Friday, June 8, 2012

Dan Wilhems

SOX compliance engagements are not as big and disruptive as they once were, but they remain a reliable source of income for consulting firms because companies continue to wrestle with internal controls management and monitoring.





EK: What are the primary internal controls issues you see large and mid-sized companies dealing with? How about smaller companies?

DW: Smaller companies may have been glad they dodged the SOX mandate but now are realizing these controls – like SODs – are just good business. So, they are voluntarily adopting more controls. There’s also a shift beyond SODs and compliance towards improving processes. In other words, we see more interest in the “G and R” (Governance and Risk) of GRC. Better governance of the enterprise makes you more agile. For example, the focus on continuous controls monitoring (CCM) has a real payoff by better managing risk, where SOX was more about demonstrating compliance. A better controlled enterprise can be more agile and modify its business processes quicker.


EK: What do you see as the biggest hurdles to addressing the internal controls issues you mentioned?

DW: More companies are adopting GRC tools but they all follow their own timeline. Not every company is “ready and mature” for these kinds of GRC initiatives, meaning they must first recognize that better controls are needed and have a corporate culture that will accept better controls in business processes. Often companies start to adopt internal controls as a response to auditor findings on a single pain point, and may seek a solution to address that specific pain. Other companies experience fraud or lose a critical customer and that teachable moment helps them decide they must implement better controls. It’s too bad they must experience a loss to want to invest in preventing a loss.

Size also matters. While many smaller companies avoided the exhaustive and confusing SOX compliance exercises that larger companies experienced from 2002 through 2004, they are beginning to realize that better controls translate to greater business agility – a must-have capability in a highly volatile economic period.

Detective reporting from some software means less time sampling data and compiling after-the-fact reports, and violations are reported as they occur. The benefit is that you don’t discover violations too late, after the financial close or after an employee has run off with the cash. Many tools help you discover something after the fact in an investigation, but next generation GRC tools provide contemporaneous reporting so you know something has happened in a timeframe when you can still do something about it.




A second driver for internal auditors is addressing concerns of their executives. For example, the executives are asking for better controls over business processes. For example, not paying duplicate invoices or changing purchase orders after they are approved. Internal auditors are trying to take it to the next level so they aren’t the unappreciated policemen or an operating expense, but rather are perceived as the drivers for innovation and a business asset.



To help organize my understanding of current SOX compliance efforts, the state of internal audit and the adoption of continuous auditing, I recently chatted with SymSoft Corporation CEO and President Dan Wilhems.

One of the past problems with adopting controls is the hassle of manual methods and things like after-the-fact sampling. However, next generation GRC tools are really paying dividends by reducing time required and getting ahead of the risks. I think these improvements will make a big impact on adoption this year, especially when coupled with the trend of auditors continuing to broaden areas of review. So it makes sense for companies to fix current audit concerns now, to prepare for future broader concerns and adopt the tools that will help them through all this.

Ask a veteran of a Big 4 firm or any mid-sized to large consulting firm (with strong corporate finance services) what one of their most reliable sources of revenue is and, chances are, you’ll hear a blast from the past: Sarbanes-Oxley compliance.

EK: On a scale of one to 10 how far along do you feel U.S. companies are in the adoption of continuous monitoring and auditing capabilities?

DW: More than half of the large public companies have adopted CCM so we’ll give them a Seven, but smaller publicly traded and large private organizations are more like a Five. And we’ll give small and midsize enterprises (SMEs) a Two. Ironically the companies most likely to experience fraud or critical errors in business execution are the SMEs. That’s true because many SME staff members wear multiple hats, they have limited budget to implement controls, and less budget to do auditing. Unfortunately the SMEs are also less able to withstand a $1 million error compared to a large enterprise. Putting CCM in place helps these companies find big problems early.


Eric Krell: What are the primary areas you see internal audit departments focus on improving in 2011?

Dan Wilhems: Often it’s the external auditors that drive the agenda for internal auditors, and we see external auditors trending towards broader audits and larger areas of concern. When SOX passed there was a lot of work around Segregation of Duties (SOD), but now the focus is shifting towards broader IT compliance controls like batch job management and configuration change management.

Part of the problem is that, in many companies, the internal audit function’s hand-off of compliance and controls responsibilities to operations was at least partially interrupted by the economic crisis. Many organizations whacked costs (and people) from back-office functions, including internal audit, so these functions clicked out of value-add mode and into “do more with less mode.” In practice, that really meant doing the same with less.

