Sarbanes-Oxley was enacted in 2002 in the wake of Enron, Tyco, WorldCom and a host of executives being arrested and forced to do the “perp walk,” being led away in handcuffs and usually hitting the evening news. Bluntly, SOX introduced real teeth into the world of corporate responsibility, holding the CEO and CFO fully responsible for compliance with the legislation, and threatening large personal fines and jail time for messing up.
The problem then, and today, is just how can you be sure that the policies and controls you have instituted in the wake of SOX are actually being followed down on the ground?
SOX Compliance: Your Own Bed or ‘Club Fed’
Let’s look at a scenario involving IT and the back-up of data which if lost, will materially impact the financial statements.
The back-up schedule is a daily incremental back-up after business hours, with a full weekly back-up on Saturday evening.
Monthly back-ups are also conducted, as well as a quarterly full data and application back-up.
In each case, policy and control dictate that the back-up tape is sent off-site each day.
As the CFO or CEO now certifying your financial records (s302: Corporate Responsibility for Financial Reports) and also certifying you have adequate internal controls which are effective (s404 Management Assessment of Internal Controls) ask yourself these two questions:
- How do you know the daily incremental back-up took place on any particular day?
- How do you know that for any particular back-up, the tape was in fact sent off-site to your secure DR location?
Your answer may be that you have a log, maintained by IT, that shows on this date “John Smith” performed a back-up and sent the tape offsite.
The policy has been instituted and the control was executed – you’re in compliance you say, and here are all the sub-certifications that prove it.
However, now you have a SOX audit, and for some reason the IT department is suddenly a very frantic place to work with lots of people working late nights and weekends, and there is an aura of apprehension and unease.
The auditors report that while you have a policy and control, you cannot evidence irrefutably that a backup took place when your records claim, nor a tape sent offsite as indicated. As the data subject to back-ups was financially impacting, you fail your SOX audit for lack of effective controls.
Now go and fix the problem.
A more brutal outcome is that, very disturbingly, the signatures on the manual log of daily back-ups all seem to be written in the same color ink for every day of the year, in the same handwriting, and in that style that indicates someone has simply been repeating themselves again and again as they fill in the checklist.
(As a former auditor, I was trained to look for just such things with manually maintained records, as a validation that the dates and information recorded were in fact credible. Records such as spreadsheets or manual sign in sheets, can be created or modified by anyone at any time, and therefore cannot be relied upon to ensure that a control is properly complied with in fact.)
The auditors decide to do some digging, and to your horror they report that “John Smith” did not in fact back-up data on the dates in question, and accordingly there were no tapes to send off-site, the entries had in fact been simply made up in anticipation of the audit.
While you had a policy and internal controls, they were not effective at demonstrating you were in compliance, nor ensuring your people did what they were supposed to when they were supposed to actually do it.
At this point, you’re probably kicking yourself, your trusted people, and especially “John Smith”, but you’re still responsible because trust is not an internal control!
Now, as CEO or CFO, you have a personal problem which will need an army of lawyers and a ton of luck to fix and you didn’t actually do anything wrong.
The real point is that there is a fundamental problem with this form of internal or management control, and it is this which generates SOX fear.
No visibility between the control and the work actually being done
CEOs and CFOs must therefore ‘trust’ that what they are being reported is actually correct, with audits being the only way to test whether controls are effective. It is not unusual to see a senior executive refuse to sign a certification if juniors have not submitted their own sub-certifications first; they feel they cannot sign-off because the person closer to the work has not signed off.
So, in essence, CFOs and CEOs are not certifying the underlying credibility of the financial statements, nor of the presence of effective internal controls. They are instead certifying that someone junior has signed off, no doubt hoping that this will ultimately protect the CEO and CFO from criminal allegations of deliberate misstatement or alteration. Except this does not tackle the root problem, being compliant in reality, nor comport with the purpose of the law itself.
Another problem is that audits look at history, and if there is a problem, it is typically discovered because someone has been bypassing or ignoring controls and has now been caught. Either way you’re still on the hook for ineffective controls and having previously certified your financial statements are accurate , you must hope there is nothing materially impacting.
The Lean BPM Solution for SOX Fear
HighGear’s Lean BPM approach to SOX compliance creates visibility into the work being done, or raises flags when it is not getting done or is late. So, taking our back-up example, the execution of the control to perform a back-up and send the tape offsite can be evidenced and reported on with direct visibility into what happens almost as soon as it takes place.
For instance, recurring, automated tasks can be created for daily, weekly, monthly, and quarterly backups, with responsibility assigned to named staff or a work queue. Notification and escalation alerts to a senior manager can be established, and in cases of serious delay, escalation as far up the management structure as deemed necessary.
The IT employee marking a back-up task as completed within the system, is also providing their digital signature that they have done what they say they have.
When it comes to sending the tape offsite, “John Smith” must take a photo with his cell phone of the receipt from the dispatcher transporting the tape to the DR site – this photograph must be uploaded to the task within HighGear before the system will allow it to be marked as completed. You now have contemporaneous proof of dispatch offsite which tracks alongside the task and which cannot be subsequently manipulated.
Detail of Daily Back-up Task – notifies VP-IT and IT Director of task status, and note the Required Before Close addition of a cell phone photo of the dispatcher receipt
HighGear will also date and timestamp who did what and when – you now have an audit trail that cannot be altered by anyone (perfect for any auditor or regulator).
What you have done in this Lean BPM scenario is provide the ability to instantly see when backups are scheduled, which are due today, this week, or this month, and which are overdue or failed.
You also can see who is doing the work, “John Smith” or someone else, and are now able to see that they sent tapes offsite when they say they did.
HighGear will also record all of this in a form which makes reporting simple and fast, for both senior executives who need a high-level view, and audit teams and managers drilling into the weeds.
Here we’ve just used a back-up scenario, but HighGear can manage any and all SOX processes, instituting real internal control which is backed by a full audit trail, state-of-the-art security and the ability to establish the policy guard rails in between that people, processes, assets and technology must operate.
And if any of these things do not happen when they need to happen, they can be escalated as high as is necessary, to the CEO or CFO if need be; after all, they are the ones signing their lives away.