breaking

Wednesday, April 15, 2009

Reducing the Cost of China SOX Implementation

Implementing tools to comply with China’s Basic Standard for Enterprise Internal Control (C-SOX) may seem like an expensive and resource-intensive project, but there are several ways to cut down on the most obvious expenses.

Use hosted IT solutions if possible. If your IT vendors or systems integrators can offer software-as-a-service (SaaS) tools, this can reduce your internal hosting and IT support costs by up to 30 percent. SaaS means that the vendor takes care of hosting and maintaining your systems, and provides them as a “service” to you over the Internet. The benefit to you is that you don’t have to invest in hardware (servers) or software (databases, operating systems) to roll out the project – your vendor already has that taken care of. Furthermore, you need less internal IT support because the vendor looks after the hosting environment (usually 24 hours a day, 7 days a week) and manages the system for you. An added benefit of SaaS systems is that you always get the most up-to-date version of the software because the vendor is frequently upgrading the system.

While external hosting may sound risky, in fact it is very secure and the hardware and software used are constantly improving. Look for vendors that have had their hosting centers and processes certified (in SAS 70 or similar) to know you are in good hands. Many people initially think that only small companies opt for externally hosted systems, but research shows that an increasing number of large companies are moving in this direction. This is true in China and elsewhere.

Another way to reduce the cost of your C-SOX implementation is to adopt a phased approach to your project. This means starting small and building on your experience over time. This will help to keep personnel and resource costs down, and will also make it easier for your company to absorb the learning from the project as you go along. Since one of the key challenges of adhering to the Basic Standard for Enterprise Internal Control is creating a culture of risk awareness and responsibility you will want to take a measured pace to ensure that the fundamentals are being adopted across the enterprise.

Operationally, this means starting with “low hanging fruit” like employee training, organizational mapping and reviewing the current policies, processes and procedures that you have. These tasks can create a baseline that you can build on (i.e. implement new procedures, introduce IT controls) at a later stage.

Finally, a good way to get value while implementing C-SOX is to turn to experts who have done this sort of thing before. Of course, the Basic Standard for Enterprise Internal Control is a new regulation so there is no direct experience in the market. However, many companies have experience in implementing other controls and regulations such as Sarbanes Oxley, J-SOX (Japan’s version), ISO and others. Consulting and advisory companies can be useful guides for setting your strategy, plan and key metrics associated with your C-SOX project. Many of them have rich international experience that can benefit listed Chinese companies.

Hiring an outside consulting firm or advisor may seem expensive, but it is likely to save you considerable trouble and money in the long term. Look for a professional organization with proven international experience to help you get started and the result will be that you are able to accelerate you project. As with the Sarbanes Oxley regulation, the Basic Standard for Enterprise Internal Control says that consulting and advisory companies cannot do internal control audits for those same clients.