SOX Compliance shouldn’t be a dirty word
At a recent Oracle User Conference, I had a number of conversations about SOX Compliance.
The most difficult one was with an ERP Manager who’d been tasked with getting Oracle GRC implemented next quarter. She didn’t believe it when I told her that the product is no longer supported by Oracle. Her company was undoubtedly another in the long list of clients who acquired the software as part of a larger “year-end” deal, and thought they were getting a bargain. Until they looked at the implementation costs.
But SOX Compliance is a very important business issue. I know that many CFOs would like to ignore it, but it’s not going away, so you can either embrace it and treat it as a good thing, or waste lots of time and energy struggling just to check the right boxes.
SOX Compliance – why do we need it?
Mr Sarbanes and his friend Mr Oxley put this through the statute book because people were manipulating their financial position, and after major frauds at WorldCom and Enron, the stock market was very jittery. People needed to be reassured that the financial numbers being presented were correct, and no Senators and only 3 Congressmen disagreed. (Doesn’t that seem unusual in our current political climate?)
Unfortunately, Section 404 of SOX has been misinterpreted by many, and blamed for many business ills. A lack of clarity in some parts of the legislation left some areas open to interpretation, and a whole industry was created in the audit world.
The fundamental aim of SOX Compliance is to implement effective and robust Internal Controls – but doesn’t this make sound business sense for all organizations? Do you want control over core business functions? For instance, do you think you should have tight control over who can access your systems?
It all comes down to how tightly you want to run the business. Good controls lead to increased efficiency and fewer problems. Implementing sound IT General Controls brings many benefits: fewer staff, less time wasted correcting mistakes, and a much easier path to divesting or acquiring business units.
Last month I met two organizations who hadn’t understood another major benefit of achieving SOX Compliance; if you invest the effort needed to get it right once, it will cost you a lot less in the medium term. Once you’ve satisfied your auditors that your controls are effective, future audits are usually much more straightforward.
Internal controls need to be appropriate and easy to manage
The basic tenet is to put in place a sustainable controls mechanism that fits your business. It must be geared to the main risks and processes within your organization, i.e. what controls do you need, what reporting do you need, and how are you going to satisfy the auditor? These requirements will differ from one company to the next.
Achieving SOX compliance doesn’t need to be expensive. The average cost is falling, but up to now the total cost of ownership of some GRC solutions has been particularly onerous for mid-market businesses.
What we should learn from the failure of Oracle’s offering is that extra investment in hardware and 12-month projects is not the solution. It is said that Oracle GRC is one of the most common items of shelf-ware. There’s no way to verify whether this is actually true, but there has to be a better way forward.
The answer is to identify your real requirements. Some companies at the top of the market will need a full-blown “compliance platform.” In this case, choose your supplier carefully; you want to satisfy your needs, not pay a salesman’s bonus.
Or perhaps you already have tight internal controls, and all you need is an audit tool to do the reporting. In this case, you don’t want shelf-ware, and you certainly don’t need a year-long project! If you want to satisfy your auditor, but know that your controls are good enough, an ERP security audit can be a one-day job. Above all else, learn from other companies by starting with a suggested set of controls and a sample risk matrix.
In the longer term the answer will lie in automation, or what marketing people are telling us is Artificial Intelligence.
Whatever path you choose, it’s all about using good controls and good IT systems to make our businesses more efficient.
SOX compliance doesn’t have to be a dirty word; it can actually help your business run more smoothly and profitably.
And it can be very cost effective indeed if the by-product is avoiding a major fraud.
Read how Ogilvy Commonhealth Worldwide achieved a green rating on their SOX audit
Find out more about SOX compliance solutions for your ERP system