The comeback of SOX: Are businesses ready for the challenges?
The Sarbanes-Oxley Act of 2002 (SOX) has been in place for many years, and US-listed companies are well-practiced in complying with it. Indeed, they are so well practiced, in the years following its introduction, the cost and effort of complying has declined significantly, as SOX has become ‘business as usual’.
However, in recent years, and contrary to expectations, the cost and effort of SOX compliance has started to increase again. A Protiviti 2017 report entitled ‘Fine-tuning SOX Costs, Hours and Controls’, highlights that for two out of three companies, SOX compliance hours have increased by more than 10 percent since 2016.
A significant driver for this the US Public Company Accounting Oversight Board (PCAOB) are coming down hard on auditors for audit failures and violation of the Board’s quality standards to enforce SOX compliance by organizations. Faced with potential fines in the region of millions of dollars, auditors are redoubling their efforts to scrutinise their clients’ internal audit controls over financial reporting, assessing and responding to risks of material misstatement, and measurements.
One impact of this is that auditors are extending their audit scope to cover business processes that make extensive use of spreadsheets.
In the past, SOX compliance has driven business towards using centralised IT systems, where the SOX compliance controls for business processes are available ‘out-of-the-box’. In the past auditors have reviewed these controls and outputs as part of their normal audit duties. CEOs and CFOs have used these reports and controls to sign-off on shareholder reports that comply with the regulations.
Now auditors are extending client audits to cover their spreadsheet estates, as they recognize how pervasive spreadsheets are in many key SOX-related business processes, which might include cost management controls, revenue recognition processes and controls, as well as separation of duties.
This reflects the way spreadsheet have remained central to key business processes – despite the widespread use of complex corporate IT systems – as users wish to leverage the power and flexibility of spreadsheets to bridge the gap between what the business needs now and what IT can provide in a timely way. This is also reflected in the Protiviti report mentioned above, which found that 64% of their respondents had experienced increased focus on their deficiencies by their auditors.
The spreadsheet challenges of SOX
Spreadsheets remain an invaluable resource for businesses, because their ease of use, flexibility and powerful functionality, helping them remain agile, generate new insights, model the development of their business, as well as provide accurate and timely reports.
In a SOX context, this very power can be a source of problems, if the key spreadsheet estate is not managed effectively. It works in two ways.
Firstly, the very flexibility of spreadsheets means that errors can quickly emerge in spreadsheets, which can then materially affect the accuracy of results. The scope for this spreadsheet risk can grow significantly if complex formulas or macros are used, or if a spreadsheet is linked to other spreadsheets, or other applications or data sources.
In the SOX framework, these results can easily, if unwittingly, generate reporting errors that can compromise the quality of financial reports. There are numerous examples of businesses having the restate their earnings through calculation errors in their quarterly or annual reports. This can cause a host of reputational, regulatory, commercial and legal headaches.
The other problem is the absence of data governance and controls in Excel estates prevent Corporate Officers from being able to signoff the results as being an accurate picture of the company’s results. If they, or their auditors, are unable to verify the results generated by business processes underpinned by its key spreadsheets, due to inadequate controls, then they would be in violation of SOX and would likely be subject to a range of sanctions.
Sharing the mantle of importance with enterprise systems
Organizations need to grant spreadsheet applications the same level of importance as their highly controlled and maintained enterprise systems – without removing any of the powerful capabilities, flexibility and sheer business value that spreadsheets give to users and the business alike. This will help them overcome the challenge of the extra scrutiny they face from their external auditors for SOX compliance, while to ensuring the business remain dynamic and flexible.
Best practice approach to spreadsheet management for SOX compliance
A best practice-led approach to spreadsheet management is now indispensable for SOX compliance. Typically, it involves a three-step process. Initially organizations need to conduct a process of discovery to get visibility of how spreadsheet are used in their SOX processes. This visibility will enable them to identify the key spreadsheets that affect SOX compliance, and their often complex relationships with other spreadsheets, applications and data feeds. This allows them to risk assess these files, so they can be tiered and inventoried based on the risks they pose to SOX compliance (and indeed broader governance), and their criticality to the business. A monitoring process can be used to identify approved changes to these spreadsheets as well as highlighting flaws that can impact the quality and accuracy of company reports. This capability also provides the auditability of the critical spreadsheet estate that mirrors that found in the corporate IT environment.
This approach, leveraging automation, allows organizations that need to comply with SOX the same levels of visibility and auditability that have long benefited the corporate IT function. It also ensures that users retain the power and flexibility that spreadsheets provide. This approach helps the ‘square the circle’ of managing spreadsheets under SOX, and should allow business to reduce, once again, the time effort and resource applied to SOX compliance. It can also provide peace of mind for managers, knowing they have all their SOX bases covered.
By Henry Umney, CEO, ClusterSeven