MISMATCHED SOX: How to Add Efficiency to Compliance
PROCESSUNITY WHITE PAPER
01 INTRODUCTION
What you're doing is probably good. How you're doing it may merit improvement.

It's been more than a decade since Sarbanes-Oxley became the law of the land and the bane of compliance officers almost everywhere. According to the 2015 Sarbanes-Oxley Compliance Survey sponsored by Protiviti [1], 58% of large companies spent more than $1 million in 2014 on SOX compliance, support and audit fees. Most companies have a firm grip on what they need to do in order to comply. But the way compliance is managed has not kept pace with the way technology has evolved. Years after SOX became mandatory, compliance for many organizations remains largely a manual process. Those that turned to software tools to streamline the process are often still using (and overpaying for) technologies designed in 2002.

As regulatory complexity and the cost of compliance continue to increase, it's time for a fresh look at managing SOX. In Mismatched SOX: How to Add Efficiency to Compliance, we examine why the compliance status quo is no longer tenable, and show a practical, readily adaptable way to make compliance easier and more cost efficient.

FOUR KEYS TO A SUCCESSFUL VENDOR RISK MANAGEMENT PROGRAM 2
02 STATUS QUO
Why your SOX drawer is a mess

When SOX became law, compliance officers responded in good faith, meeting the challenge with the most appropriate tools available. But over time, good faith and best practice have diverged, saddling officers with outdated management tools that can compromise both their compliance efforts and their budgets. The following are the most common legacy technology challenges and their impact, or potential impact, on your organization.

Manual Processes
For many small and mid-size organizations, compliance is still managed through spreadsheets. True to their name, these tend to be spread throughout the organization, maintained by different owners and updated under inconsistent rules.

Challenge: Disintegration
Important compliance information remains dispersed, resisting the consistent control necessary for effective testing and reporting. Speed and accuracy suffer because data from multiple sources must be synthesized into consolidated reports. Version control and audit trails are non-existent when users access files on shared drives or distribute them by email, so there is no reliable record of who changed a test result, or when.

Impact: Lost control
Miscellaneous spreadsheets defeat the very point of compliance: to assert and then demonstrate control. Disaggregated data makes testing slow and complicated, and the same lack of aggregation delays reporting, turning a simple audit request into a time-consuming hunt-and-peck procedure.

1st Generation SOX Technology
Right from the start, larger enterprises invested in software to help officers manage compliance more effectively. The software they use today was initially designed when SOX was new and unfamiliar. As a more mature understanding of compliance evolved, the software was patched with new features and functions, but the underlying technology foundation remained the same. Nearly 15 years later, the days of large-scale SOX software deals have ended and software vendors aren't investing in their products. They are content to collect annual maintenance revenue without creating additional functionality. Saddled with legacy systems, officers lack the next-generation automation and reporting they need.
Challenge: Expensive software
Buying software licenses means investing in on-premise IT. Companies must purchase, install and maintain the hardware and software infrastructure needed to run the application. Installation is an additional expense, multiplied by the number of environments and sites at which it must be deployed.

Impact: Declining returns
Unlike wine, software doesn't improve with age; a once reasonable investment becomes less attractive as the software's functionality fails to keep pace with evolving regulations and user expectations.

Maintenance Fees and IT Resource Costs
Software licenses, and even the initial infrastructure expenses, are just the beginning. Everything installed inside the company's firewall becomes the company's responsibility to maintain.

Challenge: Burdensome IT
Annual maintenance contracts include software upgrades, but rarely cover the service costs of those upgrades, including consulting, installation and training. At large enterprises, it's not uncommon to see statements of work of $100,000 or more to take current software to its next version.

Impact: High cost, low priority
IT acts as an in-house provider that charges business units for its time. While its services add a substantial line item to compliance's budget, that same work, so crucial to compliance officers, is a low priority for IT. From IT's perspective, compliance is not a Tier 1 system: no customer data is at risk of exposure (even though the system holds the control documentation and test evidence the audit depends on), and daily operations can resume without it. In the hierarchy of priorities, SOX compliance system administration, maintenance and upgrades sit at the bottom.

Sunsetting
Many of the 1st generation SOX compliance software packages have been acquired by larger technology companies that today view the software as a secondary product offering and have little interest in its progress. Instead of actively investing in innovation, they passively collect annual revenue from maintenance contracts.

Challenge: Arrested development
Without ongoing research and development, much legacy software is no longer upgraded with new features or functionality, and fails to keep pace with regulatory and technological change. Out-of-date tools and interfaces require excessive clicking and unnecessarily slow progress.

Impact: Abandonment
When development stops, maintenance fees continue, but without significant new functionality to justify the expense. Worse, software ownership often changes hands to new owners who have even less interest in dedicating time and money to non-core technology.
03 THE CLOUD ALTERNATIVE
The better "how" is here, now

Fortunately, it's easy to let go of the past by embracing an alternative that's available right now: cloud-enabled SOX solutions. By moving from on-premise to on-demand technology, you immediately position your compliance program, and your company, for greater advantage.

Reduce manual labor
Contemporary SOX applications have incorporated thirteen years of lessons into their design. For example, single-stage assessments eliminate the tedious, click-heavy pathways found in legacy software. Simple configuration lets business users create, apply and manage their own business rules without calling IT.

Increase integration
Centralizing compliance in the cloud removes the location-by-location, silo-by-silo barriers to integration. A true shared control library reduces duplication of work and documentation. Through one common dashboard, compliance officers can standardize tests across multiple locations, and by drawing on an integrated pool of data, reporting is no longer impeded by distance or disparate data locations.

Future-proof your system
Shifting to SaaS removes the software/hardware life cycle from your operations and budget equations. Upgrades and updates are applied automatically, so your company always works with the latest software version and most advanced functionality.

Streamline migration
On-premise software deployment, from sourcing to installation, can be a many-month project; when moving to a SaaS solution, the average migration time is less than 30 days, including training and data import.

Release yourself from IT
Compliance system support will never be IT's top priority. But through the simplicity of the application's modern interface and the sophistication of its underlying engine, end users can, without relying on IT for guidance or support:
- filter and/or manipulate data
- craft reporting templates
- establish alerts and response protocols
- set up and confirm testing regimens

Eliminate administrivia
Using SaaS shifts almost all of the infrastructure requirements, and most of the IT burden, from your company to your provider, eliminating the costs and hassles of IT administration, maintenance, support and resourcing. The expertise needed to secure, store and recover the application and its data is carried by the vendor. Your organization still owns what it puts into the system: its users, their access rights, and the control documentation and evidence it loads.
ProcessUnity offers a tested, cloud-based SOX solution that lets your compliance officers focus on what matters most: compliance. To experience its ease, power and flexibility, request a demo today.

www.processunity.com
info@processunity.com
978.451.7655
Twitter: @processunity
LinkedIn: ProcessUnity
ProcessUnity, 33 Bradford Street, Concord, MA 01742, United States
170401