The risk mitigation factors of being SOX compliant are obvious, but what are the other benefits of having a controlled internal process?
The Sarbanes-Oxley Act of 2002 (SOX) was formed in response to multiple worldwide corporate financial scandals. Financial mismanagement at Enron, Global Crossing, Tyco, WorldCom and other companies brought to light the need for tighter reporting, standard controls and transparency for publicly-traded companies.
SOX was intended to increase transparency in financial reporting and corporate governance of publicly traded companies. Lawmakers believed that requiring a system of tight checks and balances would prevent large-scale financial scandals from happening again. Forcing companies to adhere to strict guidelines both internally and externally would, in essence, make it far more difficult for bad actors to commit large scale fraud.
The predictable and immediate response was push-back from companies, as the cost of implementing SOX compliance was significant and the fines were substantial. With financial companies spending an average of one million dollars annually on internal reporting costs, external audit fees, and information technology restructuring, the cost of compliance became prohibitive for some.
But the potential penalties of non-compliance made the choice simple: fines up to five million USD and up to twenty years of jail time. It’s no wonder publicly-traded companies scrutinized their current internal procedures and complied with the strict provisions of Sarbanes-Oxley. Under the act, CEOs and CFOs who willfully submit inaccurate certification to a compliance audit could have their companies delisted from the public stock exchanges and have their D&O insurance policies invalidated.
The internal benefits of Sarbanes-Oxley
There were many who looked past the headaches and saw these laws for what they were — great practices for a strong business strategy. This was confirmed as organizations with no legal requirement to comply with SOX started to follow its guidelines.
As companies examined their internal systems for accounting, IT, and reporting, they discovered immediate benefits. Controls that showed even the smallest risk were documented and tested for effectiveness. Inspections identified redundant controls, security risks and accounting inaccuracies. As a result, companies were actually able to cut costs and be more productive in other aspects of their business. Firms discovered that if they enhanced their internal control environment in response to SOX, they earned a competitive advantage over those who didn’t.
In a survey conducted by Protiviti: (1)
- 78% of organizations leverage SOX compliance initiatives to drive continuous improvement around financial reporting.
- 52% of organizations reported “significant” or “moderate” improvements in internal control over their financial reporting since the implementation of SOX.
The SOX framework helps your company:
- Discover inefficiencies in your IT infrastructure.
- Eliminate redundancies in your workflow.
- Manage security and respond faster to a breach.
- Identify and assess risk.
- Streamline the reporting process.
- Document work tasks to improve processes.
- Consolidate key financial processes.
- Minimize inconsistencies.
- Mitigate human error.
- Automate manual processes.
- Reduce the number of data handoffs.
- Train new hires faster.
- Increase confidence in reports.
SOX planning for non-SEC organizations
Proactive private sector and non-profit organizations that have implemented SOX not only as a compliance exercise, but also as a framework for a solid long-term process, have discovered a host of perks. For instance, firms that plan a public offering in the future should be following SOX guidelines today, even if not required to by law. Early investors display more confidence in a company when a fully auditable accounting system is already in place.
SOX Compliance Checklist
Although a SOX audit will differ between industries and company sizes, this checklist will provide a few general considerations:
- Is your organization working with an accepted framework? (COSO, COBIT, ITGI, or a combination?)
- Does your company have a policy on how to create, modify, and maintain accounting systems, including software which handles financial information?
- Is your organization equipped with safeguards to prevent data tampering?
- Are there security protocols to respond to a data breach?
- Are user-level access controls on sensitive information being recorded?
- Does your firm report data breaches to the authorities?
- Has your organization collected valid, recent SAS 70 reports from all applicable third-party organizations?
If you’re interested in a SOX-compliant solution for your company, contact us.