I recently re-read a 2006 Harvard Business Review piece by Stephen Wagner and Lee Dittmar entitled The Unexpected Benefits of Sarbanes-Oxley and was impressed again by the authors’ prescient view that more companies would eventually see the business performance value that controls and structures demanded by SOX could provide. Much of what they predicted about the future of SOX compliance is reflected in OCEG’s new illustration on Performance-Driven Sox Compliance Management.
Before reporting on how some forward-thinking companies had already started to implement better information management and stronger control frameworks in response to the law, the authors note, “As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.” They go on to note that many improvement projects were identified but parked for later attention so that the immediate need to satisfy the first year of the law’s requirements could be addressed.
A decade later, many of those projects remain delayed or incomplete, while others are stuck in a first or second generation version of control systems. The irony is that SOX provoked attention to needed change in detective, preventive and responsive controls, as well as documentation and reporting capabilities, but at the same time initially sucked up so many resources through overreaching consulting projects and inappropriately broad control testing that the opportunity to focus on performance improvement was largely lost in the shuffle.
As with so many projects, a “set it and forget it” mindset and general complacency about revisiting processes and systems once established have won the day. Too many compliance officers admit, behind closed doors or in quiet conversations, that they know their old but still operating approaches are too costly and too unreliable, yet few have the stomach to tackle a redesign.
Today, though, advances in GRC technologies and the expansion of the role of internal audit converge to make SOX and other aspects of compliance critical enablers of business performance. The shortcomings in compliance and risk management across the board, not just in financial reporting, highlighted by Wagner and Dittmar in their 2006 article, can finally be addressed in a holistic way. There is an opportunity now to make the business case for change in SOX and to take advantage of the ways a current, systematic approach can provide meaningful insights that drive better business outcomes.
When SOX was first implemented, GRC technologies were in their infancy. They were still largely developed for addressing separate needs, and were used by distinct teams. Internal audit had their tools, finance had theirs, compliance had tools for each area of concern, and spreadsheets were still the mainstay of many companies. So it is no surprise that the consulting firms grasped the SOX opportunity and ran with it, designing huge control implementation and testing projects. The control testing approach (and I mean testing of every control) did initially satisfy regulators, but it provided little to no usable information for business planners and operators.
Since first setting up these systems, many companies have made virtually no changes to their controls or testing schemes, despite sometimes obvious need for change. The fear of having another time-sucking, resource-eating project is just too great.
But things have changed. There is technology today that can streamline SOX processes to support required reporting and, at the same time, provide real insight into risk that can drive better business strategies and outcomes. Instead of establishing zillions of controls and testing them all (and all of the time), processes and controls can be selected based on risk assessment and information can be viewed and analyzed for various needs. New systems support collaboration and communication between business operators, executives and auditors. The benefits seen by the handful of forward-thinking companies discussed in the Wagner/Dittmar article have expanded and are available to all at a fraction of the cost of legacy SOX approaches.
It’s time for a do-over. We need to step back and take a fresh look at how best to meet the SOX requirements with processes and technologies that provide transparency into things that have an impact on performance. While SOX was enacted to improve the reliability of financial reporting, its most valuable by-product has been revealing the sorry state of information management, understanding of risk, and compliance in many organizations. This added knowledge, if addressed by changes in the way we do business, can make any organization leaner, more agile and more successful.