BPM critical to effective Sarbanes-Oxley compliance

Compliance regulations can be a burden or an opportunity. Done right, compliance is a blessing for executives looking for clear insight into their companies.
By Sybille McCloghrie, Group Business Development Director of COSA.
Johannesburg, 17 Aug 2005

The Sarbanes-Oxley (SOX) legislation introduced in the US was designed to force companies to more effectively manage the processes through which they arrive at their financial results.

In essence, SOX can be considered in two parts. The first concerns a company's internal controls over financial reporting (ICFR). The management must assess their company's system of ICFR and express their opinion on whether or not they find them effective. The second part relates to the "attester" (the SOX auditor) who must also express his opinion on management's assessment of the company's ICFR and conclude on whether he finds the company's ICFR to be effective.

Contrary to what many believe, SOX does not require every control in a business to be tested or to have an opinion expressed on it. In light of these regulations, it can be seen that the choice facing companies is either to do just enough to comply, or to make changes that will improve and streamline business processes while also obeying the law.

The thinking behind SOX was that simply having CEO-level executives sign off the final figures for their organisations' quarterly or annual results was not in the interests of shareholders. The ease with which a few executives were able to commit fraud and then claim innocence made legislators look for a way to ensure business leaders assumed more responsibility for the figures they delivered.

The way they did this was to demand that companies model the processes that lead up to the production of the financial figures, and that executives guarantee that the process, as well as the results, is free of irregularities.

If fraud is detected, it will be much harder, almost impossible, for management to claim they were left in the dark because they have personally vouched for the whole process.

In addition, auditing companies will have to verify that the processes and final results are completed acceptably and legally, or they too could end up being prosecuted if fraud is detected.

A question of process

Achieving this in a small business would be difficult, but doable because the CEO generally knows what processes are involved in the business. In large corporations, however, SOX compliance is a complex process that cannot be handled without the aid of modelling, workflow and reporting tools.

Unfortunately, making use of these tools is a long, complicated procedure that can be costly. Many companies therefore model their processes on paper and only use the various IT vendors' compliance tools for reporting.

This means that although the manual processes, models and final reports are verified, and so satisfy the compliance regulations, the final results can still be incorrect because the data used to obtain them is not accurate.

A comprehensive offering would need both a management tool and an attester tool. Unlike most tools, this type of offering would enable management of the entire process, from control capture to testing and the re-scheduling of tests on an ongoing basis.

Enter BPM

Of course, the above is a worst-case scenario, the domain of those companies that will do what they have to in order to comply with SOX, but nothing more. These organisations will find SOX a great expense and time waster, with no additional benefits accruing to the company in the long-term.

For those executives wanting to use the new legislation to improve their business processes and gain in-depth insight into their organisation while implementing their compliance programmes, automating the processes through business process management (BPM) is the answer.

It is only when the processes followed to obtain the results required by SOX are automated that companies can rely on the information provided, as well as on the process itself. Developing and implementing BPM will not only smooth the flow of information but also make the data received easier to analyse, with the assurance that everything has been done to ensure the accuracy of the intelligence.

Of course, new company reporting legislation is not limited to the US and it won't be long before every country has its own local legislation of the same nature as SOX. Complying can be about obeying the law or it can be about improving your company, its business processes and transparency as well as its ability to function in a competitive global environment, thereby better serving shareholders.

* Sybille McCloghrie is group business development director at COSA.