SOX...Check. Now what? 2181

  • Hello,
    Now that we have all been through the push of SOX compliance, where is our place within our organizations? We’ve gotten through year 1, year 2, year 3, and almost year 4. We’ve gone through risk assessments, control optimizations, bought a fancy internal controls applications, and even came up with a clever way to get through spreadsheet testing. Now that we have gotten our SOX compliance effort to a reasonable level, where do we focus our excess attention? We’ve gone through the process of trying to limit our in scope spreadsheets, but at some point, you just have to let IT do their thing. Have any of you found a way to add additional value without compromising your independence? Internal Audit seems to be a logical place to turn, but our internal audit department is more focused on reporting to the board than adding any kind of value. Enterprise Risk Management seems to be a buzz word these days. Has anyone found any satisfaction in pursuing that? Maybe it was the satisfaction I got from process owners thanking our group for a change because we got rid of all the frivolous controls the consultants put in place back in year 1, but I really want to continue to add value to their processes. So my question to you is this…now what?

  • How about process improvement? In my old assignment our department was designed in such a way, that during down times we would work with other departments and grab those projects that were related in some way at automating controls… always plenty of those 😉
    Just an idea

  • ^ I agree … If you can further streamline procedures, automate workflows, reduce paper, and anything else to save real expenses it’s always beneficial. As SOX 404 requirements will change near the end of the year, based on PCAOB recommendations that are pending with the SEC - it’s also important to focus on and plan for any impacts. Some links are in the ‘Other Legislation’ forum related to the upcoming changes.

Log in to reply