Thinking outside the SOX: 5 things I learned from successful SOX rationalisation
May 14, 2019
Yes I know! Sarbanes-Oxley has been implemented in 2002 so why do we need another blog about it!? Well simply because I continue to see plenty of opportunities to make SOX programmes more efficient and valuable for all stakeholders. Most SOX programmes are the result of layers upon layers of new controls added over the years, resulting in a process that is ineffective and inefficient: this is when it is time to press the “reset” button and perform a SOX rationalisation.
At the SOX Centre of Excellence, we constantly support multiple SOX rationalisations and have identified five best practices common to all successful SOX rationalisations:
- What rationalisation really aims to. There is a lot of misunderstanding about what the objectives of a SOX rationalisation actually are. The idea is not to create more controls but rather to have the right control activity at the right place to mitigate a risk. Keeping in mind that every client is different, the SOX rationalisations I worked on resulted in a 25% reduction in the number of controls.
- Ensure you are prepared. You should ask yourself the following questions: how will I plan, organise, and manage my team's work? How will I share feedback, files, and status updates? Is there a central SOX methodology in place? These are key questions that ensure you are ready to tackle the right tasks at the right time.
- It starts with the risks! I can assure you that all successful SOX rationalisations start with a detailed and comprehensive identification of all the relevant risks. One has to consider the risks related to manual business process, IT, the adoption of new accounting principles and change in environment. This is not just me saying it, the US regulator is also asking auditors to ensure the companies they audit perform a deep and comprehensive risk assessment! Don’t worry though, it may seem daunting now but there are risk libraries available to help you with this identification process.
- Never underestimate the human factor. A successful SOX rationalisation engages everyone from management to control operators. It is common to identify the need for SOX training as a consequence of the SOX rationalisation. There are several options to empower your people for example, tailored training or examples of what “good” looks like. SOX rationalisation should be all about teamwork!
- SOX is a journey. Everything is changing; your business, its environment, the regulatory requirements, etc. In my role as SOX Centre of Excellence Leader, I know that a successful SOX rationalisation is not a one-off project. You need to ensure you have a system in place to monitor these changes and assess the potential impact on the SOX programme. A good practice is to remain aware of the recent findings of the US regulator and consider what this “what went wrong” guidance means for your SOX programme. Staying ahead of the curve will keep you safe.
If you were to ask me what the future looks like for SOX rationalisation, I would tell you how enthusiastic I am about the efficiency and quality opportunities that artificial intelligence, robotics. a.k.a. SOXbotics, and digitalisation will bring to SOX programmes. There are exciting times ahead and there will be more about it in the next blog!