In a lean SOX program, processes are streamlined to support the compliance function, controls are continually monitored for possible improvements, and unnecessary steps are identified and eliminated. The lean control optimization process shouldn’t only consider control optimization opportunities but also how SOX programs are organized and whether there are efficiency opportunities in consolidating commonly dispersed structures into one consistent structure.
It’s important to note that investing time and effort up front will pay off over time. Relatively simple actions like continual scoping, to eliminate scope-creep and ensure that controls operate effectively and mitigate risk, should minimize costs year after year.
While power and utility companies typically assess their compliance risks annually, many don’t really benefit from this effort, since most programs are on autopilot, with users focused on repeating what they did the previous year rather than stepping back and taking a fresh look at the process for efficiency and better risk mitigation. In addition, most power and utility companies don’t often link their efficiency programs with their current SOX programs. Kaizen and other lean programs are designed to diagnose a process for efficiency opportunities. These activities provide a great opportunity to re-examine the controls within these processes and really challenge whether they are the right controls to best mitigate the risk while achieving the company’s efficiency goals.
Another common shortcoming is that SOX program employees often don’t complete their tasks in a timely manner. What’s more, many SOX programs are now dispersed within the organization. A lean SOX program requires that leaders ensure that staffing and performance are aligned with program needs.
Power and utility companies that maintain a low-cost, high-value SOX program over time will likely gain an edge in being viewed as a best-practice operating entity compared to their peers. Among regulators, increased value and efficiency speak just as loudly as reduced costs.
Coordination of multiple compliance programs is one way to increase the value and efficiency of SOX programs. This is because the coordination of efforts among various programs enhances knowledge sharing, which can enable more intelligent and proactive insights while eliminating redundancies and cutting costs.
Companies that achieve integrated compliance typically see enhanced synergies among functions such as SOX, internal audit, enterprise risk management, and compliance. Indeed, the most successful organizations don’t simply share information or integrate functions. Rather, they gain synergies by aligning and integrating activities such as risk assessments, control monitoring and testing, reporting, and deficiency management. This level of integration requires that companies break down silos of information and technologies across the organization. This remains a significant challenge in the industry.
To begin integration of two or more compliance programs, SOX administrators should identify a single control that meets multiple compliance efforts. For many power and utility companies, the logical starting point lies in the regulatory overlaps between NERC and SOX programs. Applying SOX controls to NERC inputs and reporting can help companies better identify risks and increase confidence in data integrity. This type of integrated compliance also can improve business processes by allowing program administrators