In its decade-long life, the Sarbanes-Oxley Act has triggered many emotional arguments. One that continues to persist, even all these years later, is whether management testing can be done in-house or should be done solely by independent consultants. Like any logical argument in life, both sides to the equation have valid points, including the ones below:
The case for independent consultants
- Consultants provide independence: This is an area companies quickly embrace whenever someone looks at their past in-house testing with skepticism. I saw it firsthand at an established retail giant, where the company’s SOX project manager took great pride in asserting, “In the last five years, we have had no significant deficiency.” The applause that followed matched the kind you hear after an Olympic Gold performance. But another fine day, that same declaration didn’t get the same reaction. This time, the PMO said it to the brand-new controller, a former Big 4 partner, who wasn’t pleased. “But that means you have not been independent enough in your evaluation,” the controller said. Ouch! Silence all around. It’s hard to debate one of the strongest arguments for taking testing to external consultants — independence.
- They bring a wider perspective: Independent finance pros step out a lot more than entrenched employees. They see different companies, distinct SOX departments, and a variety of mindsets. All of this makes them a valuable resource for SOX best practices, not just for uncovering flaws but finding ways to improve processes and figuring out the balance between tight controls and overwrought ones. They know what works well in certain types of companies and what doesn’t. Plus, they can anticipate what the auditors will likely expect down the line and prepare the company for those expectations (life is much easier when you can be proactive with your external accounting firm rather than scrambling when the auditors find something amiss). Employees, as an intrinsic part of the organization, usually can’t bring such up-to-date and diverse experience to the table.
- They can reduce costs: It’s generally more cost-effective to outsource SOX testing to highly skilled, knowledgeable professionals, on a project basis, than taking on full-time employees. And these professionals may also help lower the total cost of SOX as external auditors will rely on the work of objective and competent third parties. The less time auditors spend scrutinizing what a company’s internal staff has done, the less the company has to pay in auditor hours.
The case for in-house testers
- They may be able to extract more information from their colleagues. In-house testers, by working among their business and IT partners all year long, have the opportunity to build strong relationships and rapport over time. While such rapport can fuel the argument for independence, the fact is they could make more inroads in gathering information if their colleagues tend to be more helpful to those they already know and trust.
- They know the business inside and out and have a vested interest in its future. Testers working from the inside can at times provide meaningful suggestions for process improvements — a strong and beneficial byproduct of the testing process. With a desire to keep their jobs and see their company thrive, they have a personal interest in uncovering inefficiencies. At other times, however, these in-house testers may hold back their ideas, not wanting to rock the boat with any of their fellow employees who may be affected by their suggestions.
What about a combo approach?
A trend, which appears to be gaining traction in Silicon Valley, is a mix-and-match approach, whereby the external consultants work in tandem with a select few from the in-house team. While it might appear that this is the “best of both worlds” scenario, it doesn’t play out that way in practice. The decision-making still tends to be made in-house, with all the pros and cons the in-house model entails.
The verdict: What makes sense for your company
Management needs and wants confidence in what the testers find and report to them (and so do investors and other stakeholders). The top executives put their name on the line to whatever is or isn’t uncovered during the testing process. Only you can decide, after weighing the pros and cons and the factors that go into the work involved, which method of SOX testing makes the most sense for your business and provides you with the right level of certainty.
Vivek Kumar is a member of the RoseRyan dream team. He has been working in SOX since the time it became law and from both sides, in-house and as an external consultant. When not doing SOX, Vivek keeps himself busy playing tennis and making feature films, the first of which hits theaters this summer.