In a recent release the global business consulting and internal audit firm Protiviti, published their Annual Sarbanes-Oxley Survey, and the results show that companies are investing increasingly in their SOX Compliance. A significant number of large companies even spend over $2 million on average every year. Interestingly, these investments turn out to be great drivers for finance transformation and reporting process effectiveness.
SOX Drivers for Continuous Reporting Process Improvement
Additionally, the research shows that most companies make SOX Compliance initiatives part of their overall continuous improvement projects for financial reporting; 78% of the organizations that participated in the survey use SOX Compliance to boost their finance transformation, and 52% confirm significant improvements in their internal financial reporting controls since adopting SOX Compliance. So SOX Compliance is not just about getting ready for an audit, there are some serious efficiency effects as well.
Drivers for SOX Compliance
The effects are reciprocal; Improving the efficiency and agility of a company’s financial reporting processes and controls significantly improves their ability to comply with SOX. There are 3 specific effects of implementing a reporting solution that impact SOX Compliance:
- Control who has access to what content
- Control on commentary: who entered comments, what was entered, when?
- Control on changes in security and reporting
Full Reporting Audit Trail
SOX Section 404 requires companies to “… publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting.” And to “…assess the effectiveness of such internal controls and procedures.” Since the release of version 6.1 CXO Software offers full reporting audit trail functionality, allowing to review and export all reporting activities such a report usage, creation, and changes including all time, report and user details. The ability to provide external auditors with these kind of details contributes to the proof in case of an audit.
CXO Software 6.1 Audit Trail Example
In this example we take a look at the reporting audit trail export of ACME Corp. as it is offered in CXO Software 6.1. In the following screenshot (Figure 1), it is clearly displayed that a user accessed a report they were not allowed to access according to his job profile. The audit trail records details such as the time and date, the action, the organizational entity, and additional user details such as the email address and web browser from which the report that was accessed.
Investigating the incident and taking a closer look at the security audit trail, the Reporting Manager finds out that the Marketer, by mistake, had been added to the “Board” User group, giving him access rights to the P&L Reports.
According to the Protiviti survey, future compliance investments focus on the automation of control processes; well over half the companies plan to invest in automating their financial reporting controls. Up to 86% of the surveyed companies confirm they already leverage their substantial investments in SOX compliance efforts to improve their finance processes. But these efforts seem to stop right before the final mile of the finance cycle; the reporting process. Many companies still revert to Excel-based tools as their reporting platform, and by doing so, frustrate their SOX Compliance: Excel-based reports and human errors still remain a big threat to data security and integrity.
Replacing decentralized and unmanaged Excel-based reporting processes with centrally managed applications such as the CXO Software platform that connects directly to underlying EPM sources, making it the single source of truth. This solves the SOX compliance by not relying on disconnected exports or analytical data-layers that can lead to minimizing human error drastically.
Information Management Security
According to Section 302 a company’s executive officers are required to personally accept personal responsibility for all internal controls and information security. While financial data and EPM systems are increasingly being moved to cloud based systems and are subject to multiple software solutions and vendors, the integrity and information security of these vendors also become more and more critical. CXO Solutions, provider of CXO Software has obtained the ISO 27001 certification for Information Management Security, underlining the continuing commitment to data protection and integrity.
SOX Compliance is not a goal that stands on its own. In most cases it is part of a broader and continuous improvement process of the finance controls. Additionally financial reporting transformation allows improving, automating and centralizing financial reporting processes that contribute to complying with the Sarbanes-Oxley act.