Do you want to upgrade your SOX program?

December 19, 2017

Even though organizations have been doing this for years, my experience tells me that perhaps 90% of them could make significant improvements.

I am not talking about the ‘suggestions’ the external audit firms are making in response to so-called new PCAOB requirements (they have only re-emphasized existing requirements).

I am talking about the opportunity to get the scope right, eliminating focus on controls that are not key controls.

I have a couple of suggestions.

The first is an update to my very popular book, Management’s Guide to Sarbanes-Oxley Section 404, 4th Edition (all proceeds go to the IIA Research Foundation).

The second is to join me in February for my SOX Master Class. (We are also planning one for April).

A closing question:

If you have identified control deficiencies where there is no reasonable possibility of them leading to a material error or omission, why are they in scope?

Happy Holidays to all.

  1. Richard Archer
    December 19, 2017 at 6:40 PM

    Norman – Although the number of SOX systems to which I’ve had exposure is unlikely to be as large as yours, my experience is about the same as yours – at least 90% could benefit from significant improvements.

    The issue you raise of controls labelled as being “key” that have absolutely no impact at the consolidated corporate level is one that has shown up in every SOX system I’ve reviewed. In the companies I’ve worked with, that problem existed because controls were identified at the business unit level, then rolled up automatically in the SOX compliance software without much additional review. At the business unit level, the control could well be “key”, even if at the corporate level that entire business unit could disappear from existence and would be no more than a rounding error in the corporate financials. None of the SOX compliance software I’ve seen in use allows categorizing key controls by the corporate reporting level of the entity where the control exists. The business unit key control needs to be monitored by the management of the business unit with warnings sent to the next higher level of management if there is failure. However, no one at the corporate reporting level should have their time and attention diverted by those low-level key controls.

    The other issue related to the business unit level key controls that I haven’t seen addressed in SOX compliance software is aggregating the impact of the same business unit key control across multiple business units. As a result, the potential materiality associated with the risk of concurrent control failure across multiple business units is not addressed. Concurrent control failure across multiple business units can happen and it could result in a material impact, especially if it is a control that has a knock-on or flow through effect for other controls.

    The biggest concern I have based on the SOX reviews I’ve done is that SOX compliance systems and their supporting software have become entrenched routines that seldom result in either additions to or deletions from established control registers. For some organizations, SOX seems to have become nothing more than a practice of rote compliance with established norms. Organizations change, as do the political, economic, technological, market, and financial environments in which they exist. I haven’t seen corresponding changes occurring in SOX compliance systems to reflect the changes in controls driven by organizational and environmental change.

    Small Aside – For a person who claims to be cutting back and retiring, it looks like you are going to have a very busy schedule. 😉 Great to see that those of us who appreciate your many contributions to the profession will still have you around as a source for thought leadership and to challenge our thinking on a broad range of issues around governance, risk, controls, and audit. Great to see all the nominations you are getting for professional recognition. They are well deserved.

    • Norman Marks
      December 20, 2017 at 6:58 AM

      Richard, thank you for your comment – especially the nice words at the end.

      Aggregation is tough. People forget their high school math, that the likelihood of two separate things happening is the product of their individual likelihoods. So, if you have what appears to be the same control operating at different locations with different people and different sources of information, the likelihood of both failing and causing an error at the same time and in the same direction is in fact far less than the product of their likelihoods. I teach the concept of a single point of failure.

      Best for the holiday season and 2018.
