“How do we ensure that improvements to processes to remove waste do not accidentally remove the controls needed for Sarbanes-Oxley (SOx) compliance?” Is this a problem that you are grappling with?
The same question could also be asked about controls needed for compliance with other regulatory frameworks or standards, such as those of the Financial Conduct Authority (FCA) or ISO.
For the rest of this article I shall refer to Sarbanes-Oxley (SOx) only, but please be aware that the approach set out applies equally to compliance with other regulations.
It is very easy, during a process improvement project focused on increasing efficiency, to remove a control activity on the basis that it doesn’t add value. The activity might be identified as wasteful and the decision made to improve the efficiency of the process by removing it.
In fact, of course, Control Activities (which ensure Sarbanes-Oxley compliance) add a great deal of value, but this may not be immediately obvious.
It is nervousness about this apparent conflict of interest that can lead the Compliance team and the Continuous Improvement team to want to work independently with their own supporting systems.
However, this wasteful approach really isn’t necessary.
Control Activities are the activities undertaken to ensure compliance with the Disclosure Controls set out in SOx Section 302 and the Assessment of Internal Control set out in SOx Section 404.
In brief:
Control Activities ensure that there is compliance to these requirements.
Compliance with Sarbanes-Oxley requires a methodical approach:
The capture of all processes, procedures, documents and policies is best achieved by process mapping.
For more information on process mapping please read: Process Mapping: Who does it and why?
With all processes mapped out, linking to documents, policies and procedures, data-driven visualisation can be used to show the Control Activities.
Data-driven visualisation is when an object on a process map alters its appearance based on a property of the object. It is a very powerful technique to convey useful information in an efficient and accessible way.
Accordingly, applying data-driven visualisation to the captured process maps displays a SOx icon against the activities that are required for compliance, identifying Control Activities easily and obviously.
The images below show properties being updated to show requirement for SOx compliance and an icon added to an activity to show that it is a Control Activity.
This results in Control Activities being clearly indicated in the process maps, so that it is immediately obvious that they are mandatory and cannot be removed.
With data-driven visualisation, the appearance (the presentation layer) is separated from the business rule (the data layer). Therefore, any icon to indicate a SOx Control Activity can be used. Furthermore, data can be updated as a batch process and consistently and accurately represented across all maps.
This allows one set of process maps to be utilised by the whole organisation, accessible through a central system. The Compliance team, Continual Improvement and end users can all use one set of maps in one management system without fear of conflict of interest.
Using reports to list all Section 302 and 404 Control Activities also helps to ensure that they are clearly identified as activities that must not be removed.
Using the approach set out clearly identifies Control Activities in a manageable and maintainable way. It allows reports to be run on them and ensures that they can never be removed by accident during a process improvement exercise.
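As an added illustration (not Triaster's software and not code from the original article), the following Python models the separation described above: each activity's properties form the data layer, an icon rule forms the presentation layer, a report lists Section 302/404 Control Activities, and a waste-removal step refuses to delete anything flagged as a control. The invoice-approval activities are a constructed sample.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    name: str
    properties: dict = field(default_factory=dict)   # data layer: business facts only

# Presentation layer: icon rules keyed on property values, held apart from the data,
# so the icon can be swapped without touching any map.
ICON_RULES = {
    ("sox_control", True): "SOX",
}

def icon_for(activity):
    """Return the icon the map should draw for this activity, or None."""
    for (prop, value), icon in ICON_RULES.items():
        if activity.properties.get(prop) == value:
            return icon
    return None

def batch_update(process_map, names, **props):
    """Apply one property change to every named activity in a batch."""
    for act in process_map:
        if act.name in names:
            act.properties.update(props)

def control_report(process_map, section=None):
    """List Control Activities, optionally filtered by SOx section (302 or 404)."""
    return sorted(a.name for a in process_map
                  if a.properties.get("sox_control")
                  and (section is None or a.properties.get("sox_section") == section))

class ControlActivityError(Exception):
    """Raised when an improvement step tries to remove a Control Activity."""

def remove_as_waste(process_map, name):
    """Improvement step: drop an activity unless its data flags it as a control."""
    act = next(a for a in process_map if a.name == name)
    if act.properties.get("sox_control"):
        raise ControlActivityError(
            f"{name} is a SOx Section {act.properties.get('sox_section')} Control Activity")
    process_map.remove(act)
    return process_map

def sample_map():
    """Constructed invoice-approval process with two Section 404 controls."""
    m = [Activity("Receive invoice"), Activity("Match to PO"),
         Activity("Second approver sign-off"), Activity("Post to ledger")]
    batch_update(m, {"Match to PO", "Second approver sign-off"},
                 sox_control=True, sox_section=404)
    return m
```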
Triaster has helped many hundreds of companies to reconcile the requirements of Sarbanes-Oxley compliance and process improvement with our software platform. If you are wondering if we may be a good fit for your requirements, we would love to discuss them with you.
Related articles:
Process Mapping: Who does it and why?
How to stop wasting money in your business: 10 cost saving tips
Achieving ISO 9001:2015 with Business Process Management (BPM)