While it has been well over a decade since the Sarbanes-Oxley Act of 2002 was put into law, the ability of companies to ensure their compliance in an efficient and effective manner can still be a challenge.  As is the case with many challenging activities and processes, a significant opportunity exists for Shared Services to assume a leadership role in Sox compliance because of its inherent skill sets in standardization, process improvement, controls & compliance, and technical expertise in both Finance and Operations.

On a recent Peeriosity Peercast^TM, a global consumer products company shared their experiences in transitioning a significant portion of their SOX compliance activities to their Finance Shared Services (FSS) operation.  Starting in 2012, the decision was made to form a SOX center of excellence (COE) in the Shared Services operation in India called Global Quality & Risk.  This new organization reported directly to the Head of Finance Shared Services, with a dotted line reporting relationship to Global Internal Control, which has governance responsibility across the entire company for controls and compliance, including SOX.

Some of the primary reasons the new Global Quality & Risk organization was based in India included the following:

• Independence – Structurally, the SOX team in India does not report to any of the businesses. They report to Global Business Services which reports to the COO of their international region.
• Expertise in Internal Control/SOX Compliance – The team is qualified and already had adequate experience to perform the testing.
• Compliance at Lower Cost – Low-cost location performing other related Finance activities.

Initially, for the period of 2013-15, the responsibilities of this new organization included SOX management testing for Accounting Operations, Accounts Payable, Expense Reporting, Information Systems, and Supply Chain, which was approximately 10% of the testing for the company as a whole.  In 2016, the SOX team was expanded and it ramped up to 30% of the total testing.

Some additional areas that they plan on performing compliance testing for in the near future include Human Resources, Payroll, Sales, Trade, and Logistics, with discussions underway regarding the roles of SOX governance and coordination with external auditors on SOX-related matters.  Overall, the company is very happy with this transition of responsibilities and foresees the role expanding for the Global Quality & Risk organization in Shared Services.

Looking now at the results of a poll related to the same topic of Sarbanes-Oxley compliance administered using Peeriosity’s iPolling^TM technology, the first of two questions looked at how SOX testing is managed at the companies being surveyed.  The most popular response (37%) was that an internal controls team located outside of Shared Services is primarily responsible for this role, with 30% of the companies indicating that individuals in the various process areas throughout the company have this responsibility.  For 22% of the companies, a centralized team in Shared Services has this role as part of their service offering, and the remaining 11% utilize a combination of these design options.

The second poll question then addressed the frequency with that SOX testing is being performed, with annually being the dominant response (44%).  For 22% of the companies participating in the research, the frequency is semi-annual, with the same percentage doing so on a quarterly basis. 

This poll generated a large number of comments from the member companies, including the following:

Manufacturing Member: Our Company generally has a program of “self-testing” where Shared Services performs testing on the controls which are primarily the responsibility of Shared Services, and the plants generally are responsible for testing controls where controls primarily remain local. In some cases where possible, Shared services will also sample and test controls that are at the plants.

Energy & Utilities Member: SOX controls are tiered into multiple levels. Certain tiers are tested in certain quarters by the process owners and documented in the self-assessment application. We have a Financial Controls team which is our Sox team which is part of Audit Services & Controls (not Shared Services) and owns the testing process, self-assessment application, and reporting responsibilities.

Consumer Products & Services Member: Our Company is considering the option of centralizing SOX testing into a Shared Services location and we wanted to understand how this activity is managed at other companies.

Manufacturing Member: We have an independent team within Shared Services that performs self-testing throughout the year for any processes already handed over. Activities not handled by Shared Services are covered by individuals in the process areas. Corporate Internal Audit and our external audit firm perform independent testing once a year from October to November.

Media & Entertainment Member: All SOX-related testing is performed by Internal Audit to maximize our external auditors’ reliance on our work. All in-scope areas are tested annually, with more financial material testing being done in Q4 to minimize roll-forward testing.

Healthcare, Pharmaceuticals, Biotech Member: We have a centralized services team performing two-thirds of our SOX testing. The remaining testing is performed locally by dedicated controls and compliance employees. We test each SOX control once annually in Q2/Q3 with limited update testing in Q4.

Consumer Products & Services Member: We have a mixed approach – individuals in the various process areas throughout the company are responsible for testing for SOX compliance annually and a large percentage of this is within our Shared Services operations because we are responsible for most of the SOX-relevant processes. But we also have an internal controls team (outside of Shared Services) that audits the testing. Within our Shared Services groups, we usually have the “SOX” internal audits about every other year.

Manufacturing Member: Our Company uses a small team for SOX testing that is comprised of Shared Services individuals, corporate individuals, and the 3rd party for certain controls.

Manufacturing Member: We have a SOX team, so testing is mainly done by them. And normally one interim testing and one final testing in a calendar year.

How is Sarbanes-Oxley testing managed at your company?  What is the testing frequency and what role does Shared Services play to ensure compliance?

Who are your peers and how are you collaborating with them?

“Peercasts^TM” are private, professionally facilitated webcasts that feature leading member company experiences on specific topics as a catalyst for broader discussion.  Access is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from attending or accessing discussion content.  Members can see who is registered to attend in advance, with discussion recordings, supporting polls, and presentation materials online and available whenever convenient for the member.  Using Peeriosity’s integrated email system, Peer Mail^TM, attendees can easily communicate at any time with other attending peers by selecting them from the list of registered attendees. 

 “iPolling^TM” is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from participating or accessing content. Members have full visibility to all respondents and their comments. Using Peeriosity’s integrated email system, Peer Mail^TM, members can easily communicate at any time with others who participated in iPolling.