Testing is a critical part of maintaining Sarbanes-Oxley compliance, but managing SOX testing procedures and documentation can quickly become frustrating without good organization and centralized data. This article and downloadable PDF will help you design a smooth, efficient process with best practices, useful techniques, and ways to engage with control owners at every step of the way.
Streamline SOX Testing
SOX testing can be cumbersome, but it doesn't need to be! If you are looking to streamline your SOX testing this year, be proactive in evaluating the architecture supporting your testing efforts. As any SOX practitioner can attest, managing testing procedures and documentation in spreadsheets, Word documents, emails, and shared drives quickly becomes unwieldy. Without a centralized, organized source of data, SOX teams often find themselves swimming in documents and multiple threads of communication. In fact, a recent poll of SOX practitioners found that testing and review workflows ranked as the number one area where a technology solution would be most helpful in alleviating inefficiencies.
Using a SOX management solution to house your data in a single source of truth — ideally one that is cloud-based and purpose-built for streamlining SOX project management — can eliminate version control issues and automate the process of manually following up with control and process owners to complete outstanding tasks.
Technology solutions can help, and so can following best practices to ensure alignment between the internal audit team and control owners, combat audit fatigue, and reduce inefficiencies across the SOX testing process.
Tips for Efficient SOX Testing: Test of Design/Walkthroughs
1. Ensure the control is well-defined prior to testing.
Understand the control definition and ensure it is specific enough to discern who is performing what during what time period. During walkthroughs it is best practice to go over one sample in detail with the control owner so that both parties agree on what was provided. This helps you focus on what to look for when testing the control, as well as how to request complete evidence up front in your PBCs without additional follow-up.
Tips for Efficient SOX Testing: Test of Operating Effectiveness
2. When sending out PBC requests, ask for all aspects of evidence upfront.
This helps to minimize follow-ups or secondary requests, which result in more work for you and the control owner. A PBC request should not always be for a report or screenshot; where necessary, it is important to ask for full evidence of a review of the attributes you are looking for. For example, if you are requesting evidence of a key report, clearly state the report name as well as whether you need evidence of sign-off and review.
3. Do not delay the review of the evidence.
While formal documentation might take a while, do not delay the initial review of evidence to ensure what was provided matches what was requested and is sufficient to perform testing. If evidence is not sufficient, you can quickly communicate the issue, allowing for a quick turnaround back to the control owner. More importantly, if issues are identified, you will have a buffer window to remediate them prior to year-end, rather than leaving them for the end of the audit when there may not be enough time for remediation.
4. Reviews should happen soon after testing is complete with minimal delay.
This way, if any items were not picked up by the tester, the reviewer still has the chance to communicate any deviations to control owners, rather than waiting until the year-end. This is also a great teaching opportunity, giving testers the opportunity to learn from their reviewers and sharpen their auditing skills during the process.
Tips for Efficient SOX Testing: Throughout Testing
5. Have consistent status meetings using real-time dashboards and reporting.
Establish a regular meeting cadence upfront that will last throughout the lifecycle of the engagement. This enables managers to keep track of what their staff is performing and to stay on top of exceptions, while also ensuring the team is progressing along the same timeline as defined and can reallocate resources if necessary. A SOX solution with real-time dashboards and reporting is a great way to drive and facilitate these meetings.
6. Coach on a regular basis.
Ideally, coaching should be ongoing throughout the engagement to ensure staff members are honing their auditing skills and learning more about the organization in the process of testing. This can be achieved through weekly internal SOX team status meetings. Coaching goals can include:
- Ensure staff members understand the scope of work to be performed and create a timeline of estimated due dates.
- On a daily to weekly basis, hold check-ins with the team to see how staff members are progressing against the projected timeline. Reviewers should be held accountable for their timelines as well.
- When a learning opportunity arises, seize the real-time example to provide guidance and coaching.
- Discuss any issues identified or delays to the project plan so that the team can manage resources accordingly, as well as manage communication with the C-suite and control owners early on.