Mar/Apr 2006

"Effective Risk Management: Security, Compliance and Disaster Recovery"


 
TICKER Magazine
A Technology Magazine For Industry Professionals

Sox in the Genes

By Cubillas Ding

Sarbanes-Oxley compliance needs to be ingrained within a firm.

With Sarbanes-Oxley stealing fewer headlines, it is easy to think that all has quieted down. But that is not the case. Project phases have given way to activities that make SOX compliance a business-as-usual effort. The many lessons of the past few years are advancing current compliance projects. Among those lessons are:

  • Have a clear business context to avoid runaway IT controls and unnecessary drain on resources.
    • Even after the implementation phases for SOX projects have been completed, there is still a need to establish a prioritization framework to align IT with important business processes. The criticality of various IT controls needs to be established relative to specific business imperatives/processes, their relevance to financial reporting, and regulatory requirements. This will provide a clear "reference point" and a framework for prioritizing the controls that are most relevant to SOX. Controls for the sake of controls inhibit business efficiency, and the right balance needs to be struck.
    • Controls documentation has to be determined using a risk-based approach. Most institutions would have adopted a prescriptive approach to documenting controls, as opposed to a risk-based approach, where one examines the risks in terms of severity, financial impact, and frequency associated with a process and potential breach.
    • Adopting these approaches will answer questions like, "When and where should IT controls be applied?" and "How much control is sufficient?"
  • In order to reduce ongoing compliance overhead costs, design effectiveness needs to translate into operational effectiveness.
    • Controls should be designed bearing in mind how efficiently they can be monitored. Audit-related activities to assess design effectiveness ("Do processes and controls look right on paper?") vs. operating effectiveness ("How can you prove it exists? How well is it working?") need to be carefully considered. What looks good on paper may not be practical or may require fine-tuning. The design of controls and processes especially needs to consider the efficiency of testing/monitoring of controls.
    • Even with aggressive automation, it is important to remember that the number of controls documented will contribute exponentially to the effort required to manage, test, and maintain documentation on an ongoing basis.
  • Embed SOX thinking in management processes to ensure day-to-day accountability throughout relevant parts of the institution.
    • It is critical that business compliance translates into compliant IT and data governance processes. Even for any change that may be considered "purely technical" -- for example, if the IT department fixes code or automates something related to security modules -- what are the implications for SOX compliance? This sort of thinking needs to be embedded in the mind-set of everyone at the firm. Just as the financial controller tracks collections of outstanding accounts receivable, IT needs to set in place its own checks and balances to make sure its day-to-day procedures and activities do not cause the company unintended losses or take the company down. The compliance bar is being raised to the same level of detail and confidence that business leaders expect from their daily IT operations. They want to make sure that the information received is based on the outcome of a defined process and represents actual activity -- not re-keyed data captures or transaction breaks in day-to-day dealings and information flows.
  • Leverage commonalities across multiple regulatory requirements to minimize overall costs and draw out synergies from regulatory efforts.
    • The processes and results from undergoing SOX projects place financial institutions in a strategic position for another upcoming regulation: Basel II. Although timeframes in the US have yet to be firmed up, an understanding of how SOX and Basel II's operational risk portion can be more closely aligned brings benefits, achieving synergies in handling the requirements of the two areas, as well as getting more out of the compliance budget. The following diagram provides a framework for the evolution of risk management practices, and where SOX and Basel II fit in.

More progressive institutions are now reexamining SOX in the context of operational risk and Basel II. These efforts help leverage a common framework and shared technologies, which help the organization and IT department become more efficient.

All in all, in the early years of SOX, many firms have no doubt taken a less-than-streamlined approach to compliance, which can be pricey in the long run if left unchecked. Successful firms will be relentless in pursuing SOX compliance objectives in a sustainable fashion.

Cubillas Ding is a senior analyst at Celent (www.celent.com). Cubillas can be reached at 011-44-207-431-9594; email: cding@celent.com. You may also contact Arielle Weliky, 212-269-7547; email: aweliky@celent.com.
