Assurance and Compliance Applications
The addition of this topic to past Top Technology Initiatives Top 10 lists reflects a powerful movement among accounting technology professionals to find ways to make compliance with Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 (SOX) more efficient and less costly. This is accomplished by applying process management principles and technology to the activities associated with executing and documenting SOX compliance.
An Integrated Approach
To drive maximum efficiencies, SOX must intertwine with an organization’s broader Enterprise Risk Management (ERM) considerations, including:
- operations risk management;
- compliance with industry regulations, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLBA (Gramm-Leach-Bliley Financial Services Modernization Act of 1999), and FFIEC (Federal Financial Institutions Examination Council) guidance; and
- information technology governance.
Accordingly, SEC registrants are increasingly approaching SOX compliance as an element of a broader initiative to institutionalize ERM.
Enterprise Risk Management (ERM)
In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Enterprise Risk Management – Integrated Framework. As defined by COSO, ERM is an enterprise-wide process effected by a board of directors, management and other personnel as part of a broader organizational strategy. The purpose of ERM is to (1) identify potential events that may affect the entity, (2) manage risk as appropriate to the organization, and (3) provide reasonable assurance that the organization’s objectives are being achieved.
Enterprise Risk Management – Integrated Framework also outlined the following six concepts that are fundamental to ERM deployment. To deploy ERM successfully, keep in mind that Enterprise Risk Management is:
- an ongoing process that flows through an entity;
- effected by people at every level of an organization;
- applied in strategy setting;
- applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk;
- designed to identify potential events that, if they occur, will affect the entity and help manage risk within its risk appetite; and
- a method to provide reasonable assurance to an entity’s management and board of directors (relative to design and effectiveness of risk management activities).
Extending Compliance Software to SOX and ERM
Developers of compliance-related software have been quick to respond to the need to streamline the SOX compliance process and extend software functionality to encompass ERM. Here are some descriptions of emerging ERM compliance software and the activities or areas they can support:
Effective SOX and ERM compliance can be complicated and difficult to achieve cost-effectively. However, companies are increasingly finding it feasible and beneficial to deploy SOX and broader ERM compliance programs by using advanced process and technology concepts like those outlined in the table above.