RGP was recently invited to participate in the ACS Live SOX and Internal Controls seminar in San Francisco. GRC Senior Practice Leader Les Sussman was joined by policyIQ's Managing Director, Chris Burd, in presenting a 90-minute session on Creating Efficiency in SOX Compliance with Technology.
The session generated a great conversation among those SOX professionals in the room. While the material covered all aspects of the SOX (and SOX audit) process, a few topics were clearly top of mind for the attendees.
Risk Assessment: Quantitative versus Qualitative
Pulling the risk assessment into your SOX tool and linking that assessment to your SOX controls and testing can streamline and simplify your scoping process. However, the basic question of what that risk assessment should look like prompted the attendees to share their experiences and their best practices.
While most audience members seemed to agree that some degree of quantitative analysis (numerically driven risk ratings) was necessary, it was also clear that those coming from an internal audit perspective were far more likely to look for a purely quantitative assessment, while those coming from a management perspective saw the need for assessments that also included qualitative aspects.
What does this mean for policyIQ clients looking to manage their risk assessments? While we often focus on quantitative examples, we do encourage our clients to provide for a qualitative override, with supporting comments, for the cases where the numbers don't tell the whole story.
Centralized Access for Control Owners, SOX Team and Internal Audit is Key
About half of the organizations in attendance were still struggling to manage their SOX compliance programs without a centralized SOX application. The complexities of managing access to Excel spreadsheets, narratives and audit testing are a daily effort. Those who are using a SOX application were quick to concur with the efficiencies gained from a centralized tool, and to add their own experiences.
A single source of information allows updates to feed all of the various viewpoints, reports and data needs.
When used to manage multiple compliance programs, that single source of information becomes even more powerful, as a single set of updates (and testing, issue management, etc.) can feed all of those programs at once.
COSO, Issue Management and SOX 302 Certifications
Other areas of interest to the audience included the ease of managing the COSO mapping, the ability to assign and communicate issues and remediation plans, and the ability to create a SOX 302 sub-certification process.
Are you looking to make your SOX process even more efficient? Reach out and let us know if there are still areas of your SOX compliance program that feel clunky and time consuming, and let us help you make a shift!