Most auditors who work for public companies walk into a well-established SOX program. From their perspective, others already documented narratives and controls, and quarterly testing may be fairly routine. Alan Maran and the Internal Audit team at Chewy had a very different experience. Chewy is an e-commerce company specializing in pet food and pet-related products, and the company just went public in July 2019. As a newly minted public company, Chewy was now subject to SOX compliance.
Six months before the company went public, Chewy tasked Alan Maran and his team with documenting processes and identifying controls that would become its SOX program. As Alan explains, creating the SOX environment was a journey that included more than documentation. Starting from scratch meant educating those in the business on what it takes to implement a well-controlled, forward-looking business environment that includes financial, technical, and operational risks. As an example of the education efforts, internal audit helped design a SOX 101 learning program for control owners on documentation standards and keeping their documentation updated. After going through the education session, control owners could better understand their controls to reevaluate their processes and suggest changes to their key control listing. As a result, audit and the control owners have a strong partnership, with management assuming full ownership of their controls and audit providing guidance.
At the start of the journey, the team was just three people tasked with documenting all the processes, risks, and controls. Alan credits building the audit team and implementing AuditBoard as a technology enablement solution to get through the journey. A successful SOX program manages repetitive exercises like reminding control owners to update documents, sending out PBC lists (documentation requests), and signing off controls. Embracing technology freed up the team’s limited time so they could focus on more critical tasks.
Internal Audit was also able to gain the audit committee’s trust by proving the value of their function by reviewing the areas that mattered most to the company, like cybersecurity and business continuity plans during the COVID pandemic. From that point on, internal audit had a seat at the table. Now they were able to advise management by discussing the use of automation and data analytics as part of their controls and thinking ahead to continuous monitoring to make the company more proactive than reactive.
Establishing the SOX program at Chewy was a great learning experience for Alan. He shared a few best practices that can help anyone who has SOX testing responsibilities. Alan advises being objective when designing controls to mitigate risk, without making the controls too specific. If the control descriptions are too specific, you end up with large numbers of controls. When deciding where to spend your effort, focus on the key processes and controls that are the most important to the company rather than trying to control everything. Finally, he recommends validating your understanding of risks and your controls with your external audit partners early in the process and partnering with them when planning for the future.
Since the beginning of their journey, the audit department at Chewy has more than tripled. The company continued to invest in its growth because of the value brought by the department’s proactive mindset. As a final takeaway, Alan says one of their next goals is to provide an even better risk assessment, one that includes strategic risks and looks at risk from all angles to help management continue to stay ahead of the curve.