SarbOx Sustainability
Raleigh, NC
This installment of our series on SOX Sustainability concerns the
“Business Process Issue.” In Part 1, we introduced Business Process
as one of the significant SOX sustainability challenges. Additional
issues and sustainability planning will be addressed in other
articles in the series.
Business Process
SOX sustainability is a significant Business Process Issue. Without
a solid process with which to execute the business plan, and to
derive compliance as a by-product of solid performance, the internal
control assessment process will always be an afterthought and
headache. If SOX compliance is not built into what the company
does or how it normally operates, it will always be a “bolt-on.”
Bolt-ons are seldom efficient, unless they are custom-designed for
the company and its capabilities.
Let us consider a
handful of realities.
- SOX will not be a one-time thing. Although some of the §404
rules are still being interpreted for the first time,
corporations are in for years, if not decades, of internal
control assessments. Small corporations may get some measure of
relief from certain §404 requirements, but relief will not be
total. The SEC’s rationale for postponing §404 for small
companies is/was to allow them more time to efficiently (as
opposed to expensively) achieve an effective control universe.
- When people are forced to swallow additional workloads, they
tend to adapt, either for better or worse. To add something new
requires dropping or changing something old. Whether you
plan to change your internal processes or not to
accommodate SOX, they will change anyway. The staff will see to
that.
- Few companies are/were “pre-optimized” for SOX. That is, few if
any companies are or were prepared to satisfy SOX requirements
without losing any steps along the way. Instead, they are
meeting their initial compliance requirements by having their
staffs do more than normal, and by juggling priorities to get
SOX done.
- Integrating new technologies or software systems will
necessarily drive changes in internal processes. What may not
be apparent at first glance is the extent to which processes
will change with the arrival of new system(s) and new
obligations.
Based on this, it would seem that every company faces inevitable
change connected with SOX, whether they see it now or not. It
doesn’t matter if they plan for it now or not. The changes may be
obvious, substantial and fast, or they may be subtle, moderately
widespread, and periodic. But they will occur. The question is how
to best plan for the process changes and optimize them to derive
some business performance benefits as the changes unfold. Change
can’t be avoided; it can only be managed.
Management can
either take the bull by the horns to try to determine where and how
to evolve processes (financial, disclosure, regulatory and
operational) or allow the processes to evolve on their own
timelines. Adaptive process changes by staff members are seldom
optimal for the organization at large. Treating SOX as something
that the organization can effectively assimilate without planning
and integration will likely breed control weaknesses and
sub-optimization as the culture tries to swallow something it wasn’t
prepared to eat. Optimizing business processes (today) to deliver
the goods efficiently and to derive compliance as a by-product
requires conscious choices, thoughtful integration, planning, and
maybe training. It may also require an axe and welding torch, but
at the very least it requires thoughtful integration.
The first step in
determining what Processes and Process changes are appropriate is a
critical assessment of those processes and methods that the entity
can readily assimilate (today). The second step is a critical
assessment of those processes and methods that are important for the
organization two to five years downstream that the organization
should move toward. The third step is a critical assessment of
those capabilities and processes that really should be handled from
outside for the foreseeable future. SOX is a business challenge
that requires its own solution and integration timetable. Some
things can and should be done inside, and some should be done
outside. The trick is in determining the mix that is best for the
company.
Intrinsic
Processes are those that the organization handles today or can
readily handle tomorrow. Extrinsic Processes are those the
organization must currently outsource or stretch to integrate.
Processes that fit with the entity’s native capabilities, talents
and culture are easier to integrate and sustain. However, bolt-on
processes (extrinsic) may be functionally necessary where/if the
entity presently lacks key capabilities or technologies necessary to
efficiently assimilate certain compliance drivers. Over time,
well-conceived and implemented bolt-on processes can become
intrinsic. This past year many companies outsourced key compliance
functions such as internal audit to satisfy §404 requirements
because they lacked the necessary onboard internal
audit resources. But does it make sense to bring internal audit
into the culture or leave it outside going forward? These types of
questions must be addressed if a company is to determine how to
optimize itself for future control requirements.
To review earlier articles in the series please
visit Visage’s website at the URL below.
VisageSolutions is a group of experienced operational executives
focused on providing efficient, repeatable compliance (including
Sarbanes-Oxley) solutions. By working carefully with their clients,
VisageSolutions provides customized solutions that focus
on reducing the “operational cost” of sustained compliance through
an optimum combination of existing and new technologies and tools,
and business process integration. See
www.visagesolutions.com for more information and related links.