I was pleased to participate in a recent roundtable discussion at The Institute for Financial Excellence’s Sarbanes-Oxley conference in Baltimore, Maryland. It prompted a lively discussion, moderated by John Hagerty from AMR Research. My fellow panelists were Lee Dittmar, principal and leader from Deloitte Consulting, Michael Duffy, president and CEO of OpenPages, Charles Sansbury, CFO of Vignette, and Mike Malwitz, senior product manager from Hyperion.
As panelists, we represented different perspectives on the types of technology and services required to support Sarbanes-Oxley compliance. As you know, demonstrating SOX compliance has proven to be a time-consuming, labor-intensive process and it’s not one that’s going away. There’s virtually universal agreement that there is no “silver bullet” for achieving sustainable regulatory compliance. The conference panel discussion highlighted some of the technologies and approaches necessary to create an enterprise compliance framework that can enable companies to plan, implement, manage, and maintain ongoing testing and monitoring of the effectiveness of the internal controls related to financial reporting in support of SOX 404 compliance.
Audit tools and financial transaction monitoring capabilities – security and infrastructure controls, and process and documentation controls solutions – all play an important role in achieving compliance. These solutions can feed SOX compliance management, business intelligence, or business/corporate performance management solutions to provide greater and more timely visibility into, and assurance of, the controls health of the organization.
One of the more lively discussion points from the roundtable centered on the role of internal audit on compliance teams. Hagerty described AMR’s Active Compliance Framework to break down who is typically involved, what tasks are required, and how compliance should be achieved within an organization. This led to questions about the independence of internal audit. Let me explain. Internal auditors are the experts in internal controls testing within companies. Suddenly, new legislation was passed that required organizations to document, test, and certify the effectiveness of those controls. This left many organizations scrambling, and they found that their own internal audit departments were an excellent resource for helping them implement and monitor controls. And while this has been a good short-term solution and auditors should play an important strategic role within compliance teams, we’ve been hearing growing concerns voiced by our internal audit customers that their independence is being compromised by the tactical nature of this compliance work (manual testing of the controls).
Having internal audit design, implement, and test the internal controls that they are then expected to assess and validate puts audit impartiality at risk. As the controls experts in their organizations, internal audit’s insight into and understanding of the COSO internal controls framework were critical to tackling compliance with this new legislation. And the testing and monitoring of internal controls is by far one of the most difficult aspects of SOX compliance. But companies are going to have to automate the ongoing testing of controls – with responsibility for this task sitting squarely with the business unit manager, compliance officer, and financial management – and let audit get back to their role of being independent reviewers.
This led to several questions from the audience about what’s not getting done if internal auditors are focused on tactical compliance issues rather than their traditional areas of IT, financial, and operational audits. The answer, of course, varies by company, but it is unquestionable that bandwidth constraints will impact audit’s ability to deliver on its traditional mandates.
We also discussed the trade-offs taking place between the internal and external audit teams, how external auditors have picked up part of those responsibilities in some cases and how that’s reflected in their escalating fees. Automation of the testing of controls will be an important consideration going forward, so both external and internal auditors can get back to their role of providing independent oversight, and allow financial professionals to better monitor and test critical control areas on a sustainable basis.
The audience was also interested in how the CEO can develop a SOX compliance program that provides his or her company with a competitive advantage by leveraging compliance requirements to achieve operational efficiency gains. Hagerty had three suggestions: improve dashboard reporting, automate controls testing and refine compliance management to make sure the program in place has the right people and tools to support it. These are three areas that have provided many of their clients a quantifiable ROI when done to strengthen compliance and increase an organization’s “operational intelligence”, a term AMR is using to describe these needs.
We also heard from Lee Dittmar of Deloitte about leveraging the role of external audit and having them work closely with internal auditors to ensure both can utilize and leverage the work done on internal controls testing, and potentially even rely on the same tools for testing. Dittmar suggested organizations look to not only new financial compliance management technologies, but also to the tools they already have, to help them with compliance. This is not necessarily reinventing the wheel, but giving the engine that drives it more power.
Hagerty summarized with a reminder that there would always be a need for cross-platform solutions that can bridge the complicated IT structures that exist in most organizations. This was a good reminder of the need for technology vendors to continue to work together to provide customers with best-of-breed solutions that can be seamlessly integrated, in the areas represented by the roundtable panelists – business intelligence (Hyperion), SOX compliance management (OpenPages, Vignette), and business assurance analytics (ACL Continuous Controls Monitoring). For organizations dealing with complex business, competitive, and regulatory challenges, this will provide a compliance framework capable of meeting unique company requirements, while providing a technology infrastructure capable of both sustaining compliance and optimizing business performance.
Everyone agreed that the challenges of SOX and other compliance mandates were not going away any time soon. There was consensus that technology must be leveraged to address the current concerns of cost, efficiency and sustainability, and that business improvement and a return on investment ought to be natural by-products of a strategic approach to these challenges.
Written by Harald Will, President and CEO of ACL Services Ltd. More information at www.acl.com.