SOX Section 404: What Does It Mean? What Should You Do?
Sarbanes-Oxley (SOX) Section 404 is a looming requirement for businesses of your size, yet in the early stages of the financial regulation's life, few companies fully understand the law and its implications. And it's no wonder why; the entire section is embodied in less than 250 words.
SOX 404 requires that the annual report of a public company include a statement by management assessing the company's internal controls over financial reporting, which in practice extends to the underlying systems and IT processes that affect the financial numbers. The company's external auditor must also attest to that assessment.
This is a particularly difficult challenge for businesses that lack the large IT budgets needed to run a compliance program on top of day-to-day operational controls. That is precisely why the SEC deferred the SOX 404 compliance mandate for smaller public companies (non-accelerated filers, those with a public float of less than $75 million) from July 2005 until July 2007.
It's expensive for companies of your size, too. According to a recent study by the Small Business Administration, smaller businesses pay an average of 46 percent more per employee to meet federal regulatory compliance requirements than their larger counterparts. This stems largely from the lean staffing of a business of your size, which leaves no slack to absorb compliance work. It also stems from an audit process that appears overwhelming and loosely defined, and that often entails "rediscovering" the circumstances surrounding events of long ago, because nobody recorded them at the time.
The problem is that most companies with a market cap of less than $75 million, even those with an IT department, lack the IT manpower, expertise, and resources needed to begin a dedicated audit process. Whatever IT budget and manpower exists is prioritized for the systems that directly drive products or services, not for controls initiatives.
In contrast, large corporations can rely on their own internal expertise to put controls and processes in place before an external auditor identifies areas of weakness. When they begin the audit process they often also engage specialized consultants or external advisors to recommend where internal processes and controls can be improved. That means those companies pay for the review process twice, but they usually get it right the first time.
Buyers Beware
With the deluge of attention being given to SOX today, many companies have come to the market claiming to have effective SOX solutions. But buyers should be wary: Very few one-stop compliance services are available in the market today. There are, however, a few steps a business of your size can take to get the ball rolling on the way to compliance with SOX 404.
The first step you should take is to identify the gaps within current internal financial controls. While this may require the assistance of an outside expert, it will get you closer to the final solution before the audit begins.
Some companies may be reluctant to invest the time and money now in a problem that doesn't have to be dealt with for two years. But a prudent course of action would be to understand the critical focus areas of a Section 404 audit, and begin a planned, measured course of correction for potential deficiencies well before a looming deadline damages the quality of the process.
Obvious attention is required for the development and maintenance of financially significant applications (FSA). But companies cannot focus on applications alone: changes to infrastructure components such as servers, databases and networks that those applications depend on also fall under SOX 404 inspection. Investing now to institute internal controls that satisfy your auditors will save time, money and manpower later, compared with remediating material weaknesses discovered during the required SOX compliance audit.
This early analysis may unveil a commonly held misconception: that the first step in the audit process is to automate all internal controls. This is simply not the case. While automation is certainly one step on the road to compliance, it's often not the first step. For many businesses of your size, it is beneficial to consider the larger picture and alter only the processes for those functions that affect financials. Often the first wave of these controls can be accomplished manually and refined as needed during audit testing and verification activities.
Once this is done, you are ready to take the plunge into automation. Solutions are available that track key aspects of the Systems Delivery Life Cycle (SDLC) and IT production environment. The integration of traditional change management solutions with configuration management tools is rapidly becoming an area of focus for software vendors and service providers.
Many of these solutions can be customized to the particular needs of your business, and they automatically document and track the flow of information and approvals throughout the SDLC. When a change to the production environment is needed, they enforce the control process (for example, that the change is approved by someone other than the person who made it, and approved before it is deployed) and record an audit trail from start to finish. That lets a business show its production environment and IT processes are controlled without relying on inefficient paper-based systems. Keep in mind, though, that the tooling only produces the evidence; the auditor still tests that the control actually operated, typically by sampling changes and confirming that none reached production without a documented, independently approved request.
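As an added illustration (not a product, and not the original article's material), the following hypothetical Python script models the two change-management controls an auditor most often tests: segregation of duties (the requester cannot approve their own change) and approval before deployment. Every step, including rejected attempts, is written to an append-only, hash-chained log so that editing or deleting a past entry is detectable. The change identifiers, user names and system names are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field


class ChangeControlError(Exception):
    """Raised when an action would violate the change control."""


@dataclass
class AuditLog:
    """Append-only, hash-chained event log (hypothetical design).

    Each entry commits to the previous entry's hash, so editing or
    removing any earlier event makes verify() fail."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class ChangeControl:
    """Gate for changes to financially significant applications (FSA)."""

    def __init__(self) -> None:
        self.log = AuditLog()
        self.changes = {}  # change id -> record of who did what

    def request(self, change_id: str, requester: str, system: str, summary: str) -> None:
        if change_id in self.changes:
            raise ChangeControlError(f"{change_id}: duplicate change id")
        self.changes[change_id] = {"requester": requester, "system": system, "summary": summary,
                                   "approver": None, "deployer": None, "status": "requested"}
        self.log.append({"action": "request", "change": change_id, "actor": requester, "system": system})

    def approve(self, change_id: str, approver: str) -> None:
        change = self._get(change_id)
        # Segregation of duties: the person who raised the change cannot approve it.
        if approver == change["requester"]:
            raise ChangeControlError(f"{change_id}: requester may not self-approve")
        if change["status"] != "requested":
            raise ChangeControlError(f"{change_id}: cannot approve from status {change['status']}")
        change.update(approver=approver, status="approved")
        self.log.append({"action": "approve", "change": change_id, "actor": approver})

    def deploy(self, change_id: str, deployer: str) -> None:
        change = self._get(change_id)
        # Nothing reaches production without a recorded, independent approval.
        if change["status"] != "approved":
            raise ChangeControlError(f"{change_id}: status is {change['status']}, not approved")
        change.update(deployer=deployer, status="deployed")
        self.log.append({"action": "deploy", "change": change_id, "actor": deployer})

    def _get(self, change_id: str) -> dict:
        try:
            return self.changes[change_id]
        except KeyError:
            raise ChangeControlError(f"{change_id}: no such change request") from None

    def evidence(self) -> list:
        """What an auditor samples: who requested, approved and deployed each change."""
        keys = ("system", "requester", "approver", "deployer", "status")
        return [{"change": cid, **{k: c[k] for k in keys}} for cid, c in self.changes.items()]


def run_demo() -> ChangeControl:
    """Walk one constructed change through the gate, including two attempts
    the control must refuse. Refusals are logged as evidence too."""
    gate = ChangeControl()
    gate.request("CHG-1001", "alice", "general-ledger", "patch month-end close job")
    for actor, action in (("alice", gate.approve), ("ops", gate.deploy)):
        try:
            action("CHG-1001", actor)  # self-approval, then deploy without approval
        except ChangeControlError as exc:
            gate.log.append({"action": "rejected", "change": "CHG-1001", "actor": actor, "reason": str(exc)})
    gate.approve("CHG-1001", "bob")   # independent approver
    gate.deploy("CHG-1001", "ops")    # now permitted
    return gate


if __name__ == "__main__":
    demo = run_demo()
    print(json.dumps(demo.evidence(), indent=2))
    print("audit log intact:", demo.log.verify())
```

The point of the hash chain is not secrecy but tamper evidence: an auditor can recompute the chain from the stored events and confirm that the trail handed over is the one that was written, which is the property a paper-based process cannot offer cheaply.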
Spend Now, Save Later
The SEC's decision to delay SOX compliance for businesses of your size should not be seen as a get-out-of-jail-free card. Rather, it is a chance to begin taking the steps that will lessen this onerous burden, while at the same time putting in place financial controls and better-practice disciplines that will improve the effectiveness of the IT organization. Businesses of your size should heed the struggles of their larger counterparts, begin putting the pieces for an audit in place now, and tighten up day-to-day IT processes.
John Lerch is the chief operating officer of Change Dynamics, a company focused on implementing solutions for improved IT processes and controls.