Sarbanes-Oxley 302 made easy
This month BWise releases Service Pack 2 for the 4.1 version of our suite. There is some exciting new functionality included as blogged earlier. There is one in particular that I'd like to explain a bit in more detail today which is the Configurable Assessment Workflow. And to do so, I'm going to apply it to the SOX 302 Assessments to explain what exactly it does (knowing up front that a lot more is possible with it but you'll find out soon enough!) and I'd like to start simple using a fictional company as an example ;)
The 302 section of the SOX Act requires that the signing officers (typically the CEO and CFO) have reviewed the corporate financial statement and their internal controls, agree that it is a complete and fair representation of the company's current state of affairs.
But how in practice does the 'officer' knows if is internal control is effective? If all possible Fraud incidents have been properly recorded? And if their processes have not significantly changed in the past period to possible have an impact on the financial statement recordings?
The shortest answer would be: Implement BWise but let's dig a bit deeper....Although the officer is in the end responsible for signing the 302 statement, he delegates a lot of what's going on their organization to other employees. Consider the following example:
To know if everything is 'in control', that the deficiencies listed are complete and accurate and that all possible fraud cases are consolidated to the top mgt. level, the CEO will have to ask the Directors who in turn will have to ask the Process Owners. The typical CEO will want a formal internal statement that provides more assurance than 'just' an email thread.
This is of course a simplified picture since many of our customers have 100+ subsidiaries, different country operations and many more processes which all make the 'roll-up' of the individual attestations very difficult. Every person in the hierarchical tree will want to see an aggregate of the results below that helps him to determine what his statement should contain. The underlying statements serve as a final 'sign-off' and much more information is typically required (supported by other parts of BWise) such as control test results, risk assessments and process design documentation updates.
The new Configurable Assessment Workflow functionalities of Service Pack 2 make this aggregation and roll-up of information even simpler. The organization structure including responsibilities is already documented in BWise. We can now send out a personalized questionnaire in a workflow that allows every person to track and trace the progress of the underlying delegates in signing off. Once everyone is done, it reaches their level automatically and they fill-out whatever needs to be documented as part of their sign-off. This is made easy since for instance the director can directly see the underlying results of all his process owners and these go up, up and up depending on the levels in your organizational structure, processes structure and your personal requirements on what levels sign-offs are required.This can all be done with setting up one assessment!
The features that this updated configurable assessment workflow module offers are quite comprehensive:
- Updated styling on question elements;
- Multi-page questionnaires;
- Roll-up and aggregation in a variable number of level;
- Single assessment creates many sessions (depending on IC framework elements (e.g. Control Owners, Process Owners and the likes));