A Decade of Sarbanes-Oxley:
The recent 10-year anniversary of the Sarbanes-Oxley (SOX) Act warrants a look back at the impact this legislation has had on publicly traded companies. A more valuable endeavor, however, might be to look ahead. While SOX was introduced as a regulatory response to fraudulent accounting practices, the evolving business and regulatory environment has allowed SOX to evolve as well—or, rather, allowed organizations to evolve in how they leverage SOX to manage expanding compliance and risk issues.
What might the next decade of SOX hold? And how might organizations use a “SOX lens” as they examine the quickly changing business and regulatory landscape, dig deeper into controls and processes, draw greater value from compliance initiatives and better integrate risk management into their operations?
As many organizations have become more comfortable with SOX requirements, they have taken a deeper look at their existing internal control structures. They are moving beyond a baseline “check-the-box” approach (that is, simply having controls in place to fulfill a compliance requirement) and are taking the opportunity to reevaluate and leverage controls to improve their governance framework.
SOX compliance provides opportunities for organizations to more effectively integrate risk into their processes and to drive better business operations. Linking internal controls to an overall Enterprise Risk Management (ERM) program may help organizations prioritize and improve upon how they manage risk. In fact, we have seen organizations make the journey from baseline SOX compliance to an integrated governance, risk and compliance (GRC) model since the legislation was enacted.
Risk management is certainly not a new concept, but many companies are refreshing their thinking with regard to risk oversight and governance. Boards of directors and executives alike have come to realize that many threats may be anticipated and mitigated—or even avoided—by putting more effective risk management processes and more transparent reporting measures in place. As an organization matures alongside SOX, it is a worthwhile investment to consider how to extract more value from efforts tied to compliance.