Sarbanes-Oxley section 404 compliance is a very important issue for companies today. However, it is often quite a difficult matter to define what level of control is really required. SOX compliance can become unwieldy without the proper top-down approach of asking:
- What control items are we looking to substantiate?
- How can we achieve these controls?
Well now you can with the ActiveModeler Avantage SOX Inspector!
Such controls need to be planned in conjunction with your corporate business process model to keep things in one place.
Just imagine - if you could define your business processes to an international BPMN standard and then add the control items to the full COSO standard as an extension to this business model...
The SOX Inspector allows you to add control checkpoints to your business processes at the task level and importantly at the higher entity level. A report of all control points is output in Excel for your analysis. You can see here when the control items were last updated and reviewed by both internal and external auditors.
An Integrated Solution | Fully linked to the BPMN Corporate model. In this way your SOX efforts can benefit your organization in other ways, e.g. efficiency, process analysis etc.
Centralized Corporate Repository | A safe central store with version control to track changes.
Cost effective | A simple to use system in which company users can participate to reduce expensive consultancy billable hours.
Workflow | ActiveModeler Avantage allows tests to be optionally verified by the integrated ActiveFlow workflow system.
Let's see how this looks in operation.
1. First you define your business process with Avantage to the BPMN standard
2. Then you capture data at the relevant points in the process model - this is how the data capture looks
You just select an item in the diagram (or the BPTree) and then change its SOX properties directly with the SOX inspector view.
You can report on these control items easily, and all reports are shown as an Excel table.
There have been many reports that companies have spent considerably more than they had budgeted on SOX 404 compliance.
Moving forward, companies are looking to find ways to make compliance with SOX sustainable at lower costs.
The Avantage SOX Inspector, based on your corporate process model, can help you both to reduce the cost of compliance and to have better compliance control information at your fingertips.
In the early stages of SOX 404 compliance:
◆ Expensive external consultants were typically hired to bring specific expertise not present in the company
◆ Internal consultants were added to the SOX team so as not to strain internal resources too much
◆ Accounting firms were used to audit the compliance efforts
◆ Internal management were also heavily involved, often at a considerable cost to the overall business performance
◆ Standardized tools were often not used
While such an approach may have been useful in the "honeymoon" period of SOX compliance, a more sustainable long term solution needs to be introduced.
While we still need the centre of excellence of a SOX internal specialist and certainly internal/external auditor review, the Avantage approach is that many aspects managed by a separate and dedicated team can become part of the way of doing everyday business.
In this way, process owners become responsible for a large majority of the compliance documentation and testing of controls. The internal audit staff or SOX specialist will oversee the SOX compliance initiative and will be responsible for managing the quality of the process by conducting high level reviews to make sure controls and procedures are effective.
Another advantage of this approach is that process owners start to understand their processes better, which instills the concept of business process re-engineering or transformation into the organization.
First you have to have a standardized tool for process definition which is easy to use and deployed across the organization. Such standardization ensures that process definitions and controls cannot be misinterpreted by different process teams within an organization, as the documentation/testing responsibility shifts to process owners.
ActiveModeler Avantage has the benefit of being an easy to use tool which complies 100% with the international BPMN standard, so all company process documentation is developed to an accepted standard.
Train your employees so that process owners can document their own processes and importantly, to the right level of detail. This is easy with Avantage. You can be sure that all employees will document processes in the same way as well. After a 1 day training course, your employees can be documenting processes to the international standard. All the graphical elements are strictly controlled and defined. Documents and specifications can be captured as well.
Your company needs to implement comprehensive document control with a well defined review process to ensure only people with the right authorization can update and review the documents. This is essential to making sure that the process and control documentation is always correct. Such process documentation can be put into a CVS repository if required for version control. This acts like an electronic data vault and is useful for larger organizations in particular. Updates to documentation can be strictly controlled and are checked in with full audit control. Avantage has an easy interface to the CVS repository, with simple check in/check out commands.
After process documentation is in place, we need to add controls to this documentation. This is where the internal SOX experts will be essential to give top down guidance and training to the process owners on what type of controls are necessary and how to test these internal controls. It has to be remembered that SOX is about control points and not just documenting procedures. Avantage allows you to highlight these control points and document the control procedures. All control points could be shown in, say, red on the process maps.
In the past, many companies implemented too large a number of SOX controls and assessments. This is why the top down approach is necessary to determine exactly what type of controls are necessary. Avantage allows controls to be introduced at the process task level or at the higher entity level.
After training, process owners will be able to recognize good and weak internal controls or good/unsatisfactory documentation. They should have a clear understanding of all the process documentation requirements and knowledge of all the internal controls for the process they manage. A procedure should be in place to improve the compliance process, normally by reviewing with the internal auditor and SOX specialist. Training for process owners and team members should be triggered automatically when deficiencies are identified in internal controls for that process or a certain time period has elapsed since the last training.
Avantage has standard reporting of the process controls and test results to ensure that internal controls are tested in a consistent manner across all operations within the company and over time. This requirement is critical to successfully installing the compliance process within the business. Only authorized people such as the internal audit staff or process managers should be authorized to update these tests. Once a test for internal control is updated, only the latest version should be allowed to be used for testing that internal control across any operation within the company.
Avantage allows easy visibility within Excel of below-threshold scores for internal controls. These can be automatically flagged as deficiencies and tracked within the company. Key process owners and internal audit staff can have visibility into such deficiencies.
Corrective actions for any below par controls need to be tracked within the organization to ensure that the deficiencies have been corrected in an agreed time frame.
High Functionality | Risks, Control points, Assertions, COSO attributes, Ratings, Tests and Evaluations can all be captured for a BPMN process.
Risks at various entity levels | Risks can be defined at Diagram, Pool, Lane or Task level.
Table editors | Standard sets of Risks, Control Points, Assertions, COSO attributes, Ratings and Tests can be edited and set up exactly how your organization needs them.
Colour coding and prefix marking | Tasks with a risk can be highlighted with a colour according to your preference. An additional marker can be given (useful for organization units and monochrome printing).
Audit trail | Updates and internal and external audit reviews are recorded and time stamped and versions can be kept in the CVS repository.
Excel Risk Control Matrix | The RCM is output in Excel. The analysis can be for one process or many processes depending on the analysis point selected in the process tree.
Excel formatting | The RCM sheet can be produced, formatted as you want it according to your preferences.
Contact your local distributor or sales@kaisha-tec.com