SOX Compliance: A Smarter Way Forward A New Approach Can .

Transcription

SOX compliance: A smarter way forward

A new approach can improve compliance quality, add flexibility, and reduce costs

Contents

Sarbanes-Oxley compliance—still challenging, but why?
The state of SOX compliance
It’s time for a new approach
Key to the new approach—taking complexity out of the equation
Managed services for SOX compliance—filling in the gaps
Five reasons to consider change
Retaking the reins of compliance
Let’s talk

Sarbanes-Oxley compliance—still challenging, but why?

The Sarbanes-Oxley Act (SOX) of 2002 has been around longer than smartphones, ridesharing, cryptocurrencies, and modern cloud computing. Babies born the year it became law are now old enough to drive.

So SOX compliance should be well in hand, right? Not necessarily. Increasing demands, regulatory requirements, and changing market dynamics have made stable processes a moving target. Add corporate activity such as entry into new markets, mergers and acquisitions, and digital transformation to the mix, and it becomes clear why SOX compliance remains a costly, challenging endeavor.

But it doesn’t have to be. Although SOX compliance is here to stay, organizations have the opportunity to challenge the status quo. They can reimagine their scope, process, and delivery model to achieve SOX compliance at a lower cost; higher quality; and a right-sized, risk-based approach. To better understand the marketplace demands, let’s look at the current SOX compliance landscape.

The state of SOX compliance

Four market realities characterize the SOX compliance environment today, all of which can build up complexity in SOX compliance programs.

REGULATIONS
Standard-setters, such as the Public Company Accounting Oversight Board (PCAOB), are increasing oversight and mandating change at a steady clip. They then pass oversight along to external auditors, raising the amount of effort it takes for organizations to comply with SOX. These regulatory requirements are being applied with a very broad brush and very often do not take risk into account.

PEOPLE
Effective SOX compliance work demands strategic thinking, technical capability, and deep-seated SOX insights—a combination of skill sets that remains stubbornly scarce in a field some may perceive as having little upward mobility. Some basic compliance activities may be better suited for automation, therefore optimizing the use of highly skilled resources toward higher-risk activities. Alternative delivery models can help organizations fill the resource gap, drive greater capabilities, and align to the right priorities.

PROCESSES
SOX compliance processes and approaches have undergone few changes in recent years. They often rely upon frequent changes and tight turnaround times that can prompt ad hoc adjustments via labor-intensive, error-prone manual processes. By standardizing processes, organizations can change the way they approach the SOX life cycle and drive to a more effective process.

TECHNOLOGY
Reliance on often disparate legacy systems for control testing and documentation means spending excessive time on managing information. Automation, analytics, and continuous control-monitoring tools can enhance the way compliance professionals work and drive insights and outcomes in the process.

It’s time for a new approach

In light of these market realities, a new approach to SOX compliance can reveal opportunities to:

ENHANCE RESOURCES
How efficiently does the compliance program allocate people, processes, and technology, and could they be reallocated to more important, strategic areas or imperatives?
Examples: Higher-risk areas may be under-resourced while talent acquisition and management may take too much investment relative to the value they bring.

INCREASE RELEVANCY
Where can the compliance program sharpen its focus?
Examples: Clearly aligning the internal control over financial reporting (ICFR) framework with financial statement risks can help organizations rationalize and standardize their risk and control matrices and focus on risks that are most important to leadership.

INNOVATE
What are some ways to boost the compliance program’s effectiveness?
Examples: Leveraging modern technology, such as robotic process automation, analytics, and continuous control monitoring—along with standardized controls—can help to refocus the ICFR framework.

GAIN ECONOMIES OF SCALE
Where can the organization increase compliance program output to bring down its total cost?
Examples: Similar processes can be standardized across the operation; multiple teams can use the same analytics application.

Key to the new approach—taking complexity out of the equation

The guiding principle of any SOX modernization initiative should be simplification. One aspect of a refreshed view on SOX compliance is to revisit the risk assessment. Performing a robust risk assessment and clearly aligning the risks of the organization around ICFR with the assertions and the controls can provide a simpler framework and more streamlined approach.

For example, based on risk assessments performed in many organizations, roughly 20 percent of ICFR risks might be considered high risk, while 80 percent of them are usually medium to low risk. A more efficient approach to compliance would focus time on the 20 percent, by simplifying and standardizing the approach to the remaining controls.

20% HIGH-RISK AREAS
A control failure in a high-risk area is more likely to result in a material weakness or significant deficiency, which an organization would then have to disclose to the public or the organization’s audit committee. This could bring the negative perception that often accompanies financial restatements, additional scrutiny by regulatory agencies, or even potential fines. High-risk areas merit extra attention, a robust controls approach, and additional testing and monitoring.

80% MEDIUM- TO LOW-RISK AREAS
Medium- to low-risk areas are the ones where failure is unlikely to result in a significant issue. For example, accounts payable transactions are similar in most organizations from a SOX compliance perspective. These transactions don’t require an extraordinary amount of testing or documentation, and they tend to look the same from one organization to another. As such, the controls around accounts payable could in many cases be standardized to create a more streamlined approach.

Many companies approach medium- and low-risk areas with the same mindset as high-risk areas. This doesn’t have to be the case. Standardization can make shorter work of compliance by removing unnecessary steps from the process, while still maintaining high levels of compliance rigor and quality.

Managed services for SOX compliance—filling in the gaps

Even if it is more efficient, reallocating resources to higher-risk areas can leave gaps in lower-risk areas that still need to be managed. A managed services approach to SOX compliance can help public companies close resource gaps while reducing complexity by tapping into the staffing, technology, and knowledge capabilities of a capable service provider. The managed services provider takes on long-term management of the SOX program—including staying current with compliance mandates—while responding to the expectations of management, auditors, and regulators.

REPEATABILITY of outcomes year over year
PREDICTABILITY of both outcomes and cost
SCALABILITY using a flexible talent model
STANDARDIZATION of control frameworks, processes, tools, and management

Underpinning the approach—enabling technologies

Reimagining SOX compliance through managed services can have additional positive impacts for the way the program works, the resources it needs, and how it evolves in the face of unrelenting change. But to unpack these implications, it’s necessary to understand the role that technology plays along with the interplay between technology and standardization.

ROBOTIC PROCESS AUTOMATION
With robotic process automation (RPA), software robots mimic the way people interact with applications to carry out routine business processes—think filling out a form or scanning an email for certain types of data. A standard set of risk controls can allow for the design of a single bot to run a test repeatedly throughout the organization.

ANALYTICS
The advent of powerful analytics tools has turned massive data volumes into potential sources of intelligence that can further the interests of the business. With standardization, organizations can turn analytics from a series of point solutions into a single version of the truth across the SOX compliance life cycle.

CONTINUOUS CONTROLS MONITORING
Continuous controls monitoring (CCM) uses technology to keep track of financial transactions in real time, without having to rely on statistical sampling. CCM, on top of a common set of embedded controls, can be an efficient way to improve business processes, detect risks, and check on compliance across multiple business units or locations within an organization.

Five reasons to consider change

Of course, there’s always a better mousetrap, even when it comes to SOX compliance. And as many organizations can point out, with some justification, they’ve been getting the job done for the better part of 20 years. So why change?

1. Basic compliance can be costly.
Many organizations don’t realize how much they’re spending on staffing, technology, external audits, and management overhead. A savings of 20 percent could free significant capital for the business to reallocate to higher-value areas or risks.

2. Change doesn’t have to be radical.
By and large, improving SOX compliance is less about upending existing programs than about refining their approach, asset deployment, and use of technology. Small steps can produce significant results.

3. Companies can learn from others’ leading practices.
Specific challenges of SOX compliance are often common across many companies, making effective practices more applicable than many might suppose.

4. The value can be significant and multifaceted.
Among other things, change can result in a lower total cost for SOX compliance, a reduced risk profile, and a greater number of quality outcomes.

5. It can align stakeholders, including management, external auditors, internal audit, and the audit committee.
The change management process can improve communication, clarify roles and responsibilities, and articulate the compliance strategy in terms of better outcomes for the organization at a lower cost.

Retaking the reins of compliance

SOX compliance is a fact of life for public companies. That said, companies have more options for managing it than many realize. The starting point is a willingness to challenge long-held assumptions about the people, processes, and technology that a well-run program requires.

Over the years, market realities have led to growing complexity in compliance programs. Why not pause and take a critical look at whe
