.
These advantages represent macro-level improvements to the broader marketplace. But what are the impacts of SOX at the level of a particular company?
Six Ways SOX Compliance Benefits the Organization
Risk Triage
Not all risks are created equal. SOX compliance benefits companies by giving them a starting point for asset analysis. SOX articulates expectations, so that organizations can predict the standard they will be held to. Understanding risks means being able to more effectively target your controls. The Information Systems Audit and Control Association (ISACA) explains,
The most appropriate and effective way to define the right scope and the extent of testing for each Sarbanes-Oxley in-scope system is to perform a risk assessment focusing on the risks associated with Sarbanes-Oxley requirements and specific to ITGC. Risk assessment is not a new buzzword-everyone in today’s world talks about risk-based approach, risk assessments, etc., but few understand that for a risk assessment exercise to be successful, it is extremely important to identify whether the focus of risk assessment is confidentiality, integrity and/or availability, and then to define the risk criteria/parameters.
For example, a risk assessment exercise for Payment Card Industry (PCI) Data Security Standard (DSS) compliance focuses on what should and should not be stored to ensure that credit card information is not compromised and, thus, to ensure data privacy. However, for Sarbanes-Oxley, the same approach cannot be applied, because Sarbanes-Oxley focuses on data integrity and misstatements to financial reporting. Therefore, the risk assessment criterion shifts from data privacy to data integrity.
Focused risk assessments mean understanding the landscape of the organization’s risk exposure and controls. By learning what areas do not need to be SOX compliant, the company can focus its efforts on the in-scope areas that are the greatest risk. In addition, by learning what areas are subject to SOX and how they fit into the compliance profile, internal stakeholders gain insight into how various types of compliance overlap.Control Structure Strengthening
Sections 302 and 404 require documentation of controls, including operations manuals, personnel policies, and recorded control processes. With this kind of documentation mandatory, many organizations may find the process overwhelming. However, the steps needed to comply can be productive for the company.
One benefit of SOX compliance is better control awareness; how these controls fit into the big picture becomes more transparent. When auditors and management focus on internal controls through a SOX assessment, the organization quickly become more aware of how important control activities are to the financial success of the organization. The additional scrutiny that comes through a SOX assessment prompts participants to put forth even more effort to ensure that activities important to financial reporting are well-executed.
As businesses grow, organic changes can affect controls as the company matures. Organizations that prioritize compliance sooner experience SOX compliance benefits at an earlier stage. In 2006, The Harvard Business Review‘s writers Stephen Wagner and Lee Dittmar wrote,
PepsiCo has also benefited from updating its documentation processes. In the course of making these updates, the company determined that inadequate controls existed for pension accounting, a complex process that depends not only on the internal compensation and benefits group but on external actuaries and asset custodians. Lardieri says with dismay, “A lot of steps we assumed were being taken-account reconciliations and interest calculations and data integrity checks-actually weren’t.”
Although it was not why they began the endeavor, PepsiCo discovered unanticipated gaps and faulty assumptions while improving controls. Organizations just starting the process may be surprised by the benefits they encounter while pursuing SOX compliance.
The process may also highlight inefficiencies in how documentation is generated and stored. For those using spreadsheets to document their SOX compliance, information may end up scattered across an organization. Automated tools provide a single location for the documentation, providing the necessary artifacts to demonstrate controls.Better Audits
While “better audits” is imprecise, the description’s vagueness encompasses many different aspects of the audit process. The 2016 Protiviti Sarbanes-Oxley Compliance Survey research noted that
- For a strong majority of public companies (85 percent), either the audit committee or executive management is the executive sponsor for SOX compliance efforts. The audit committee is responsible for the broad overview of the organization’s risk management, under which SOX compliance falls. Executive management is specifically responsible for the accuracy and completeness of the organization’s internal control over financial reporting – a key component of the SOX requirements. Therefore, it makes sense that executive sponsorship falls under one of these bodies.
- Internal audit is primarily responsible for the execution of these activities in one out of three companies (35 percent). Within a majority of organizations, either internal audit or management and/or process owners have this responsibility.
- When it comes to testing, two-thirds of public companies rely on either their internal audit groups (46 percent) or management and/or process owners (21 percent).
- Internal auditors performing and supporting testing efforts is not surprising, given their skill sets and independence to enable external audit reliance.
More effective and efficient operations lead to better audit outcomes. With better internal audit outcomes, the external audit process becomes more efficient. Streamlining external audit lowers overall audit costs by lowering the cost of employee time responding to external audit requests and report results. Creating better audit evidence collection smooths user experience supporting auditors. One key way to achieve this evidence collection is with an automated platform, like ZenGRC, which provides dashboards that make Audit project management easy.
Efficient Financial Reporting
The main goal of SOX was to provide transparency in financial reporting. In doing this, the statute defined minimum standards for determining reliable information. COSO described what early efforts to comply often looked like:
First, management probably specified a high-level financial reporting objective and sub-objectives related to preparing financial statements and disclosures. In doing so, it identified significant financial statement accounts based on the risk of material misstatement. Then, for each account or disclosure, management identified relevant financial reporting assertions, including existence, completeness, rights and obligations, valuation or allocation, presentation and disclosure, and the like. In addition, management identified underlying transactions, events, and processes supporting the respective accounts and disclosures. The result may have been a mapping of the design of your company’s internal control environment, providing evidence that control activities are in place for all relevant financial reporting assertions for all significant accounts and disclosures. If there were any significant gaps, you remediated them accordingly.
Despite the effort needed to gather documentation and strengthen controls, completing this process allows for more-efficient, more-reliable financial reporting. Once the effort to map the control environment has been completed, the organization has grappled with compliance requirements. It is positioned, for future years, to track material changes. This makes reporting easier as the organization matures. More accurate financial reporting means less time spent needing to correct mistakes.Peak Operational Performance Early On
Early engagement with SOX compliance benefits companies by instilling process efficiencies that position it for future growth. In his Institute of Internal Auditors North American presentation, Steve Guarini, formerly with Rehmann Group now with Cohen & Company, noted that SOX compliance would
- Utilize a top-down approach to drive efficiency and effectiveness
- Focus on areas of high risk, significant accounts, processes, and locations
- Take a practical approach to “right-sizing” documentation
- Focus on key controls versus all controls
- Integrate IT and business processes and to maximize the benefits of controls
- Build the control structure with the goal of maximizing operational and auditing efficiency and minimizing compliance costs
When organizations initiate controls at an early stage, SOX compliance benefits companies by motivating them to assess their starting points and annually assess their risk. This means that controls cannot be haphazard. By beginning with a streamlined approach to risk that integrates multiple business areas, organizations can operationalize best practices early.
Team Collaboration and Build Working Relationships
SOX compliance requires deeper and more frequent collaboration among internal stakeholders. Particularly in the area of IT security, attempting to operate in isolation will constrain compliance efforts. Ernst & Young note:
As the threat landscape rapidly changes and risks increase, companies need to change their mindset and approach toward information security and privacy to address a new normal… These are issues of importance to the C-suite, elevating the need for boards of directors, audit committees, general counsels and chief risk officers to work alongside information security and privacy officers to fully address their organization’s risk management level of due care, approach and preparedness, and to implement an Information Technology Risk Management program that is adequate and effective in managing cyber risks.
Internal auditors and those who oversee SOX assessments must collaborate across business lines to work with those who own or contribute to financial and information controls, such as control owners, IT, or HR. SOX requirements incentivize building stronger working relationships across teams.
At the heart of this collaboration lies communication. Automated GRC tools, like ZenGRC, ease collaboration by creating a single, accessible location where the stakeholders can meet. This location also can be controlled, providing appropriate access based on compliance role.
Looking to get started with SOX compliance and curious about how an automated tool can help? Contact one of our GRC specialists.