An effective system for internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing the instances of fraud in an organization. Below are examples of anti-fraud internal controls and practices organizations can implement to strengthen the outcomes of SOX testing:
Details of the operation of key controls, such as control descriptions, frequency, SOX test procedures, associated risk, population, and evidence, are established within the control narrative and documentation. Often, risk and control mapping has a many-to-many relationship, which can make manual documentation difficult. Some examples include risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls. As any audit manager can attest, if one member of the team fails to make a timely edit or forgets to make updates across all test sheets, the downstream ripple effect can cost managers hours and hours of cleanup.
The solution is to leverage an underlying relational database to act as a central repository and as the foundation of the SOX audit program. SOX software constructed upon purpose-built database structures can allow auditors to quickly pull or push information to and from a database and have those results cascade throughout the entire SOX program instantly.
The overall objective of SOX testing is threefold:
SOX tests may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, walkthrough of the transaction, an inspection of the documentation, and/or a re-performance of the process.
Ongoing investment in a SOX testing program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.
During the SOX testing process and analysis, the auditor may identify an exemption, deficiency, or gap in the tested sample. If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses whether it was a design failure in the control or an operating failure where training, responsibilities, or processes need to be adjusted. Lastly, management and the audit team assess whether it is a material weakness (as described above, typically a percentage of variance and with a high-risk level) and will be reported on the end-of-year financials, or whether it was only a significant weakness.
The end product of SOX testing is the management report on controls over financial reporting that is delivered to the Audit Committee. While a substantial amount of documentation and data is collected during the process, the SOX report should include:
Purpose-built SOX software such as AuditBoard can help you streamline SOX documentation, save time, and gain efficiencies in SOX testing year over year.