You're Sarbanes-Oxley Compliant. How Do You Stay There?

by Rich Cohen and Nancy Zurell, Deloitte Consulting LLP

Take a deep breath and pat yourself on the back. Your company is compliant with the Sarbanes-Oxley Act of 2002 (SOX). Now, how do you stay there? Sustained SOX compliance is a journey, not a "once-and-done" effort. It takes the right combination of people, processes and technology to make the journey successful.

The first step is to harness the best people in the company to manage the sustainment effort. The goal should be to instill a culture of data quality within your company. Educate anyone who has contact with company data (read: everyone) on how important it is to maintain the data quality standards developed in the SOX compliance process. To this end, develop metrics for measuring data entry accuracy rates, and tie performance to incentives.

Next, evaluate your initial compliance methodology and fine-tune it to enable the sustainment effort. The trials and errors that went into developing your SOX compliance methodology should give you valuable insight into which data quality maintenance processes work best for your company. Examine your initial compliance processes to confirm that they can be reused – and tweaked, if need be – to enable you to monitor and sustain the compliance effort.

To augment the work of your people and processes, it's critical both to implement best-of-breed data management tools and to automate data management processes when possible. Because of time constraints, your initial SOX compliance effort may have entailed using your existing technical architecture. However, now that you are in compliance, it's time to re-evaluate that technical architecture. You need flexible, scalable data management (data quality, extraction, transformation and loading [ETL], etc.) tools that can grow with your company and enable you to automate as much as possible of the data management effort.
The ultimate compliance technology, however, is a SOX compliance portal to monitor the compliance process and put accurate information into the hands of the people who need it – when they need it. A SOX compliance portal gives executives, managers and knowledge workers role-based views, allowing them to monitor multiple processes that occur simultaneously and to consolidate seemingly disparate information into a relevant and usable context for analysis and action. With this technology, data management issues can be identified and rectified long before they become serious, widespread problems.

Sustaining SOX compliance will never be easy. Regulations will change, and problems will almost certainly arise. The goal of compliance sustainment, however, is to gain the ability to identify and correct potential problems before they become endemic. The right combination of your company's best and brightest people, usable and repeatable data management processes, and flexible, powerful technology will go a long way toward helping you sustain SOX compliance.
Bio:
Rich Cohen is a principal in Deloitte Consulting LLP's Information Dynamics practice, where he is responsible for the strategy, development and implementation of data governance, data warehousing, decision support and data mining engagements to support the emergence of world-class business intelligence applications. He can be reached at ricohen@deloitte.com.
This story appears in the Fourth Quarter 2005 issue of