As much as companies struggled initially with the cost and resource burden of compliance, over time, they are seeing the investment in SOX compliance pay off in many ways:
1. Improved corporate governance - SOX compliance improved corporate governance through greater regulation of audit committees. Before SOX, just 51% of public companies had audit committees that were completely independent of management. SOX mandated that all listed companies have an audit committee whose members are independent of management and that includes at least one financial expert. As a result, audit committees today are better equipped to provide accurate and truthful financial reports.
2. Increased accountability - SOX compliance makes executives more accountable and protects investors. Executives are required to personally certify financial reports, with significant penalties in place for fraudulent activities.
3. Auditor independence - SOX compliance enhances auditor independence by prohibiting audit firms from providing bookkeeping, actuarial or management functions to the companies they audit.
4. Fewer financial restatements - Post-SOX, the number of financial restatements continues to decline year-over-year, decreasing from 1,851 in 2006 to just 737 in 2015.
SOX Audits can be broken down into any number of steps from performing risk assessments to what to include in an audit committee report. We’ve narrowed our outline to the following eight steps:
1) Defining the SOX Audit Scope Using a Risk Assessment Approach
For performing a risk assessment, PCAOB Accounting Standard No. 5 recommends, “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”
This step in a SOX compliance audit should not result in a list of compliance procedures but should help the auditor identify potential risks and sources, how it might impact the business, and whether the internal controls will provide reasonable assurance that a material error will be avoided, prevented, or detected.
2) Determining Materiality in SOX - Accounts, Statements, Locations, Processes, and Major Transactions
Step 1 - Determine what is considered material to the P&L and balance sheet
How: Financial statement items are considered “material” if they could influence the economic decisions of users. Auditors can typically determine what is material by calculating a certain percentage of key financial statement accounts. For example, 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and BS accounts.
Step 2 – Determine all locations with material account balances
How: Analyze the financials for all the locations you do business in. If any of the financial statement account balances at these locations exceed what was determined as material (in Step 1), chances are they will be considered material and in-scope for SOX in the coming year.
Step 3 – Identify transactions populating material account balances
How: Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they’re recorded should be documented in a narrative, flowchart, or both.
Step 4 – Identify financial reporting risks for material accounts
How: Seek to understand what could prevent the transaction from being correctly recorded, or the risk event. Then, document the effect the risk event could have on how the account balance could be incorrectly recorded, or the breakdown of the financial statement assertion.
3) Identifying SOX Controls - Non-Key & Key Controls, ITGCs, and other Entity-Level Controls
During your materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They will seek to identify the checks and balances in the financial reporting process that ensure the transactions are recorded correctly, and account balances are calculated accurately. Some examples of preventative or detective SOX controls include:
Next, material accounts often need multiple controls in place to prevent a material misstatement from occurring. You’ll have to analyze all the controls to determine which ones best provide that assurance, keeping in mind the people, process, and technology in place.
Audit teams are cautioned against applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Each new control is often inadvertently classified as “key” without a true risk assessment being performed, which contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts and “scope creep.”
To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.
Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated controls. For the automated controls identified, you should evaluate whether the underlying system is in-scope for ITGC testing, which will impact your overall testing strategy of the control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of control testing needed to be performed.
4) Performing a Fraud Risk Assessment
An effective system for internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing the instances of fraud in an organization. Internal controls play a key role in reducing the opportunities available to commit fraud and what the material impact would be if fraud occurred, including a manual override of internal controls.
Below are examples of anti-fraud internal controls and practices organizations can implement to considerably lower losses due to fraud.
Segregation of Duties
The Institute of Internal Auditors (IIA) describes the basic idea underlying segregation of duties as “no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties.” That is, the work of one individual should either be independent of, or serve as a check on, the work of another. Examples:
As per ACFE’s 2014 report, a significant portion of asset misappropriation schemes involve situations in which an employee makes a claim for reimbursement of fictitious or inflated business expenses. In order to prevent such schemes, management should ensure that the relevant policies and procedures surrounding employee reimbursements are communicated to employees and make updates whenever deemed necessary. Moreover, the approval flow for such reimbursements should include, along with the direct supervisor, other key stakeholders, such as affected business team members, payroll, or internal audit.
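An added example, not part of the original article, applying the IIA principle quoted above to the reimbursement approval flow just described: each claim is checked for self-approval, for the direct supervisor's approval, and for a second approval from another stakeholder. The role labels, the supervisor map and the sample claims are constructed assumptions for illustration.

```python
"""Segregation-of-duties check over constructed expense reimbursement claims."""
from dataclasses import dataclass

# Assumed role labels for the "other key stakeholders" the text mentions.
SECOND_APPROVER_ROLES = {"payroll", "internal_audit"}


@dataclass
class Claim:
    claim_id: str
    claimant: str
    approvers: list  # user ids that approved the claim, in order


# Constructed sample directory: user -> roles, and user -> direct supervisor.
ROLES = {
    "alice": {"employee"},
    "bob": {"employee", "manager"},
    "carol": {"employee", "payroll"},
    "dave": {"employee", "internal_audit"},
}
SUPERVISOR = {"alice": "bob", "carol": "bob", "dave": "bob", "bob": None}


def sod_violations(claim: Claim) -> list:
    """Return the control exceptions found on one claim (empty list = clean)."""
    issues = []
    if claim.claimant in claim.approvers:
        # The claimant could both perpetrate and conceal an inflated claim.
        issues.append("self-approval")
    if SUPERVISOR.get(claim.claimant) not in claim.approvers:
        issues.append("missing supervisor approval")
    second = [a for a in claim.approvers
              if a != claim.claimant and ROLES.get(a, set()) & SECOND_APPROVER_ROLES]
    if not second:
        issues.append("missing payroll/internal audit approval")
    return issues


def review(claims) -> dict:
    """Map claim id -> list of exceptions, for the auditor's test sheet."""
    return {c.claim_id: sod_violations(c) for c in claims}


# Constructed claims: one clean, one self-approved, one lacking a second approver.
SAMPLE = [
    Claim("R-1", "alice", ["bob", "carol"]),
    Claim("R-2", "carol", ["carol", "bob"]),
    Claim("R-3", "dave", ["bob"]),
]

if __name__ == "__main__":
    for cid, issues in review(SAMPLE).items():
        print(cid, issues or "OK")
```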
In spite of federal regulations, the ultimate responsibility for implementing a strong whistleblower program lies with management. Historically, internal employee tip-offs have provided the best means of fraud detection. Hence, management cannot afford to neglect having an internal whistleblower mechanism within their organization.
Periodic Reconciliation of Bank Accounts
Bank reconciliations highlight the differences between cash per the balance sheet and cash per the bank statement, while also confirming the accuracy of the data recorded in the organization’s cash ledger. The purpose of a bank reconciliation is not only to identify unexpected differences but also to prevent them from recurring, for example by addressing accounting delays or restricting auto-debits to vendors. Depending on the size of the organization, bank reconciliations should be performed on a daily, weekly, or monthly basis to monitor and detect fraudulent activity.
It is management’s proactive approach towards fraud detection and prevention, coupled with strong internal controls, which will ultimately decrease the opportunities to commit fraud and instill an ethical culture within an organization.
5) Managing Process and SOX Controls Documentation
Details of the operation of key controls, such as control descriptions, frequency, test procedures, associated risk, population, and evidence, are established within the control narrative and documentation. Risk and control mapping often has a many-to-many relationship, which can make manual documentation difficult. Some examples include: risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles that map to many controls. As any audit manager can attest, if one member of the team fails to make a timely edit or forgets to make updates across all test sheets, the downstream ripple effect can cost managers hours and hours of cleanup.
The solution is to leverage an underlying relational database to act as a central repository and as the foundation of the audit program. SOX software constructed upon purpose-built database structures allows auditors to quickly pull or push information to and from a database and have those results cascade throughout the entire SOX program instantly. Controls documentation is simple and doesn’t require making edits across several standalone spreadsheet files. In addition, a spreadsheet cannot handle the volume of data that accumulates when annual audit results are carried forward year over year. The speed, accuracy, and scalability of a database solution will exceed the benefits of “spreadsheet familiarity.”
6) Testing Key Controls
The overall objective of SOX control testing is threefold: 1) ensure the process or test procedures as outlined are an effective method for testing the control, 2) confirm the control is being performed throughout the entire period and by the assigned process owner, and 3) confirm the control has been successful in preventing or detecting any material misstatements. In short, control testing validates design and operating effectiveness.
The actual SOX controls testing process may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, walkthrough of the transaction, inspection of the documentation, and/or a re-performance of the process.
7) Assessing Deficiencies in SOX
Ongoing investment into a SOX program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.
During the SOX control testing process and analysis, the auditor may identify an exception, deficiency or gap in the tested sample. If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses whether it was a design failure in the control or an operating failure where training, responsibilities, or process needs to be adjusted. Lastly, management and the audit team assess whether or not it is a material weakness (which, as described above, is typically defined by a percentage of variance together with a high risk level) that will be reported on the end-of-year financials, or only a significant weakness.
8) Delivering Management’s Report on Controls
The end product of the SOX control testing is the management’s report on controls over financial reporting that is delivered to the audit committee. While a substantial amount of documentation and data is collected during the process, the report should include:
Spreadsheet and End-User Issues
The lowly spreadsheet has evolved to be more than just a bookkeeping tool. Over time the simple spreadsheet has morphed into a SOX workflow staple, due in part to its ability to link data across different documents and automate basic tasks. At the same time, modern audit projects now require more attributes and details about a control. Whether it’s documenting the completeness and accuracy of evidence, or validating the integrity of a key report, testing procedures have evolved beyond simple attribute ticking and tying. The modern spreadsheet can handle this robust testing process, but it lacks speed, efficiency, and consistency.
In addition to what’s mentioned above, there are certain risks related to using spreadsheets for your SOX program including, but not limited to:
Process owners who own the day-to-day control activities are often left in the dark when it comes to their own controls. Internal Audit teams rely on spreadsheets and shared folders to manage their controls, so documentation often remains on the desktop of Internal Audit teams – far away from process owners.
When control documentation lives with Internal Audit, process owners only get visibility into their controls once a quarter and thus create their own day-to-day activities driven by their own version of tasks, and not necessarily within the context of their own controls.
Rising Costs & Resources
While SOX has clearly had a positive impact on financial reporting, concerns remain over the increasing cost of SOX compliance and heavy resource burdens. SOX costs continue to rise year-over-year for many companies, according to Protiviti’s 2017 Sarbanes-Oxley Survey. Reasons include the introduction of new frameworks such as COSO and evolving external auditor requirements for Section 404 compliance. Companies today spend an average of one million to two million dollars and up to 10,000 hours on SOX programs annually.
One key to decreasing the high cost of SOX compliance and maximizing SOX resources lies in leveraging technology to automate processes. Forward-thinking SOX teams are using SOX automation tools to reduce the administrative hours and effort spent on SOX. SOX compliance software enables internal audit teams to free up time to perform more value-add audits, increase the quality of internal controls, increase visibility into SOX environments, improve external auditor collaboration, and ultimately reduce the number of financial restatements.