A few months ago, SearchCompliance.com wrote about the difficulties smaller firms sometimes have with SOX compliance. But Abiomed, a Massachusetts medical device manufacturer with approximately 350 employees, says there are reasonably priced GRC systems on the market to help a small company meet requirements — you just have to do your homework.
During a webcast last week, Abiomed CIO Sharon Kaiser suggested using a GRC tool to manage compliance-relevant changes through the request, development, testing and approval stages and on into production. Tools that capture audit reporting information and support your business processes with automated workflows can help too.
Kaiser suggested seven key points to remember when seeking SOX compliance:
- Don’t tolerate energy-sapping manual processes.
- Understand management’s need for GRC data.
- Look for a solution that meets your needs and is manageable for your company.
- Seek to “embed compliance” — automate capture of audit data at the time of execution.
- Enable ad hoc, on-demand audit reporting.
- Look for tools that will streamline routine IT operations.
- Embrace GRC — view it as a tool for innovation.
Kaiser went so far as to say that SOX audits do not have to be quite so time consuming, and deployment for Abiomed was “quick and painless.” However, she added that it is necessary to be prepared and plan the transition, to understand what you are getting, and to determine what functionality you will use and how.
This is all good advice. In a previous article, contributor Adrian Bowles wrote that “it is still too difficult for small shops to deal with separation/segregation of duties, which require that different people have access to applications and data throughout the lifecycle to provide adequate controls against fraud.” Bowles added that in smaller companies, one person may have multiple roles at different times, making compliance “a thorny issue.”
But Abiomed shows that it is possible for a smaller company to achieve compliance by using proper planning and distribution of duties. After the company decided to re-evaluate how it wanted to define and manage SOX compliance, it hired an outside auditing company for an initial SOX assessment. The company then put together a project plan to conduct a business and financial risk assessment, identify key controls for each major risk area, and create a control matrix for only the key controls and develop the associated test plan.
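The change workflow Kaiser describes (request, development, test, approval, production) and the segregation-of-duties problem Bowles raises are two sides of one control. The following is an added illustration, not Abiomed's or any GRC vendor's code: a small change-control state machine that refuses to let the person who developed or tested a change approve it, refuses to let the approver promote it to production, and writes an audit record at every transition so the evidence is "embedded" at the time of execution rather than reconstructed for the auditor later. The change IDs, user names and evidence strings are constructed sample data.

```python
"""Added example: minimal change-control workflow with segregation of duties
(SoD) enforced and audit evidence captured on every transition.
Not code from the original article or from Abiomed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered lifecycle stages; a change may only move to the next stage.
STAGES = ["requested", "in_development", "in_test", "approved", "in_production"]


class ControlViolation(Exception):
    """Raised when a transition would break a SOX key control."""


@dataclass
class Change:
    change_id: str
    requester: str
    stage: str = "requested"
    actors: dict = field(default_factory=dict)      # stage -> user who entered it
    audit_log: list = field(default_factory=list)   # one record per transition

    def __post_init__(self):
        self.actors["requested"] = self.requester

    def advance(self, actor: str, evidence: str) -> str:
        """Move the change to the next stage as `actor`, enforcing SoD."""
        idx = STAGES.index(self.stage)
        if idx == len(STAGES) - 1:
            raise ControlViolation(f"{self.change_id} is already in production")
        next_stage = STAGES[idx + 1]

        # SoD control 1: whoever developed or tested the change may not approve it.
        if next_stage == "approved" and actor in (
            self.actors.get("in_development"), self.actors.get("in_test")
        ):
            raise ControlViolation(
                f"{actor} developed/tested {self.change_id} and cannot approve it")
        # SoD control 2: the approver may not be the one who deploys to production.
        if next_stage == "in_production" and actor == self.actors.get("approved"):
            raise ControlViolation(
                f"{actor} approved {self.change_id} and cannot promote it")

        # Embedded compliance: evidence is recorded at execution time, not later.
        self.audit_log.append({
            "change_id": self.change_id,
            "from": self.stage,
            "to": next_stage,
            "actor": actor,
            "evidence": evidence,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        })
        self.actors[next_stage] = actor
        self.stage = next_stage
        return next_stage


def audit_report(change: Change) -> list:
    """On-demand audit report: one human-readable line per transition."""
    return [
        f"{r['timestamp']} {r['change_id']}: {r['from']} -> {r['to']} "
        f"by {r['actor']} ({r['evidence']})"
        for r in change.audit_log
    ]


def run_compliant_change() -> Change:
    """A change walked through all stages by distinct people (constructed data)."""
    c = Change("CHG-0001", requester="alice")
    c.advance("bob", "ticket CHG-0001 assigned, branch created")   # development
    c.advance("carol", "test plan TP-0001 executed, all passed")   # test
    c.advance("dave", "change board sign-off recorded")            # approval
    c.advance("erin", "deployed build 1.2.3 to production")        # production
    return c


def self_approval_is_blocked() -> bool:
    """Small-shop scenario: one person develops and tests, then tries to approve."""
    c = Change("CHG-0002", requester="alice")
    c.advance("bob", "developed")
    c.advance("bob", "tested")          # same person in two roles is tolerated here
    try:
        c.advance("bob", "self-approval attempt")
    except ControlViolation:
        return True                     # control held; attempt never reached the log
    return False


if __name__ == "__main__":
    for line in audit_report(run_compliant_change()):
        print(line)
    print("self-approval blocked:", self_approval_is_blocked())
```

The point of the design is that the control and the evidence live in the same transition: an approval that would violate segregation of duties never enters the audit log, and every transition that does happen carries its actor, evidence and timestamp, which is what an ad hoc audit report then reads back.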
Abiomed decided that business and IT needed to organize and operate according to defined policies, that new processes were needed to handle matters such as personnel role changes and their impact on authorizations, and that training was important so that people understood their role in SOX compliance. Abiomed also identified challenges such as a limited IT staff that has to be knowledgeable about IT SOX controls, and the company reduced the time, expense and distractions associated with manual audits.
Abiomed’s experience shows that SOX compliance for smaller companies does not have to be time-consuming or expensive — if companies do their homework and adequately prepare.