For companies struggling to meet SOX 404 compliance requirements, internal control problems can usually be traced back to people, process, or technology issues. In fact, companies are making the same series of common mistakes, all of which carry substantial risks.
The silver lining to the ubiquitous nature of these problems is that proven solutions already exist. By asking the right questions, organizations can identify the root causes of people, process, and technology mistakes and how to correct them moving forward.
People: Do you have the right skill sets and authority levels in place to ensure SOX compliance?
All organizations rely on their staff to maintain internal controls effectively. But sometimes these individuals don’t have the necessary expertise to spot control deficiencies. This is common if they’ve held the same role for a long time but haven’t evolved their skill sets in tandem with changing interpretations of SOX compliance requirements. It can also occur when an organization has trouble attracting, hiring, and retaining staff with the requisite level of experience. While these challenges are expected in a tight labor market, another consideration is a company’s perceived “culture of compliance;” those with a poor culture will be less attractive to qualified candidates.
Having the right skill sets in place is just the first step. If experienced staff lack the authority to remediate faulty controls, the risk of noncompliance increases. Any of these issues, if large enough, could have a domino effect that creates much broader business concerns. For example, if an issue is identified resulting from an ineffective control environment, this could be a symptom of a material weakness or potentially a material misstatement. That could in turn damage the business’s reputation and decrease confidence among shareholders.
To adopt a better approach, identify control owners and champions with the right skills to detect potential or existing issues. Then, give them the authority they need to drive change. If you outsource certain control functions, remember that the outsourced party is not the control owner; that responsibility — and the ultimate authority to act — still rests internally in the organization. In all cases, empower your team through education, reinforce accountability, and engage subject matter experts when needed. These best practices all support SOX compliance and offer protection from much bigger consequences.
Process: Have you established proper segregation of duties?
Segregation of duties (SOD) ensures critical responsibilities are dispersed among several team members, so that no sole individual can unilaterally impact processes. While SOD is a fundamental business principle, it’s often not followed to the extent it should be. The reason why is usually quite simple: the human resistance to change. Many companies are overly dependent on how things have always been done and neglect to adapt their SOD when needed. However, other circumstances could also be at play. For instance, lean organizations often find their hands are tied when it comes to SOD, if a smaller staff size makes it impossible to divide key responsibilities between multiple people.
These factors are certainly understandable, but they nonetheless drastically increase the risk of SOX noncompliance — not to mention fraud. That’s why organizations should perform an SOD analysis to identify conflicts, remediate key controls, and introduce mitigating controls as needed to detect improper actions. For new or growing organizations with a smaller team, verify that the preparer of required reporting doesn’t also act as the reviewer. If it’s the same person, engage an independent party to perform the review instead, which won’t increase headcount.
With SOD in place, organizations have greater assurance they’re doing all they can to prevent fraud. They’ll also catch and prevent human error, which can be equally damaging even if it isn’t carried out maliciously.
Technology: Can you rely on your IT systems to enforce SOX compliance?
Mistakes are bound to happen if control owners have an “if it ain’t broke, don’t fix it” mindset when it comes to technology. If a system has been in place for several years and hasn’t been updated, there’s a chance that it’s in fact broken, but the symptoms simply aren’t visible.
For example, organizations that track changes made to their IT systems will be able to diagnose whether reporting errors were ultimately caused by those changes. But many older systems don’t have the advanced audit trails and tracking capabilities that newer systems have. And without them, you might not be able to truly understand how a problem occurred and how to prevent it in the future.
Additionally, to enforce SOD, IT systems should exercise proper access management through password protection and user access restrictions based on role, including separate roles for the test environment and production environment. These qualities are important for any system that impacts financial statements, such as accounting, timekeeping, expense management, procurement, inventory, shop floor management, and IT ticketing systems.
Each of these systems could potentially fall under the umbrella of SOX compliance. But when defining the scope of their review, many organizations mistakenly leave out one or more key systems. For example, perhaps your primary accounting system adheres to stringent requirements, but what about your IT ticketing system? This system should probably be included in scope if it’s used as evidence that technology settings or user access were changed in accordance with protocol.
To prevent these issues, regularly review which systems are deemed to be in scope and make sure the right IT general controls (ITGCs) are in place. Resist the urge to rely on legacy systems solely because they’ve been trusted in the past. By taking a proactive approach, you’ll have peace of mind in the systems you’re relying on for accurate financial reporting and SOX compliance.
Next up: Guard against SOX compliance issues with our checklist
While these examples of people, process, and technology mistakes are relatively common, that doesn’t mean you can afford to make them.