It's time to take Sarbanes-Oxley compliance to the next level for competitive advantage.
In his first law of motion, Sir Isaac Newton stated that, "Every object in a state of uniform motion tends to remain in that state of motion unless an external force is applied to it."
While this law was intended to explain actions in the physical universe, it could easily apply to the corporate universe as well — particularly when it comes to Sarbanes-Oxley (a.k.a. SOX or Sarbox). This legislation, which recently went into effect for most organizations, is intended to increase confidence and assurance regarding the operations of large, public companies. Although Sarbox is broad and implementation-agnostic, many of the strategies that will meet its requirements can be drawn from best practices that will also improve the overall operations of the organization.
Yet like the proverbial Newtonian object flying through space, many of these same organizations would, given a choice, allow momentum to dictate their direction rather than expend the energy necessary to change course — even if on a collision course with a much larger object. As a result, many organizations are doing the minimum required for Sarbox compliance. They're creating additional layers of bureaucracy and approvals for audit purposes. The results are entirely predictable: increased costs, more inefficiencies and frustrated employees. These haphazard, reactionary compliance strategies not only cause stress, they may cause the organization to miss a tremendous growth opportunity that could create a real competitive advantage.
Instead of complying reluctantly, smart organizations will take this opportunity to re-evaluate their processes and make changes that improve business operations, including the occasional wide-sweeping, fundamental and sometimes painful ones. They'll use Sarbox as a means to streamline their processes and auditing procedures through workflow automation, with compliance a natural byproduct.
Still, that's not quite an apple-hitting-you-on-the-head revelation. Truly enlightened organizations will take it even further by embedding their auditing procedures right within those automated processes. With embedded auditing, the mere act of performing an action provides instant accountability and transparency. Auditing, therefore, becomes not an afterthought, dependent on the good intentions of the person performing an act, but an integral part of the act itself. Having an automatically generated, real-time audit trail not only makes it easier to assure Sarbox compliance, but also creates a body of metrics that could lead to additional process improvements, lowered costs and, ultimately, a better-run business. That's the kind of momentum you do want to gain.
How Technology Assures Compliance
To understand how embedding monitoring in the process assures compliance, think about an amusement park that receives a mandate from corporate to report its visitor count on a daily basis. Since the park managers feel the day's ticket count is sufficient, they are resistant to the new auditing requirements. The fastest, easiest thing for them to do to meet the mandate is to station people at each entrance turnstile to count each visitor as he or she enters. This brute-force approach is an example of a manual and parallel auditing process. It certainly meets the goal of counting actual visitors, but it has some serious flaws.
There's the expense of the people, of course. There's also a great likelihood of human error, particularly because the task is more repetitive. If the count is below expectations and people are worried about their jobs, they may fudge the numbers to line up with goals. To add insult to injury, someone (or several people) in the office will have to take those manually generated figures and sum them at the end of the day.