Reducing the cost of SOx compliance - learning from ISO9000 implementation

History repeats itself. CFOs looking to reduce the cost of sustaining SOx compliance look no further than their Quality Management organization. The techniques that helped a manufacturer reduce the cost of staying compliant with ISO 9000 will also enable a CFO to sustain SOx 404 compliance at significantly lower costs.

When US manufacturers started implementing the quality management standard - ISO 9000, the initial cost of compliance was very high. Every process had to be documented, almost every employee had to be trained and change control procedures for process and documentation had to be put in place. As a result, ISO 9000 certification and its ongoing compliance were widely assumed to be only fit for companies with lots of resources. However, as time went by a process-based approach to the job became a part of company's DNA. Overlay resources (external consultants) were no longer needed to perform documentation and change control activities. By making these activities a part of the day-to-day job of every employee, the overhead associated with these activities dropped significantly. Today, it is hard to find a 'preferred supplier' in America who is not compliant with ISO 9000. These companies have sustained compliance at significantly lower costs than estimated earlier. A study co-produced by McGraw-Hill and Dun & Bradstreet shows that about 25 percent of all ISO 9000-registered companies have less than 150 employees, and 29 percent of registered companies have between 150 and 500 employees. In other words, more than half of ISO 9000-registered companies in the United States are considered small and medium-sized businesses.

In order to sustain ISO 9000 compliance, these companies have successfully implemented the following practices within their environment:

• Ensure that documentation of key operating procedures stays accurate by implementing strict change control procedures
• Ensure that no process can be changed without documentation change control
• Collect continuous improvement ideas, seek appropriate review and ensure any changes to a process go through change control
• Audit existing processes on a regular basis
• Identify and track any material or process non-conformance from any audit or inspection, formulate and implement corrective actions and ensure that the corrective action has resolved the issue
• Provide visibility to management and stakeholders

Such practices have become completely embedded inside the daily work activities of employees at these companies. In addition, most companies have implemented compliance software to ensure document management/change control and to streamline the audit management, issue tracking, closed loop corrective action deployment and management reporting processes. As a result, the cost of sustaining ISO 9000 compliance has reduced further.

Drawing upon the experiences gained from reducing the cost of ISO 9000 compliance, CFOs/SOx program managers must ensure the following:

• Implement continuous employee training to ensure that the process team members clearly understand current processes/controls and know that no changes should occur to systems, practices and business processes without appropriate change control on documentation. This behavior should become a part of company's DNA.
• Implement standard documentation methods to ensure that common tools and standards are used to document a process/control across all subsidiaries within a company.
• Implement comprehensive document control with a well defined review process to ensure only people with the right authorization can update and review the documents. This is essential to making sure that the process and control documentation is always correct.
• Ensure standardized tests for any internal control across the enterprise with automated scoring & reporting to ensure that internal controls are tested in a consistent manner across all operations within the company and over time. Only authorized people such as the internal audit staff or process managers should be authorized to update these tests.
• Ensure that scores for an internal control that are 'below acceptable value' are automatically flagged as deficiencies in internal controls and tracked within the company.
• Ensure that the remediation process is automatically triggered, corrective actions are successfully implemented and an audit is completed soon-after to ensure that the deficiencies have been corrected.
• Provide dashboard-based visibility into the compliance process status to notify all stakeholders with evaluation status, deficiencies uncovered and their remedial status.

While the above steps can be implemented using a spreadsheet-based manual process, it is highly recommended that the organization invest in a software system that addresses the above-mentioned requirements.

By learning from the experience of an ISO 9000 implementation and embedding the steps listed above in the employee's daily work, SOx Program managers can deliver SOx compliance at significantly lower costs.