SOX Controls Management and Best Practices in Compliance System Implementation
Governance, risk, and compliance (GRC) solutions provide value by helping organizations to manage the complexity of information management, process execution, and stakeholder coordination within complex compliance or risk management operations. However, as highlighted in Blue Hill Research’s July 2015 Benchmark Report Contributors to GRC Implementation Success: Avoiding Worst- Case Scenarios, the value offered by these solutions can often be eroded by the lengthy implementation cycles required to implement these solutions. The speed and effectiveness of implementation thus tie closely to the success of and satisfaction with the investment in a compliance system, or other GRC platform.
To provide organizations with concrete best practices for their own investments, this Case Study reviews the experiences of KBR, Inc. (KBR), a public, global professional services and technology provider, as it installed a new compliance system dedicated to supporting its Sarbanes Oxley (SOX) controls testing and review processes. After determining a new solution was required, the organization began to search for a replacement in September 2015. KBR completed user rollout in time to begin using the solution for its 2016 SOX controls review, a total project period of approximately 7.5 months, with 3.5 months of post-contract implementation work.
AT A GLANCE
KBR, a public, U.S.-based services and technology provider with over $4 billion in revenue and over 27,000 employees
Replacement of a legacy SOX controls management platform with a new system from DoubleCheck Software intended to support core controls management and a peer-review approach to controls test review involving 400 testers and reviewers.
- Total Project Time: 7.5 months
- Deployment & Rollout: 3.5 months
- “Extremely high” end-user satisfaction
- “Very high” satisfaction with business impact
- Precise & comprehensive business requirements
- Project leadership by the Financial Controls Group
- Executive-level support and championship for the project
- Solution delivery options aligned to business priorities
- A “show me” approach to vendor claims
- Formalized project management
By reviewing KBR’s strategic decisions and tactical approach to key aspects of (1) business case and requirements definition, (2) solution evaluation and selection, and (3) deployment and rollout, Blue Hill identifies crucial best practices which will enable organizations to achieve similar results in their own implementations.
Controls Test and Review Business Context and Needs
KBR is a public, U.S.-based global provider of differentiated professional services and technologies across the asset and program life cycle within the hydrocarbons and government services sectors. Its operations extend across over 40 countries and more than 27,000 employees. Annual revenues exceed $4 billion, generated from customers distributed across approximately 80 countries. As with any company with this scope of operations, Sarbanes Oxley (SOX) controls management, assessment, and testing represent a complex and wide-ranging effort.
Management of KBR’s controls development and testing is centralized under its Chief Accounting Officer (CAO) and its Financial Controls Group, a team of five individuals. Controls were established by major business segment and pushed down to the underlying business groups. Although control owners performed self-assessments of control effectiveness, a significant amount of reliance was placed on quality assurance reviews and independent testing performed by an internal audit team.
“Our CFO drove the focus on peer review. It was a major initiative intended to decentralize ownership of the internal control process and reduce overhead costs associated with SOX assessment. We looked at the amount of time the audit department spent on testing and we thought we could cut that back. Peer review was a way to do that, by distributing the man-hours across our business groups.
Perhaps the biggest benefit of the new process has been that it embedded an understanding of SOX controls into the day-today thinking of the business. We’ve made huge gains.”
Project Manager, Financial Controls
Within the past several years, the organization made two changes to embed engagement with controls more deeply within its business operations:
- Adoption of a peer review approach as an added step to evaluate the quality of control tests performed by the control owners themselves, whereby the control tests applied to a particular group would be reviewed by organizational peers independent of control operation
- Assignment of “SOX Champions”, a designated stakeholder within a business group responsible for providing input on tests and controls and managing remediation of identified issues
The inclusion of peer review added a new step to the organization’s controls testing and review operations model, while also adding to the stakeholders involved (Figure 1).
Peer reviewers are generally manager-level and above employees. These stakeholders generally fell within the same business group as the control tester and reviewer, but were not associated with the operation of the controls under the relevant peer review.
The new process involved approximately 400 testers, reviewers and peer reviewers, an increase of approximately 150 stakeholders. While reducing the concentration of labor on Internal Audit, this expansion added to the complexity of the testing and review and raised a need to ensure that a consistent, high-level of audit quality was maintained.
Key Technology Challenges and Investment Drivers
At the time that the organization began to implement its new peer review process, KBR was using a legacy controls management system that was over ten years old and no longer supported. Due to the age of the application and changes in KBR’s processes, the organization had identified several limitations of the legacy platform, including:
- It could not store or manage documents supporting control tests
- It lacked the capability to support the management of deficiencies, requiring the use of external spreadsheets
- It did not possess the functionality needed to support the distributed file and information exchange, and reporting demands of the peer review process
- The vendor no longer supported the platform, so functional expansions and application support were unavailable, while security risks would increase over time
“We’ve used the same system since SOX was introduced, but our approach to assessment had changed. We added a peer review to the controls test and review process. Our system could not handle that second level of review, so we tried to manage it using a file share application. However, data integrity issues are common when sharing files among many users. We were now dealing with multiple copies of the same file that had to be combined into a centrally controlled ‘master’ copy. This was very inefficient and risky from an accuracy standpoint.”
Project Manager, Financial Controls
KBR determined that an investment in a new platform was needed to replace the legacy platform and support its changes in the control test and review process.
KBR identified a need for a new investment in an integrated SOX controls platform that could maintain a master library of risks and associated controls as well as provide a centralized platform to support controls tests, peer review, and reporting across the organization. Ultimately, KBR implemented this solution by partnering with DoubleCheck Software to implement and configure the DoubleCheck Governance, Risk, and Compliance (GRC) platform according to their identified needs. Table 1 identifies the key features and characteristics of this platform, as reported to Blue Hill Research.