The 2002 Sarbanes-Oxley legislation (new, enhanced standards for all U.S. public companies) was established in response to high-profile financial scandals (Enron, etc.) in order to protect shareholders and the general public from accounting errors and fraudulent practices. However, implementing SOX in a meaningful way for an organization is far from a no-brainer. A few tips include:
- Understand your business – what are your key business processes? Understand and document those processes, from the financial risk and control perspective. Do not worry about the rest.
- Materiality – this is another way of saying, apply the 80/20 rule. Focus on those areas that have a large potential financial impact on your business.
- Understand risks – there are endless financial risks in any business. The critical element is to understand which risks are important to your business. Key controls are required for those risks.
- Understand controls – how does your business mitigate the key risks? What options / tradeoffs exist to mitigate the risks?
- Think about what makes sense – it is quite possible to throw out strict, irrelevant rules and instead think about what makes sense for your business – what is logical (remember risks, controls and tradeoffs). Then, it is just a matter of putting it into an appropriate communication format for SOX.
- Evidence – a key word for SOX. Even the best processes may count for little on their own; evidence is the key. In many cases, if you execute effectively in your organization, your processes will not need to be changed. However, it is likely you’ll have to add evidence so that you can prove it to your auditors.
- Segregation of duties – although logical and part of other aspects of SOX, I’ve given this a separate bullet point because it is often one of the more challenging aspects for smaller, flexible organizations to achieve, since the same few people tend to both initiate and approve transactions. Remember, logic works so long as it is backed by evidence!