EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Where we hope to be tomorrow
If we do not transform our SOX program to keep pace with the business, it will remain a compliance exercise and fail to unlock the value the business deserves. Picture this scenario — we select a sample of 25 invoices for testing and find that one was not approved according to policy. We take that exception to the business owner and, while they agree it is an issue, they are not concerned. How can that be?
As we continue to discuss the single sample, they bring up a live dashboard used to monitor exceptions on a real-time basis. Of the 100,000 invoices processed by their function to date, they can pinpoint the sample we happened to select — along with four other examples of late approval. They also can provide evidence of follow-up on these samples to obtain the appropriate approval and provide coaching to the control owner. In this case, we must ask ourselves a couple of questions: how can it be that we are still testing a sample of 25 invoices when the business is monitoring 100% of its transactions? Are we even testing the right controls? If the business is that far ahead of us, how can we add value?
This is a simple example to highlight a complex issue. Transforming your SOX program is not a one-time, big-bang exercise, but an ongoing opportunity to do better and be better. The road map will not be the same for every program, but it is important to have a formal plan with targeted goals and action plans.
What can you do today to catch up to tomorrow?
- Evolve your operating model: keep pace with the changes in your organization through a flexible and dynamic approach to managing and evaluating internal controls
- Explore new ways to innovate through technology: consider enhancing automated capabilities across all aspects of SOX, such as digital risk assessments, automated scoping tools and analytic testing procedures
- Upskill your workforce: look for new opportunities to cross-train on business processes and IT general controls; refresh control owner training and feedback processes
- Build trust with the business: ask for feedback on the SOX program; consider using an impartial third party (internal or external) to gather feedback; develop a plan and take action
- Challenge the nature, timing and extent of testing: ask whether you are doing too much in any area or not enough in another; determine whether control classifications (manual vs. automated) are accurate and aligned to the appropriate risks
- Consider a facilitated visioning session: focus on governance structure, operating model, talent pool, use of technology and strategy