SOX Testing: How to Build a Well-Rounded Testing Program

For publicly traded companies, SOX compliance testing represents a major activity every year — but just what is SOX compliance testing? If SOX is related to financial reporting, then what are SOX IT controls? This article provides an overview of the SOX compliance testing process and a five-step checklist to build a SOX compliance testing program. 

What Is SOX Compliance Testing?

SOX compliance testing is an assessment of the company’s internal control processes related to financial reporting. SOX compliance testing helps a public company show investors, employees, and other stakeholders that it has procedures in place to prevent fraud and that the financial reports the company produces are accurate and reliable. 

The initial SOX controls testing is often performed by management as a self-assessment, or by a dedicated SOX team, followed by an assessment performed by independent auditors. When the testing is done by management, they are testing their own processes. In this form of testing, there is very little independence since management is involved in both the control operation and in the SOX testing process. Sometimes, the test is facilitated by the internal audit team who publishes a self-assessment to managers who respond with their documentation for the internal auditors to validate. Other companies have set up a dedicated SOX team. The SOX team is still part of management as a compliance group and therefore not fully independent. SOX teams are removed from the control and better able to provide unbiased test results. After the testing is completed, an internal audit team may perform independent testing. Since internal audit is independent, others may be able to rely on the SOX controls testing they perform. 

A Brief History of SOX Testing

Management and audit teams need to remember why SOX testing exists so we never forget the importance of internal controls. In the early 2000s, a series of corporate scandals came to light that destroyed the companies, wiped out stakeholders, and shook confidence in the US market. Companies like Enron, Worldcom, and Tycowere creating fraudulent financial reporting, and in some cases, they were enabled by their external audit teams at Arthur Andersen. Enron was shifting assets in and out of its books to appear more profitable, Worldcom reclassified operating expenses as capital expenses to inflate revenues by $3 billion to hide their losses, and executives at Tyco were stealing millions from the company. 

The US government stepped in by drafting legislation called the Sarbanes-Oxley Act of 2002, named after the two senators who drafted the act. If you’ve wondered “what is SOX 404 testing”, this refers to Section 404 - Management Assessment of Internal Controls that requires companies to implement and test “an adequate internal control structure.” Today, audit teams often use “SOX controls testing” and “SOX 404 testing” interchangeably. 

Another major part of the SOX Act is Section 302. Section 302 - Corporate Responsibility for Financial Reports is the part of the act that requires the CEO and CFO to take full responsibility for the company’s internal controls over financial reporting. Both Section 302 and 404 are included in the SOX Act to require companies to maintain strong internal controls related to financial reporting.

Now that SOX is firmly established within public companies, SOX controls testing has become routine for most.

What’s the SOX Testing Process?

While there is some variation among companies, most follow a very similar process for SOX controls testing. In the SOX controls testing process, there are four rounds of SOX testing: 

1. Initial Assessment:

In the process of SOX controls testing, the team starts with performing process walkthroughs. The walkthroughs are usually documented in the form of narrative, or flowcharts, or both. Next, the SOX team consolidates evidence that the control activities actually occurred. The documentation is used in assessing the design of the controls and testing the operating effectiveness of the controls. Any deficiencies are documented and action plans are put in place to make corrections.

2. Interim Testing:

Around mid-year, the SOX team performs another round of testing to ensure the deficiencies were addressed, and the SOX controls are still operating as intended. During this round, the team assesses whether or not any additional changes have occurred that might trigger updating documentation and redesigning any controls.

3. Year-end Testing:

Near the end of the year, the last internal round of SOX controls testing takes place for annual controls. At this time, the SOX team also retests any controls that had deficiencies earlier in the year and confirm the remediation efforts were effective. Interim and year-end testing are primarily focused on testing operational effectiveness. 

4. Testing by Independent Auditors:

The final step in the SOX testing process is done by an outside party, the external auditors. For further validation of the operational effectiveness of the SOX controls, companies hire an external audit firm to have independent auditors evaluate the controls. That group has their own SOX testing requirements and will perform their own testing. Any issues they raise will be addressed by management and the SOX team quickly with process changes and explanation of mitigating controls. 

Earlier we mentioned that internal audit may have performed independent testing as well. In that scenario, the external auditors may choose to rely on some of the work done by internal audit. If the test work meets the same level of scrutiny and detail as the work the external auditors would apply to testing, then the work can be relied upon. It is important to set expectations with your external auditor early if you plan to push for reliance. The internal audit team may need to make adjustments to their SOX controls testing approach. The internal audit team may need to adopt the external auditor’s testing templates and sampling methodology.

How to Plan the Year’s SOX Testing Process?

Once internal audit has identified the SOX controls that will be in scope for testing, the next step is planning the year’s testing process. The checklist that follows breaks down how to build upon your risk assessment to develop a quality SOX testing program to help you meet your SOX compliance requirements.

SOX Compliance Checklist: Building a SOX Testing Program

1. Performing a Fraud Risk Assessment

An effective system for internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing the instances of fraud in an organization. Below are examples of anti-fraud internal controls and practices organizations can implement to strengthen the outcomes of SOX testing: 

4 Examples of Anti-Fraud Internal Controls and Practices Organization Can Implement

1. Segregation of duties, wherein the work of one individual should be either independent of or serve to check on the work of another. 
   • Custody of Assets.
   • Authorization/Approval of related transactions affecting those assets.
   • Recording and reporting of related transactions.
2. Policies and procedures surrounding employee reimbursements. 
3. Having an internal whistleblower mechanism within the organization.
4. Periodic reconciliation of bank accounts to identify unexpected differences and prevent future occurrences, such as: accounting delays, restricting auto-debits to vendors, etc.

2. Managing Process and SOX Controls Documentation

Details of the operation of key controls, such as control descriptions, frequency, SOX test procedures, associated risk, population, and evidence are established within the control narrative and documentation. Often, risk and control mapping has a many-to-many relationship which can make manual documentation difficult. Some examples include risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls. As any audit manager can attest, if one member of the team fails to make a timely edit or forgot to make updates across all test sheets, the downstream ripple effect can cost managers hours and hours of cleanup.

The solution is to leverage an underlying relational database to act as a central repository and as the foundation of the SOX audit program. SOX software constructed upon purpose-built database structures can allow auditors to quickly pull or push information to and from a database and have those results cascade throughout the entire SOX program instantly. 

Benefits of Purpose-Built SOX Software:

• SOX documentation becomes simple and doesn’t require making edits across several standalone spreadsheet files. 
• The speed, accuracy, and scalability of a database solution will exceed the benefits of “spreadsheet familiarity” — for annual audit results to be used year over year, a spreadsheet cannot handle the large volumes of data. 
• Saves time spent reconciling version control issues.

3. Testing Key Controls

The overall objective to SOX testing is threefold:

1. Ensure the process or test procedures as outlined are an effective method for testing the control.
2. Ensure the control is being performed throughout the entire period and by the assigned process owner.
3. Ensure the control has been successful in preventing or detecting any material misstatements. In short, control testing validates the design and operating effectiveness.

SOX tests may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, walkthrough of the transaction, an inspection of the documentation, and/or a re-performance of the process.

4. Assessing Deficiencies in SOX

Ongoing investment into a SOX testing program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.

During the SOX testing process and analysis, the auditor may identify an exemption, deficiency, or gap in the tested sample. If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses if it was a design failure in the control or an operating failure where training, responsibilities, or process needs to be adjusted. Lastly, management and the audit team assesses whether it is a material weakness (as described above, typically a percentage of variance and with a high-risk level) and will be reported on the end-of-year financials, or whether it was only a significant weakness.

5. Delivering Management’s Report on Controls

The end product of SOX testing is the management report on controls over financial reporting that is delivered to the Audit Committee. While a substantial amount of documentation and data is collected during the process, the SOX report should include:

• Summary of management’s opinion and support for those conclusions.
• Review of the framework used, evidence collected, and summary of results.
• Results from each of the tests — entity-level, IT, and key controls.
• Identification of the control failures, gaps, and corresponding root causes.
• The assessment made by the company’s independent, external auditor.

Are You Ready to Streamline Your SOX Testing Program? 

Purpose-built SOX software such as AuditBoard can help you streamline SOX documentation, save time, and gain efficiencies in SOX testing year over year. Get started with SOXHUB today!