A few weeks ago, we sat down with four IT, systems and audit experts to discuss SOX compliance and business systems. You can watch the full discussion on demand here — but one of the key takeaways was that, for our panelists, preparing their team was just as important as preparing their systems.
Systems and processes are important — but the people who will implement and maintain these systems and processes are arguably even more critical to success. Our panelists all agreed that alignment between teams, between departments and across the organization as a whole was critical to reducing stress around audits.
But what does that look like in practice? Our experts highlighted four key areas:
Alignment goes deeper than just letting everyone in the company know about an upcoming audit. Management, internal audit teams and external audit teams all need to communicate in advance and agree on timelines and scope. Additionally, IT and Finance teams, led by their supporting management (whether it’s a Controller, CIO or Business Systems Director, etc.), should be looped into the process early, since they’ll be doing the technical work of building appropriate controls.
“Accounting and Finance are always generally aware of what it’s gonna take [to get compliant]” panelist Dave Witty told us. “It’s more difficult for the rest of the business, for example a Sales department that really doesn’t like controls… It can be a big shock to the rest of the organization.”
Financial systems compliance should never be owned by the same team that manages it day-to-day — people responsible for controls and approving changes shouldn't be the same people implementing those changes. Auditors will want to see that this segregation is enforced, both among management (i.e., your CIO should not be leading your compliance program) and at the process level (whoever owns a financial system is not the same person reporting on it).
“In lots of organizations, NetSuite ends up falling under the CFO, because it’s a financial system. Auditors don’t want to see that,” Amy Carlson told us.
Our panelists recommended transitioning responsibility for your ERP from your finance department to a business systems or operations team that rolls up to IT. As well, the lead-up to an audit is an ideal time to conduct an access review — auditors will want to see that risks around Admin access, for example, are being mitigated properly.
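To make the segregation-of-duties and access-review points above concrete, here is a small added example (not Strongpoint's, NetSuite's or any panelist's code) that runs the two checks an auditor typically asks about over a role export: flagging users who hold conflicting roles on the same system (approver plus implementer, owner plus reporter), and flagging privileged accounts with no documented justification. The role names, the conflicting-pair list, the export layout and the sample users are all constructed assumptions; a real review would read the export from your ERP and use your own role catalogue.

```python
"""Segregation-of-duties and privileged-access review over a role export.

Added illustration, not tooling from Strongpoint or NetSuite. The export
format (user, system, role), the role names and the conflict pairs are
assumptions chosen for the example.
"""
from collections import defaultdict

# Constructed sample export: one row per (user, system, role) assignment.
ASSIGNMENTS = [
    ("alice", "erp", "change_approver"),
    ("alice", "erp", "developer"),            # approves AND implements -> SoD conflict
    ("bob",   "erp", "developer"),
    ("carol", "erp", "change_approver"),
    ("dave",  "erp", "administrator"),        # admin with no justification -> finding
    ("erin",  "erp", "administrator"),
    ("erin",  "erp", "financial_reporting"),  # owns the system AND reports on it -> conflict
]

# Role pairs a single person should not hold on the same system (assumed catalogue).
CONFLICTING_PAIRS = {
    frozenset({"change_approver", "developer"}),
    frozenset({"administrator", "financial_reporting"}),
}

# Roles treated as privileged and therefore requiring a documented reason.
PRIVILEGED_ROLES = {"administrator"}

# Constructed: admin grants that carry a documented business justification.
JUSTIFIED_ADMIN = {"erin": "CHANGE-TICKET-PLACEHOLDER"}


def find_sod_conflicts(assignments, conflicting_pairs=CONFLICTING_PAIRS):
    """Return (user, system, (role_a, role_b)) for every conflicting pair held by one user."""
    roles_by_user = defaultdict(set)
    for user, system, role in assignments:
        roles_by_user[(user, system)].add(role)
    conflicts = []
    for (user, system), roles in sorted(roles_by_user.items()):
        for pair in conflicting_pairs:
            if pair <= roles:  # user holds both roles of the pair on this system
                conflicts.append((user, system, tuple(sorted(pair))))
    return conflicts


def find_unjustified_admins(assignments, justified=JUSTIFIED_ADMIN):
    """Return users holding a privileged role with no recorded justification."""
    return sorted(
        {user for user, _system, role in assignments
         if role in PRIVILEGED_ROLES and user not in justified}
    )


def review_report(assignments):
    """Human-readable findings list suitable for attaching to audit evidence."""
    lines = []
    for user, system, (role_a, role_b) in find_sod_conflicts(assignments):
        lines.append(f"SoD conflict: {user} on {system} holds {role_a} and {role_b}")
    for user in find_unjustified_admins(assignments):
        lines.append(f"Unjustified privileged access: {user} is administrator")
    return lines


if __name__ == "__main__":
    for line in review_report(ASSIGNMENTS):
        print(line)
```

The conflict check is deliberately per system: a developer on the CRM who approves changes on the ERP is not a finding under this rule, which mirrors how auditors scope SoD to the system whose data feeds financial reporting. Keeping the justification table separate from the export means the same script produces the evidence that "Admin access is mitigated" once each remaining admin has a ticket behind it.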
3. Learning… and Teaching!
Like any complex process, knowing where to begin is arguably one of the most important aspects of your audit journey — but it can also be one of the trickiest. The best way to overcome this — one of the reasons we hosted this discussion in the first place — is to speak with others who have been through it before.
Talk to others — both systems leadership and auditors — to get a sense of what’s in scope and how the process will work. Then — and this part is critical — share that information with your team! The more informed everyone is, the better they’ll understand how their specific requirements fit into the big picture.
(It’s also a great idea to support this by building out a detailed calendar, with time built in for testing and reviewing your data. Bringing on board a project manager to oversee the process can be invaluable.)
Once you start building controls, you’ll likely find that the work involved in tracking material changes or implementing segregation of duties is more than your team can handle. And while you can hire additional people, the smarter and the more cost-effective way is to build automation into your processes.
All three of our panelists have used Strongpoint to do just that. “We use Strongpoint,” said panelist Christy Schwartz. “That’s really the only tool from a SOX compliance perspective... [it] has been incredibly helpful for NetSuite.”
Strongpoint helps public and pre-IPO companies automate the hardest parts of compliance, so IT teams can focus their efforts where they're needed most. We have plenty of resources on our site that go into greater detail about this. Some great places to start include our NetSuite and Salesforce SOX pages, the case study we prepared on Witty's previous company, ZoomInfo, and of course the panel webinar we've drawn much of this post from.
If there’s one key takeaway from this post, it’s that you need to start communication, planning, adoption and implementation as early as you can. Start by getting buy-in from management, then get your entire organization onboard. Look for gaps and determine what can be filled by new hires, and what can be filled by automation. And remember, compliance is an ongoing process — the work you do now to build smart controls and effective processes will mean easier audits for years to come.