In 2002, the Sarbanes-Oxley (SOX) Act was passed by Congress in response to the fallout and uncertainty following the frauds at WorldCom and Enron. The Act introduced major reforms to the regulation of financial disclosure and corporate governance, with the goal of restoring the public’s confidence in auditing and financial reporting. The SOX Act, also known as the “Public Company Accounting Reform and Investor Protection Act” and the “Corporate and Auditing Accountability and Responsibility Act,” was named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley.
The new or expanded compliance requirements apply to all US public company boards, management and accounting firms. Among other provisions, the SOX Act mandates:
- All financial reports include an Internal Controls report
- Accurate financial data and controls in place to safeguard financial data
- The issuance of year-end financial disclosure reports
- Disclosure of corporate fraud by protecting whistleblower employees
Key Sarbanes-Oxley Requirements
Sarbanes-Oxley consists of 11 titles, but there are two key provisions when it comes to compliance requirements: Sections 302 and 404.
Section 302: Corporate Responsibility for Financial Reports
Section 302 states that the CEO and CFO are directly responsible for the accuracy of financial reports. Signing officers must review and certify the accuracy of financial statements, establish and maintain internal controls, and disclose all significant deficiencies, fraud and significant changes in internal controls.
Section 404: Management Assessment of Internal Controls
Section 404 states that all annual financial reports must include an Internal Control report stating that management is responsible for an adequate internal control structure, an assessment of the effectiveness of the internal control structure and any shortcomings in the controls. Independent external auditors must also attest to the accuracy of the company’s statement that internal controls are in place and effective.
The Benefits of SOX 404 Compliance
One of the key outcomes of Sarbanes-Oxley was the end of self-regulation and the establishment of independent oversight of the auditing process through the Public Company Accounting Oversight Board (PCAOB). The PCAOB has the power to set industry standards, investigate fraud allegations and regulate audit firms.
Although companies initially struggled with the cost and resource burden of compliance, over time they have seen the investment in SOX compliance pay off in several ways:
1. Improved corporate governance - SOX compliance improved corporate governance through greater regulation of audit committees. Before SOX, just 51% of public companies had audit committees that were completely independent of management. SOX mandated that all listed companies have an audit committee whose members are independent of management and that includes at least one financial expert. As a result, audit committees today are better equipped to provide accurate and truthful financial reports.
2. Increased accountability - SOX compliance makes executives more accountable and protects investors. Executives are required to personally certify financial reports, with significant penalties in place for fraudulent activity.
3. Auditor independence - SOX compliance enhances auditor independence by prohibiting audit firms from providing bookkeeping, actuarial or management functions to the companies they audit.
4. Fewer financial restatements - Post-SOX, the number of financial restatements continues to decline year-over-year, decreasing from 1,851 in 2006 to just 737 in 2015.
The SOX Audit Process
SOX audits can be broken down into any number of steps, from performing risk assessments to deciding what to include in an audit committee report. We’ve narrowed our outline to the following eight steps:
- Defining the Scope Using a Risk Assessment Approach
- Determining Materiality and Risks - Accounts, Statements, Locations, Processes, and Major Transactions
- Identifying SOX Controls - Non-Key & Key, ITGCs, and other Entity-Level Controls
- Performing a Fraud Risk Assessment
- Managing Process and Control Documentation
- Testing Key Controls
- Assessing Deficiencies
- Delivering Management’s Report on Controls
1) Defining the SOX Audit Scope Using a Risk Assessment Approach
For performing a risk assessment, PCAOB Accounting Standard No. 5 recommends, “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”
This step in a SOX compliance audit should not produce a list of compliance procedures; it should help the auditor identify potential risks and their sources, how they might impact the business, and whether the internal controls will provide reasonable assurance that a material error will be avoided, prevented, or detected.
2) Determining Materiality in SOX - Accounts, Statements, Locations, Processes, and Major Transactions
Step 1 - Determine what is considered material to the P&L and balance sheet
How: Financial statement items are considered “material” if they could influence the economic decisions of users. Auditors can typically determine what is material by calculating a certain percentage of key financial statement accounts. For example, 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and balance sheet accounts.
Step 2 - Determine all locations with material account balances
How: Analyze the financials for all the locations you do business in. If any of the financial statement account balances at these locations exceed what was determined as material (in Step 1), chances are they will be considered material and in-scope for SOX in the coming year.
Step 3 - Identify transactions populating material account balances
How: Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they are recorded should be documented in a narrative, a flowchart, or both.
Step 4 - Identify financial reporting risks for material accounts
How: Seek to understand what could prevent the transaction from being recorded correctly (the risk event). Then document the effect the risk event could have on how the account balance is recorded (the breakdown of the financial statement assertion).
3) Identifying SOX Controls - Non-Key & Key Controls, ITGCs, and other Entity-Level Controls
During the materiality analysis, auditors identify and document the SOX controls that may prevent or detect transactions being recorded incorrectly. They seek to identify the checks and balances in the financial reporting process that ensure transactions are recorded correctly and account balances are calculated accurately. Some examples of preventive or detective SOX controls include:
- segregating conflicting duties (e.g. the ability to post and approve invoices),
- reviews of individual or multiple transactions recorded in the period, and
- account reconciliations.
Next, material accounts often need multiple controls in place to prevent a material misstatement from occurring. You’ll have to analyze all the controls to determine which ones best provide that assurance, keeping in mind the people, process, and technology in place.
Audit teams are cautioned against applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Each new control is often inadvertently classified as “key” without a true risk assessment being performed, which contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts and “scope creep.”
To keep things simple, the quickest way to differentiate a non-key from a key control is to refer to the level of risk being addressed: is the control mitigating a low or a high risk? By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.
Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated controls. For each automated control identified, you should evaluate whether the underlying system is in-scope for ITGC testing, which will affect your overall testing strategy for the control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of control testing that needs to be performed.
4) Performing a Fraud Risk Assessment
An effective system of internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing the instances of fraud in an organization. Internal controls play a key role in reducing the opportunities available to commit fraud and in limiting the material impact if fraud occurred, including a manual override of internal controls.
Below are examples of anti-fraud internal controls and practices organizations can implement to considerably lower losses due to fraud.
Segregation of Duties: The Institute of Internal Auditors (IIA) describes the basic idea underlying segregation of duties as “no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties.” That is, the work of one individual should be either independent of, or serve as a check on, the work of another. Examples of duties that should be kept separate:
- Custody of Assets
- Authorization/Approval of related transactions affecting those assets
- Recording and reporting of related transactions
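The three duty categories above can be checked mechanically against an entitlement export. The following is an added example, not code from the original article: it treats any two of custody, authorization and recording held by one user for the same asset class as a toxic combination, and lets documented compensating-control exceptions be excluded. The user names, asset classes and entitlement rows are constructed sample data, not from any real system.

```python
"""Segregation-of-duties (SoD) conflict check over an entitlement list.

Added example (not from the original article). The three duty categories
are those listed in the text; the conflict matrix, helper names and sample
data are assumptions for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Duty categories that must not be held by the same person for one asset class.
DUTIES = ("custody", "authorization", "recording")

# Conflict matrix: every pair of distinct duties is a toxic combination.
CONFLICTS = {frozenset(pair) for pair in combinations(DUTIES, 2)}

# Constructed sample rows of the form an IAM/ERP role export might give:
# (user, asset_class, duty)
SAMPLE_ENTITLEMENTS = [
    ("alice", "accounts_payable", "recording"),      # posts vendor invoices
    ("alice", "accounts_payable", "authorization"),  # also approves them -> conflict
    ("bob",   "accounts_payable", "custody"),        # releases payments only
    ("carol", "inventory", "custody"),
    ("dave",  "inventory", "recording"),
    ("dave",  "inventory", "authorization"),         # approves own adjustments -> conflict
    ("erin",  "payroll", "recording"),
]


def find_sod_conflicts(entitlements, accepted_exceptions=frozenset()):
    """Return sorted (user, asset_class, duty_a, duty_b) tuples for each toxic pair.

    accepted_exceptions: set of (user, asset_class) pairs that have a documented
    compensating control (e.g. independent review) and are therefore not reported.
    """
    held = defaultdict(set)
    for user, asset, duty in entitlements:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r} for {user}/{asset}")
        held[(user, asset)].add(duty)

    findings = []
    for (user, asset), duties in held.items():
        if (user, asset) in accepted_exceptions:
            continue
        for duty_a, duty_b in combinations(sorted(duties), 2):
            if frozenset((duty_a, duty_b)) in CONFLICTS:
                findings.append((user, asset, duty_a, duty_b))
    return sorted(findings)


def users_with_conflicts(entitlements, accepted_exceptions=frozenset()):
    """Distinct users that appear in at least one unresolved conflict."""
    return sorted({f[0] for f in find_sod_conflicts(entitlements, accepted_exceptions)})


if __name__ == "__main__":
    for user, asset, duty_a, duty_b in find_sod_conflicts(SAMPLE_ENTITLEMENTS):
        print(f"SoD conflict: {user} holds both {duty_a} and {duty_b} for {asset}")
```

Run against a periodic role export, this is the kind of detective control an audit team can re-perform on every review cycle rather than relying on a one-time walkthrough; the exception set keeps accepted risks visible as data instead of silently dropping them.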
Expense Reimbursements: According to ACFE’s 2014 report, a significant portion of asset misappropriation schemes involve situations in which an employee makes a claim for reimbursement of fictitious or inflated business expenses. To prevent such schemes, management should ensure that the relevant policies and procedures surrounding employee reimbursements are communicated to employees and updated whenever necessary. Moreover, the approval flow for such reimbursements should include, along with the direct supervisor, other key stakeholders such as affected business team members, payroll, or internal audit.
Whistleblower Hotline: In spite of federal regulations, the ultimate responsibility for implementing a strong whistleblower program lies with management. Historically, internal employee tip-offs have provided the best means of fraud detection. Hence, management cannot afford to neglect having an internal whistleblower mechanism within their organization.
Periodic Reconciliation of Bank Accounts: Bank reconciliations highlight the differences between the cash per balance sheet and the bank statement, while also confirming the accuracy of the data recorded in the organization’s cash ledger. Performing a bank reconciliation is not only about identifying unexpected differences; it also helps prevent future occurrences, for example by addressing accounting delays or restricting auto-debits to vendors. Depending on the size of the organization, bank reconciliations should be performed on a daily, weekly, or monthly basis to monitor and detect fraudulent activity.
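To make the reconciliation step concrete, here is an added example (not from the original article) that matches a cash-ledger extract against a bank-statement extract by reference and amount. It separates timing differences (ledger items not yet at the bank) from the two categories that need investigation: bank movements never recorded in the ledger, such as an unexpected auto-debit, and amount mismatches on a shared reference. The references and amounts are constructed sample data.

```python
"""Bank reconciliation as a detective control.

Added example, not from the original article. References, amounts and the
function names are illustrative assumptions; the extracts are constructed.
"""
from decimal import Decimal

ZERO = Decimal("0.00")

# Constructed cash-ledger entries for the period: (reference, signed amount).
LEDGER = [
    ("CHK-1001", Decimal("1500.00")),
    ("CHK-1002", Decimal("250.00")),     # cheque not yet cleared: timing difference
    ("ACH-2001", Decimal("-9800.00")),   # payroll, outgoing
    ("DEP-3001", Decimal("4200.00")),
]

# Constructed bank-statement lines for the same period.
BANK = [
    ("CHK-1001", Decimal("1500.00")),
    ("ACH-2001", Decimal("-9800.00")),
    ("DEP-3001", Decimal("4020.00")),    # transposed digits: amount mismatch
    ("ACH-2099", Decimal("-1250.00")),   # auto-debit nobody recorded in the ledger
]


def _index(entries):
    """Map reference -> amount, refusing duplicate references in one extract."""
    indexed = {}
    for ref, amount in entries:
        if ref in indexed:
            raise ValueError(f"duplicate reference {ref!r} in extract")
        indexed[ref] = amount
    return indexed


def reconcile(ledger, bank):
    """Classify every line and prove the totals difference is fully explained."""
    ledger_by_ref = _index(ledger)
    bank_by_ref = _index(bank)

    outstanding = [(ref, amt) for ref, amt in ledger if ref not in bank_by_ref]
    unrecorded = [(ref, amt) for ref, amt in bank if ref not in ledger_by_ref]
    mismatched = [
        (ref, amt, bank_by_ref[ref])
        for ref, amt in ledger
        if ref in bank_by_ref and bank_by_ref[ref] != amt
    ]

    ledger_total = sum((amt for _, amt in ledger), ZERO)
    bank_total = sum((amt for _, amt in bank), ZERO)
    difference = ledger_total - bank_total
    # Ledger minus bank equals: ledger-only items, minus bank-only items,
    # plus the per-reference gap on mismatched items. If this does not hold,
    # the extracts themselves are inconsistent (e.g. a cut-off problem).
    explained = (
        sum((amt for _, amt in outstanding), ZERO)
        - sum((amt for _, amt in unrecorded), ZERO)
        + sum((l_amt - b_amt for _, l_amt, b_amt in mismatched), ZERO)
    )
    return {
        "outstanding": outstanding,
        "unrecorded": unrecorded,
        "mismatched": mismatched,
        "ledger_total": ledger_total,
        "bank_total": bank_total,
        "difference": difference,
        "explained": explained,
    }


def requires_follow_up(result):
    """Outstanding items are normal timing differences; the other two are not."""
    return bool(result["unrecorded"] or result["mismatched"])


if __name__ == "__main__":
    result = reconcile(LEDGER, BANK)
    for key in ("outstanding", "unrecorded", "mismatched"):
        print(key, result[key])
    print("difference", result["difference"], "explained", result["explained"])
    print("follow-up needed:", requires_follow_up(result))
```

The useful output is not the totals difference itself but its decomposition: the unrecorded auto-debit and the transposed deposit are exactly the items the text describes as unexpected differences, and they are what a reviewer signs off on.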
It is management’s proactive approach towards fraud detection and prevention, coupled with strong internal controls, which will ultimately decrease the opportunities to commit fraud and instill an ethical culture within an organization.
5) Managing Process and SOX Controls Documentation
Details of the operation of key controls, such as control descriptions, frequency, test procedures, associated risk, population, and evidence, are established within the control narrative and documentation. Risk and control mapping often has a many-to-many relationship, which can make manual documentation difficult. Some examples include: risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls. As any audit manager can attest, if one member of the team fails to make a timely edit or forgets to make updates across all test sheets, the downstream ripple effect can cost managers hours and hours of cleanup.
The solution is to leverage an underlying relational database to act as a central repository and as the foundation of the audit program. SOX software constructed upon purpose-built database structures allows auditors to quickly pull or push information to and from a database and have those results cascade throughout the entire SOX program instantly. Controls documentation is simple and doesn’t require making edits across several standalone spreadsheet files. In addition, a spreadsheet cannot handle the large volumes of data that accumulate when annual audit results are reused year over year. The speed, accuracy, and scalability of a database solution will exceed the benefits of “spreadsheet familiarity.”
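The many-to-many structure the passage describes is easiest to see in a schema. The following is an added example, not code from the original article or from any SOX product: a small relational repository built with Python’s standard-library sqlite3 module, in which a risk maps to several controls, a control covers several processes, and an issue is recorded once and becomes visible from every affected process through joins rather than copied edits. Table names, columns and the sample risks, controls and issue are constructed assumptions.

```python
"""Relational repository for risk/control mapping.

Added example (not from the original article or any vendor). Uses sqlite3
from the standard library; all schema names and sample data are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE risk    (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE control (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                      is_key INTEGER NOT NULL CHECK (is_key IN (0, 1)),
                      frequency TEXT NOT NULL);
CREATE TABLE process (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- Junction tables carry the many-to-many relationships described in the text.
CREATE TABLE risk_control    (risk_id INTEGER NOT NULL REFERENCES risk(id),
                              control_id INTEGER NOT NULL REFERENCES control(id),
                              PRIMARY KEY (risk_id, control_id));
CREATE TABLE control_process (control_id INTEGER NOT NULL REFERENCES control(id),
                              process_id INTEGER NOT NULL REFERENCES process(id),
                              PRIMARY KEY (control_id, process_id));
-- An issue is stored once, against the control that failed.
CREATE TABLE issue   (id INTEGER PRIMARY KEY,
                      control_id INTEGER NOT NULL REFERENCES control(id),
                      description TEXT NOT NULL, status TEXT NOT NULL);
"""


def build_repository():
    """Create an in-memory repository loaded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO risk VALUES (?, ?)", [
        (1, "Fictitious vendor invoice paid"),
        (2, "Invoice recorded in wrong period"),
    ])
    conn.executemany("INSERT INTO control VALUES (?, ?, ?, ?)", [
        (10, "Three-way match of PO, receipt and invoice", 1, "per transaction"),
        (11, "Monthly AP reconciliation", 1, "monthly"),
        (12, "Vendor master change review", 0, "quarterly"),
    ])
    conn.executemany("INSERT INTO process VALUES (?, ?)", [
        (100, "Procure-to-pay US"),
        (101, "Procure-to-pay EU"),
    ])
    # One risk covered by three controls; one control reused by two risks.
    conn.executemany("INSERT INTO risk_control VALUES (?, ?)",
                     [(1, 10), (1, 11), (1, 12), (2, 11)])
    # Controls shared across business units.
    conn.executemany("INSERT INTO control_process VALUES (?, ?)",
                     [(10, 100), (10, 101), (11, 100), (11, 101), (12, 100)])
    conn.execute("INSERT INTO issue VALUES (?, ?, ?, ?)",
                 (1000, 11, "Q2 reconciliation signed off three weeks late", "open"))
    conn.commit()
    return conn


def controls_for_risk(conn, risk_id):
    """Names of every control mapped to one risk, in id order."""
    rows = conn.execute(
        "SELECT c.name FROM control c "
        "JOIN risk_control rc ON rc.control_id = c.id "
        "WHERE rc.risk_id = ? ORDER BY c.id", (risk_id,))
    return [name for (name,) in rows]


def open_issues_by_process(conn):
    """Each process touched by a control with an open issue: no copies, just joins."""
    rows = conn.execute(
        "SELECT DISTINCT p.name, i.description FROM issue i "
        "JOIN control_process cp ON cp.control_id = i.control_id "
        "JOIN process p ON p.id = cp.process_id "
        "WHERE i.status = 'open' ORDER BY p.name")
    return [tuple(row) for row in rows]


def risks_with_single_control(conn):
    """Risks relying on exactly one control: candidates for extra scrutiny."""
    rows = conn.execute(
        "SELECT r.name FROM risk r JOIN risk_control rc ON rc.risk_id = r.id "
        "GROUP BY r.id HAVING COUNT(*) = 1 ORDER BY r.id")
    return [name for (name,) in rows]


if __name__ == "__main__":
    repo = build_repository()
    print(controls_for_risk(repo, 1))
    print(open_issues_by_process(repo))
    print(risks_with_single_control(repo))
```

Closing one issue is a single UPDATE on the issue row, and every process view reflects it immediately; the equivalent in standalone spreadsheets is the multi-file edit the passage warns about.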
6) Testing Key Controls
The overall objective of SOX control testing is threefold: 1) ensure the process or test procedures as outlined are an effective method for testing the control, 2) confirm the control is being performed throughout the entire period and by the assigned process owner, and 3) confirm the control has been successful in preventing or detecting any material misstatements. In short, control testing validates design and operating effectiveness.
The actual SOX controls testing process may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, walkthrough of the transaction, inspection of the documentation, and/or a re-performance of the process.
7) Assessing Deficiencies in SOX
Ongoing investment into a SOX program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.
During the SOX control testing process and analysis, the auditor may identify an exception, deficiency or gap in the tested sample. If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses whether it was a design failure in the control or an operating failure where training, responsibilities, or the process needs to be adjusted. Lastly, management and the audit team assess whether it is a material weakness (which, as described above, is typically defined by a percentage of variance combined with a high risk level) that must be reported in the end-of-year financials, or only a significant weakness.
8) Delivering Management’s Report on Controls
The end product of SOX control testing is management’s report on controls over financial reporting, which is delivered to the audit committee. While a substantial amount of documentation and data is collected during the process, the report should include:
- Summary of management’s opinion and support for those conclusions.
- Review of the framework used, evidence collected, and summary of results.
- Results from each of the tests - entity-level, IT, key controls.
- Identification of the control failures, gaps, and corresponding root causes.
- Assessment made by the company’s independent, external auditor.
Common SOX Compliance Challenges
Spreadsheet and End-User Issues
The lowly spreadsheet has evolved to be more than just a bookkeeping tool. Over time the simple spreadsheet has morphed into a SOX workflow staple, due in part to its ability to link data across different documents and automate basic tasks. At the same time, modern audit projects now require more attributes and details about a control. Whether it’s documenting the completeness and accuracy of evidence, or validating the integrity of a key report, testing procedures have evolved beyond simple attribute ticking and tying. The modern spreadsheet can handle this robust testing process, but it lacks speed, efficiency, and consistency.
In addition to what’s mentioned above, there are certain risks related to using spreadsheets for your SOX program including, but not limited to:
- Version control — an out-of-date download
- Partial or incomplete download
- Miskey by a user or deleted data
- Analysis of inconsistent data set — i.e., population is incorrect
- Process owners left in the dark
Process owners who own the day-to-day control activities are often left in the dark when it comes to their own controls. Internal Audit teams rely on spreadsheets and shared folders to manage their controls, so documentation often remains on the desktop of internal audit teams — far away from process owners.
When control documentation lives with Internal Audit, process owners only get visibility into their controls once a quarter and thus create their own day-to-day activities driven by their own version of tasks, and not necessarily within the context of their own controls.
Rising Costs & Resources
While SOX has clearly had a positive impact on financial reporting, concerns remain over the increasing cost of SOX compliance and heavy resource burdens. SOX costs continue to rise year-over-year for many companies, according to Protiviti’s 2017 Sarbanes-Oxley Survey. Reasons include the introduction of new frameworks such as COSO and evolving external auditor requirements for Section 404 compliance. Companies today spend an average of one million to two million dollars and up to 10,000 hours on SOX programs annually.
SOX Compliance Tools & Software
One key to decreasing the high cost of SOX compliance and maximizing SOX resources lies in leveraging technology to automate processes. Forward-thinking SOX teams are using SOX automation tools to reduce the administrative hours and effort spent on SOX. SOX compliance software enables internal audit teams to free up time to perform more value-add audits, increase the quality of internal controls, increase visibility into SOX environments, improve external auditor collaboration and ultimately reduce the number of financial restatements.