SOX Compliance — An Introduction and Business Process Documentation — Tools and Techniques

In the earlier part we focussed on an overview of the Sarbanes-Oxley Act, 2002 (‘SOX’ or ‘the Act’) and business process documentation requirements u/s.404 of the Act. In this part, we shall discuss how companies can leverage on office automation tools to aid in compliance with documentation and reporting requirements u/s.404.

Technology solutions :

In the first year of compliance, the market saw a tremendous opportunity in assisting companies in their initial assessments and sustaining ongoing compliance requirements for S. 404. Technology solutions included repositories, work flows, audit trails and reporting functionalities. In addition, there were flow-charting tools, audit tools, risk databases, query tools, etc. Company management, after the first initial efforts of documenting its business processes is now looking at executive dashboards to view the status and performance of controls in relation to its financial information. They are also looking at sustaining the business process risk and controls documentation on an ongoing basis. The key challenge many companies face is updation of documentation in light of change in business processes and maintaining version control.

A case for using office automation tools :

Moving forward, let us take a hypothetical example of a large manufacturing company ABC Limited (‘ABC’). ABC is a subsidiary with its parent company being an SEC registrant. The identification of significant business processes has been performed centrally by the parent company. Instructions have been filtered to the subsidiary to document location-specific business processes and controls and subsequent steps to attain SOX 404 compliance.

ABC opted to use Microsoft Office to document its business processes, identified risks, mitigating controls, etc. The factors that contributed to this decision were the staff familiarity with Microsoft Office, the cost of training the staff on flow-charting tools such as Microsoft Visio, and ease of ongoing updation and maintenance.

Figure 1 lists the various sub-processes that have been documented in Microsoft PowerPoint for their Revenue Business Cycle. The Company started with a general overview of the process, identified the main personnel involved in the process, such as sales personnel, key financial information as it relates to the process such as sales and receivables, the scoping for the local business unit such as location covered, type of customers covered, etc.

Figure 2 depicts in general overview and process flow of the process by which the Company sells products and records revenue. The numbers represent different sub-processes within the business cycle.

Figure 3 depicts the first sub-process that of creating and maintaining customer master data. The block arrows are the inputs to the sub-process and the numbers with the blue circle represent the control activity number linked to the business process narrative and risk and control matrix.

ABC decided to extend their business process narratives documentation in PowerPoint as well to keep the flow chart and narratives together for ease of reference.

Corresponding control activities, mitigating control, control owner, nature and type of control, software application supporting performance of the control and its frequency are documented in Microsoft Excel.

This being the first year of documentation, ABC needs to consider the challenges that lie ahead. ABC should consider laying down a process for regular updation and ongoing maintenance of the documents and maintaining version control.

Possible solutions include identifying process champions for each of the business processes. These champions together with senior management and representatives from finance department can together deliberate upon the changes in business processes and controls. Once approved, the respective process champion is assigned the task of updating his relevant business process flow chart, narrative and risk and control matrix. This will assign ownership and accountability for ongoing maintenance of the documentation.

Version control is another key challenge that companies face whilst maintaining their documentation. One way of maintaining version control is of course manually, by the identified process champion. The process documentation would have a cover page on which the owner, version number, date of change and type of change are maintained for a snapshot of the iterations the document has gone through. Refer Figure 6. Another means of maintaining version control could be through use of version-control software. This is more commonly used in software development companies. Other companies may find the costs a bit on the higher side.

Maintaining a repository of all the documents is another key challenge ABC will face. Their auditors are going to expect updated business process flows, narratives, identification of risks and controls and the results of management testing in order to attain an attestation from their auditors.

What we saw above is just one simple example of using Microsoft Office for documenting business processes. There are a number of ways in which office automation tools can be leveraged to aid in the documentation process, such as writing macros to automate the testing and populating testing results, collating results to build reports and executive dashboards, etc.

Going forward, systems that provide management with a panel or dashboard view of the status and performance of controls linked to financial information will be important. This integrated approach will allow users to drill down from financial results to underlying controls, and automatically flag exceptions, unauthorised entries and other inconsistencies. However, companies have to define their requirements before selecting any technology solution.

A tool with low-technology approach (e.g., MS-Office) may prove to be cumbersome to manage on a sustainable basis. Selecting a sophisticated tool will require more customisation, more learning efforts and moreover once purchased, companies may find themselves married to it.