Sarbanes-Oxley, year two: the glass is half full.
Change is never easy, and change that includes individual responsibilities, organizational processes, supplier relationships and new technologies can be downright intimidating. As it turns out, initial evidence indicates that this is one of those rare circumstances where the tactical and the long-term approaches are closely aligned. While this calls for a modified approach, automating SOX compliance activities so that they are flexible enough to accommodate other regulatory topics such as CoBIT, Code of Conduct (SOX-related mandates) and other nonregulatory control frameworks tied to performance and other aspects of your business should not negatively impact the total cost of ownership or the time of completion. How can organizations stay focused on the immediate requirements of SOX filings while positioning themselves for an integrated ERM approach to regulatory, operational and financial compliance?
Step 1: Define an approach to SOX that separates the control framework from processes (assessment, testing, remediation, etc.) and the organization that must execute those processes. Managing SOX as a collection of well-formed relationships dramatically simplifies the specification and ongoing change management of SOX requirements (a short-term win) while setting the stage to automate and integrate other mandates and control frameworks (a long-term win).
Step 2: Align your compliance activities with the elements of an effective compliance program as defined by the U.S. Sentencing Commission. In order to receive an unqualified opinion, your organization is going to have to demonstrate a well-defined operational approach to risk management and ongoing compliance management. The U.S. Sentencing Commission's definitions are clear, directly tied (although not exclusively) to SOX compliance and reduce potential fines by up to 95%. While these guidelines are certainly not the only way to implement an effective compliance program, it makes good sense to align with the only approach that inherently reduces the risk of prosecution and is a key component of the formula that the courts use to calculate fines.
Step 3: Partner with service and technology providers that understand Steps 1 and 2 and have aligned their products and services accordingly. While the enforcement standard for SOX is clear, the rigor of enforcement and the acceptable practices for compliance will be established over the coming years. The ability to offer flexible support for SOX, remain aligned with the U.S. Sentencing Guidelines and manage the changes that are an ongoing part of any business are the basic criteria for a lasting SOX compliance infrastructure.
The good news is that external mandates such as SOX and internal mandates tied to operational best practices both benefit from the same effective process discipline, consistency and measurement. There is no good reason that SOX infrastructure should not serve as the first in a long list of mandates supported within a shared compliance framework.
The future is one where businesses clearly define what risks they are going to take, create defined procedures to operationalize these risks and use real-time measurement to align outcomes with goals. Change and evolution of best practices, enforcement rigor and appetite for risk require broad management of issues even in the context of tactical compliance initiatives. The role and impact of enterprise risk management is likely to grow significantly in the wake of evolving SOX compliance processes which, in the end, will be good for business performance.
Sebastian Holst is vice president, marketing for Axentis, a leading provider of governance, risk and compliance software based in Warrensville Heights, Ohio.
|Title Annotation:||Regulatory compliance proving its mettle|
|Comment:||Sarbanes-Oxley, year two: the glass is half full.(Regulatory compliance proving its mettle)|
|Date:||Mar 1, 2005|