Now that the critical period to achieve Sarbanes-Oxley compliance is just an unpleasant memory, it is time for banks to rethink their strategic approaches to SOX requirements. Since the regulation was introduced, experts have espoused that the massive efforts to bring companies' IT systems into alignment with the regulation should be seen as an opportunity. According to Paul Hamerman, VP of enterprise applications for Forrester Research (Cambridge, Mass.), for those companies savvy enough to recognize the act's hidden benefits, now is the time to take their SOX strategies to the next level.
"The first time around with SOX, there was an imposed deadline and everyone scrambled to meet minimum compliance requirements," Hamerman explains. "Now, it's time to look at the underlying systems and processes, and see how they can gain efficiencies from them."
According to Hamerman, SOX compliance can drive business integrity and operational efficiency. Banks' first taste of Section 404 compliance for evaluating internal controls was a trial by fire. In 2006, however, compliance efforts in all industries will have matured and companies will be able to leverage technology to support these endeavors, Hamerman asserts.
Tools of the Trade
Initially, there was not much software to help banks in their efforts to meet the more-stringent requirements, Hamerman notes. But in 2005, he says, he saw a significant ramp-up in the use of tools for documenting internal controls. This adoption will continue as companies learn to record and standardize their controls better, Hamerman contends. "You're going to see more automation and optimization of these controls. Much of it is done manually today," he says, adding that automation is a natural fit for determining segregation of duties and access control, for example.
Though the effort to gain IT transparency was onerous, the task was made even more so by cost. Going forward, that will no longer be the case, Hamerman relates. "One of the things that threw costs [of SOX compliance] up so high was companies' reliance on external advisers," he says. "As time goes by, companies of all kinds will rely more on themselves."
Banks do have their own unique SOX-related challenges, but overall, the similarities to those of other industries are strong, Hamerman notes. "When you look at SOX from an IT standpoint, the challenges are very similar across industries," he comments. "They all need good underlying accounting and reporting systems."
It has been suggested that SOX forced banks to update their massive IT infrastructures, but Hamerman does not agree. "What [SOX] has done is force them to take a closer look at what they're doing," he says. "The level of scrutiny required by SOX 404 has definitely led to changes at banks. But not all of them had to make these changes because they already had good controls in place."
Making the Best of SOX
1. Fine-tune your approach to focus on risks. Narrow the scope of SOX compliance to attain reasonable assurance that controls limit risks in key areas of financial exposure (i.e., where the money is).
2. Use technology to make SOX compliance repeatable and routine. To make the SOX internal controls evaluation process sustainable, use a purpose-built SOX software solution rather than spreadsheets or other lightweight tools.
3. Consider controls automation and monitoring tools to detect errors and discourage fraud, in lieu of manual, sample-based auditing methods.
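The automation Hamerman describes for segregation of duties, and the third recommendation above to replace sample-based auditing with monitoring of the whole population, both come down to codifying a control rule and running it over data. The following is an added illustration, not code from the article, from Forrester or from any vendor tool it mentions; the rights, roles, users and payment records are constructed, and the rule names are hypothetical. It shows two checks: a preventive one that flags users whose accumulated roles give them a toxic pair of rights, and a detective one that reviews every payment, rather than a sample, for self-approval or approval by someone without the right to approve.

```python
"""Segregation-of-duties (SoD) checks over constructed sample data.

Added example: the rules, roles, users and payments below are invented to
illustrate controls automation; they are not from any real system.
"""
from dataclasses import dataclass

# Toxic combinations: one person holding both rights could create a fraudulent
# payment and also approve or conceal it. Rule names are hypothetical.
SOD_RULES = {
    "create-and-approve-payment": ("create_payment", "approve_payment"),
    "maintain-vendor-and-pay": ("maintain_vendor_master", "approve_payment"),
    "post-journal-and-reconcile": ("post_journal", "reconcile_gl"),
}

# Role definitions (constructed): which rights each role grants.
ROLE_RIGHTS = {
    "ap_clerk": {"create_payment", "maintain_vendor_master"},
    "ap_manager": {"approve_payment"},
    "gl_accountant": {"post_journal"},
    "controller": {"reconcile_gl", "approve_payment"},
    "gl_superuser": {"post_journal", "reconcile_gl"},
}

# User-to-role assignments (constructed). "carol" kept her old clerk role
# after being promoted, the usual way SoD conflicts creep in.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},
    "dave": {"gl_superuser"},
    "erin": {"gl_accountant"},
}


def effective_rights(user, user_roles=USER_ROLES, role_rights=ROLE_RIGHTS):
    """Union of the rights granted by every role the user holds."""
    rights = set()
    for role in user_roles.get(user, ()):
        rights |= role_rights.get(role, set())
    return rights


def sod_violations(user_roles=USER_ROLES, role_rights=ROLE_RIGHTS, rules=SOD_RULES):
    """Preventive control: map each user to the SoD rules their rights violate."""
    findings = {}
    for user in sorted(user_roles):
        rights = effective_rights(user, user_roles, role_rights)
        hit = [name for name, (a, b) in rules.items() if a in rights and b in rights]
        if hit:
            findings[user] = hit
    return findings


@dataclass(frozen=True)
class Payment:
    pid: str
    amount: float
    created_by: str
    approved_by: str


# Constructed payment population; a real check would read the full ledger.
PAYMENTS = [
    Payment("P-1001", 4200.00, "alice", "bob"),
    Payment("P-1002", 18750.00, "carol", "carol"),
    Payment("P-1003", 950.00, "alice", "carol"),
    Payment("P-1004", 25000.00, "alice", "alice"),
]


def payment_exceptions(payments=PAYMENTS, user_roles=USER_ROLES, role_rights=ROLE_RIGHTS):
    """Detective control over the whole population, not a sample.

    Flags payments approved by their creator and payments whose approver does
    not actually hold the approve_payment right.
    """
    exceptions = []
    for p in payments:
        reasons = []
        if p.created_by == p.approved_by:
            reasons.append("self-approved")
        if "approve_payment" not in effective_rights(p.approved_by, user_roles, role_rights):
            reasons.append("approver lacks approve_payment")
        if reasons:
            exceptions.append((p.pid, reasons))
    return exceptions


if __name__ == "__main__":
    for user, rules in sod_violations().items():
        print(f"SoD conflict: {user} -> {', '.join(rules)}")
    for pid, reasons in payment_exceptions():
        print(f"Payment exception: {pid} -> {', '.join(reasons)}")
```

Run as-is, the first check reports carol (two conflicting rules) and dave, and the second reports P-1002 and P-1004. The point of separating the rule tables from the check functions is that the rules become the documented, reviewable control, while the checks can be scheduled against the access and ledger data on every cycle.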