South African Company - need to become SOX Compliant 1515

  • Hi All,
    I am based in South Africa and very new to SOX. We have a number of US based clients and are in the process of being bought out by a US company. I have been given the resposnibility of handling the SOX Project. We have SOX Controls in place for our IT Systems, but that is all we have done so far.
    I have researched alot and have a fair understanding about the SOX Act now, but i am trying to decide where we should start. I have purchased the SOX Toolkit where i have received most of my information from.
    Is it a good idea to first set up a steering committee and then perform a risk assessment or should there first be an audit committee with members of the board, principal officers,etc ? Any advise would be greatly appreciated. Thanks

  • Hi Seal and welcome to the forums 🙂
    I’ll share some high-level ideas (30,000 foot viewpoint) below:

    1. Set up a Project Plan for meeting SOX compliancy requirements (Research and explore what is needed prior to doing anything)
    2. Perform an inventory of all your IT applications
    3. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing
    4. Perform a Risk Management study on all your financial applications (looking at possibilities that someone could either accidently or alter financial records)
    5. Look at ways of strengthening the Financial process and implement new controls (e.g., versioning, change management, and security)
    6. Evaluate random sampling controls and requirements for your financial applications to setup a testing/sampling program on controls each quarter or month, depending on the needs.
    7. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and work these in over time.
    8. Work closely with both internal and external auditors and gain their approvals for the work that will be done.
    9. Setup an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.
    10. Make sure senior management backs the process as well, as that’s a successful aspect for implementing the ‘human’ changes and additional work that will be needed to gain compliancy. SOX may increase costs somewhat, but if it’s done right your company might also benefit by having more accurate financial information and sometimes even better workflows (that might help offset the additional work some?)

  • Thanks for the info - greatly appreciated.
    I am actually doing a presentation on SOX for management and their requirements next week to get them aware of what SOX is all about and what roles they will need to play in the whole process. I don’t think they realise the work ahead to become SOX compliant.
    As a matter of interest - how long (average) do most companies take to become SOX compliant ?

  • Gavin:
    I agree with Harry’s 30,000 foot view. In re your comment/question:
    I don’t think they
    You must understand that NO ONE really understands SOx difficulties until they’re in it. Even then, you will be surprised as you become compliant how management may lack any understanding of the quagmire that SOx can be (especially if you don’t spend enough time planning and organizing, as Harry recommends).
    On average, a SOx gig takes a minimum of six months to complete. A very small company can get the basic work done in less time, but then will be faced with remediating–which can be significant.
    (The main reason it takes so long is that you will need to fit your work into and around the day-to-day activities of the process owners and management. The second reason that it takes so long, is because it’s an immense undertaking, especially if the organization has no documented policies and procedures–which is common. In addition, the organizations that DO have procedures documented are more likely to have ‘how-to’ manuals for entering data into the accounting system and generating reports, rather than processing steps and control activities, let alone having identified key controls.)
    Having said that, you are not starting too soon. And, not to put additional pressure on you before your presentation, but the better you present the challenge ahead (to management), the easier your project will be. To the extent possible, I suggest meeting with the independent auditor and getting their audit manager and SOx guru on board so that you can have them back you.
    Hope this helps.

  • Another thought:
    I suggest that you make sure that management understands the cost of complying. Nothing kills SOx projects faster than being underfunded from the start. By the time that most companies discovered that they should have applied more resources earlier in the project, it was too late.
    While I think that the average SOx compliance costs are overstated, you should cite the published average costs (for a acompany of your size based on revenue categories).
    Then, once you have an adequate budget, proper staffing will follow.
    If management thinks that you are going to do this alone, they will be dissapointed (but not more than you, I am sure)
    Again, hope this helps.

  • Thanks for all the information once again - you’ve been a great help.

Log in to reply