Due to the scope and complexity of maintaining audit programs to meet SOX compliance requirements, the Institute of Internal Auditors recommends that management start testing SOX controls early each year and consider the program an ongoing, year-round process. This article will discuss how to lay a foundation for an effective SOX testing program by discussing best practices for: defining your scope, determining materiality and risks, and identifying SOX controls.
SOX Compliance Checklist
1) Defining the SOX Audit Scope Using a Risk Assessment Approach
PCAOB AS 2201 recommends: “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”
This step in a SOX compliance audit should not result in a list of compliance procedures. Instead, it should help the auditor identify potential risks and their sources, how they might impact the business, and whether the internal controls qualify as SOX controls, i.e. whether they will provide reasonable assurance that a material error will be avoided, prevented, or detected.
2) Determining Materiality in SOX – Accounts, Statements, Locations, Processes, and Major Transactions
Step 1 – Determine what is considered material to the P&L and balance sheet
How: Financial statement items are considered “material” if they can influence the economic decisions of users. Auditors can typically determine what is material by calculating a certain percentage of key financial statement accounts, for example 5% of total assets, 3-5% of operating income, or an analysis of multiple key P&L and balance sheet accounts.
Step 2 – Determine all locations with material account balances
How: Analyze the financials for all the locations where you do business. If any of the financial statement account balances at these locations exceed the materiality threshold determined in Step 1, they will likely be considered material and in-scope for SOX testing in the coming year.
Step 3 – Identify transactions populating material account balances
How: Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they’re recorded should be documented in a narrative, flowchart, or both.
Step 4 – Identify financial reporting risks for material accounts
How: Seek to understand what could prevent the transaction from being correctly recorded (the risk event). Then, document the effect the risk event could have on the account balance, i.e. how the balance could be incorrectly recorded, or which financial statement assertion would break down.
3) Identifying SOX Controls – Non-Key & Key Controls, ITGCs, and Other Entity-Level Controls
During your materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They will seek to identify the checks and balances in the financial reporting process that ensure the transactions are recorded correctly and account balances are calculated accurately. Often, material accounts need multiple controls in place to prevent a material misstatement from occurring. However, audit teams are cautioned against applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Each new control is often inadvertently classified as “key” without a true risk assessment being performed, which contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts.
To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.
Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated controls. For each automated control identified, you should evaluate whether the underlying system is in-scope for ITGC testing, which will impact your overall testing strategy for the control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of control testing that needs to be performed.
Once you have defined your scope and identified your SOX controls using these best practices, you will be on track to developing a well-rounded SOX testing program. Learn more about how to build upon this foundation in How to Build a Well-Rounded SOX Testing Program. Implementing SOX compliance software such as AuditBoard’s SOXHUB can help you eliminate version control issues in your SOX documentation process, as well as streamline your SOX program from end to end.