For companies with SOX programs, your investment in planning pays a major role in determining your team’s success throughout the year. As the Global Head of SOX Compliance and Controls at BNY Mellon, my focus during planning is scoping SOX needs against the backdrop of a continually changing work environment. While much remains standard SOX planning protocol, the following are five key items of focus that help jump start our SOX planning process.
1. Review the year over year change in financials.
Compare your year-end financials to the previous year to see where, and if, there have been any notable changes in the balances on the face of your P&L and your balance sheet. In addition, look at the proportion of line items in relation to one another; barring any substantial acquisition, divestiture, or notable change in your business, there generally may not be too many significant changes at this level. Communicate with your external auditors to ensure you’re aligned on assessing materiality. Finally, consider your critical report lines: what is most critical to your business model, and what do your investors care the most about? Asking these questions in pre-planning will help you focus your SOX program.
2. Focus on current and prior-year issues.
Take a holistic look at your issues data from last year, and work to understand how each issue ties back into your financials. Note any issue-prone areas in the business that need to be addressed and require deeper focus. For example, if there were deficiencies from year-end 2019 that were remediated in 2020, it may be a good idea to maintain focus on those areas in 2021 to ensure the sustainability of the remediation efforts. One of the fields we implemented in AuditBoard, the platform we use for our SOX program, is a linkage of each SOX deficiency to a report line on our financials, which allows us to assess the quantitative impact of our issues both individually and in aggregate. The presence or absence of issues may determine the depth of our focus in specific areas.
3. Assess current and prior year trends in the overall financial and regulatory environment.
Identify any in-scope areas that may require extra focus in accordance with trends in the overall business, financial, and regulatory environment. If you are part of a SOX function that is separate from audit, pay attention to areas that your internal audit function and external auditors are focusing on. For example, in recent years, auditors in the financial services industry have increased focus on areas affected by the implementation of CECL requirements and the LIBOR transition. This year, ongoing changes in the overall interest rate environment may have a notable impact on the financial statements for companies both in financial services as well as other industries.
4. Evaluate current and upcoming changes to your business environment.
Evaluate current and upcoming changes to your business environment and consider how they will impact the scope of your SOX assessments for the current year. One notable example that can impact many companies is the implementation of new systems. These changes might require changes to your SOX controls, as well as the breadth and depth of your focus. Consider how to get ahead of these changes by incorporating them into your planning and scoping process.
5. Work closely with your internal audit partners.
If you are a SOX function in a company with a separate internal audit function, work closely with your internal auditors to understand the scope of their audit plan, and where it might make sense for internal audit to work with the SOX group to maximize collective resources. Even if you are early in the journey of relying on one another’s work, focus on building coordination. My team has developed an emerging and increasingly successful partnership with our internal auditors in coordinating audits with SOX testing. As part of the scoping process, we will naturally look at internal audit’s key points of focus; even if it doesn’t mean we will dial back our focus, we’ll at least align with internal audit on timing to avoid tripping over each other and causing unnecessary pain for the business. Especially during these times, when auditors and regulators alike have increased expectations on internal controls, learning how to be savvy and efficient in resource allocation is key to maximizing the benefit of your team.
As we anticipate the next shift to a hybrid-remote working model, speed bumps that occurred during last year’s SOX planning process, such as tracking down physical evidence, may ease up. Though it is hard to predict exactly how a year will unfold, a positive take away for my team has been our ability to leverage learnings from last year again this year. Having spent a considerable amount of time understanding the changes to our control environment from a changing risk environment, my team has continued to apply the resulting knowledge and adjustments to our SOX focus.