Eliminate, Advocate, and Increase Reliance: Uplevel Your SOX Program in 2024

Many internal audit teams may not be the first to be called by the Board or Executive Management to help them navigate these new business risks because of their traditional approach to SOX. Responding to new business risks may sometimes require organizational change, and those who will be asked for help in these areas will have exhibited leadership and ownership, not just the ability to carry out compliance responsibilities. To do this, internal audit teams must uplevel their organization’s approach to SOX through six core tenets: educate, automate, delegate, eliminate, advocate, and increase reliance.

This is the second part of a two-part series. The first article can be found here.

Eliminate

Assessing your SOX program for work to be eliminated should be a task formally completed once or twice a year. As an informal process, eliminating excess work is a continuous process.

To identify opportunities to eliminate work performed from SOX compliance, the most important tool is performing the SOX Risk Assessment with a focus on rationalizing the control environment. An outcome of the SOX Risk Assessment should be an understanding of the number of key controls needed for SOX Compliance. The robustness of performing the SOX risk assessment can sometimes be correlated to changes in an organization’s financial reporting results.

For example, if there have not been dramatic changes to your organization’s financial reporting results in the past few years, it could mean that financial reporting risks and key controls have not been scrutinized thoroughly to determine if key controls could be removed.

Does the SOX Risk Assessment suggest in-scope controls based on the transactions that are populating financial statement line items, or are all related controls in scope and high risk for the in-scope line item? For example, if two transactions are populating the financial statement line item that is deemed material, with one transaction representing 90% of the line item amount, then only the control associated with the 90% would need to be in-scope (and not the separate control(s) for the transaction representing 10% of the financial statement line item amount).

Another aspect that can often highlight controls to be rationalized is when an organization has a high number of in-scope entities for SOX compliance. While the entity may be in scope for SOX compliance, being more rigorous in the SOX risk assessment may find that certain processes at that entity do not need to be in scope, or certain controls in that process do not need to be considered key.

The SOX risk assessment is not the only way to identify work to be eliminated. Providing a process for control owners to self-report control issues as they are identified can help internal audit address and fix the issue sooner, saving the need for the external auditor and Accounting and IT leadership to spend time on the same issue as testing is completed.

And finally, those internal audit teams that are writing and issuing audit reports for SOX work should take a long look in the mirror and ask themselves the question – is this report really necessary? Or are there ways to communicate the work done through visual dashboards and other automated reports?

Advocate

Take a moment to yourself right now and think about the best business leader you have had the opportunity to work with. Chances are, this leader exhibited traits to get people excited about the work needed to be done, was an effective communicator, was part cheerleader and counselor, and also displayed compassion and empathy.

Many successful internal audit teams are successful in part because they chose to lead their SOX program similarly. Being a forward-facing and positive advocate for SOX Compliance in your organization will not only drive for better control performance in your organization. But better, it will position yourself and your team as Business Leaders and can improve your team’s reputation.

A great way to create positive awareness for your SOX program is to publicly share positive control performance by the business. Can your internal audit team create a monthly “SOX newsletter” that highlights not only key SOX dates, deliverables, and responsibilities? But also recognizing control performance where control owners went above and beyond, or took ownership to create a new control where needed, or to bring in internal audit for assistance? Publicly acknowledging good performance can help increase the buy-in of control owners and motivate others to be seen doing good work with their SOX-related tasks.

Another way to reduce control deficiencies and get people excited about SOX is to “gamify” SOX work. I’ve personally seen companies effectively publicize on-time and overdue document requests and control deficiencies across departments, and “compete” with other processes, departments, or geographies to have the best control results possible.

Leading a SOX Program is no different than leading other initiatives or departments in an organization. Being a brand ambassador for control performance allows being seen as a leader by your CFO and Audit Committee. Publicly supporting and communicating the benefits of governance, risk management, and controls will likely leave others to believe you are best suited to help in these areas when new needs arise.

To be awarded more opportunities to take on more work or to help with significant change projects, it is not only important to do good work, but also to be seen as a leader and to go all-in on new projects assigned to you.

Increase Reliance

Working with the external auditor to increase their reliance on management’s work may be one of the trickiest, or hardest to accomplish, activities in a SOX program. External Auditors may be reluctant to reduce their workload because of their financial forecasts – reducing work means reducing billable hours.

But because it is hard does not mean it is not worth doing. And there are ways internal audit can help drive External Auditors to rely on management’s work. At a minimum, internal audit will need to establish and prove their competence and independence. The external auditor will not leverage work done by those unqualified to carry out SOX testing, or those that are not deemed to be independent from the teams responsible for performing the controls.

Internal audit’s competency to SOX work will be assessed, either formally or informally, by how well they perform and understand the SOX risk assessment. Is how we assess materiality in line with other organizations in your industry or of similar size? Does the SOX Risk Assessment support why controls are deemed high-risk or not? And how thorough, accurate, and current are SOX documents, such as process narratives, flowcharts, risk and control matrices, and testing results. How can the external auditor put reliance on work that is not reliable?

Independence is also a tricky area to consider because many internal audit departments administratively report to the CFO and changing reporting relationships is not something to be done on a whim. That said, a conversation can be warranted with the External Auditor, CFO, and Audit Committee to determine if more of internal audit’s work can be relied upon if internal audit is reported to another functional leader. The CEO or General Counsel are two leaders that internal audit can report to that continue to provide the stature needed and also deem them more independent to allow the External Audit to leverage their work.

Another influencing factor to external audit’s reliance is how well internal audit partners with them. This is a bit more subjective but there are practices to help promote a healthy relationship between the audit teams.

Does internal audit proactively identify opportunities to make the external auditor’s job easier, such as coordinating process walkthroughs, collaborating on sampling methodologies, and helping with documentation requests? Can internal audit take a leadership role by educating new external audit staff when they join the account, ensuring narratives and RCMs are easy to access, and testing results are easy to understand and supported?

Increasing the external auditor’s reliance on management’s work will likely not result in a reduction of internal audit’s time spent on SOX compliance. It is likely to result in more effort needed. However, effectively collaborating and teaming with the external auditor to increase their reliance on management’s work can help save the company money in an area that represents one of the largest expenditures of many corporate finance teams. And identifying areas to save money can help increase internal audit’s influence and brand.

Upleveling SOX Performance for a Better Internal Audit

There has never been a time when an organization’s need for a more contemporary and modern internal audit team has been greater. Negative risk events occur more frequently, are more complex, and their impacts can be experienced faster. And because of the digitally transforming business landscape, new opportunities for organizations to increase revenue, market share, and customer appreciation can be missed without the assurance and advisory services internal auditors can provide.