
What are SOX Controls? Best Practices for Defining Your Scope


The Sarbanes-Oxley Act (SOX) has been in place for almost 20 years, but many people still have difficulty explaining in simple terms what we mean by SOX controls. What about SOX Key controls? Is SOX compliance mandatory? Get answers to these and many more key SOX controls questions below.

What Are SOX Controls? 

Without going into too much detail, the SOX requirements for public companies include having internal controls in place for processes that impact financial reporting. The objective of these controls is to ensure accurate and reliable financial reporting. The confusion is mostly a matter of scoping: understanding where SOX ends and regular management internal controls start.

Is SOX Compliance Mandatory?

The SOX Act put emphasis on financial reporting controls after several corporate fraud cases disrupted the US market. This article will discuss many of the common SOX control questions and explain how to lay a foundation for an effective SOX control testing program by discussing best practices for defining your scope, determining materiality and risks, and identifying SOX controls.

How Many SOX Controls Are There?

Auditors frequently ask if there is guidance on all the possible SOX controls. The simple answer is "no." There is no one-size-fits-all approach to SOX, but there are common types of controls. As SOX control examples, when dealing with financial systems there should be controls related to system access, segregation of duties, change management, approvals, and data backup. The challenge is in designing controls specifically for your systems, on your network, to meet your control objectives.

What are SOX 404 Controls?

SOX 404 refers to a section of the SOX Act (Section 404) that spells out the SOX requirement for management to implement internal controls over financial reporting. The terms SOX controls and SOX 404 controls are used interchangeably.

What are SOX IT Controls? 

In general, SOX requirements include both business controls and SOX IT controls. On the business side, the controls are those around the accuracy of the data that feeds into financial reporting. From the IT perspective, there are IT general controls (ITGCs) and application controls. The goals for SOX IT controls are to ensure the systems are accurate, complete, and free from error since that would impact the financial reporting. 

The key to defining your scope for SOX is to understand which processes and systems actually impact financial reporting. Where most get confused is in differentiating between critical IT systems and SOX IT systems. You may have a system that holds all of your customer information that is critical to the success of your organization, but if that system does not capture financial data that feeds into your financial reporting, then it is not a SOX application. It should still be well controlled, but it is not in scope for SOX testing.

What Are SOX Key Controls?

Within the SOX controls, we designate the primary controls as key controls. Because so much reliance is put on the key controls, these are monitored and tested more frequently.

What Is SOX Controls Testing?

SOX control testing is a function performed by either management or internal audit or both, as well as by the external auditors. SOX control testing is performed to find out if the controls are working as intended or if there are any gaps in the internal control process.

What Is SOX Reporting?

SOX reporting is usually done both internally and externally. Internal SOX reporting includes SOX testing status updates created by management with any issues they have found and remediation plans. External SOX reporting is the output from the external auditor’s independent testing. Their reporting culminates in the opinion they express in the financial statements about management’s internal controls over financial reporting.

How Can I Start Testing SOX Controls? 

Due to the scope and complexity of maintaining audit programs to meet SOX requirements, the Institute of Internal Auditors recommends that management start testing SOX controls early each year and consider the program an ongoing, year-round internal control testing process. 

SOX Compliance Checklist


1) Defining the SOX Audit Scope Using a Risk Assessment Approach

PCAOB AS 2201 recommends “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”

This step in a SOX compliance audit should not result in a list of compliance procedures, but should instead help the auditor identify potential risks and sources, how it might impact the business, and whether the internal controls qualify as SOX controls — i.e. whether they will provide reasonable assurance that a material error will be avoided, prevented, or detected.

2) Determining Materiality in SOX – Accounts, Statements, Locations, Processes, and Major Transactions

Step 1 – Determine what is considered material to the P&L and balance sheet 

How: Financial statement items are considered “material” if they can influence the economic decisions of users. Auditors can typically determine what is material by calculating a certain percentage of key financial statement accounts. For example, 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and BS accounts.

Step 2 – Determine all locations with material account balances 

How: Analyze the financials for all the locations where you do business. If any of the financial statement account balances at these locations exceed what was determined as material (in Step 1), chances are they will be considered material and in-scope for SOX testing in the coming year.

Step 3 – Identify transactions populating material account balances

How: Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they’re recorded should be documented in a narrative, flowchart, or both.

Step 4 – Identify financial reporting risks for material accounts

How: Seek to understand what could prevent the transaction from being correctly recorded, or the risk event. Then, document the effect the risk event could have on how the account balance could be incorrectly recorded, or the breakdown of the financial statement assertion.

3) Identifying SOX Controls – Non-Key & Key Controls, ITGCs, and Other Entity-Level Controls

During your materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They will seek to identify the checks and balances in the financial reporting process that ensure the transactions are recorded correctly and account balances are calculated accurately. Often material accounts need multiple controls in place to prevent a material misstatement from occurring. However, audit teams are cautioned against applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Each new control is then often classified as "key" without performing a true risk assessment, which contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts.


To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.

How to Finalize an Effective System of Internal Controls Plan

Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated SOX IT controls. For the automated controls identified, you should evaluate whether the underlying system is in scope for ITGC testing, which will impact your overall testing strategy for the control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of SOX IT control testing that needs to be performed.

Once you have defined your scope and identified your SOX controls using these best practices, you will be on track to developing a well-rounded SOX testing program. Learn more about how to build upon this foundation in How to Build a Well-Rounded SOX Testing Program. 

Meeting SOX requirements does not need to be overly complicated. Implementing SOX compliance software such as AuditBoard's SOXHUB can help you eliminate version control issues in your SOX documentation process, centralize SOX control testing, facilitate SOX reporting, and streamline your SOX program from end to end.
