When it comes to SOX, sometimes it is hard to see the forest for the trees. In a control design session on user access controls, I once heard an auditor recommend excluding senior management's access from the user access review. The auditor felt that reviewing the appropriateness of senior managers' system access was an unnecessary burden and believed that their access did not require oversight. At the same time, the auditor wanted stricter controls over the lowest levels of access held by all other employees. This entirely missed the point of SOX: the Sarbanes-Oxley Act was passed in response to financial reporting misstatements and fraud perpetrated by senior management.
It was clear that the SOX compliance program was not aligned with the original intent of the SOX Act — it had drifted from its main objective and needed recalibration. This article details 10 steps to assess the effectiveness of your SOX program, and then offers 5 steps to get your SOX program back on track.
How Can You Assess the Effectiveness of Your SOX Program?
The assessment of your SOX program can start with one simple question: “Can my SOX team answer: ‘What’s the point of SOX?’” You may be surprised by your team’s answers, and that surprise can be a clear sign that it is time to revamp your SOX program. At its core, the SOX Act requires public companies to maintain internal controls that mitigate the risk of material misstatement in the organization’s financial statements. Senior management is responsible for monitoring the control environment and producing accurate financial reporting. Of course, many other indicators can point to the need for a SOX overhaul, such as your program growing in complexity despite minimal changes to the business, increased automation throughout the organization’s processes, or turnover in senior management changing the tone at the top.
Regardless of how long your SOX program has been in place, taking a holistic view of your SOX compliance effort allows your organization to realign with the true purpose of SOX. The checklist below will help guide you through many aspects of what to review during your SOX assessment and covers the ten most common SOX areas that lose focus over time.
10 Step Checklist to Assess Your SOX Program
- Review key documentation for accuracy:
  - Organization charts
  - Current RCM (risk and control matrix)
  - Application inventory and description of each application's impact on financial reporting
  - Current process walkthroughs
- Challenge your SOX risk assessment for accurate financial materiality and other SOX scoping factors.
- Review your SOX scoping risk assessment by business unit to ensure the correct processes are scoped in for SOX.
- Determine the scope of coordinated testing efforts with other lines of defense.
- Conduct interviews with key personnel (process/control owners) about SOX.
- Conduct a controls rationalization analysis to identify common, missing, and/or redundant controls.
- Look for automation opportunities within the business to also leverage as SOX controls.
- Look for automation opportunities within your SOX testing program, including implementing technology solutions to create an efficient and effective program.
- Identify the strongest controls in each process and challenge the mix of preventive, detective, and automated controls.
- Challenge “Key” control designation to streamline SOX testing.
How Do You Remedy Your SOX Program?
After you have reviewed the ten items listed above, it is time to develop an action plan. Think of this in audit terms: you have identified issues, and you need to address them with remediation plans. You can complete your remediation plan in 5 steps:
- Develop a summary report of observations, recommendations, and remediation plans.
- Rank your observations, recommendations, and remediation plans to identify what needs immediate attention versus items that can wait.
- Create a realistic timeline for implementing corrective actions.
- Share the SOX program review results, action plans, and timeline with control owners and key SOX stakeholders.
- Monitor the progress made in addressing the issues and update action plans as necessary.
Consider your timing when you go about this exercise. Ideally, the revised SOX program should kick off at the start of a new fiscal year. If you manage hundreds of controls, the review may take several months to complete. If you feel the program needs recalibration, start the review as soon as possible. It will take time to focus the efforts of everyone involved, but the result will be a stronger, leaner, and more effective SOX program.