SOX Compliance Systems 2572



  • Hi,%0AI was wondering how people here have went about ensuring SOX compliance for their companies.%0AI’m coming to the end of a near two year project where we developed an in-house system which serves to both document all our processes and controls globally (inlcuding things like online approval process for changes, version history, audit trail of changes, comparison of versions, full publishing of documentation in PDF format etc…) and also to act as a global birdseye monitoring system for the performance/sign off of controls. This uses a diary/calendar type feature that ‘pushes’ information about controls to users who are responsible for performing/signing off - this then allows the control owners to upload evidence in relation to the performance of the control along with various other standardised input information and then sign off the control online. Where controls are not performed/signed off automated email reminders etc… are sent out to chase up the people to do their job. The result of this is an accumulation over time of a wealth of control evidence in relation to the performance of our controls globally which internal and external audit uses (along with the online process and controls documentation) in their audit process. Having all this information in one place which can be accessed globally has led to significant decrease in the internal and external audit costs of sox compliance. Additionally regional SOX teams have a real time dashboard type view onto what is being done (or more importantly what is not being done) in their local regions. We now have our 4 main global centres on this system (UK, Europe, Japan and United States)%0AAt the outset we looked around on the market for a system which would do all of the above but although we found a lot of system available which handled the documentation side of things, there didn’t seem to be anything that handled the ongoing monitoring of control performances and the related reporting/audit aspects of this. A big benefit of this system is that it has moved information which was previously stored in a disparate and fragmented manner over numerous methods of storage (local word documents, local excel files, access database, sharepoint sites, emails etc…) and brought it all into one place in a standardised manner which opens up much better reporting opportunities. This along with the addition of the control performance and monitoring module has made a huge difference to the burdens of SOX compliance in our company.%0AWhat I was interested in is how other people have approached the control performance monitoring aspect of SOX compliance - do you use automated systems or is it just a matter of relyng on the individual people performing/signing off the controls and keeping all the evidence in relation to that locally? When we first got audited for SOX something like 60% of our control failures related to control performers not being able to produce evidence to prove controls were performed when they should have been, so this was the main driver for developing the control performance and monitoring part of the system and it has worked a treat as we now have next to no issues in this area anymore.



  • Hi Ross,%0AI read with interest your post in this forum. It was nice to hear that you have been able to implement a system that has significantly reduced your internal/external compliance costs.%0AAlot has been written about audit fees in connection with the SOX audit after the first year and on a sustain basis. In short, it would be helpful if you can share the percentage reduction in audit fees that is directly attributable to the implementation of the SOX Compliance System.%0AI fully respect your obligation to maintain confidentiality of financial information. However, if you can provide even an approximate range of the hours reduction (in % terms) and fees reduction (in % terms), this would be helpful. As well, I am sure that other persons on this forum would also be appreciative.%0AAgain, no need to disclose anything sensitive, but simply a request to share your experiences gained from implementing the SOX tool or compliance system.%0AKind Regards,%0AMilan



  • Unless his registered public accounting firm specifically disclosed the % reduction in audit hours or dollars that is attributable to the new internal control evaluation system in the audit budget or final invoice, it will be difficult to isolate this factor.%0AOtherwise, we would at least need to know in which year of section 404(b) compliance the company is in and whether it is a foreign private issuer that now uses IFRS and was no longer obliged to do a reconcilation to US GAAP in 2007. In 2007 Auditing Standard No. 5 and the discontinuation of the US GAAP reconciliation should also work to reduce audit fees. In addition audit fees depend on the industry and company size (among other factors). So it would be good to know the total assets, sales revenue and the SIC industry code in order to compare audit fees with the fees of comparable companies.%0AI am currently doing research on audit fee changes paid by foreign private issuers from EU and EEA member countries as well as Swiss companies.



  • Hi Ross,%0AI read with interest your post in this forum. It was nice to hear that you have been able to implement a system that has significantly reduced your internal/external compliance costs.%0AAlot has been written about audit fees in connection with the SOX audit after the first year and on a sustain basis. In short, it would be helpful if you can share the percentage reduction in audit fees that is directly attributable to the implementation of the SOX Compliance System.%0AI fully respect your obligation to maintain confidentiality of financial information. However, if you can provide even an approximate range of the hours reduction (in % terms) and fees reduction (in % terms), this would be helpful. As well, I am sure that other persons on this forum would also be appreciative.%0AAgain, no need to disclose anything sensitive, but simply a request to share your experiences gained from implementing the SOX tool or compliance system.%0AKind Regards,%0AMilan %0AHi Milan,%0AFirstly i would say that the cost savings were not the main driver of designing and implementing the system, the primary reason was to have a robust single global repository for all SOX information, so qualatative considerations were first and foremost in mind at the outset (we had previously been experiencing a high amount of deficiencies due to annoying things like control owners not being able to find evidence to provide to audit to prove they had performed controls etc…). That said, cost savings are an obvious by product of achieving the increased quality across the whole sox compliance process, so the two things do tend to go hand in hand to an extent here.%0AThe majority of the cost savings have been experienced in the Internal Audit function (which are relatively easier to measure than external audit costs), with roughly a 15-20% reduction in the overall cost of SOX auditing from that area. There has been savings in the external audit costs as well, but as gmerkl has pointed out it’s hard to isolate exactly what these are, but I would estimate something like a 5% reduction in the overall sox audit costs could be attributed to the new system. A further cost saving also arises by a reduction in time ordinary members of staff have to spend with internal and external audit now that substantial amounts of information can now be accessed by these functions directly from the system, so it’s brought a lot of benefits to the hundreds and hundreds of ordinary control owners throughout the organisation, but we have not yet attempted to quantify those savings.%0AI don’t want to give too much away in terms of information, but the cost savings mentioned above have already paid for the development/project costs of the system, so the vastly increased quality of the sox compliance process in our organisation as a result of the implementation of the system have effectively been achieved at no cost.



  • Hi Ross,
    Thank you for sharing your experience and thoughts.
    Kind Regards,
    Milan


Log in to reply