A few weeks ago Deloitte published a really useful, short whitepaper titled
"Under
Control: Sustaining Compliance with Sarbanes-Oxley in Year Two and Beyond."
(You can download the paper for free, but access requires registration.)
Recognizing that meeting first year SOX 404 compliance requirements was a
real fire drill for many companies, the paper asks the important question of how
to turn this into something that is sustainable. You should download and
read the full paper, but I will pull out a couple of observations that seemed
particularly important:
- Many companies approached their initial SOX compliance efforts as a
"project." To the extent that the project focus helped
meet the deadlines, it was a good thing. But it is also a potentially
crippling attitude that companies must consciously undo over the coming
year. Internal control and SOX compliance requirements never
end. They need to become part of daily operations, not a special
project. Facing the need to "change gears" squarely
will be important.
- The internal audit team often emerged as a central part of the
compliance "project" in year one. That made sense for the
first year, but may not be the right approach over the long
run. Without more staff and resources, continued work on SOX would
displace important internal audit work. Perhaps even more critically,
if if internal audit becomes responsible for implementing and managing
controls, they will not be in a position to provide an objective
evaluation of those same controls.
- Information technology was often not well integrated into first year
compliance efforts — the focus was on meeting the deadline, not on
building a workable, sustainable system. Many companies will find that
it is possible to make the process more efficient and sustainable by
making strategic technology investments.
The paper is a nice overview of the problems faced by companies now that
initial deadlines have been met. It is the kind of paper that I put in my
files for future reference.
