Sarbanes-Oxley, year two: the glass is half full.

The predictions, prognostications and public outcry surrounding the high cost, energy and questionable value of compliance with the Sarbanes-Oxley Act (SOX) have been loud and clamorous. Yet, many organizations have already begun reassessing their own efficiency and competence as they conclude their first year of operation under SOX. While we all wait to see how rigorously the enforcement standards will be applied, forward-thinking organizations are quickly recognizing that many of the operational changes required for ongoing SOX compliance are, in fact, well-suited to accommodate operational and financial controls that are tied not just to regulatory compliance but to business performance monitoring and broader enterprise risk management. There is a growing consensus that the essential operational and technological ingredients for ongoing SOX compliance are also at the core of a successful recipe for a broader enterprise risk management approach that promises to improve business performance and operational transparency.

Change is never easy, and change that touches individual responsibilities, organizational processes, supplier relationships and new technologies can be downright intimidating. As it turns out, initial evidence indicates that this is one of those rare circumstances where the tactical and the long-term approaches are closely aligned. Although a modified approach is called for, it should not increase total cost of ownership or push out the completion date: SOX compliance activities can be automated in a way that is flexible enough to accommodate other regulatory topics such as CoBIT, Code of Conduct (SOX-related mandates) and other nonregulatory control frameworks tied to performance and other aspects of your business. How can organizations stay focused on the immediate requirements of SOX filings while positioning themselves for an integrated ERM approach to regulatory, operational and financial compliance?

Step 1: Define an approach to SOX that separates the control framework from the processes (assessment, testing, remediation, etc.) and from the organization that must execute those processes. Managing SOX as a collection of well-formed relationships dramatically simplifies the specification and ongoing change management of SOX requirements (a short-term win) while setting the stage to automate and integrate other mandates and control frameworks (a long-term win).

Step 2: Align your compliance activities with the elements of an effective compliance program as defined by the U.S. Sentencing Commission. In order to receive an unqualified opinion, your organization is going to have to demonstrate a well-defined operational approach to risk management and ongoing compliance management. The U.S. Sentencing Commission's definitions are clear, directly tied (although not exclusively) to SOX compliance and reduce potential fines by up to 95%. While these guidelines are certainly not the only way to implement an effective compliance program, it makes good sense to align with the only approach that inherently reduces the risk of prosecution and is a key component of the formula that the courts use to calculate fines.

Step 3: Partner with service and technology providers that understand Steps 1 and 2 and have aligned their products and services accordingly. While the enforcement standard for SOX is clear, the rigor of enforcement and the acceptable practices for compliance will be established over the coming years. The ability to offer flexible support for SOX, remain aligned with the U.S. Sentencing Guidelines and manage the changes that are an ongoing part of any business are the basic criteria for a lasting SOX compliance infrastructure.

The good news is that external mandates such as SOX and internal mandates tied to operational best practices both benefit from the same effective process discipline, consistency and measurement. There is no good reason that SOX infrastructure should not serve as the first in a long list of mandates supported within a shared compliance framework.

The future is one where businesses clearly define what risks they are going to take, create defined procedures to operationalize those risks, and use real-time measurement to align outcomes with goals. Changes in best practices, enforcement rigor and appetite for risk require broad management of issues even in the context of tactical compliance initiatives. The role and impact of enterprise risk management is likely to grow significantly in the wake of evolving SOX compliance processes which, in the end, will be good for business performance.

Sebastian Holst is vice president, marketing for Axentis, a leading provider of governance, risk and compliance software based in Warrensville Heights, Ohio.
COPYRIGHT 2005 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:Regulatory compliance proving its mettle
Comment:Sarbanes-Oxley, year two: the glass is half full.(Regulatory compliance proving its mettle)
Author:Holst, Sebastian
Publication:Risk Management
Geographic Code:1USA
Date:Mar 1, 2005
Previous Article:Three simple rules.
Next Article:Navigating D&O in a Brave New World.