The Sarbanes-Oxley Act has been called the most comprehensive reform of corporate law since the Securities Exchange Act was passed in 1934. The effects of SOX are far reaching. Its provisions govern actions by management, audit committees, and boards of directors of public companies.
Like it or not, Sarbanes-Oxley is here to stay. Its impact on IT departments is major and growing. The reaction of many IT groups is to document everything in sight in an attempt to cover themselves. In the end, this can be counter-productive, expensive and wasteful.
SOX calls for corporate reforms to combat fraud and imposes a variety of higher standards of corporate governance. Legislating new rules of corporate conduct is relatively easy compared to laying out processes and procedures that people can actually follow without carrying around a 300-page manual.
Not every corporate artifact and action must be documented. The point is to focus on operating procedures that relate to financial recordkeeping. Think about efficiency, accuracy and privacy in handling data. By focusing on the things that matter to your business, you can keep SOX documentation clear and simple while fully complying with the regulations. These five tips will get you started.
Begin by reviewing the Top 10 SOX Questions accompanying this article. The questions are not all inclusive but give you a good idea of what preparations need to be made. Now let’s turn our attention to the documentation.
Tip 1: Specify accountability
Technically the CEO and CFO are ultimately responsible for financial reports but they will want to know who provided the information. Create a list of major functional areas related to SOX and clearly identify who is accountable. This is not an org chart nor is it simply a list of senior managers. Identify the following: Who handles financial information? Who has the final say in deciding that the information is technically accurate? Who is in a position to modify or reclassify the data? Be clear and concise. If CEOs have a question, they should be able to pick up this list and call the responsible person directly. Break it down by business unit, division or whatever segmentation makes sense in your firm. Keep it electronic and easy to update.
Tip 2: Clearly define the businesses processes for managing financial information
Business process documentation can become a multi-volume encyclopedia if you let it. Don’t!
Not all business processes need to be documented and tested – only the ones that are critical and material to the production of financial statements and disclosures. Keep reasonableness in mind. This is not a torture test.
Simple diagrams showing process steps in rectangles and decision points in diamonds are usually the best way to go. Each business process should fit on a one- or two-page diagram. If there are too many steps in the process, either your steps are too granular or you should break up the main process into several subprocesses.
There should be associated documentation for each step showing the following:
• The person that performs or oversees the activity
• The systems involved in the activity
• The information required to complete the activity
• The information resulting from the activity
• The business rules that govern the activity
• When and how often the activity is performed Simply reporting financial numbers is not enough. You must be able to show how the numbers were derived.
Tip 3: Define all the computer systems that handle the data.
It is not sufficient to simply say that you use an enterprise resource planning application like SAP or Great Plains to perform your financial analysis. The underlying database and the reporting tools must also be factored in.
Most companies use Microsoft Excel for at least some of their analysis and reporting. While Excel is a marvelous tool, its simplicity makes it easy to introduce calculation errors. Many financial reporting errors occur after the data leaves the accounting software.
Make sure you fully understand how all the numbers were derived. You’ll need documentation for the software including version and patch levels. You should also have detailed information for the operating environment such as the version of Windows and any add-ins that are used.
(Note: This is basic asset management. In this case, we are focused on assets that have a direct bearing on the reporting of financial results.)
Tip 4: Write up a code of conduct and get it signed
Having good processes and systems are not enough. Your staff needs to buy in. There should be an employee code of conduct that encourages people to be honest, diligent and willing to follow the rules. Everyone in the company should sign such a document and have it placed in their personnel file.
You could limit the code of conduct to employees handling financial data. However, if are going to go to the trouble of preparing and distributing such a document, why not just have everyone buy in? While this may seem excessive to some people, the SEC requires that CEOs and CFOs certify the accuracy of the results they report. Requiring that employees agree to abide by company polices and procedures in writing, seems not only sensible but essential in convincing auditors that the information provided is truthful and accurate.
Tip 5: Conduct a risk assessment and develop mitigation measures
This tip is last because it is the most complex. Risks vary widely from firm to firm. It is essential to show that efforts have been made in good faith to identify and evaluate areas of financial reporting where errors may be introduced. Such efforts combined with the development of internal controls to mitigate those risks provide reassurance to auditors. What kind of risks might you face? Here are a few examples.
- Major upgrades or replacements of financial reporting systems
- Major changes to manufacturing or inventory tracking systems
- Substantial increases or reductions in workforce - Security breakdowns and system intrusions - Significant amounts of human intervention in processing results
- System failures, particularly those requiring restoration of data It is essential to document these risks and others that may be unique to your organization. Then document steps taken to mitigate each risk and why you believe that the final reported results will not be impacted.
Testing of the risk mitigation measures is a good idea. To be effective, this requires creation of a test plan. The plan should specify what is being tested, how, and by whom. Define the test cases by simply describing adverse scenarios followed by the steps to be taken in correcting the situations. Run through the scenarios and document the results to provide evidence of this testing. Keep all documentation on file for review by the external auditors.
Think about continuous improvement. As your business grows and evolves, risks will change and response mechanisms will have to be revised. In conclusion, don’t try to document every detail. Focus on the things that matter in the creation of financial reports. If you follow the tips outlined in this article, you’ll be able to show a good faith effort to report accurate results and your CEO will thank you for it.
Vin D'amico is a technical writer with Writing Assistance (www.writingassist.com), a Plymouth, Minn.-based provider of contract technical writing, copy writing and Web content services. D'amico specializes in business continuity plans and secu