For many of us, SOX risk assessments combine quantitative and qualitative information such as financial materiality, past issues, process complexity, and control owner maturity. The midpoint of the year is an ideal time to revisit in-scope SOX processes to capture changes throughout the year. The business may have updated a process, implemented a new system, or made changes to management personnel that could impact the SOX controls. This article will provide answers to three key questions that will influence your mid-year SOX assessment.
How Can We Reduce the SOX Impact on Management?
A typical point of concern with SOX is audit fatigue. We can reduce this concern by keeping the risk assessment as simple as possible. SOX is often seen as an afterthought, and control owners may feel like SOX is a distraction from their “real” jobs. We can take steps to help relieve this perceived burden. The key to reducing the impact on management is balancing requirements versus expectations. For example, just because you could include many data points in your assessment, does not mean you should. For a mid-year reassessment, the risk assessment needs to be completed within a reasonable time frame, with minimal impact on management.
How Can SOX Teams Collect Better Information from Management?
Many of the most effective and efficient SOX departments use risk and control self-assessments (RCSAs). The RCSA pushes the data entry for the assessment down to the first line of defense, who are closer to the processes. They give you a starting point and their perspective. From there, we can apply our professional judgment to decide who should be interviewed and which areas are likely low risk and therefore can be quickly eliminated from the plan.
Suppose you choose to employ a form of self-assessment. In that case, SOX software can automate the data collection portion of the assessment. Investing in solid risk assessment technology can help you crunch the data and prioritize your SOX program efforts. Risk assessments are a starting point, and should not be so complex that we dread the exercise itself and overwhelm management.
How Can We Make the Best Use of Management’s Time?
Since management’s time is limited, it is crucial to make the best use of any time we’re able to schedule. One way to ensure the time is productive is to scope risk assessment efforts using a pre-assessment survey. Sending a survey before the assessment will help determine if there are any prior or upcoming changes to discuss or if we should carry prior risk ratings forward.
Example questions include:
- Were there any changes in key positions in the past six months?
- Were there any process, policy, or procedure changes that impacted your SOX controls?
- Were there any external events that impacted your SOX controls?
- Were there any system implementations, upgrades, outages, or data migrations made to applications in scope for SOX?
Remember the Point of SOX
Always remember that SOX is a moving target. The point of the SOX Act is to help prevent and detect fraudulent financial statements through a comprehensive control environment. Since the risk landscape changes, the control environment is also subject to changes. By approaching the mid-year SOX risk assessment through a series of activities meant to capture meaningful information while reducing the burden to management, we can make the most of the assessment.