Fifteen years ago, the Sarbanes-Oxley Act (SOX) became law. Soon after, there was a massive scramble by companies that needed a way to comply. This also gave rise to a wave of software implementations that had to be in place and functioning very quickly. Needless to say, this required the use of technology that was available at that time. For many, the tie to this technology has not been broken.
Certainly there have been upgrades and, for some, migration to new versions and more recently to cloud-based systems. But for many (about half, if we use the typical generation length of around 30 years), the system they are using was put in place by a prior generation of auditors and of those who are subject to the record-keeping and reporting requirements of SOX.
More recently there has been greater emphasis on risk-based approaches. It is often not possible to do absolutely everything required (and certainly it is not cost effective), so many organizations have developed risk-based approaches. In 2002, there wasn’t a great deal of emphasis on risk. The major risk standard at that time was probably AS/NZS 4360:1999, and it wasn’t until 2009 that ISO 31000 appeared, which now forms the basis for risk in many other standards (note: ISO 31000 is under review and a new draft international standard was published Feb. 17, 2017). While reform of SOX may be under consideration, the general consensus seems to be that this will be more focused on reforms for financial institutions, but whatever happens, the changes could be as sudden as the tsunami-like changes set off by SOX in 2002.
There are, however, changes brought about by technology that may make this next wave simpler to manage for those who are prepared. Firstly, the cloud. While many still debate the rights and wrongs of having SOX data on the cloud, there has been an increasing acceptance of the use of the cloud. Major advantages include:
- Speed to implement
- Speed to update
- Security. Think of the major cloud providers who have hundreds if not thousands of highly specialized people and systems protecting the system and data, compared with the IT resources of most companies.
- Cost. The shared cost of the cloud infrastructure is typically much less than on-site implementations.
Secondly, the integration of the SOX process into all the niches of the organization has given rise to Integrated Risk Management – where risks in any part of the organization are managed consistently and rely on the interconnected data to ensure there is a single instance of the facts, so that better decision making can occur and potential problems can be surfaced before they become major incidents.
Thirdly, “Big Data” is here. While this can be a challenge in itself, the key is the layering of data visualization tools that sit above the data, providing insights into this massive pool of information and presenting those insights in ways that are readily understood, so that decision makers can make informed decisions based on current data. On-site implementations, however, may not have the capability to take advantage of this wave as effectively as cloud-based systems.
The cloud is here to stay, and now could be the best time to be considering a move.