WHILE most large and medium-sized companies have finished their first round of compliance, smaller businesses are still working on the provisions of Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). I have been helping clients with SOX compliance since 2003, and, in working closely with management, I have found two challenging areas. The first is evaluating the design of internal controls, and the second is promoting the idea that, in general, the implementation of effective internal controls and/or processes could provide the company increased processing efficiencies and potential cost savings. Never mind SOX--how much time and money could a company save if management knew they could take proactive steps to implement key controls around significant processes? In 2004, how many companies had to test the same key controls multiple times before the operation of control appeared "effective?" How much more time and how many more resources did it take for the company to perform this undertaking?
In a survey about SOX compliance, internal auditors said that a company's three most common control issues were a lack of process control-related documentation, formal review and approval gaps, and not enough or proper segregation of duties. In light of these and other SOX compliance issues and concerns, five cost-saving opportunities have emerged that should enable smaller companies, who will be required to comply with SOX in 2006, to jump ahead of the learning curve and incorporate some valuable procedures and controls that will help them operate more efficiently and effectively.
1 Take Advantage of Checklists
The importance of a checklist expands beyond providing evidence about the performance of a key control; it clearly defines the scope of an employee's job responsibility and adds accountability. Realizing that clients struggle with showing they maintain clear audit trails for reviews, reconciliations, verifications, and other transactions, I have recommended that management use checklists to support employee accountability and to document the performance of key control activities. Moreover, I have seen smaller companies with less savvy IT operations come to appreciate the fact that paper checklists can reduce or eliminate their need to maintain volumes of paper to document reviews and approvals. Checklists also give management the ability to monitor whether recurring processes and tasks are completed on time. An example of a common checklist is a summary listing of all month-end journal entries that the preparer and reviewer initial and date to show evidence that the review and approval process was performed. The checklist is then included in the journal entry binder. The same type of checklist can be used for quarter-end financial statement preparation and review procedures, scheduled tax filings, etc.
In helping companies walk through and document significant processes, I have found that it becomes relatively easy to identify those controls that can be incorporated into monthly or quarterly checklists. In addition to the monthly or quarterly journal entries, some of the most useful checklists are for complex invoice reviews/reconciliations, budget-to-actual variance analyses, and quarterly/ annual financial statement reporting processes.
2 Update Policies and Procedures
Existing policies and procedures serve as building blocks for SOX process documentation and define employees' roles and responsibilities. Once companies have identified significant SOX processes, documentation begins with evaluating those existing policies and procedures. The SOX documentation process is the most practical time to recommend ways to update any outdated or inadequate policies and procedures to avoid future pitfalls or control deficiencies.
One good example is recommending that management update their travel and reimbursement policy to account for changes in IRS regulations …