SOX Testing: How to Build a Well-Rounded Testing Program

For publicly traded companies, SOX compliance testing represents a major activity every year — but just what is SOX compliance testing, and what does it involve? If SOX is related to financial reporting, then what are SOX IT controls? How much testing should an organization perform before their annual SOX compliance audit? This article provides an overview of the SOX compliance testing process and a five-step checklist to build a SOX compliance testing program. 

What Is SOX Compliance Testing?

SOX compliance testing is an assessment of the company’s internal control processes related to financial reporting. SOX compliance testing helps a public company show investors, employees, and other stakeholders that it has procedures in place to prevent fraud and that the financial reports the company produces are accurate and reliable. Testing of controls is a critical and often time-consuming part of an organization’s SOX program, and can be performed several times a year to prepare for the external financial statement and internal controls audit.

The initial SOX controls testing is often performed by management as a self-assessment, or by a dedicated SOX team, followed by an assessment performed by independent auditors. When the testing is done by management, they are testing their own processes. In this form of testing, there is very little independence since management is involved in both the control operation and in the SOX testing process. 

Sometimes, the testing of controls is facilitated by the internal audit team who request documentation from process and control owners based on their understanding of the control workflow. Those managers then respond with their documentation for the internal auditors to inspect and validate. Internal audit teams are removed from the control and better able to provide unbiased test results. Since internal audit is independent, external auditors may be able to rely on the SOX controls testing they perform. 

What does testing actually entail? Let’s take a typical access control as an example. This access control may dictate that only personnel from the accounting and finance departments be given access to the accounts payable (AP) system. To test that this control is designed and operating effectively, an auditor may inspect the list of users with access to the AP system and compare it to a list of accounting and finance department personnel. If anyone in the system does not appear on those department listings, then the control may not have detected inappropriate access, and this may have to be remediated. 

Different controls are tested using different methods. Controls around financial data might be tested through reconciliation with bank statements, while change management controls might be tested using a random sampling approach over a population of change events. Auditors testing controls should be aware of the role the control plays in risk management and whether or not the control has an impact on other regulatory and certification requirements (beyond SOX). Generally, an experienced audit professional should be able to design tests that adequately test the attributes of a control. When in doubt, organizations can contract with qualified third-party providers to supplement internal SOX personnel.

Brief History of SOX Testing

Management and audit teams need to remember why SOX testing exists so we never forget the importance of internal controls. In the early 2000s, a series of corporate scandals came to light that destroyed the companies, wiped out stakeholders, and shook confidence in the US market. Companies like Enron, Worldcom, and Tyco were producing fraudulent financial reporting, and in some cases, they were enabled by their external audit teams at Arthur Andersen. Enron was shifting assets in and out of its books to appear more profitable, Worldcom reclassified operating expenses as capital expenses to inflate revenues by $3 billion to hide their losses, and executives at Tyco were stealing millions from the company. Needless to say, this wreaked havoc on capital markets, retirement funds, and the employees of the company.

The US government stepped in by drafting and passing legislation called the Sarbanes-Oxley Act of 2002, named after the two senators who drafted the act. If you’ve wondered “what is SOX 404 testing,” this refers to SOX Section 404 - Management Assessment of Internal Controls which requires companies to implement and test “an adequate internal control structure.” Today, audit teams often use “SOX controls testing” and “SOX 404 testing” interchangeably. This same section also calls for an audit of management’s assertions by a public accounting firm.

Another major part of the SOX Act is Section 302. Section 302 - Corporate Responsibility for Financial Reports is the part of the act that requires the CEO and CFO to take full responsibility for the company’s internal controls over financial reporting. Both Section 302 and 404 are included in the SOX Act to require companies to maintain strong internal controls related to financial reporting.

Title I of the Sarbanes-Oxley Act, from Section 101 to Section 109, governs the creation of the Public Company Accounting Oversight Board or PCAOB, which is responsible for:

1. Overseeing the audits of public companies.
2. Establishing audit report standards and rules.
3. Inspecting, investigating, and enforcing compliance over registered public accounting firms and certified public accountants.

Essentially, this board is tasked with “watching the watchmen” in the form of public accounting firms. The PCAOB takes a sample of audits performed by public accounting firms each year and inspects the audit from end-to-end, including audit workpapers, to enforce quality, ethics, and regulatory standards. The failure of Arthur Anderssen to provide independent audit opinions and detect (and disclose) fraud in Enron’s financial disclosures was certainly top of mind when this section was written.

Now that SOX is firmly established within public companies, SOX controls testing has become routine for most.

What’s the SOX Testing Process?

While there is some variation among companies, most follow a very similar process for SOX controls testing. In a typical and optimized SOX controls testing process, there are four rounds of SOX testing: initial assessment, interim testing, year-end testing, and testing by independent auditors. While these are broken out into discrete phases, SOX testing and activities occur throughout the year, with many controls needing to be performed daily, weekly, monthly, or quarterly. Some controls are annual or biannual. 

Depending on resource constraints, timelines, and other in-flight projects, SOX teams and internal auditors may want to segment testing activities into different testing phases — for example, testing governance and entity-level controls during the initial assessment, then testing access controls at interim, and change controls at year-end. Some controls may need to be tested more than once, especially if external auditors are relying on that testing for their procedures. “Reliance” in this case, means that the independent auditors performing your SOX audit can take the results and workpapers completed by internal audit and use that documentation to perform their procedures, rather than reinventing the wheel. Having external audit rely on internal audit testing reduces costs and streamlines the audit, while also reducing the burden of compliance on internal personnel.

1. Initial Assessment:

In the process of SOX controls testing, the team starts with performing process walkthroughs. The walkthroughs are usually documented in the form of narratives, or flowcharts, or both. These walkthroughs are meant to give auditors an understanding of the control workflow and context. An auditor who is not familiar with your control environment may conduct an interview to obtain a better understanding of your organization’s controls and processes. 

Next, the SOX team consolidates evidence that the control activities actually occurred. The documentation is used in assessing the design of the controls and testing the operating effectiveness of the controls. Any deficiencies are documented and action plans are put in place to make corrections.

2. Interim Testing:

Around mid-year, the SOX team or internal audit performs another round of testing to ensure the deficiencies were addressed, and the SOX controls are still operating as intended. During this round, the team assesses whether or not any additional changes have occurred that might trigger updating documentation and redesigning any controls.

A subset of testing can be performed at the interim, and in fact, many public accounting firms will want to perform both interim and year-end testing for SOX. This means that you may need to plan and prepare your teams for an interim fieldwork visit from your external audit team. Fieldwork usually means that the audit team is on-site and performing audit activities in real-time, occasionally “shoulder-surfing” to collect the evidence they need from control owners. With the shift to a virtual working style, more fieldwork is being be performed remotely, though companies with a physical presence should still plan for an on-site visit from auditors.

3. Year-end Testing:

Near the end of the year, the last internal round of SOX controls testing takes place for annual controls. At this time, the SOX team also retests any controls that had deficiencies earlier in the year and confirm the remediation efforts were effective. Interim and year-end testing are primarily focused on testing operational effectiveness. 

At year-end, both internal and external auditors will look to confirm if any major changes in the company’s internal controls have occurred. Depending on the extent of changes, retesting of controls for a subset of the fiscal year may need to happen. 

4. Testing by Independent Auditors:

The final step in the SOX testing process is done by an outside party, the external auditors. For further validation of the operational effectiveness of the SOX controls, and to comply with the Sarbanes-Oxley Act requirements, companies hire an external audit firm to have independent auditors evaluate their controls and assertions. Public accounting firms have their own SOX testing requirements and will perform their own testing. Any issues they raise will be addressed by management and the SOX team quickly with process changes and an explanation of mitigating or compensating controls. 

Earlier we mentioned that internal audit may have performed independent testing as well. In that scenario, the external auditors may choose to rely on some of the work done by internal audit. If the test work meets the same level of scrutiny and detail as the work the external auditors would apply to testing, then the work can be relied upon. It is important to set expectations with your external auditor early if you plan to push for reliance. The internal audit team may need to make adjustments to their SOX controls testing approach and adopt the external auditor’s testing templates and sampling methodology.

Independent auditors from public accounting firms perform many of the same activities as internal auditors, including conducting walkthroughs, obtaining and inspecting evidence, and documenting their findings. 

Planning the Year’s SOX Testing Process

Once internal audit and collaborating stakeholders have identified the SOX controls that will be in scope for testing, the next step is planning the year’s testing process. The checklist that follows breaks down how to build upon your risk assessment to develop a quality SOX testing program to help you meet your SOX compliance requirements.

In planning audits and testing, a shared calendar can eliminate a great deal of guesswork and scheduling headaches. Prior to the next fiscal year, consider looking at the next fiscal year and planning out tentative timelines for each phase of SOX testing and each audit on your organization’s compliance docket. Try to space testing and audits out based on the resources available. If possible, stagger other compliance or certification audits (like ISO or SOC 1 or 2) to occur at different times of the year, rather than all at once. With this tentative schedule laid out, you can break down your audit plan for the year by quarter or even month and track activities to completion. Understanding the company’s compliance goals can also equip teams with the rationale for acquiring additional resources, either by seeking out new hires or contracting with third parties.

SOX Compliance Checklist: Building a SOX Testing Program

1. Performing a Fraud Risk Assessment

An effective system for internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing instances of fraud in an organization. Below are examples of anti-fraud internal controls and practices organizations can implement to strengthen the outcomes of SOX testing: 

Four Examples of Anti-Fraud Internal Controls and Practices Organization Can Implement

Below are four examples of anti-fraud controls that organizations can implement to mitigate the risk of fraud: 

1. Segregation of duties, wherein the work of one individual should be either independent of or serve to check on the work of another; for example, the three functions listed below should be segmented between three employees.: 
   • Custody of Assets.
   • Authorization/Approval of related transactions affecting those assets.
   • Recording and reporting of related transactions.
2. Policies and procedures surrounding employee reimbursements. 
3. Having an internal whistleblower mechanism within the organization.
4. Periodic reconciliation of bank accounts to identify unexpected differences and prevent future occurrences, such as accounting delays, restricting auto-debits to vendors, and other deviations.

2. Managing Process and SOX Controls Documentation

Details of the operation of key controls, such as control descriptions, frequency, SOX test procedures, associated risk(s), population, and evidence are established within the control narrative and documentation. Often, risk and control mapping has a many-to-many relationship which can make manual documentation difficult. Some examples include risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls. As any audit manager can attest if one member of the team fails to make a timely edit or forgot to make updates across all test sheets, the downstream ripple effect can cost managers and staff hours and hours of cleanup.

The solution is to leverage an underlying relational database to act as a central repository and as the foundation of the SOX audit program. SOX software constructed upon purpose-built database structures can allow auditors to quickly pull or push information to and from a database and have those results cascade throughout the entire SOX program instantly. 

Benefits of Purpose-Built SOX Software

Purpose-built SOX software enables teams to work more productively in a centralized solution, avoid version-control issues, and access critical documentation easily and simply.

• SOX documentation becomes simple and doesn’t require making edits across several standalone spreadsheet files. 
• The speed, accuracy, and scalability of a database solution will exceed the benefits of “spreadsheet familiarity” — for annual audit results to be used year over year, a spreadsheet cannot handle large volumes of data. 
• Saves time spent reconciling version control issues.
• Provides access to a real-time dashboard with relevant and important issues and data displayed in a digestible format.

3. Testing Key Controls

The overall objective of SOX testing is threefold:

1. Ensure the process or test procedures as outlined are an effective method for testing the control.
2. Ensure the control is being performed throughout the entire period and by the assigned process owner.
3. Ensure the control has been successful in preventing or detecting any material misstatements. In short, control testing validates the design and operating effectiveness of in-scope controls.

SOX tests may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, a walkthrough of the transaction, an inspection of the documentation, and/or a re-performance of the test or process.

Existing documentation and past testing procedures should, to a degree, inform present testing, however, audit teams should be vigilant against over-reliance on prior year documentation and methodology. As subjects like completeness and accuracy gain importance in audits, testing teams will have to adjust their evidence collection, testing, and walkthrough methods to fully meet all regulatory and compliance requirements.

4. Assessing Deficiencies in SOX

Ongoing investment into a SOX testing program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.

During the SOX testing process and analysis, the auditor may identify an exception, deficiency, or gap in the tested sample(s). If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses if it was a design failure in the control or an operating failure where training, responsibilities, or processes need to be adjusted. Lastly, management and the audit team assess whether it is a material weakness (as described above, typically a percentage of variance and with a high-risk level) and will be reported on the end-of-year financials, or whether it was only a significant weakness.

Compensating controls that were operating effectively can mitigate the risk of control deficiencies; organizations should evaluate key controls and determine whether a compensating control is needed to cover any potential control execution failures.

5. Delivering Management’s Report on Controls

The end product of SOX testing is the management report on controls over financial reporting that is delivered to the Audit Committee. While a substantial amount of documentation and data is collected during the process, the SOX report should include:

• Summary of management’s opinion and support for those conclusions.
• Review of the framework used, evidence collected, and summary of results.
• Results from each of the tests — entity-level, IT, and key controls.
• Identification of the control failures, gaps, and corresponding root causes.
• The assessment opinion from the company’s independent, external auditor.

Since SOX is an inherently cyclical process, management will want to review their SOX reports in detail and develop a plan for remediating any deficiencies, gaps, or weaknesses in their SOX program. These findings will inform the next year’s planning and strategy. Likewise, it’s important to acknowledge when your team does well — processes that improved from prior years and tests that went better than before should be called out and acknowledged as a positive movement.

Are You Ready to Streamline Your SOX Testing Program? 

Purpose-built SOX software such as AuditBoard can help you streamline SOX documentation, save time, and gain efficiencies in SOX testing year over year. SOX compliance software can centralize coordination between stakeholders to drive high-quality evidence collection and better, faster audits. AuditBoard gets everyone involved with SOX on the same page, providing users with testing dashboards, repositories for documentation, and a view of relevant controls. Reduce administrative overhead and accelerate your SOX testing — get started with SOXHUB today!

Frequently Asked Questions About SOX Testing

What is SOX Compliance Testing?

SOX compliance testing is the combined body of testing a company and its external auditors perform to develop conclusions and opinions about the company’s internal controls and financial statements in accordance with the Sarbanes-Oxley Act of 2002.

What’s the SOX Testing Process?

In a typical and optimized the SOX controls testing process, there are four rounds of SOX testing: initial assessment, interim testing, year-end testing, and testing by independent auditors.