By CYRIL TUOHY, managing editor of Risk & Insurance®
Oh, how risk managers would love to the lock SOX in a box, throw away the key and toss it off the dock.
If Dr. Seuss had penned the Sarbanes-Oxley Act, risk managers might have derived some pleasure out of reading the weighty document, passed into law in the wake of the Enron, WorldCom and Tyco International scandals a decade ago.
Instead, many risk managers are slogging through the law's compliance mandates, a job often made more difficult because many companies are not looking at Sarbanes-Oxley as a chance to innovate, automate and gain competitive advantage.
The findings are contained in a new survey titled "Thinking Outside the SOX Box.," by Ernst & Young. The survey, released Aug. 1, queried 225 global executives about their Sarbanes-Oxley compliance functions.
"Sox isn't dead," said Bob Cullen, a partner and global internal control leader with Ernst & Young, in an interview with Risk & Insurance®. "It's not going anywhere, and it's still a concern."
There's hope and help, however, particularly for companies looking to automate their controls, sending many of the functions associated with Sarbanes-Oxley offshore, taking advantage of a gamut of information technology resources, and innovating around Sarbanes-Oxley execution, said Ernst & Young.
"Testing is the most time-consuming process related to SOX controls," said Gerry Dixon, global risk leader for Ernst & Young. "Most respondents agree automation would free up both time and money."
A total of 22 percent of respondents have between 1,000 and 2,499 Sarbanes-Oxley-related controls, and another 13 percent of respondents have 2,500 Sarbanes-Oxley-related controls or more, the survey found.
Sarbanes-Oxley is a "tremendous drain" on resources, particularly those in internal audit, that could be deployed on more value-added tasks, the report found, the report said. Outsourcing or "cosourcing" is one way to help managers "offload" the law's compliance, lower-value functions. "If done properly and done right, you can lower your cost with outsourcing and cosourcing," Cullen said.
Cosourcing is a practice where a service is performed by staff from inside an organization and by an external service provider.
Ernst & Young, to whom many companies have outsourced their functions, has experts globally and offshore resource specialists in its global talent hub in India. Additionally, other companies use offshore resources in Sri Lanka, the Philippines and China, Cullen also said.
If companies redirected some of their information technology power to more deeply scope out their risks, it would turn their technology into a competitive advantage, the survey found.
The survey found that 37 percent of respondents never used data analytics, 39 percent never used automated testing methods, and 88 percent never used predictive modeling as part of their control testing process.
Information technology investment can be "a tremendous asset in gaining a competitive advantage and be beneficial when applied to SOX functions," Dixon said.
"But let's be clear: leveraging your information technology investment goes far beyond turning on various automated controls in the systems and automating testing," Dixon also said. "There is a real opportunity to use technology more strategically."
Passed in 2002, the Sarbanes-Oxley Act set tougher standards for U.S. public company boards, management and public accounting firms in the wake of the collapse of Enron Corp., and the scandal surrounding the company's accounting firm Arthur Andersen.
Proponents hailed the law as a necessary step to hold managers accountable and protect investors in the wake of the Enron collapse. Detractors labeled Sarbanes-Oxley as a compliance headache that was onerous, unnecessary and would end up costing companies millions of dollars.
Sarbanes-Oxley, now more than nine years old, requires annual certification by the C-suite and Cullen called the law "a complex and continual challenge."
As companies push into new, global markets, and acquire new subsidiaries and divest themselves of old ones, Cullen said companies will need to find ways to operate more efficiently under Sarbanes-Oxley.
Despite this, opportunities for applying innovative practices to the Sarbanes-Oxley function were relatively untapped option, the survey found.
August 9, 2011
Copyright 2011© LRP Publications