If you were a practicing auditor in May of 2002, chances are you have vivid memories of how life changed for our industry. Virtually overnight, our value doubled, but so did our responsibility and workload. Prior to the passage of the Sarbanes-Oxley (SOX) Act, many internal audit departments were auditing at the process level, and many more were concentrating on operational auditing. Few departments were auditing at the control level and finding “documented” policies and procedures to audit was a hit or miss proposition. Section 404 of the SOX Act changed how organizations monitored their control environment and, in some cases, who was doing the monitoring. Many companies re-tasked their internal audit departments to include SOX 404 responsibility, others created a SOX compliance department, and still, others outsourced or co-sourced the function. But in most cases, regardless of which approach you took, one thing was clear— we weren’t ready for the effort that was required nor the cost of compliance.
In May of 2002, I was the Director of Internal Audit for a mid-market manufacturing company in New York and was quickly tasked by the audit committee with the responsibility of ensuring successful SOX 404 compliance. What I didn’t realize at the time but would quickly discover, was that the company I worked for was a worst-case scenario for SOX 404 compliance. We were a fast-growing company, but most of the growth was through acquisitions—coupled with the fact that the PCAOB had not yet adopted a risk-based approach and we were on a path that would require a herculean effort. Our scoping sessions with our Big Four accounting firm inevitably resulted in a “Let’s scope it in to be safe” approach. This resulted in 21 of 25 worldwide locations falling within the scope and virtually all of them were decentralized, thus resulting in essentially 21 separate SOX 404 audits.
When I consider the plan that I utilized to achieve our objective of a clean SOX 404 opinion, I realize that I didn’t have many options because tools such as Wolters Kluwer TeamMate+ Controls did not exist. We utilized Excel, Word, PDF, and Visio to document our project plan, design and test the controls, and report and track the results. I had a department of 8 resources and at its height, the project demanded as many as 40+ resources. You can imagine the effort required to track and assign up to 32 external resources and 8 internal resources across 21 companies each with up to 14 processes and 100 key controls. If I was tasked with this project today, the effort required would be a fraction of what it was without the benefit of a tool such as TeamMate+ Controls.
Years ago, we did well with the tools we had available; but in today’s environment, I feel to wear your SOX well, you’d benefit from the use of a SOX tool. TeamMate+ Controls can greatly increase efficiencies while reducing overall effort and cost of compliance. Some of the major benefits are:
- The ability to build an entire Risk and Control Matrix (RaCM) within TeamStore and have objectives, risks, controls, and test programs linked through to the respective processes
- Performing a control self-assessment that would allow control owners to propose changes to their respective controls, all while providing an audit trail that can be reviewed
- Mapping RaCM to the respective processes within a control assessment and attaching the design documentation, performing a walkthrough, and multiple phases of effectiveness testing
- The issue/deficiency tracking area provides the ability to track the remediation of exceptions/deficiencies noted during the test of controls and report the results as necessary
- Whether performing a quarterly 302 certification or an annual 404 certification, you can set up and track a complete sign-off tree that allows multiple levels of management to certify to the state of their controls, so the CFO and CEO can feel comfortable with their SOX certification
Ultimately, good resources coupled with a good tool can lead to a good SOX process, but a great tool will lead to a great SOX process. Whether you’re a team of 3 or a team of 50, if the goal is to “wear your SOX well,” then incorporating TeamMate+ Controls into your process can get you there quickly and efficiently. Having been involved in SOX since its inception, I wish I would’ve had TeamMate+ Controls on day one!