SOX requires that publicly traded companies listed on U.S. exchanges put controls in place to address the potential for fraud in financial reporting. Like many compliance requirements, SOX compliance is time-consuming and can be costly for the organization. Anybody in your organization’s internal audit department can tell you exactly how much time they’ve spent putting together these reports to explain the organization’s internal controls as well as accounting policies.
These internal control and accounting policy requirements assist the organization in streamlining accounting procedures and enable it to respond to a potential incident of fraud or financial misstatement with greater agility. Compliance with SOX doesn’t have to be a frustrating maze of seemingly disconnected and unrelated organizational procedures and policies, though.
Decisively mapping out the organization’s business and accounting processes to communicate clearly with the organization’s internal and external auditors can assist the organization in understanding and changing its current processes to remain compliant with Sarbanes-Oxley.
Business Process Mapping
While SOX has a legacy of eighteen years, it is not static. In the past few years the Public Company Accounting Oversight Board (PCAOB) has been putting pressure on external auditors to require greater control over end-user computing (e.g., spreadsheets) as well as requiring process maps and flow diagrams, in addition to the lengthy written control narratives. As a result, external auditors require written narratives of the organization’s internal controls over financial reporting (ICFR) that are supported by detailed process flow diagrams. These show visually how the process works and where the risk and control points sit within that process. Lack of this documentation calls your organization’s ICFR processes into question. It leaves room for an auditor to determine that the lack of detailed process documents might leave them unable to form an opinion on the design and operating efficacy of internal controls.
Overall to actually remain compliant, it is essential to:
Not only does this allow the organization to streamline accounting processes and procedures, but it can also allow for the organization to:
This allows the organization to handle SOX requirements with more ease, as it provides auditors with a clear overview of internal controls over financial reporting. It also assists in demonstrating a clear intent to mitigate any potential fraud and misconduct.
It is paramount for organizations to leverage technology to improve efficiency, agility and effectiveness in SOX compliance efforts and procedures. This regulation significantly expands the scope and responsibility of the organization’s ICFR. Approaching this through siloed and unagile manual processes means facing a nightmare scenario in terms of managing and reporting, one that fails to give auditors a clear view of the organization’s ICFR. Some organizations find that their internal control and SOX compliance teams spend 80% of their time managing documents and not improving compliance.
However, a technology architecture for SOX compliance that supports business process modeling leaves you with a more efficient, agile and effective SOX compliance framework. It allows business processes to be tracked and mapped in order to provide a clear understanding and justification for internal controls within the organization’s accounting and financial reporting processes.
Organizations need to leverage a SOX compliance technology architecture in order to make internal controls documentation and the mapping of accounting processes more efficient and effective in meeting SOX requirements and achieving greater visibility into the organization’s ICFR. This requires that organizations address the overall requirements within Sarbanes-Oxley and the pressure on external auditors by leveraging technology to make these compliance efforts efficient and agile, and to reduce time and cost.
SOX is just a start; many other compliance obligations also require business process modeling. Privacy regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) also require business process modeling to define how information flows and is used within organizations. Selecting the right technology that supports business process modeling can provide an infrastructure for SOX compliance as well as many other regulatory obligations organizations are facing.