Assurance & Compliance Applications 

    by Dan Schroeder, CPA.CITP, CISA 

    Assurance and Compliance Applications are collaboration and compliance tools that help stakeholders monitor, document, assess, test, and report on compliance with specified controls.

    The addition of this topic to the past Top Technology Initiatives Top 10 List reflects a powerful movement by accounting technology professionals to find ways to make compliance with Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 (SOX) more efficient and less costly. This is accomplished by applying process management principles and technology to the activities associated with executing and documenting SOX compliance.

    Early approaches to SOX compliance were frequently inefficient, expensive and disruptive. SOX filers quickly recognized that to make compliance efficient and sustainable, they needed to institutionalize the management of SOX control functions. Moreover, public registrants and other organizations have come to recognize that while SOX is critically important, it is just one element in an effective approach to corporate governance.

    An Integrated Approach

    To drive maximum efficiencies, SOX compliance must be integrated with an organization’s broader Enterprise Risk Management (ERM) considerations, including:

    • operations risk management;
    • compliance with industry regulations, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLBA (Gramm-Leach-Bliley Financial Services Modernization Act of 1999), and FFIEC (the Federal Financial Institutions Examination Council); and
    • information technology governance.

    Accordingly, SEC registrants are increasingly approaching SOX compliance as an element of a broader initiative to institutionalize ERM. 

    Enterprise Risk Management (ERM) 

    In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Enterprise Risk Management – Integrated Framework. As defined by COSO, ERM is an enterprise-wide process effected by a board of directors, management and other personnel as part of a broader organizational strategy. The purpose of ERM is to (1) identify potential events that may affect the entity, (2) manage risk as appropriate to the organization, and (3) provide reasonable assurance that the organization’s objectives are being achieved.

    Enterprise Risk Management – Integrated Framework also outlined the following six concepts that are fundamental to ERM deployment. To achieve success, you must remember that Enterprise Risk Management is:

    • an ongoing process that flows through an entity;
    • affected by people at every level of an organization;
    • applied in strategy setting;
    • applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk;
    • designed to identify potential events that, if they occur, will affect the entity and help manage risk within its risk appetite; and
    • a method to provide reasonable assurance to an entity’s management and board of directors (relative to design and effectiveness of risk management activities).  

    Extending Compliance Software to SOX and ERM 

    Developers of compliance-related software have been quick to respond to the need to streamline the SOX compliance process and extend software functionality to encompass ERM. The table below lists the key enabling characteristics of emerging ERM compliance software, each followed by a description and examples of the activities or areas it can support:

    Common platform

    ERM software is emerging as a comprehensive repository for the definition of risks, control definitions, testing activities, test results and mitigation activities. Risk definitions and associated controls encompass financial reporting, operations management, and statutory and industry-specific requirements (e.g., FFIEC, HIPAA, GLBA, SOX).

    ERM solutions are becoming a standard part of the corporate network, much like ERP, with defined responsibilities and associated access privileges.

    Organizational and process structure

    ERM software enables the complete mapping of an organization’s structure (including operating divisions, regions, departments and cost centers) and associated business processes.

    Roles and responsibilities

    Controls and compliance involve ownership and accountability. ERM software allows companies to deploy compliance requirements throughout the company. For example, SOX Section 302 requires quarterly and annual certification statements from CEOs and CFOs. An effectively designed and deployed ERM solution would enable the CEO to monitor the status of all controls throughout the organization at any time. This would also allow sub-certification, where business unit heads and process owners submit their certifications to the next level up in the company.

    Continuous monitoring of risks and controls

    ERM software enables companies to test controls throughout the year, following an organized approach that reflects control activity risk and frequency.

    ERM software often integrates with ERP and other applications to automatically monitor activities using predefined rules and reporting parameters (e.g., automatically identify disbursements over $xxx for testing).

    Deployment of ownership and accountability for effectiveness of controls

    SOX filers are seeking to minimize their dependency on consulting firms for development of controls and conducting management’s assessment. They are working aggressively to lower audit fees that spiked as a result of the increased burden borne by audit firms due to their SOX responsibilities.

    Example: Sub-certification linkage for Section 302 reporting to business unit management and functional process owners.

    Embedded workflow

    Deployment of workflow into ERM means the automated assignment of testing and validation requirements to individuals and roles, coupled with predefined and automated routines for notifications, alerts and exception reporting.
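    The following is an added example, written for this page rather than taken from any ERM product or from the author, of the rules-based monitoring and embedded workflow described in the continuous monitoring and embedded workflow items above. It evaluates a constructed set of disbursement records against predefined rules, routes each exception to the control owner responsible for the cost center, and prepares the notification text that a messaging integration would deliver. The $10,000 threshold (the page gives it only as "$xxx"), the rule identifiers AP-01 and AP-02, the cost-center-to-owner mapping and the ledger rows are all constructed assumptions.

```python
"""Rules-based continuous control monitoring with workflow routing.

Constructed example: evaluates disbursement records against predefined
rules, assigns each exception to a control owner, and prepares the
notification text a messaging integration would deliver.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Disbursement:
    txn_id: str
    cost_center: str
    vendor: str
    amount: float
    approver: Optional[str]   # None when no approval is recorded
    posted: date


@dataclass(frozen=True)
class ControlException:
    txn_id: str
    rule_id: str
    detail: str
    owner: str                # person or role who must test and clear it


# ASSUMPTION: the page only says "disbursements over $xxx"; $10,000 is a
# constructed threshold chosen for this example.
THRESHOLD = 10_000.00

# Constructed mapping of cost centers to control owners (sub-certification chain).
CONTROL_OWNERS: Dict[str, str] = {"CC-100": "ap.manager", "CC-200": "treasury.lead"}
DEFAULT_OWNER = "controller"  # fallback when a cost center has no assigned owner

# Predefined rules as (rule id, description, predicate). Identifiers are constructed.
RULES = [
    ("AP-01", "disbursement over threshold", lambda d: d.amount > THRESHOLD),
    ("AP-02", "no approver recorded", lambda d: d.approver is None),
]

# Constructed sample ledger (not real data).
LEDGER: List[Disbursement] = [
    Disbursement("D-1001", "CC-100", "Acme Supply", 4250.00, "j.doe", date(2006, 3, 2)),
    Disbursement("D-1002", "CC-100", "Northwind Services", 18700.00, "j.doe", date(2006, 3, 5)),
    Disbursement("D-1003", "CC-200", "Contoso Freight", 950.00, None, date(2006, 3, 9)),
    Disbursement("D-1004", "CC-300", "Fabrikam Consulting", 25000.00, None, date(2006, 3, 12)),
    # Exactly at the threshold: "over" means strictly greater, so this one is not flagged.
    Disbursement("D-1005", "CC-200", "Contoso Freight", 10000.00, "m.lee", date(2006, 3, 15)),
]


def evaluate(ledger, rules=RULES, owners=CONTROL_OWNERS, default_owner=DEFAULT_OWNER):
    """Run every rule over every record; one exception per (record, rule) hit."""
    exceptions = []
    for d in ledger:
        for rule_id, description, predicate in rules:
            if predicate(d):
                owner = owners.get(d.cost_center, default_owner)
                detail = f"{description}: {d.vendor} {d.amount:,.2f} posted {d.posted.isoformat()}"
                exceptions.append(ControlException(d.txn_id, rule_id, detail, owner))
    return exceptions


def build_work_queue(exceptions):
    """Group exceptions by the owner who must test them (the workflow assignment step)."""
    queue: Dict[str, List[ControlException]] = {}
    for e in exceptions:
        queue.setdefault(e.owner, []).append(e)
    return queue


def notifications(queue):
    """One reminder per owner, ready to hand to a mail or messaging integration."""
    return {
        owner: f"{len(items)} control exception(s) assigned for testing: "
               + ", ".join(sorted({e.txn_id for e in items}))
        for owner, items in queue.items()
    }


if __name__ == "__main__":
    queue = build_work_queue(evaluate(LEDGER))
    for owner, items in sorted(queue.items()):
        print(owner)
        for e in items:
            print(f"  [{e.rule_id}] {e.txn_id}: {e.detail}")
    for owner, msg in sorted(notifications(queue).items()):
        print(f"notify {owner}: {msg}")
```

    Running the script prints the work queue grouped by owner and one notification line per owner. The record at exactly the threshold is deliberately included because "over" is the kind of boundary a rule definition must state explicitly; a record with no owner mapped for its cost center falls back to the controller so that no exception is left unassigned.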

    Integration with corporate messaging system(s)

    An important underlying function for workflow and automated reporting is the ability to integrate with corporate messaging systems such as Microsoft Outlook, so reminders, exception notices and other reports can be automatically sent to auditors, valuators, process owners and executives.

    Integration with corporate document/content management systems (DMS, CMS)

    SOX filers and others enacting aspects of corporate governance are increasingly deploying formal change control over policies and procedures, and formal retention over compliance controls. Integration of ERM with DMS systems helps to ensure that policies and procedures are linked to process definitions, control test requirements and test results. DMS can also serve as a repository for test results and supporting workpapers to fulfill both internal and regulatory requirements.

    Effective SOX and ERM compliance can be complicated and difficult to achieve cost-effectively. However, companies are increasingly finding it feasible and beneficial to deploy SOX and broader ERM compliance programs by using advanced process and technology concepts like those outlined in the table above.




    Copyright © 2006-2014 American Institute of CPAs.