Simplifying SOX Compliance
WHAT IS SOX?
The Sarbanes-Oxley (SOX) Act was signed into law by President George W. Bush on July 30, 2002. All public companies, large and small, must comply. Sarbanes-Oxley was enacted in response to several major corporate accounting scandals, such as Enron and WorldCom, to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
As a result of SOX, top management (i.e. CEO and CFO) must individually certify the accuracy of financial information and the maintenance of an adequate internal control structure and procedures for financial reporting. Penalties for non-compliance and fraudulent financial activity are severe and include very hefty financial penalties and could include a jail term for the CEO and/or CFO!
In response to the perception that stricter financial governance laws are needed, SOX-type regulations were subsequently enacted in Canada (2002), Germany (2002), South Africa (2002), France (2003), Australia (2004), India (2005), Japan (2006), Italy (2006), Israel, and Turkey.
HOW DOES SOX IMPACT DOCUMENT MANAGEMENT, REVIEW, AND COLLABORATION?
While SOX requirements cover a broad spectrum within an enterprise that goes well beyond documentation, the key section of the Act focuses on internal controls. The executive team’s responsibilities are not only to ensure that adequate internal controls are in place, but also that they are being monitored and adhered to.
The Act also requires that the executives sign off that quarterly and year end submissions are accurate and contain no errors.
Both of those activities involve document management, review, and collaboration. Both present an opportunity for productivity improvements and reduced business risk.
INTERNAL CONTROLS
Almost certainly, one segment of internal controls will require signoff by various executives on key documents such as large contracts, inventory or equipment write-downs, pricing, and partnering agreements. The magnitude of the impact of the transaction on the corporation will define who has to sign off. The requirements are unique in every company based on that company’s size and market segment. Whatever the case, there will be documents that need to be reviewed and in many cases approved by executives. The internal controls define those requirements and once defined, it is incumbent on the executives to ensure that there is a process in place for monitoring compliance. If there are no effective monitoring processes in place to ensure compliance, the company could face large penalties and the executives could be liable for jail terms. Think of Enron, WorldCom, and Tyco International as examples of executives going to jail.
Once the internal controls are defined for review and approval levels, SavvyDox provides an ideal lightweight and inexpensive solution for monitoring compliance. SavvyDox enforces document version control, tracks the document approval process, tracks all suggested changes to documents, and retains records in one system that can be used to monitor and ensure compliance.
SavvyDox is a cloud-based SaaS solution that accepts documents in Word, PowerPoint or PDF format. It pushes those documents to recipients who can be using a PC, Mac, iPad, iPhone, Android, or BlackBerry10. The documents reside on the recipient’s desktop or mobile device rather than in a crowded Inbox where they can be lost or misplaced. They can be accessed online or offline and SavvyDox ensures that the recipients always have the current copy of the document. The recipient is notified that they have a new document to review or approve and they can access the document directly from the notification. The reviewer can add suggested changes to the document and they also have an icon to click when their review or approval is complete. SavvyDox retains a record of who the document was sent to, when the required action is to be completed, and can even track progress of a recipient reading a document page by page. Using the SavvyDox dashboard, the complete lifecycle of the document can be tracked and project managed to meet required delivery dates. In one inexpensive and easy to use application, the internal control is implemented AND monitored. When the auditors come in to examine the internal controls and actions to ensure compliance, all the required information is in one location. No more wasting time trying to find emails or manual files to validate each transaction. It will take less time for the person monitoring the process and the auditors and that means lower fees. Less time for the person monitoring the process and for the executives reviewing all the documents means improved productivity. Underlying all of this is the significant reduction in business risk from non-compliance to the SOX requirements and the reduction in business risk of an unapproved document inadvertently getting out the door.
REVIEW OF QUARTERLY AND YEARLY SECURITIES DOCUMENTS
Every quarter and at year end, the executive team must review and approve the documents that are required from a publicly traded company. Even privately owned companies send updates to their investors that must be vetted by the executive team.
There is one particular security document (10-K) that is normally 100+ pages long that covers every department within the company. Not only does it include financials, it includes comments on key activities, significant competitive threats, go to market strategies, changes in policies, etc. It is a very dry document that is a difficult read. Usually, it is somewhat of a boilerplate document once the original version has been published. There are changes from year to year, but the document is definitely not a complete rewrite. Normally, when the document is circulated to executives for their comments and approval, it is a clean document without any Word Track Changes so that it can be easily read. However, that means that the executives cannot determine what has changed from the previous version, so they have to carefully re-read the entire document. That can take an hour or two of an executive’s time. While it is a necessary step, the lost opportunity cost is huge since it is an enormous waste of the limited time that an executive has available for business planning and execution.
SavvyDox minimizes the amount of time that the executive has to spend reading that 10-K document or equivalent. Once the first version of the document is released, all future versions will contain page thumbnails that identify the pages that have changed since the previous version. The executive merely reads those pages rather than having to reread the entire document. The executive also does not have to worry about missing an important change – and that is a real concern when complex documents are reviewed quickly. When the executive opens one of those changed pages in SavvyDox, they see the changes from the previous version highlighted and hovering over the change brings up the previous wording. There are no multi colored Word Track Changes or strikeouts! Instead of hours, the executive review is completed in minutes. If the executive wants to suggest a change to the document, they merely highlight the text to be changed, enter the suggested change in a text box, and if they allow that change to be distributed to all reviewers, everyone sees the suggested change within a matter of seconds. If they wish, the executive may even add a personal note for later follow up. A full parallel review process is in place for all the executives reviewing the document which facilitates improved synergy among executives rather than having each one reviewing the document on their own in isolation. The executives can even reply to each other’s comments providing collaboration capabilities that are similar to a face to face meeting. As a result of the synergistic collaboration, the quality of the document is improved,
It is important to have strict control over who changes the 10-K document since the wording is critical. SavvyDox ensures that control by allowing all the reviewers/executives to suggest changes, but only the owner/author of the document can change the source document content. At the end of the review cycle, SavvyDox has captured all the suggested changes and approvals from all the reviewers and the audit trail is in place for the auditors. SavvyDox simplifies the 10-K review process, improves executive productivity, reduces business risk, and gathers all the compliance related information in one system so that the follow-up audit is quick and painless.
SUMMARY
SOX compliance is mandatory and document management and review is THE key component. SavvyDox can improve productivity, reduce risk and monitor compliance to defined processes in one easy to use inexpensive application that can be implemented in a matter of days. The User Interface is so intuitive that training can be completed in 10 minutes using an online video. Many of SavvyDox’s customers don’t even need the training – they just jump right in and start using SavvyDox.
For more information and follow up, please contact us by email at [email protected].