This post discusses what business analysts can learn from the Sarbanes Oxley Act requirements for the purposes of establishing an effective internal control system within the enterprise.

Meeting the financial auditing and reporting requirements of SOX is a challenge for publicly traded companies. While SOX mostly applies to companies in the US, the European Union is moving in the same direction. Lessons learned from applying SOX in mid-market and large enterprises show that a consistent "control" system is required to satisfy the SOX requirements. Let's have a closer look at what this means for an enterprise.

Internal Controls

Senior management is concerned with finding better ways to control the enterprises they run. Multiple internal controls are put in place to keep the enterprise on the right track towards its business objectives and mission, with the imperative of minimising risks along the way. These controls allow management to react proactively to changing market conditions and to restructure strategy and tactics for future growth. Good internal controls support continuous improvement of business processes, reduce the risk of unexpected losses and ensure compliance with market regulations and laws.

To summarise, internal controls provide management with assurance that the following key business objectives are achieved:

  • Efficiency of core business processes
  • Reliable and timely operational and financial reporting
  • Compliance with applicable regulations and laws with no breaches.

Structure of the Control System

For the controls to be effective, they should reside in a control environment that defines the character of the enterprise. This environment is the platform for all components of internal control, supporting the defined organisational structure and internal discipline. The platform rests on the following key pillars:

  • Policies
  • Segregation of duties & financial authority
  • Operational control thresholds
  • Financial control thresholds
  • Security and access permissions
  • Risk assessment & management
  • Competencies matrix
  • Control points (within business processes)
  • Monitoring means (reports & KPIs)

The control system has to be supported by an integrated information system that records all transactions in a timely manner and disseminates the captured information to designated users with well-defined duties.

To ensure that the controls are adequate and to maintain their effectiveness over time, standards of internal compliance should be put in place, and an internal audit should be performed on a regular basis.

An overview of the proposed structure is illustrated below:

[Figure: An appropriate internal controls system can greatly reduce the burden of external compliance and audits]

The proposed system ensures that external audits undertaken by market bodies will be painless for the enterprise, because the internal audits will uncover what needs fixing well in advance. External compliance becomes straightforward as long as your internal compliance aligns with the external requirements.

The benefits for the enterprise from having such a control system are:

  • clear internal governance (policies and procedures)
  • clear business objectives and metrics of performance
  • clear value-chain within the enterprise
  • effective business processes
  • well-defined control points within the business processes
  • captured, tracked and communicated business information in near real time
  • consistent and reliable business data within the enterprise (financial data is supported by operational transactions)
  • competent and motivated staff
  • early warnings about events that might impact the enterprise in a negative way
  • well maintained relationships with the enterprise’s environment (customers, vendors and governing bodies).
An established and well-maintained control system helps the enterprise achieve its strategic business objectives, prevent the loss of valuable resources and retain qualified staff. It ensures sound and reliable operational and financial reporting for top management. Such a system also prevents penalties for breaching laws and regulations, and thus protects the image and reputation of the enterprise in the long run.