Periodically reviewing and updating job descriptions
Such controls are tested more frequently; less essential ones may be deemed to fall outside the scope of the testing plan entirely.
Many companies have achieved cost savings in the second year of SOX compliance, without any reduction in control effectiveness, by rationalizing their controls in this manner.
Some spoke of putting their planned initiatives in a “parking lot,” with the hope of pursuing them the following year.
As SOX went into effect, more and more executives began to see the need for internal reforms; indeed, many were startled by the weaknesses and gaps that compliance reviews and assessments had exposed, such as lack of enforcement of existing policies, unnecessary complexity, clogged communications, and a feeble compliance culture.
But what exactly is a control structure composed of?
A control is a practice established to help ensure that business processes are carried out consistently, safely, with the proper authorization, and in the manner prescribed.
Monthly reconciliation of cash accounts, for example, is undertaken to ferret out such conditions.
An essential element of any Sarbanes-Oxley compliance program is the testing of controls.
In some cases, the matters being tested were too unimportant to contribute to a material misstatement in the financial reports.
The first year of implementation was costly and onerous, far more so than companies had been led to expect.
In the view of a few open-minded firms, however, the second year of compliance turned out to be not only less costly and less onerous (as doing something for the second time usually turns out to be), but a source of valuable insights into operations, which management has translated into improved efficiencies and cost savings.
They were thinking not only of protecting stakeholders and shielding their companies from lawsuits but of developing better information about company operations in order to avoid making bad decisions.
However, the burdens of implementing SOX for the first time, in 2004, were so great that this more forward-thinking group could give little time to developing and adopting policies and practices that went beyond literal compliance.