Is SOX compliance an unwelcome distraction or a business benefit?

SOX or No SOX?

This week I was chairing a webinar on “Preparing for your Security Audit” when I was struck again by how many people still ask the question: “We’re a private company – why should I worry about audit and internal controls?”

When I started work in 1973, business life was a lot simpler.

We spent an hour in the pub most lunchtimes. One of my clients was a small brewery and we traded software licensing for kegs of beer. We worked hard, and we partied hard too. But back then, life seemed much less complex.

These days, success in business is not so much about getting one big thing done. It’s more about how well you can handle interruptions and conflicting priorities.

So, it’s no surprise that people try not to get involved in projects that they see as non-essential. My webinar attendees wanted to be told that “compliance” isn’t essential, so that they wouldn’t have to do it.

Why are Internal Controls essential? 

Why should you prepare for an external audit of the security of your ERP system?

Let me give you three reasons which apply whether you’re subject to SOX compliance or not.

First, let’s talk about risk.

All areas of business security are a balance between risk and cost, and one of the difficult jobs facing a CIO is to explain these trade-offs to their stakeholders.

You can build the most secure environment for your IT, but will the business pay the price? Is the return on investment appropriate? Does the risk-reward ratio make sense?

You need to understand the risks to your ERP system, rank them by priority, and weigh up the cost of recovery if the worst outcomes come to pass.

What you shouldn’t do is ignore the risks. If you’re caught out, the damages can be eye-watering. Many people will tell you that risk analysis is a complex, and therefore costly, process. But with the proper help, and the right management buy-in, this process is not difficult. It is essential, and it will help you keep your job.

Secondly, let me dare to introduce an idea that makes many ERP Directors quiver.

Internal controls are a very good thing.

They ensure that key processes are followed; for instance, making sure that appropriate checks are in place when granting users access to the ERP.

Internal controls are really about making sure that key areas of the business operate properly, and that errors don’t create problems. Stopping fraud is just a small by-product of a good controls infrastructure; the main objective is to prevent damaging mistakes.

Which brings us to the benefit that will appeal to your CFO.

Putting in place proper Risk Management and Internal Controls leads to greater business efficiency. 

But only if you put in place tools which make it sustainable. You never want to be re-inventing controls paperwork because the auditor is due next month. Get it right once, implement it with a tool that enforces compliance, review and improve regularly, and the savings will be considerable.

In theory, compliance is about adherence to legal standards, and one of the most hated acronyms in ERP management is SOX. I remind everyone that SOX turned out to be so beneficial in the US that most other modern economies copied the principles and created their own version.

Does every company need to be compliant with SOX?  Of course not.

Should most companies adopt the key principles of Risk Management and Internal Controls?  Absolutely.

It makes huge business sense, creates efficiency, and ensures that fraud and errors don’t disrupt your business.

I love SOX.

If it makes sense to you too, here’s info about tools that can help you achieve SOX compliance (or equivalence) efficiently.