5 Benefits of controls automation
The increasing number of transactions in ERPs systems makes it hard to comply with anti-fraud regula...
If you ask someone what they think of SOX, you’ll likely spark the age-old feud between the New York...
Helen Ganley | March 23, 2022
If you ask someone what they think of SOX, you’ll likely spark the age-old feud between the New York Yankees and the Boston Red Sox. Enter the compliance sector, however, and SOX takes on a whole new meaning: The Sarbanes-Oxley Act.
In this article, you’ll gain a deeper insight as to why SOX was enacted, its impact on companies, and how to leverage technology to strengthen SOX compliance.
Everyone remembers the accounting scandals in the early 2000. In 2002, a whistleblower exposed Enron for hiding their debts and assets from investors and creditors by using off-balance sheet statements and debts. As a result, the stock price fell from $90.75 to $0.26 in just two years. Right afterwards, Tyco International was exposed for siphoning $2 billion to fund the lavish lifestyles of the company’s top officials. Completing the trifecta, WorldCom repeatedly inflated their financial documents (including their 10-k, Balance sheet, income statement, and annual report) to overstate its profit by $3.8 billion and mislead their investors. There was great pressure on the federal government, especially the SEC, to strengthen disclosure and auditing requirements for public corporations.
In 2002, the U.S. government instituted the Sarbanes-Oxley Act, an 11-part law divided into several subsections. When companies go public, they have just two years to become SOX compliant, which is no small task. However, the SEC enacted it to provide guidelines for companies to be more transparent in their auditing and disclosures.
The Sarbanes-Oxley Act is infamous for the two main resources that it drains: time and money.
When it was first released, economists anticipated companies spending approximately 1% of revenue on compliance costs – for everyone billion of revenue, one million of expenses. However, surveys of real companies discovered that the actual costs were much larger than expected. Companies averaging revenue over or under $2.5 billion found that their compliance costs were 25% or 80% higher than the initial estimates, respectively.
This isn’t even to mention the time it takes to perform testing. From documenting to testing, completely performing just one key control takes an average of 35.9 hours annually. This means that it takes approximately 4.5 workdays to complete just one control. This is largely due to the sampling and testing methods – manually gathering samples and testing them individual is very repetitive and takes time to understand if the control is working.
No matter how overwhelming this seems, the introduction of automation into the compliance space is greatly decreasing costs. To read about the potential benefits of automation, read our article here.
Thinking about SOX compliance, the two largest sections are Section 302 and Section 404. These sections outline different compliance measures for internal controls. The key points of each section are outlined below:
Section 302 Corporate Responsibility for Financial Reports |
Section 404 Management Assessment of Internal Controls |
CEOs/CFOs must:
The Bottom Line: All corporate financial reports must be “fairly presented.” |
Part A: Management in all publicly traded companies must:
Part B: Larger publicly traded companies must:
The Bottom Line: Management must maintain adequate internal controls and formally certify, along with auditors, that they are in place. |
Why: Data tampering is just what it sounds like – changing data such that it’s no longer what it truly was. The person who tampered with the data can face a fine and/or up to 20 years in prison. The CEO/CFO who certifies a misleading/fraudulent financial report can be fined upwards of $5 million and spend 20 years in prison.
Steps:
Why: During a SOX audit, it is essential that auditors have access to an audit trail and/or access to secure information. The ability to see and analyze who made changes, what they changed, and when they changed it is essential.
Steps:
Use Extractable Compliance Management Software
Why: Not only do these systems help you in keeping a clear audit trail, as specified in Step 2, but they also allow you to extract this data from all information systems, files, and/or databases. During an audit, accessibility to this information in a consolidated and verifiable manner is essential.
Steps:
Why: At the end of the day, implementing auditing protocols and controls is only helpful if you have systems in place to ensure that they’re being effective in achieving their desired goals. As a result, you need to have a method of testing controls in order to report the effectiveness of your safeguards. Additionally, many of these methods include functionality to provide regular reports to auditors while giving them view-only permissions.
Steps:
Why: Performing a one-off audit can greatly misrepresent the company’s performance. Periodic audits catch mistakes well after they happen, leaving little room to correct the error. Testing only a sample of the transactions means that there are hidden weaknesses in the data that aren’t found during the annual audits. Continuous monitoring enables companies to monitor accounting and operational transactions in real-time and get alerted regularly on misstatements anywhere in the transaction data.
Steps:
November 30, 2021
The increasing number of transactions in ERPs systems makes it hard to comply with anti-fraud regula...
December 21, 2021
When automating their controls, companies save time, increase efficiency, and ensure compliance with...
April 5, 2022
Watching the hours on the clock tick past, it is hard to refocus on your laptop screen to the same c...