How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it: for many top executives in the corporate world, the road to a brighter future runs through SOX compliance. And because the business processes that feed financial reporting (the crux of the Sarbanes-Oxley Act) now rely heavily on IT systems, a good part of your attention has to go there.

The path to IT compliance is long and arduous, so if you don’t want your company to fall by the wayside through inefficient use of resources, set out with a plan in hand. What follows is some essential information to guide you in putting together a sound plan for SOX compliance of your company’s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to make rules requiring you, the CEOs and CFOs, to certify in each annual or quarterly financial report:

  • that you have reviewed the report;
  • that, based on your knowledge, the report does not contain any untrue statement or omit anything that would render it misleading;
  • that, based on your knowledge, the financial information in the report fairly presents the financial condition and results of operations of the company;
  • that you are responsible for establishing and maintaining internal controls over financial reporting; and
  • that you have assessed the effectiveness of those internal controls.

Similarly, Section 404, in simplified form, directs the SEC to make rules requiring you to include an internal control report in each annual financial report, stating that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

You are also required to assess the effectiveness of those controls, and a registered public accounting firm must attest to your assessment under standards adopted by the Public Company Accounting Oversight Board (PCAOB).

Neither section mentions IT systems, yet IT systems now play a central role in financial reporting. Practically all of the data behind your financial reports is stored, retrieved and processed on IT systems, so you have to bring those systems into your SOX compliance initiative and establish controls over them. In practice, auditors concentrate on the IT general controls over the systems that feed the financial statements: logical access, change management and computer operations.

Now that that’s settled, your next question could very well be: how do you know which controls to install, and whether the controls you already have are sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting SOX rules and standards, the SEC and the PCAOB, point to a well-established control framework for guidance: COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is aimed at entity-level and general business controls. What we recommend is a widely used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking those qualifiers into consideration, we recommend COBIT. COBIT (version 4.1, whose numbering is used below) organises a well thought out collection of IT-related control objectives into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIT’s detailed control objectives, taken from the DS4 (Ensure Continuous Service) and DS5 (Ensure Systems Security) processes, are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is designed specifically for IT. But the document is extensive and, chances are, you won’t need every item detailed there. Furthermore, don’t expect COBIT to prescribe a control solution for every control objective. For example, throughout the DS4 process (Ensure Continuous Service) you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT tells you what you need to attain in order to achieve effective governance, management and control, but you have to pick the solution best suited to reach that level of attainment.


Technology and process improvement

Tightening organisational flow to improve productivity and minimise costs has been a growing concern for many businesses since the Global Financial Crisis. Businesses can no longer afford to waste time and personnel on inefficient processes. Organisations using either Six Sigma or Lean techniques manage their existing resources better to maximise output. Both techniques involve considerable evaluation of current processes.

What is Six Sigma?

Six Sigma is an organisational management strategy that evaluates processes for variation. In the Six Sigma model, variation equates to waste; eliminating variation in customer fulfilment allows a business to serve the end user better. In this model, the only way to streamline processes is to use statistical data: each step of a process must be carefully recorded and analysed for variation and potential improvements. The heart of the Six Sigma strategy is mathematical. Every process is subject to statistical analysis, which is what allows for the most effective problem solving.

What is a Lean Model?

Lean businesses do not rely on mathematical models for improvement. Instead, the focus is on removing steps in the customer delivery cycle that do not add value to the final deliverable. Maintaining excess inventory or dealing with shortages, for example, are both forms of waste. Businesses that operate using Lean strategies have strong cash flow cycles. One of the best known examples of Lean in action is the Toyota Production System (TPS). In this system, not only is inventory minimised, but the physical movement of employees also remains sharply controlled: employees can reach everything needed to accomplish their tasks without leaving the immediate area. By reducing the amount of movement needed to work, companies also remove wasted employee time.

Industry Applications for Lean and Six Sigma

Lean businesses reduce the number of steps between order and delivery. The less inventory on hand, the less it costs a business to operate, so in industries where it is possible to build to order, Lean thinking offers significant advantages. Lean is best utilised in mature businesses; new companies, still operating on a youthful model, may not yet be able to identify wasteful processes. Six Sigma has shown its value across industries through several evolutions, and its focus on quality of process makes it a good choice even for brand new businesses. The best use is the combination of the two strategies. With the Lean focus on speed and the Six Sigma focus on quality combined, the two approaches create synergy: by itself, Lean does not create stable, repeatable success, and by itself, Six Sigma does not increase speed or reduce non-value-added activity. Combined, the two strategies offer every business considerable value in cost savings.

Using Technology to Implement Lean Six Sigma

Automation represents an opportunity for businesses to implement a combination of Lean and Six Sigma strategies. Technology that reduces the need for direct human oversight cuts costs and increases productivity. A few examples of potentially cost-saving IT solutions include document scanning, the Internet, and automated workflow systems.

  • Document Scanning – Reducing dependency on paper copies follows both Lean and Six Sigma strategies. It is a Lean addition in that it allows employees to access documents instantly from any physical location. It fits Six Sigma in that it reduces process variation, since there is no bottleneck in the flow of information.
  • The Internet – The automation potential offered by the Internet is enormous. Businesses can now enter orders, manage logistics and perform customer service activities from anywhere through a hosted portal. With instant access to corporate processes from anywhere, businesses can manage workflow globally and realise the cost savings of decentralisation.
  • Automated Workflow Systems – One of the recognised areas of waste in any business is processing time. The faster orders are processed and delivered, the greater the profit for the company and the lower the expense per order. When orders sit waiting for attention, they represent lost productivity and waste. Automated workflow systems monitor work in progress and alert users when an item sits longer than normal; they can also reroute work to an available employee when the original worker is tied up.

Each of these IT solutions gives businesses a way either to reduce the number of steps in a process or to improve the quality of the process, and so to improve customer service.

Identifying Areas for Lean Six Sigma Implementation

Knowing that improved processes result in improved profits, identifying areas for improvement is the next step. There are several techniques for creating tighter processes with less waste and higher quality. Value Stream Mapping (VSM) helps business owners and managers identify areas of waste by providing a visual representation of the entire process stream. Instead of improving single areas for minimal gains in productivity, VSM shows the whole business structure and flow, allowing management to target each point of slowdown for maximum improvement across all areas.

Seeing the areas of waste helps management determine how processes should work to obtain the desired outcomes. Adding automated processes helps with process management when they are put in place with a complete understanding of current systems and their weaknesses. Start with mapping to gain a bird’s-eye view of the situation, and then make the changes needed for improvement.

2015 ESOS Guidelines Chapter 1: Who Qualifies

The base criteria: any UK undertaking that employs 250 or more people, or that has both an annual turnover in excess of €50 million and an annual balance sheet total greater than €43 million. There is little point in attempting to separate off high-polluting areas: if one member of a corporate group qualifies for ESOS, all the other members are obliged to take part too. The sterling equivalents of £38,937,777 and £33,486,489 were set on 31 December 2014 and apply to the first compliance period.

Representatives of Overseas Entities

UK-registered branches of foreign entities are treated as if they were fully UK owned. They also have to sign up if any overseas member of the corporate group meets the threshold, no matter where in the world it is based; the deciding factor throughout the ESOS system is common ownership. ecoVaro appreciates this: we have seen European companies dumping pollution in under-regulated countries for far too long.

Generic Undertakings that Could Comply

The common factor is energy consumption; the organisation’s type of work is irrelevant. The Environment Agency has provided the following generic checklist of undertakings that could qualify:

  • Limited Companies
  • Public Companies
  • Trusts
  • Partnerships
  • Private Equity Companies
  • Limited Liability Partnerships
  • Unincorporated Associations
  • Not-for-Profit Bodies
  • Universities (per funding)

Organisations Close to Thresholds

Organisations that come close to, but do not quite meet, the qualification threshold should cast their minds back to previous accounting periods, because ESOS considers current and previous years. The exact wording in the regulations states:

“Where, in any accounting period, an undertaking is a large undertaking (or a small or medium undertaking, as the case may be), it retains that status until it falls within the definition of a small or medium undertaking (or a large undertaking, as the case may be) for two consecutive accounting periods.”

Considering the £50,000 penalty for not completing an assessment or for making a false or misleading statement, it makes good sense for near misses to comply.

Joint Ventures and Participative Undertakings

If one element of a UK group qualifies for ESOS, then the others must follow suit, with the highest UK parent carrying responsibility. Franchisees are independent undertakings, although they may collectively agree to participate. If trusts receive energy from a third party that must do an ESOS assessment, then so must they. Private equity firms and private finance initiatives receive the same treatment as other enterprises. Disaggregations must be agreed in writing, after which separate ESOS accountability applies.

Field service and customer transparency

These days, a business is only as good as it is transparent. Businesses are on unsteady ground because of the ever-changing face of social media and an unprecedented demand for information. With so many sources of information on the internet, being credible is a sure way to build trust and loyalty among clients.

Here is an example. Customers believe what they see. If they see the work you put into making their favourite products, you have a greater chance of winning their approval; they invest more in what they can see. The clothing company Patagonia did this with its Footprint Chronicles, which show how its jackets are made, and it worked out well for them.

Transparency is a must. Customers never forget when they feel cheated, and ensuring transparency is harder still because many clients are themselves experts who scrutinise every detail. So how can you keep transparency at the forefront?

Have transparent workforce management

Customers are always looking for new information and want to be in the know. There is nothing worse than not being able to find a product manual or an easy way to set up an appointment. By giving your clients a self-service option, they can pick the services they want. This leaves you more time to get work done rather than answering endless service calls from dissatisfied customers.

For instance, a field service customer self-service application could let customers look for personalised services, find a machine manual, book appointments or resolve other problems, and get feedback at any time. This one-on-one approach helps customers feel that their questions are being answered, and spares them the hassle of long hold times waiting for an available customer service representative.

Create transparency in field service repair projects

Giving field technicians access to field service software lets them be more open with customers. It puts vital information at their fingertips, such as customer history and ERP data, so they can explain the changes made after past enquiries and what is being done on current products. Such information can guide future updates or let technicians suggest products that suit a client’s needs. Rather than staying offline and out of touch with the client, field service software also allows technicians to record allowances and mileage and to tell the customer the delivery time for their products.

Show customers what they’re paying for

With field service automation, billing also becomes transparent. Using the information captured in your field service solution, the office can send the customer updated service reports covering mileage, allowances, parts, hours worked and photos of broken parts from the service. After the customer authorises the transaction with a signature, the field service agent can generate and send an invoice based on the agreed services. Where allowances and mileage are chargeable to the customer, they are shown on the invoice.

Because you use field service automation, the customer receives the invoice quickly, in days rather than weeks, and transparency rises because the whole service experience leaves a lasting impression.

Mistaking information for transparency

Being honest with your customer is one thing. Wasting their time with unnecessary information is another. Here is an experience I had with a small retailer. Tracking information is only useful if it is accurate and has recent updates. If a company wants to use real-time tracking, let it do so under one condition: updates must be regular and on time, so as not to leave the customer frustrated, because customers make plans based on that same information. Late updates reveal how the service is really being run. Everyone hates made-up “real-time” information.

A company does not always need a one-to-one exchange of information with customers to maintain transparency:

  • Use simple language that all customers can understand
  • Don’t use abbreviations that only employees know
  • Never ever air your failures and flaws to your customers

Interestingly, most of the tools we use to keep in touch with our clients and service their requests can also be used to gather data and iron out possible errors to improve products and services. This is a good chance for service providers to evaluate and make the necessary amendments.

Some areas will need improving while others will not; nevertheless, the client always needs to be informed and to know why things are the way they are. Not every detail should be told, so filter what you share.

5 ways field service supports customer service

Sales organisations are always in motion, working to deliver the right product to their customers. Keeping customers happy at all times is hard; it needs close communication and the fulfilment of the promises made to them. This is where the field service delivery team comes in: field service can either meet this demand or fall short, sending satisfaction rates plummeting.

This is a task that relies on the right people using various parts and information to get the job done. Whatever the channel, the customer always expects exceptional service, whether over the phone, by chat, in the field, by online messaging, by email or on social media.

These five field service points suit any business model and support excellent company-client relations.

Proactive service

Proactive service gives more to the customer. More attention is paid to the customer so that the right actions, deliveries and repairs are carried out. By getting everything right the first time, the customer has less to do, which helps ensure they are satisfied with the service.

However, the field service technician faces a myriad of unpredictable situations: overheating equipment, stalled machines and inadequate precautions. Through field management software, technicians get more data about the customer and the type of service or parts expected, so they can ride out any storm and prevent future damage.

Transparency

Nothing frustrates a customer more than a schedule that delays repairs; they will readily leave you for better service elsewhere. By offering customers a way to book appointments based on their own availability, and syncing those bookings to the technicians’ and manager’s calendars, you save time as well as the money lost to otherwise idle equipment.

On-site and off-site collaboration

Seamless communication between field and office technicians is vital. Field technicians need to know about parts, repairs and the client’s maintenance history, and to predict what should be changed in the long run. The faster they can do this, the better.

There should be a system that creates and automates communication between field and office technicians, giving each the upper hand when providing parts, products or services to the customer.

Flexibility

Information is key for field service agents. They make the first impression, since they make the initial contact with clients. Regardless of other resources, the field technician must always be armed with the mobile tools needed to access online resources and be ready for any emergency.

Actionable performance improvements

Customers demand the best service a company can offer. As the game constantly shifts, service management technicians must also come up with plans to stay on a par with the competition. All of this stems from defining KPIs, measuring them and turning them into a workable plan for the future.
