Since the instatement of the Sarbanes-Oxley Act in 2002, the premise of SOX 404 testing was to assess the operating effectiveness around management’s controls. Since then, Internal Audit departments have been the de facto administrators carrying out testing for those controls.
Why Process Owners Are In the Dark
When searching for a reason for why this framework has persisted in most companies, there are several factors:
- First, SOX is a very administrative task that needs to be centrally managed by a dedicated team.
- Second, due to a lack of management systems that give process owners visibility into their controls, SOX controls currently live in the Excel sheets, shared folders and desktops of Internal Audit teams - far away from process owners.
- Finally, due to this lack of visibility into their controls, process owners’ main organizational framework for their day-to-day activities is driven by their own version of tasks, outside of the context of their controls.
This self-perpetuating system naturally prevents process owners from seeing and managing their own controls.
How Can Process Owners Start Owning Their Controls?
One of the biggest factors hindering process owners from having visibility into their controls is the fact that control information is documented on spreadsheets managed by Internal Auditors. Process owners only gain visibility into their controls when Internal Audit sends them their controls, once a quarter.
AuditBoard is one of the leading tools today enabling Internal Auditors to push out control documentation and control activities on a much more frequent and real-time basis. AuditBoard’s centralized database of single page web forms empowers smarter collaboration between process owners and Internal Auditors by allowing them to work on a control in a single place. Testers and reviewers can make changes and directly tag each other in comments - eliminating the back and forth confusion of emailing.
A dashboard with detailed overview of controls and testing status, automated workflows, and email notifications, also facilitate collaboration. In AuditBoard, process owners have full visibility into their controls and have the ability to request changes when there are updates to their control environment. They can even request Internal Audit to review those changes and make final approvals before they are committed to the master RCMs.
A controller can receive a notification describing all activities she or he has to perform this particular week for their SOX controls and gain visibility into their entire team’s status, such as who is not performing controls and where the gaps are.
AuditBoard is the leading solution empowering Internal Audit departments to work more efficiently and effectively with process owners. AuditBoard shifts the ownership from Internal Audit back to the process owners - as it was meant to be.