What Can SOX Do For You?
Risk Management, Apr 2008 by Singh, Gaurav
With Sarbanes-Oxley (SOX) compliance spending estimated at more than $6 billion in 2007, companies would be wise to ensure that this money is not being wasted. Many see SOX solely as a burden, but the resources used for compliance provide opportunities to improve operations. Smart companies have successfully automated workflows, reduced errors and turnaround time of processes, and redesigned workflows to improve efficiency by implementing the following measures:
Analyzing Business Processes
There are striking similarities between Six Sigma's proven process improvement methodology, DMAIC (define, measure, analyze, improve and control), and compliance activities such as controls documentation, testing and remediation. Both require definition of objectives, measurement of performance, remediation of weaknesses and continual monitoring. Companies that have already performed documentation and testing activities for compliance are in an excellent position to identify process improvement opportunities. In the billing process, for instance, a key objective is to accurately invoice customers. By documenting and testing the billing process, companies can identify key performance indicators to measure the health of their billing process. An analysis of billing errors can streamline the process.
Automating Processes
Companies should focus on automating processes rather than automating controls. Process automation streamlines the entire chain of activities and enhances the reliability of process outputs. An automated procurement tool, for instance, can automate purchase requisitions, approvals and recording of goods received at the warehouse. This system can help reduce turnaround times for procuring raw materials and associated inventory holding costs.
Automation also enhances internal controls over financial reporting (ICFR) by ensuring that purchase orders are not processed prior to approval, incoming materials match the quantities ordered and payment is made only for materials received. Process automation not only improves operational efficiencies but produces more accurate financial statements.
Automated processes can also curtail operational losses. In a high-volume process such as payments to vendors, it is virtually impossible to manually detect duplicate payments. An automated system that analyzes purchase order, invoice and material receipt numbers for a given vendor, however, can quickly identify redundancies.
Preventive Controls
Preventive controls avert errors before they occur, saving time and money spent on error detection, investigation and reprocessing. For instance, aligning shipping documents with customer orders prior to delivery and invoicing enables proper shipment of goods and accurate billing. This ultimately reduces the costs of sales returns, customer complaints, error investigation, return materials handling, invoice reversal and accounting for change in revenue recognition.
Preventive controls can also diminish operational losses. Segregation of incompatible duties is a preventive control that can reduce operational losses when dealing with incidents of fraud. For example, a bank employee who adds new customers, applies transactions to customer accounts and reconciles customer accounts has incompatible system access rights. This employee could add themselves as a new checking account customer, overdraw on the fraudulent account and conceal the overdraft transaction by not reconciling the transaction to source documents such as the customer instruction.
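The segregation-of-duties check described above can be run against role assignments, both as a review of existing access and as a gate before a new grant. The following is an added example, not part of the original article; the role names, users and the rule that any two of the three duties conflict are assumptions made for illustration.

```python
from itertools import combinations

# Duties from the article's bank example (identifier names are constructed).
ADD, APPLY, RECONCILE = "add_customer", "apply_transaction", "reconcile_account"

# Assumed policy: holding any two of these duties together is a conflict.
SOD_RULES = [frozenset(p) for p in combinations((ADD, APPLY, RECONCILE), 2)]

# Constructed sample data: role definitions and current assignments.
ROLE_DUTIES = {
    "onboarding_clerk": {ADD},
    "teller": {APPLY},
    "reconciliation_analyst": {RECONCILE},
    "branch_backup": {ADD, APPLY},   # a bundled role that already breaks the policy
    "statement_viewer": set(),       # read-only, carries no sensitive duty
}
USER_ROLES = {
    "alice": ["onboarding_clerk"],
    "bob": ["teller", "reconciliation_analyst"],
    "carol": ["branch_backup", "reconciliation_analyst"],
    "dave": ["teller"],
}

def effective_duties(roles):
    """Union of duties across roles; unknown roles fail closed."""
    duties = set()
    for role in roles:
        if role not in ROLE_DUTIES:
            raise ValueError(f"unknown role: {role}")
        duties |= ROLE_DUTIES[role]
    return duties

def violations(roles):
    """Sorted list of incompatible duty pairs contained in a role set."""
    duties = effective_duties(roles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= duties)

def audit(user_roles=USER_ROLES):
    """Detective use: report users whose current access violates the policy."""
    return {u: v for u, r in user_roles.items() if (v := violations(r))}

def grant_is_safe(user, new_role, user_roles=USER_ROLES):
    """Preventive use: evaluate a grant before it is made."""
    return not violations(user_roles.get(user, []) + [new_role])

if __name__ == "__main__":
    for user, pairs in audit().items():
        print(user, pairs)
    print("dave + reconciliation_analyst safe?", grant_is_safe("dave", "reconciliation_analyst"))
```

The check works on effective duties rather than role names, so a conflict hidden inside a single bundled role is reported the same way as one created by combining two roles.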
Optimizing Controls
Risks and controls do not have a one-to-one relationship. One control may mitigate multiple risks and, conversely, multiple controls may mitigate a single risk. Obviously, it is best to implement controls that mitigate multiple risks. For example, a bank may perform a daily reconciliation of its ATM transactions to ensure that they are accurately recorded in the general ledger. This control also augments the bank's capability to detect failed ATM transactions. A bank can perform a daily reconciliation of its ATM transactions to mitigate the two risks as opposed to instituting multiple controls for each. Because SOX compliance requires periodic testing of key controls, the cost of compliance will decrease with the reduction of key controls. More importantly, optimization of controls can reduce the cost of performing redundant activities.
Singh, a certified internal auditor, serves as an assistant vice president in the risk advisory services division of EXL, where he helps clients review, evaluate and implement internal control systems that address operational and financial risks.
Copyright Risk Management Society Publishing, Inc. Apr 2008
Provided by ProQuest Information and Learning Company. All rights Reserved