How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
Companies with revenues between $1B – $4.9B spent about 0.16%
Companies with revenues between $500M – $999M spent about 0.27%
Companies with revenues between $100M – $499M spent about 0.53%
Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Check our similar posts

Field service and customer transparency

These days, a business is as good as it is transparent. Businesses are on unsteady ground because of the ever changing face of social media and a never-seen-before demand for information. With many sources of info on the internet, being credible is a sure way of building trust and loyalty among clients.

Here is an example. Customers will always believe what they see. If they see the work you put into furnishing their favourite products, you have a greater chance of getting their approval. They can invest more in what they see. The clothing merchandise Patagonia did this for their Footprint Chronicles line to show how their jackets are made and worked out fine for them.
Transparency is a must. Nowadays, customers never forget when they feel cheated. It is even harder to ensure transparency because many clients are also experts who scrutinise every detail. So, how can you keep transparency at the forefront?

Have transparent workforce management

Customers always look for new information and want to be in the know. There is nothing worse than not being able find a product manual or an easy way to set up appointments. By giving your clients a self-service option, they can pick the services they want. This leaves more time to get stuff done rather than answering unending service calls from dissatisfied customers.

For instance, you could have a field service customer self-service application that allows customers to look for personalised services, a machine manual, book appointments, or solve any other problem. Customers then get feedback anytime. This one-on-one approach can help customers feel like their questions are being answered. They?ll also not go through the hassle of long hold times to reach an available customer service representative.

Create transparency in field service repair projects

If field technicians have access to field service software, it allows technicians to be more open to customers. This gives them vital information like customer history and the ERP, so that they can explain changes that were made after past enquiries and what is being done in current products. Such information can be a guide for future updates or let the techs suggest products that suit a client’s taste. Unlike always staying offline and out of touch with your client, using field service software can allow entry of allowances and mileage, and also let the customer know the delivery time for their products.

Show customers what they’re paying for

With field service automation, billing will also be transparent. By using the available information about your field service solution, the station can send updated service reports to the customer like mileage, allowances, parts, hours worked, and photos of broken parts from the service. After the customer authenticates the transaction with a signature, the field service agent can generate and sent to the customer an invoice based on the agreed upon services. In case allowances and mileage can be forwarded to the customer, it will be shown on the invoice.
Because you use field service automation, it means that the customer will receive the invoice really fast ? in days rather than weeks ? and transparency will skyrocket because the whole experience of the service will leave a permanent mark in their mind.

Mistaking information for transparency

Being honest with your customer is the one thing. Wasting their time with unnecessary information is another. Here is an experience I had with a small retailer. Tracking information is only useful if it has recent updates and is accurate. If the company want to use real time tracking, let them do so under one condition ? updates should be regular and on time so as not to leave the customer frustrated because they also make plans based on the same information. Late updates shed light on the nature of the service command. Everyone hates cooked-up real time information.

A company must not always have a one to one exchange of information with customers to maintain transparency..

Use simple language that all customers can understand
Don’t use abbreviations that only employees know
Never ever air your failures and flaws to your customers

It is interesting that most of the tools we use to keep in touch with our clients and servicing their requests can also be used to gather data and iron out possible errors to improve products and services. This is a good chance for service providers to evaluate and make necessary amendments.

There are some areas that will need improving while others will not, nevertheless, the client needs to always be informed and know why things are the way they are. Not all details should be told, so filter what you share.

5 ways field service supports customer service

Sales organisations are always in motion, working to deliver the right product to their customers. To keep customers smiling all times is hard and only needs close communication and fulfilling promises that were made to them. This is where the field service delivery team comes in. Field service can either meet this demand or fall short plummeting satisfaction rates.
This is a task that relies on right people using various parts and information to get the job done. No matter what, the customer always expects to get exceptional services whether it be over the phone, chats, in the field, online messaging, over email, or social media.

These five field service points are suitable for any business model and guarantee excellent company-client relations.

Proactive service

A proactive service gives more to the customer. More attention is given to the customer so that the right actions, deliveries and repairs are done. By getting everything right the first time, the customer has less to do ensuring that they are satisfied with the services.
However, the field service technician is flooded with a myriad of unpredictable situations; overheating equipment, stalled machines, and insufficient precaution. But through field management software, they get more data about the customer and type of service or parts expected and they easily ride through any storm and prevent future damage.

Transparency

Nothing frustrates a customer more than a schedule that delays repairs. They easily ditch you for better services elsewhere. By offering the customer a service where they book appointments based on their own availability, we can easily sync this to the technicians and manager?s calendar. This not only saves time but also money from otherwise idle equipment.

On-site and off-site collaboration

Having seamless communication between field and office technicians is vital. Field technicians need to know more about parts, repairs, client maintenance history, and predict what should be changed in the long run. The faster they do this the better.

There should be a system that creates and automates communication between field and office technicians. Let each have the upper hand when providing parts, products or services to the customer.

Flexibility

Information is key to field service agents. They make the first impression since they make the initial contact with clients. Regardless of the resources, the field technician must always be armed with mobile tools they will need to access online resources and be ready for any emergency.

Actionable performance improvements

Customers demand excellent service a company could offer. But as the game constantly shifts, the service management technicians must also come up with plans to stay up to par with competition. All these stems from coming up with KPIs, measuring them and turning them into a workable plan for the future.

2015 ESOS Guidelines Chapter 2 – Deadlines and Status Changes

The ESOS process is deadline driven and meeting key dates is a non-negotiable. The penalties for not complying / providing false or misleading information are ?50,000 each. Simply not maintaining adequate records could cost you ?5,000. The carrot on the end of the stick is the financial benefits you stand to gain.

Qualifying for inclusion under the ESOS umbrella depends on the status of your company in terms of employee numbers, turnover and balance sheet on 31 December 2014. Regardless of whether you meet the 2014 threshold or not, you must reconsider your situation on 31 December 2018, 2022 and 2026.

Compliance Period	Qualification Date	Compliance Period	Compliance Date
1	31 December 2014	From 17 July 2014* to 5 December 2015	5 December 2015
2	31 December 2018	From 6 December 2015 to 5 December 2019	5 December 2019
3	31 December 2022	From 6 December 2019 to 5 December 2023	5 December 2023
4	31 December 2026	From 6 December 2023 to 5 December 2027	5 December 2027

Notes:

1. The first compliance period begins on the date the regulations became effective

2. Energy audits from 6 December 2011 onward may go towards the first compliance report

Changes in Organisation Status

If your organisation status changes after a qualification date when you met compliance thresholds, you are still bound to complete your ESOS assessment for that compliance period. This is regardless of any change in size or structure. Your qualification status then remains in force until the next qualification date when you must reconsider it.

Be pound poor and become Penny rich

Energy management is and should be perceived as a long-term investment by organisations. Having said this, the need for all organisations to implement energy management strategies now cannot be overstated as these strategies will save their costs of running the business in future.

Many organisations may shy off from implementing energy efficiency measures in place opting to save the associated costs or to use the cash for other projects that may be perceived as high priority in the short run. This is most likely to occur when cost cutting is a priority. Long-term planning is however critical for energy efficiency programs. Taking steps to improve building management and energy efficiency will and does pay dividends in the near-term and may be a competitive tool in the long-term.

Be energy smart
All energy management projects begin with being energy smart which calls for the understanding of energy usage. Use of Smart Meters that give real time readings of energy usage, can dramatically help businesses understand the benefit which energy management brings to the organisation.

Smart meters also cut the amount of time businesses spend on administration by allowing them to pay accurate bills, based on accurate readings. Some suppliers also support businesses to identify areas of energy wastage/inefficiency and help setting targets for energy reduction that guide behavioural change with regard to energy in the organisation.

Use of technologies that record the energy usage at the water or electricity meters putting data into a system where the users can graph it has made it easy to compare energy consumption in various departments, sites or buildings. Appropriate measures can then be implemented to improve the efficiency.

Partnerships between businesses and energy suppliers
Since the long-term benefits of reduced energy consumption is beneficial to both suppliers and consumers; the responsibility of managing energy consumption is being taken by both. Businesses should work with the suppliers on cost reduction strategies through identifying areas where energy is being wasted and advising businesses on how to save energy. Of key importance when choosing an energy supplier therefore is their depth of understanding of a business’ energy management needs.

Capitalise on government incentives
Businesses should always explore varied financing mechanisms for their energy efficiency programs e.g. government schemes generating electricity and selling it to the grid.