Sarbanes-Oxley (SOX) compliance is onerous, and the penalties go beyond large dollar fines to serious jail time in a Federal penitentiary: the “country club” variety, perhaps, but with shades of The Shawshank Redemption. Enacted in 2002, SOX has been with us for more than a decade, and companies subject to it have become better at managing the associated costs, which have declined as a percentage of revenue.
But, have companies gotten better at actual compliance with SOX?
Personally, I don’t think so. What appears to be a pyramid of sub-certifications built on sub-certifications has simply created a compliance house of cards, where the responsibility can be passed off. “I signed the certification for SOX because I had all these subordinates certifying everything was OK,” is a typical CEO or CFO attitude, usually followed by, “I trusted my people to do their jobs.”
The burning issue with this is that trust is not a control.
SOX requires both the CEO and the CFO to certify and vouch for the adequacy of the firm’s internal controls.
Part of any SOX assessment is identifying which systems and data could have a material impact on the financial statements, because those are the systems the internal controls must cover.
From this requirement will spring “Policies” – for instance:
“All servers containing data whose loss could have a material impact on financial statements will be backed up once per week, and each month two sample files from these backups will be restored and tested to confirm that data recovery works.”
That’s the policy, but to put this into practice will require a “Control”; so, for instance:
“Once per week, an IT Manager will confirm that every server identified as containing data whose loss could have a material impact on financial statements has been backed up. Once per month, an IT Director will restore two sample files from these backups and open them to confirm that the backups are usable.”
Now you have a degree of compliance with SOX – you have a policy and you have a control.
You have nothing to worry about, right?
How do you know the IT Manager and IT Director are actually following the controls?
How do you know they perform the backups and testing when the policy and control require?
The IT guy signs a piece of paper that says, “We did the backup and test and everything is A OK!” If you accept that as satisfactory, you are failing, because trust is not a control.
The reality is that you have no evidence that the policy was complied with, or the control executed, at the time it was supposed to be. For this reason you fail your SOX audit: you cannot demonstrate compliance, even if you were in fact compliant and the controls were executed.
Being in compliance with SOX and demonstrating compliance are not the same thing. In the scenario above you might well be compliant, but only because you trusted subordinates in the IT Department to be doing what they told you they had done. You did not see the execution, and you have no non-repudiable record proving that what is claimed actually occurred when it was supposed to.
This is a big problem that keeps CFOs and CEOs awake at night, because they are quite literally entrusting their personal liberty and bank balances to subordinates following the rules.
Here is a scenario using the same information, policies and controls:
The IT Department is so snowed under with work and projects that getting the weekly backup done just slides down the list of priorities.
A week goes by, and in short order this becomes several months without backups, let alone testing. People know it needs to be done and should be done, but it is one of those things they have every intention of following while there is always something more pressing that takes up the time and resources.
Months pass, and sometimes backups get done and sometimes they don’t.
Now a SOX audit notice comes down the pike, and suddenly a lot of people in IT are sweating and scrambling. Perhaps they make the documentation look right; perhaps they come clean, hold their hands up and hope they don’t get fired. Who knows. If it is the former, maybe the fake documentation and audit trail pass inspection, and after the relief of passing this time, IT really means it: they are going to follow the backup schedule religiously (like they said last year).
As long as the reality of non-compliance is not exposed, either by the audit or by a real-life need to recover financially material data that you no longer have, everyone is free to keep passing Go and collecting $200.
The worst case scenario is the CEO and CFO end up being fined millions of dollars and get shipped off to a “Club Fed” penitentiary, while desperately trying not to remember how that guy escaped in The Shawshank Redemption.
So, how do you ensure that controls are actually being executed, and that what is being reported up to you is truthful and reliable?
The Lean BPM Approach to Control Execution and Demonstrating SOX Compliance
Taking our IT server backup example, let’s create a weekly task within HighGear to back up all servers identified as containing data that could affect the financial statements.
The task is created each week on the appointed day and time, assigning the task to a named IT contact, perhaps with a designated backup person (their manager for instance).
They are notified of the backup task by email and within the Lean BPM platform.
If the task is incomplete after 48 hours, an email notification is automatically sent from the system to the IT Manager or whoever in authority needs to be notified.
If the backups are completed, the system records a timestamp and the authenticated user who marked them complete. Because the actor comes from the sign-in to a secure system and the timestamp from the system clock, rather than from whatever the person chooses to write down, that record serves as the electronic signature auditors look for under SOX. It is a tamper-proof audit trail only to the extent that the people doing the work cannot edit the log that records them, which is why the record must be kept by the system and not by the IT Department. If the tapes are stored offsite, the responsible person can photograph the dispatcher receipt, or have one automatically e-mailed into HighGear, which further proves that the control was followed and when.
You now have policy, control and proof that the backup took place on a set day by a named (and accountable) individual and that tapes are safely offsite.
If the backup did not take place on the preset timescale, you also have notification and escalation procedures in place to ensure this is brought to more senior attention who will ensure it gets done, and if not, their superior is notified and on and on all the way up the hierarchy.
Likewise, the IT Director will each month receive a notification via HighGear, that they are to recover 2 sample files from the previous month’s backups, and test the data to ensure successful backup and recovery is in operation.
Again, this recurring monthly task can be escalated if not done within set time parameters, and remember, all of this is being tracked by the audit trail recording who does what and when. If this compliance task is not performed, automatic notifications and escalation processes can take over to make sure it does not get lost between the cracks.
To ensure that the restore has absolutely been carried out, the IT Director could be required to attach the two restored sample files to the task within HighGear, showing which files were recovered and that they open correctly. Where those files contain sensitive financial data, attach the restore log and a checksum of each restored file compared against the original instead, so that the evidence proves the restore without copying the data into the task system.
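The audit-trail and escalation mechanics described above, reduced to their essentials, as an added example. This is generic illustrative code written for this page, not HighGear’s implementation; the event names, the 48-hour escalation window and the sample events are assumptions. It goes slightly beyond the text by showing what “tamper-proof” has to mean in practice: every entry is hash-chained to the one before it, so a back-dated completion is detected, the actor and timestamp are supplied by the system rather than typed in by the person certifying, and evidence is stored as a hash rather than as the file itself.

```python
"""Tamper-evident audit trail for control execution (added example, not HighGear code).

Each event carries the SHA-256 of the previous event, so editing or back-dating
an earlier entry breaks every link after it and is caught by verify_chain().
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _canonical(event):
    # Stable serialisation so the hash does not depend on dict key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, kind, task_id, actor, at, evidence=b""):
    """Append one control event. The caller passes the authenticated actor and
    the system clock; the person doing the work never supplies the timestamp."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "kind": kind,              # assumed names: task_created / task_completed
        "task": task_id,
        "actor": actor,
        "at": at.isoformat(),
        # Hash of the evidence (dispatch receipt, restored file), not the file itself.
        "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence else None,
        "prev": prev,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain):
    """Return (True, -1) if every link is intact, else (False, first bad seq)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or body["seq"] != i:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def overdue_tasks(chain, now, sla=timedelta(hours=48)):
    """Tasks created more than `sla` ago with no task_completed event: the ones
    the escalation notification should fire for."""
    created, done = {}, set()
    for e in chain:
        if e["kind"] == "task_created":
            created[e["task"]] = datetime.fromisoformat(e["at"])
        elif e["kind"] == "task_completed":
            done.add(e["task"])
    return sorted(t for t, at in created.items() if t not in done and now - at > sla)


def demo():
    """Constructed sample: two weekly backup tasks, one completed, one left open."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    chain = []
    append_event(chain, "task_created", "backup-w01", "system", t0)
    append_event(chain, "task_completed", "backup-w01", "it.contact@example.com",
                 t0 + timedelta(hours=6),
                 evidence=b"offsite dispatch receipt #1234 (constructed)")
    append_event(chain, "task_created", "backup-w02", "system", t0 + timedelta(weeks=1))
    # 50 hours after creation the week-2 task is past the 48h window: escalate.
    overdue = overdue_tasks(chain, t0 + timedelta(weeks=1, hours=50))
    intact, _ = verify_chain(chain)
    # An insider back-dates the week-1 completion to make it look on time.
    tampered = json.loads(json.dumps(chain))
    tampered[1]["at"] = t0.isoformat()
    still_ok, bad_seq = verify_chain(tampered)
    return {"overdue": overdue, "intact": intact,
            "tamper_detected": not still_ok, "bad_seq": bad_seq}


if __name__ == "__main__":
    print(demo())
```

The chain only proves tampering if its latest hash is periodically written somewhere the people it records cannot alter (a signed export, write-once storage, or a copy handed to the auditor); otherwise an insider with database access could rewrite every entry and recompute the hashes. That anchoring step, plus authentication of the actor and a system-supplied clock, is what turns a log into evidence rather than another piece of paper someone signed.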
This enforces compliance with your controls, but how do you demonstrate this when you need to?
SOX Reporting & Lean BPM
HighGear has powerful reporting capabilities, allowing reports to be automated and produced according to your parameters and schedule. For instance, a list of all weekly backups for the year can be automatically created at year-end for the auditors (or they can simply log into the system themselves and pull whatever reports and information they require directly).
In addition, HighGear logs every interaction within the platform by anyone who uses it, general users and administrators alike. The audit trail also logs when a workflow rule triggers an action, such as escalating an item to a more senior level when a deadline is approaching or has been missed.
Because everything is logged within the platform, it becomes a much simpler task to audit the reports.
The auditor can select which backups they wish to delve into and the information and proof that the backups and restores took place, and just as importantly you can prove this happened when you said it did. More than this, all the associated evidence and documentation, such as proof of offsite dispatch of backup tapes, or a copy of a restore file, are held with each associated task as further evidence that controls were followed.
You no longer need to worry about trust being used as a control, because the record of execution is kept by the system rather than asserted by the people performing the work.
Establishing policies and controls is a prerequisite for SOX compliance, but on its own this deals with the requirements at a superficial level.
In practice, you must demonstrate that your internal controls are being followed and this means evidence of who executed a control, when they took the action(s), and what the outcome was, plus what happens with the exceptions such as missing a deadline or finding an issue.
Trust is not an adequate control for SOX purposes – indeed, for any auditor, trust is never a control.
HighGear as a Lean BPM platform enforces execution of your controls and escalates non-compliance promptly, so that action can be taken to remain in compliance.
Lean BPM also makes audit preparation and reporting easier and simpler, ensuring that the right work is being done at the right time by the right people, and keeping a secure log of all activities that is readily available to auditors whenever you need it.
HighGear’s Lean BPM ensures that controls and policies are followed according to your preset rules. More importantly, it lets you quickly and effectively demonstrate that what is claimed to have been done did in fact happen, and happened when it was supposed to.