With most companies in their third year of proving that controls are effective enough to meet SOX requirements, companies seem compelled to reduce the costs of their respective SOX projects. The key point is that each year, organizations need to prove that their controls are effective. Unfortunately, many in senior management have the misconception that their companies only needed to make an initial investment in the first year in order to implement and sustain SOX compliance. Unfortunately, most companies spent an exorbitant amount of money in the first year to meet the SOX requirements, which has contributed to the drive to reduce SOX project costs in subsequent years.
The SOX controls that were implemented were either preventive or detective controls. Unfortunately, many of the controls that were implemented were detective controls. Detective controls require a review process to identify incidents, which in turn requires follow-ups and formal investigations. For instance, the control “IDs are either suspended after five invalid logon attempts in a single day, requiring administrator reset, or are monitored” would require a report of IDs that had five invalid logon attempts in a single day, to be followed up by an individual to assess whether this was an attempted break-in to the ID. An ongoing resource commitment is required to support these detective control review processes. If the review processes were shut down because of SOX cost cutting, the control would no longer be effective, which could translate into a SOX significant deficiency for the organization.
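The report that the detective control above depends on can be produced automatically, but the follow-up cannot. The script below is an added illustration, not code from the original article: it reads a constructed, hypothetical log format (timestamp, event name, key=value fields), counts invalid logons per ID per day, and lists every ID that reached the five-attempt threshold together with whether the system actually suspended it. The "action" column is exactly the part of the control that still needs a person: an ID that hit the threshold but was never suspended must be followed up by someone.

```python
"""Detective-control report: IDs with five or more invalid logon attempts in one day.

Added example; the log format and event names are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

THRESHOLD = 5  # taken from the control wording: five invalid logon attempts in a single day

# Constructed sample log lines (hypothetical format, not from any real system).
SAMPLE_LOG = """\
2004-11-15T08:01:12 LOGON_FAILED uid=jsmith src=10.0.0.5
2004-11-15T08:01:40 LOGON_FAILED uid=jsmith src=10.0.0.5
2004-11-15T08:02:03 LOGON_FAILED uid=jsmith src=10.0.0.5
2004-11-15T08:02:30 LOGON_FAILED uid=jsmith src=10.0.0.5
2004-11-15T08:02:58 LOGON_FAILED uid=jsmith src=10.0.0.5
2004-11-15T08:02:59 ACCOUNT_LOCKED uid=jsmith
2004-11-15T09:10:00 LOGON_OK uid=mlee src=10.0.0.9
2004-11-15T22:00:00 LOGON_FAILED uid=svc_batch src=10.0.1.2
2004-11-15T22:00:05 LOGON_FAILED uid=svc_batch src=10.0.1.2
2004-11-15T22:00:10 LOGON_FAILED uid=svc_batch src=10.0.1.2
2004-11-15T22:00:15 LOGON_FAILED uid=svc_batch src=10.0.1.2
2004-11-15T22:00:20 LOGON_FAILED uid=svc_batch src=10.0.1.2
2004-11-15T22:00:25 LOGON_FAILED uid=svc_batch src=10.0.1.2
2004-11-16T07:30:00 LOGON_FAILED uid=mlee src=10.0.0.9
2004-11-16T07:30:30 LOGON_FAILED uid=mlee src=10.0.0.9
2004-11-16T07:31:00 LOGON_FAILED uid=mlee src=10.0.0.9
2004-11-16T07:31:30 LOGON_FAILED uid=mlee src=10.0.0.9
2004-11-16T07:32:00 LOGON_OK uid=mlee src=10.0.0.9
"""


def parse_line(line):
    """Split one log line into (calendar day, event name, attribute dict)."""
    ts, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
    return day, event, attrs


def build_report(log_text, threshold=THRESHOLD):
    """Return one record per (day, ID) that reached the invalid-logon threshold."""
    failures = defaultdict(int)  # (day, uid) -> number of LOGON_FAILED events
    locked = set()               # (day, uid) pairs the system suspended itself
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, event, attrs = parse_line(line)
        uid = attrs.get("uid", "<unknown>")
        if event == "LOGON_FAILED":
            failures[(day, uid)] += 1
        elif event == "ACCOUNT_LOCKED":
            locked.add((day, uid))

    report = []
    for (day, uid), count in sorted(failures.items()):
        if count < threshold:
            continue  # below the control threshold: nothing to review
        suspended = (day, uid) in locked
        report.append({
            "date": day.isoformat(),
            "uid": uid,
            "failures": count,
            "suspended": suspended,
            # The review step itself is manual: the report only queues the work.
            "action": ("confirm suspension and assess whether this was a break-in attempt"
                       if suspended else
                       "NOT suspended: follow up with the ID owner and investigate"),
        })
    return report


if __name__ == "__main__":
    for row in build_report(SAMPLE_LOG):
        print(f"{row['date']} {row['uid']:<10} failures={row['failures']} "
              f"suspended={row['suspended']} -> {row['action']}")
```

Run as-is, the report lists two IDs for 2004-11-15: one that the system suspended after the fifth attempt, and a service account that reached six failures without a lockout and therefore needs a manual follow-up. The ID that stopped at four attempts on the next day is not listed, because it never reached the threshold the control defines.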
Another form of resource requirement needed to sustain SOX compliance is the task of periodically validating the set-up of controls. These validations could comprise a revalidation of security settings (e.g., password construction parameters), validation of the security access entitlements assigned to individuals, or validation of the set-up of automated controls (e.g., verifying that automated email notifications for backup failures are set up properly). Organizations have approached the validation of these control set-ups differently. One approach is to list them as controls within the Risk Control Matrices and perform a SOX test on a sample of environments to ensure that they are properly configured. Other organizations have transferred this validation of set-ups from a SOX test to a compliance function which performs these validations on a site-determined basis. The SOX test in this case would be to verify that the compliance function performed these validations. The advantage of performing compliance validation instead of SOX tests is that if a setting is not set correctly it can be remediated as part of the compliance validation, and therefore an organization would not need to list these as SOX issues. In addition, performing these reviews as compliance functions reduces the expertise required within the SOX team to perform the test, since they will only be validating whether the compliance review was performed instead of constructing tests to validate individual settings.
The final area where a resource commitment is required to sustain SOX compliance is the testing requirement. Management needs to maintain a staff of individuals to perform SOX testing to support their assertions about the effectiveness of controls which impact financial reporting. Although the data collection component of a SOX test can be automated to reduce resource requirements, the actual analysis of whether the test condition passed or failed, and the overall workpaper requirements to support the SOX test performed, will still require a sustained commitment of resources.
In summary, sustaining SOX compliance requires a continuous commitment of resources. I concur with the view of a colleague of mine who stated that SOX is not like the Y2K project, where once it was proven through testing that Y2K compliance had been achieved, and once 1/1/00 passed, there were no additional resource requirements. Unfortunately, 11/14/04 passed for SOX, at which time controls were required to be effective. However, SOX initiatives are required each year to sustain the effectiveness of these controls and prove that they are effective. Each year in the “world of SOX” is treated separately, which will require a sustained commitment of resources to support an organization’s contention that its controls over financial reporting are effective.