Sarbanes-Oxley - Not Just for the Big Fish
If any part of your company involves B2B sales, or if you ever plan to expand into a corporation, or if you think you might ever want to partner with a larger corporation on a project, then it is a good idea to become SOX-compliant. It increases your credibility and gives you a baseline from which to operate going forward, requiring less of a transition should you wish to significantly grow your company.
03/24/12 5:00 AM PT
Why should you care about the Sarbanes-Oxley Act (SOX)? If you are the CEO or another executive within a large public company, the answer is obvious: because you have to. If you don't, your business -- and you -- will face serious repercussions, including possible jail time. Not good. If you are an executive in a large corporation and don't know what SOX is or why you should care, you should stop reading this article now and get up to speed -- quickly.
For the rest of you who work in small to medium-sized businesses, the answer can be a bit trickier. Because the regulations do not apply to you specifically, it is easy to think that they have little bearing on your business and your plans for the future. However, the truth is that they do have an effect, and a rather significant one at that.
If you don't have a solid understanding of SOX, you could be costing your company the opportunity to expand, gain clients, or be taken seriously on a large scale. That is because, considering the repercussions for failing to do so, large businesses want to remain squeaky clean under the regulations of SOX and will be wary of associating with any company that doesn't take it seriously. Thus, it is imperative to understand SOX, particularly if you ever plan on doing business with or aspire to become one of the big boys.
So, What Is SOX?
The Sarbanes Oxley Act of 2002 was passed as a response to the heavy economic toll that the Enron scandal brought about. It was meant as both an economic and ethical stabilizer so that corporate managers would be held accountable for their business practices. This is significant because in effect, it means that a manager who signs off on a document will be held responsible should that document be proven false -- even if the manager signing off was not directly responsible for the falsehood.
While SOX penalties may seem harsh, they ultimately serve to increase corporate responsibility and increase stock security. They also make it far more difficult for wide-scale corporate scandals to occur, as management will be directly accountable. Executives can no longer shrug off responsibility to lower-level associates.
More specifically, the major provisions of the act call for criminal and civil penalties for securities violations, auditor independence/certification of internal audit work by external auditors, and increased disclosure regarding executive compensation, insider trading and financial statements.
How Does SOX Function?
In practice, SOX works by spreading responsibility across the organization, with tests that prove the accuracy or efficacy of each process a business goes through. The basic idea is that fraud, whether accidental or purposeful, is less likely to occur with a rigid system of internal checks and balances in place. This can seem fairly complex, but it is actually pretty intuitive when you consider that there is a set pattern to each system. So, basically, the process looks like this:
Process --> Subprocess --> Objective --> Risk --> Control --> Test --> Result
Keep in mind that there can be multiple subprocesses, objectives, risks, controls and tests with different results depending on how the thread branches out, but the general idea is that each phase is defined and executed linearly. To make it simpler, these variables are often labeled in a SOX Control Matrix, which defines each process step by step. So, for example, you might have a Control Matrix that looks like the following:
Compare authorized hours to paid hours
Records of report comparisons
This is just one example, and some matrices are much more complex, requiring software to regulate and effectively order the variables into easy-to-read charts. However, this is basically what dictates the operations of the large companies, and these types of controls allow them to demonstrate adherence to the regulations of SOX.
The Buck Does Not Stop There...
It is a common truth that executives who are facing strict controls are willing to pay others to be even more mindful of those controls. That means that they need anyone they do business with -- product and service providers alike -- to be mindful of these regulations, particularly if they directly influence one phase of the process.
From the example matrix above, it is clear that the control in place for the payroll calculation subprocess is timesheet software. Obviously, if you are the provider of timesheet software for a company, it will expect you to have the tools in place to make that control manageable, which in this case means the ability to authorize tasks that employees are entering time for.
In other instances, corporations may require automated processes within software to provide easy audit trails, and there are of course numerous necessities outside of payroll that apply to businesses that provide different types of products and services. To put it more succinctly: If your product or service is incompatible with a corporation's SOX plan, it will not do business with you.
Should YOU Become SOX-Compliant?
The answer: If any part of your company involves business-to-business sales, or if you ever plan to expand into a corporation, or if you think you might ever want to partner with a larger corporation on a project, then yes, it is a good idea to become SOX-compliant.
It increases your credibility and gives you a baseline from which to operate going forward, requiring less of a transition should you wish to significantly grow your company. The good news is, as mentioned above, there are programs that will make SOX compliance much less of a pain, they and can provide other business solutions as well.
Solving Problems With Minimal Tools
Let's go back to our matrix one last time, and look at the timesheet software control. Clearly, that enables payroll processes to operate smoothly. But what about other major functions relating to financial information that will almost certainly fall under SOX regulations? Do you need to buy software for every process? Thankfully, you absolutely do not.
Time-tracking solutions have evolved to meet the demands of this new business climate. It is no longer necessary to fill out one timesheet for payroll, one for projects, one for time off, etc. The best programs available now operate as a core business process and a hub for anything having to do with employee time. Further, they can automate payroll and billing, providing those easy audit trails mentioned above.
Of course, not all timesheet solutions can provide a comprehensive answer to SOX problems, but there is such a wide selection currently available that you should have no problem finding one that meets your needs. Just be sure to give the company a call and make sure that it can help you. If a provider refuses to talk it over in detail or to give you a live demo, preferably using your information, then that is a major red flag.
Of course, there are other processes unrelated to time entry that a company must perform under SOX. However, by applying this example and making logical connections, it is quite possible to minimize the money and effort spent implementing your SOX solution.
Ultimately, the process will be beneficial to your business and can bring in increased revenue as well as give you distinct advantages when dealing with the big guys. Considering the prevalence of the SOX-related mindset of American businesses, there are enormous advantages to keeping a watchful eye on your own processes and corporate solutions.