How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Check our similar posts

Outsourcing

Are you ready to outsource? Do you even need to outsource? We’ll help you answer those and other questions regarding outsourcing and your company.

Once we’ve determined that outsourcing will render your organisation more focused on your core competencies, more cost-effective, and more flexible, we’ll offer you the full spectrum of our services. Our specialists can assist you in every stage of the entire outsourcing life-cycle.

Starting from evaluating what can be outsourced, through finding the right outsourcing service provider, building the contract and agreements, getting everything in place, and managing the outsourcing relationship – we’ll be with you every step of the way.

Learn more about some of the outsourcing services we offer:

Outsourcing Contracts and Agreements

When an outsourcing project fails, both customer and service provider are quick to put the blame on the other party. But in most cases, the actual culprit was really just sitting there since day one – a poorly planned and implemented agreement.

We understand how costly and disruptive a failed outsourcing project can be for your business. That is why we put utmost attention to each contract and SLA (Service Level Agreement) that our customers enter into. This always reduces the likelihood of having unmet expectations, one of the major reasons why some outsourcing relationships fail.

We make sure that each agreement is fair, not only for our customers but also for the service providers themselves. Why? Because a disadvantaged provider will most likely end up delivering poor service as an offshoot of efforts to improve its profitability and ROI.

To accomplish this, we’ll thoroughly assess the infrastructure, resources, and expertise of your potential service provider to ensure they have the capability to meet your expectations. We’ll also make sure that their expectations are realistic and clear to you as well.

Here’s what you can expect from us when we start managing your outsourcing contracts and agreements:

  • A thorough assessment of your specific needs and the service provider’s profile to determine whether you have the right match before proceeding with any agreement.
  • Professional assistance when the time comes for you to discuss the scope of work, expected service levels, and when negotiating for appropriate pricing. We’ll also help you set up provisions for possible changes in the scope later on.
  • Expert counsel during drafting and finalisation of the contract and Service Level Agreements. Whenever applicable, we’ll help you propose penalties whenever service levels are not met and rewards when they are exceeded.
  • Regular reviews to determine whether everything agreed upon in the past, like pricing and service levels, are still realistic or competitive enough in view of current technological advancements and the prevailing social and economic environment.
  • Mediation expertise whenever the outsourcing project appears to be falling apart. We’ll work with you and the service provider to resolve conflicts and avoid the expensive exercise of having to terminate the contract. But if the best solution is to part ways, we’ll make sure you make an exit with the least disruption, missed opportunities and financial loss.

Application Outsourcing

I’m sure you’ve come to realise that to gain competitive advantage these days, you really need to invest in IT applications.

There are applications for enhancing your customer relationships, speeding up production, streamlining processes, advancing collaboration, protecting your systems from malware and many more. Selecting the right application, testing it, implementing it into your system, and then managing it can deviate resources which would have otherwise been used in other areas to build business value, increase profits, and enhance innovation.

Wouldn’t it be nice to unload yourself of the management processes which usually accompany IT applications? Actually, you can – through application outsourcing. Application outsourcing providers possess the expertise to either partially or fully assume responsibility of your IT applications.

Our job is to see to it that you link up with the provider who can best answer your needs. The overall proficiency of these providers spans both proprietary and opensource solutions, allowing them to cater to a wide range of preferences and budgetary limits. At the very least, they can provide professional support for well established applications.

If needed, they can develop applications for your organisation, taking charge of every step in the system development life-cycle: starting from system initiation, requirements analysis, through design, construction, acceptance and eventually to implementation.

Here are some of the benefits you can enjoy once we start managing your application outsourcing initiatives:

  • Freedom from time-consuming tasks such as installations, upgrades, configurations and repairs.
  • Reduced total cost of ownership (TCO).
  • 24/7 support from well-trained personnel. This can substantially cut downtimes caused by inexperienced troubleshooting.
  • The option to have your applications housed in more secure and reliable environments with much higher availability and much lower planned/unplanned downtimes.
  • Dedicated specialists who can focus on providing better regulatory compliance and risk mitigation initiatives.

Infrastructure Outsourcing

Keeping up with the competition nowadays usually requires technological advancements as well as the capability to manage and maintain the infrastructure that has to support them. These undertakings can suck your resources dry.

If you’re looking to reduce costs even while improving the performance of your networks, servers, databases, firewalls, desktops and mobile devices, you might want to consider IT infrastructure outsourcing among your top options. Infrastructure outsourcing service providers have the resources dedicated to a stable, secure, scalable and always available IT infrastructure.

Typical service provider facilities include data centrers equipped with high-speed networks, reliable power, dependable security, as well as provisions for upgrades, consolidation, disaster recovery, or even business continuity.

These providers employ specialists and staff who can manage and maintain all of these for you. While your provider juggles your core IT-related tasks, you can keep your eye on the ball and refocus on your company’s business goals.

Here are some of the benefits you can enjoy out of infrastructure outsourcing:

  • Freedom from time-consuming tasks such as installations, upgrades, configurations and repairs.
  • Since service providers, who are expected to have better horizontal and vertical scalability, will deal with the technological intricacies, your company’s strategic development initiatives can proceed unhampered.
  • Greatly reduced electricity expenses as a result of consolidation.
  • Easier, faster, cheaper, and more reliable disaster-recovery solutions through virtualisation.
  • Lesser risks of disruptions caused by power outages, cyber attacks, or Internet connection downtimes.

Business Process Outsourcing

With the sheer number of business processes your company has to attend to, it wouldn’t be surprising if you rarely have room to innovate.

Through business process outsourcing, we can free a considerable part of your financial and manpower resources which are currently focused on routine activities. With more resources to drive innovative initiatives, you’ll be able to accelerate production, improve customer service, enhance overall business value, and arrive at a stronger bottom line.

Some of the business processes that may be outsourced include data entry, finance and accounting, form processing, procurement, and HR, among others. If you’re interested in finding answers to the what, how, who, and where of BPO, specific to your organisation, we’ll be happy to enlighten you.

Here are some of the benefits you can enjoy once we start managing your BPO initiatives:

  • Professional guidance to ensure that your BPO undertakings will really result in substantial savings and significant improvements to your organisation’s business value.
  • Careful monitoring of service levels to ensure faster turnaround, accurate data, and high quality outputs.
  • Expert evaluation of information handling processes to guarantee full confidentiality.
  • Professional and unbiased management dedicated to establishing a strong, reliable, and fruitful relationship between you and your provider.
2015 ESOS Guidelines Chapter 7, 8 & 9 – Sign-Off, Compliance & Appeals

This is the final chapter in our series of short posts summarising the quite complex ESOS guidelines (click on ?Comply with ESOS? to see the details). This one addresses the legalities to follow to complete your report – and how to appeal if you are not happy with any of the Environment Agency?s decisions.

  1. Director Sign-Off

This is by no means an easy ride. Confirmation of the work at individual or lead assessor level locks the company into the penalty cycle in the event there are significant irregularities. By signing off the assessment, the board level director(s) # agree that they have

  • Reviewed the enterprise?s ESOS recommendations
  • Believe the enterprise is within the scope of the scheme
  • Believe the enterprise is compliant with the scheme
  • Believe the information provided is correct

Having an internal assessor requires a second board-level signature.

  1. Compliance

You report compliance on the internet. This is free and you can do it at any time within the deadline. You can dip in and out of the process as many times as you wish, but must use the link in the receipting email. While this is something a board member must do, there is no reason why the lead assessor should not complete the basics. The online compliance notification addresses the following topics:

  • The ESOS contact person in the enterprise
  • Any aggregation / dis-aggregation during the period
  • The names and contact details of the lead assessor
  • The proportion of energy consumption per compliance route

The Environment Agency will acknowledge receipt. This does not constitute acceptance. You should keep the ESOS evidence pack in a safe place with at least one backup elsewhere.

  1. Compliance & Enforcement Issues

In the event the Environment Agency decides your enterprise has not met ESOS requirements, it may either (a) issue a compliance notice with instructions, or (b) apply one of the following civil penalties:

  • A fine of up to ?5,000 for failure to maintain records
  • A fine of up to ?50,000 for failure to undertake an energy audit
  • A fine of up to ?50,000 for a false or misleading statement

Any enterprise has the right of appeal against government decisions. In the case of ESOS, this is via:

  • The First-Tier Tribunal if your enterprise is England, Wales or off-shore based
  • The Scottish Minister if your enterprise is based in Scotland
  • The Planning Commission if your enterprise is Northern Ireland-based

The notice you appeal against will supply details of the appeal steps to take.

This blog and its companion chapters concerning the ESOS Guidelines as amended 2015 are with compliments of ecoVaro. We are the people who break ESOS data into manageable chunks of information, so that board-level directors have greater confidence in what they sign.

Implementing Large-Scale Complex Business Change

Sometimes, driving your people to work harder is not enough for your organisation to withstand the pressures laying siege to it. With uncertain economic conditions, unpredictable fresh competition, and looming threats from the environment or even pandemic-grade diseases, empowering your people to not only ‘think’ but also to ‘step’ out of the box is currently the name of the game.

However, such initiatives typically require sweeping changes throughout your entire organisation … and to think even the slightest change is often met with hard resistance.

Whether you’re about to undergo an M&A, relocate due to a major catastrophe, scale down to a skeletal workforce, or implement a brand-new company-wide strategy, our systematic approach to large-scale complex business change can help you make the transition as seamless as possible.

We understand the importance of the human aspect in change management. That is why we’ll focus on making your people appreciate the benefits of having to learn new skills, perform new tasks, employ modern technologies, and go through new processes in order to tone down the resistance level.

Our entire process spans from top to bottom, wherein we’ll start with your sponsors, down to your managers, and then to other stakeholders in making them appreciative of the needed changes and in order to achieve alignment with your organisation’s goals. Our top to bottom approach is also aimed at casting a positive “shadow of the leader” on people down the line, enabling them with an optimistic view despite the gruelling tasks before them.

We invite you to have a look at the steps we take in implementing large-scale complex business change to win over a strong and lasting commitment to it.

Evaluating the Required Change

Large-scale complex business change initiatives can be implemented expeditiously and economically if you’ve clearly defined the scope of the change as well as the forces that shape your organisation. You’ll want to know which areas yield easily and which are hard to change to determine where and how you’re going to focus more of your efforts on.

To arrive at a sound and systematic plan, we first gather as much information as needed and analyse them. We determine whether your departments have the required capabilities and how we can arrive at a clear organisational alignment. That way, we don’t waste time, effort and resources when the moment comes to carry out the plan.

These are some of the diagnostic procedures we perform in evaluating the required change.

  • Change complexity analysis. We’ll assess the contribution of people and task factors to the overall complexity of the change project. This will help us determine how to approach the problem efficiently.
  • Causal analysis. By establishing cause and effect relationships, we can identify root or circular causes. This will allow us to pinpoint problem areas and prevent a repetition of past mistakes.
  • Structural analysis. Any company is propped up by a number of structures: organisational, process, motivational, social, and physical, among others. Understanding the structures that drive, motivate, hamper, connect, and influence your people’s behaviours can provide insights as to how or where structural change can best be executed.
  • Context analysis. We’ll look into market forces as well as political, economic, social, technological, legal, and environmental factors enveloping your business. We’ll also analyse your driving objectives, organisational alignment, and organizational capabilities. By analysing the internal and external environment in which your business currently operates, we can formulate a customised strategic and effective plan of action.

Managing Stakeholders

Change initiatives won’t prosper without total commitment from all stakeholders. Stakeholders refer to people in your organisation who either have interests in the change project or can be affected by it.

We deal with your stakeholders starting from the top because if we can’t gain full commitment from those already in the best position to spur the diverse entities in your company into active cooperation, striving to secure commitment from other areas will be futile.

That is, if you don’t have the full support of your key and principal sponsors, i.e. the people who have the biggest say and have greatest control over resources in your organisation, you can’t hope to sustain the change endeavour, let alone provide the much needed spark to get it started.

Here’s how we carry out our stakeholder management actions.

  • Conduct research to identify all stakeholders: the sponsors, your internal and external partners, the main targets of the change, and all interested parties. That way you can “switch on” implementors of each change action in the proper sequence.
  • Not everyone will offer resistance to your change endeavours. We’ll help you identify those stakeholders and sponsors who are willing to offer support, evaluate the level of support they are willing to give, harness all available supports and utilise them extensively to benefit the change.
  • Gain a deeper understanding as to why certain stakeholders are willing to lend support. In doing so, we can implement the right strategies that will encourage them to continue supporting you.
  • Assemble a leadership team that will champion your change initiatives. We’ll facilitate effective collaboration among its team members, transforming them into a cohesive force designed to carry out plans and motivate everyone else down the line.
  • Upon realisation of the change project, we’ll see to it that all stakeholders get a taste of the carrot at the end of the stick. This will encourage them to continue active cooperation in future change initiatives.

Planning for the Change

Anyone who has experienced having their car stuck in the mud knows that stepping on the accelerator will only get the vehicle trapped even deeper. Without the aid of a towing truck, getting the car out will require careful planning since different combinations of pulling, pushing, lifting, rocking to-and-fro, and stepping on the accelerator may be needed.

Of course, some combinations are just better than others. The same principle holds when effecting change.

Our approach to change management typically varies depending upon the information we obtain from the different analyses performed earlier. For instance, since not all organisations are suitable for a collaborative approach, we will employ either collaborative, consultative, directive, or coercive change management strategies wherever applicable.

A well-planned change will result in a smoother, less costly, and less disruptive transition. Here’s how we’ll help you plan your change initiatives.

  • When put in a predicament similar to the car-in-the-mud, the basic strategy entails identifying the current resisting forces and predicting what other resisting forces may be encountered along the way. After researching and pointing out your organisation’s resistance forces, we’ll lay out the most appropriate facilitation, education, and negotiation techniques.
  • To bring down wastage to the lowest possible levels, we’ll engineer a change delivery plan that involves the most cost-effective sequence of driver, process, technology, organisational, and people alignment.
  • To win and maintain a high level of trust, confidence and commitment from all sponsors and stakeholders, we’ll present a clear road map of the change process as well as landmarks that will prove how far we will have gone. These landmarks will then be brought to each sponsor’s and stakeholder’s attention each time they are arrived at in order to build up assurance and continued commitment.
  • We’ll design measurement tools and schedule reporting deadlines so that you’ll know what to look forward to and when to expect them.

Managing the Change

Your company will hold a better chance of maintaining a sizeable lead over the rest of the pack if you constantly establish a rally point and instil in your stakeholders the drive to rally to that point from the get-go. To make this happen, your company must undertake the unfreezing, transition, and refreezing phases of change skilfully in order to bring all stakeholders into the right mindset.

Our specialists’ systematic and efficient methods for each of these phases are designed to simplify the management of each phase as well as provide a seamless shift from one phase to the next. This is what we’ll do:

  • Set up a change project management office to ensure that everything associated with the change initiative is given the needed attention and resources even while all the other usual processes in your organisation run concurrently.
  • To unfreeze your people and get them started on the road of change, we’ll employ unfreezing techniques wherever they are most appropriate. We’ll resort to different kinds of methods ranging from presenting persuasive evidence justifying the need for change to showing a motivational vision for inspiring your people to embark on the change process.
  • Since it is during the transition phase when your people can find themselves groping in the dark, we’ll offer executive coaches for your senior managers; facilitators to provide guidance during team meetings and other change activities; coaches to educate and inspire them to meet the change with the right attitude; trainers to teach new systems, procedures, and technologies; as well as employ a variety of other techniques in order to make the transition phase as seamless as possible.
  • Although your people should always be ready to undertake the next major change after a previous one, there should be points in between where they can taste the spirit of success, establish a temporary base to rejuvenate, and immediately gain a deeper understanding of the nearby terrain so as to envision the next rally point. We’ll see to it that this vital phase of change is carried out completely.

Ready to work with Denizon?

Contact Us Today