Making It Happen
SOX regulations and their implementation have produced a series of best practices that help companies improve risk management, control, and governance, even for companies that are not technically required to comply.
Identify and remove conflicts of interest that affect your business. These can involve auditors, management, the board, vendors, outside consultants, etc.
Ensure that your external auditors and internal auditors are independent by having their continuing employment, performance rating, and compensation determined by the audit committee or board.
Help to ensure that financial disclosures are transparent and fairly describe the organization’s performance by using a disclosure committee and management representation letters.
Insist on a robust top-down risk assessment of financial reporting processes. The extent of testing to perform (the primary cost-driver) can then be determined appropriately.
Capture risk and control information in compliance database software. User-friendly software that can be customized and administered by non-IT personnel is available at very reasonable prices.
Establish risk committees at the senior management and board level. These committees can direct risk management efforts and help the audit committee to focus on financial reporting matters.
Develop reporting of operating metrics that are predictive of financial results and share it with the audit committee and board.
Communicate periodically to the audit committee any significant deficiencies identified (financial or otherwise) and management’s progress towards remediating them.
Use the financial reporting effort and framework to initiate or improve an ERM program.