Your external auditors have finally signed off on the last SOX control, and testing is done for the year. You can breathe a sigh of relief as the weight lifts from your shoulders. Of course, that just means it’s time to start over again. I have found that taking a moment to regroup your team and refresh key materials before you kick off your SOX program sets you on a stronger path. This article will give you four SOX planning best practices to help you have the best SOX year ever.
1. Hold a Retrospective
Before you do anything, hold a retrospective over the year that just ended. In a retrospective, we want to gather all the key stakeholders or at least representatives from the different teams. Consider bringing in several control owners, testers, and reviewers to have different perspectives from all key stakeholders involved in the SOX compliance process.
In the session, we should cover four topics: key trends or insights gained to help business partners improve control effectiveness and overall business resilience, areas of collaboration that worked well, opportunities for improvement, and action plans for improvement opportunities. Having an open, honest discussion will lead to great ideas for improving the overall program. If you want to take this idea even further, you can introduce a continuous improvement element to your SOX program by holding retrospectives at the end of each quarter.
2. Update Risk Assessment Factors
Not all SOX controls are created equal, and a good SOX risk assessment will help determine which controls need the most attention. SOX teams should first perform a control rationalization exercise to re-evaluate the existing control environment and remove duplicate, inefficient, unnecessary, or irrelevant controls.
The next step is to update your risk assessment methodology to ensure the risk factors considered are appropriate for the business. For example, some controls are much more complex than others and may be prone to human error, while others are simple and automated. Including risk factors like complexity and automation will point you toward the controls that require more scrutiny and help you develop an appropriate test plan.
3. Send Surveys Targeting Transformation Areas
You probably already have a survey process in place that’s sent to your control owners to ask if controls need updating, but you may need more. This year, consider expanding the survey audience to include individuals responsible for automation, cybersecurity, and system implementations.
The past few years have focused heavily on business transformation through technology. These transformation projects greatly impact many areas of a company, including SOX controls and in-scope SOX applications. By sending a change survey to a broader audience, we can learn about upcoming changes early and adjust our testing plans to focus on areas where errors are more likely to occur.
4. Digitize SOX Documentation
SOX teams know that narratives, flowcharts, and RCMs (risk and control matrices) are the trifecta in SOX documentation. However, keeping these updated can be difficult, often because we rely on manual updates managed through email and tracked in spreadsheets. We depend on the control owners to make the updates, and we may not be able to challenge any changes (or the lack of changes) they suggest. Even worse, flowcharting tools generally lack the ability to track changes made to the documentation, so we have to manually compare the versions to look for edits.
Bringing your documentation into a SOX management software solution that simplifies the update process and eliminates version control issues makes everyone’s life easier. Especially when the narratives and flowcharts are tied to your control framework, you get the benefit of only having to make the updates once, and the documentation is updated everywhere.
Ready for Your Best SOX Year Ever?
A strong SOX program starts with effective planning. Even companies with very few SOX issues each year should guard against complacency by challenging their existing processes. Ask your stakeholders for improvement suggestions, update the risk assessment, question transformation areas, and leverage technology for more efficient updates to documentation. Taking these steps can profoundly impact your SOX planning and lead to your company having the best SOX year ever!
Kim Pham, CIA, is a Market Advisor, SOX & Compliance at AuditBoard, with 10 years of experience in external and internal audit. She started her career at Deloitte & Touche LLP, and continued to grow her experience in internal audit focusing on SOX compliance and operational audits at Quiksilver, the California State University Chancellor’s Office, and CKE Restaurants.