A growing number of public companies with complacent SOX programs are facing restatement and penalties from improper disclosures, improper revenue recognition and improper expense recognition. A fear of non-compliance with SOX and COSO 2013 has increased the risk that companies will adopt narrowly focused programs that attempt to mitigate the immediate regulatory compliance risks while failing to address the true intent of these regulations. It is a classic case of complying with the “letter of the law” and not its intent. The solution is for internal audit to lead through risk management assurance.
SOX compliance is now a routine process for most companies. How can we then explain the rapidly growing number of restatements and recognition complaints when companies certify they are in compliance?
I agree with Norman Marks, who believes that “complacency and denial” is being perpetuated by routine and checklist-like reviews. Norman recently wrote about his favorite role that internal audit (IA) plays in an organization. He describes that role as a fighter against “complacency and denial” that can be perpetuated by routine and checklist-like COSO [and SOX] reviews where it is easy to utter “we have completed our quarterly review of the top risks and believe they are effectively managed.” He compares this delusional form of risk management to an “ostrich sticking his head in the sand while the battle rages around him and saying I looked up an hour ago.” Read Norman’s blog on CAE Risk Intelligence.