A few weeks ago Deloitte published a really useful, short whitepaper titled “Under Control: Sustaining Compliance with Sarbanes-Oxley in Year Two and Beyond.” (You can download the paper for free, but access requires registration.)

Recognizing that meeting first year SOX 404 compliance requirements was a real fire drill for many companies, the paper asks the important question of how to turn this into something that is sustainable. You should download and read the full paper, but I will pull out a couple of observations that seemed particularly important:

  • Many companies approached their initial SOX compliance efforts as a “project.” To the extent that the project focus helped meet the deadlines, it was a good thing. But it is also a potentially crippling attitude that companies must consciously undo over the coming year. Internal control and SOX compliance requirements never end. They need to become part of daily operations, not a special project. Facing the need to “change gears” squarely will be important.
  • The internal audit team often emerged as a central part of the compliance “project” in year one. That made sense for the first year, but may not be the right approach over the long run. Without more staff and resources, continued work on SOX would displace important internal audit work. Perhaps even more critically, if internal audit becomes responsible for implementing and managing controls, they will not be in a position to provide an objective evaluation of those same controls.
  • Information technology was often not well integrated into first year compliance efforts — the focus was on meeting the deadline, not on building a workable, sustainable system. Many companies will find that it is possible to make the process more efficient and sustainable by making strategic technology investments.

The paper is a nice overview of the problems faced by companies now that initial deadlines have been met. It is the kind of paper that I put in my files for future reference.