For SOX practitioners seeking to create efficiency in their testing programs, control certifications are a prime area for automation. Best practice indicates control owners should be certifying their controls on a quarterly basis. Not doing so can lead to a greater chance of control misalignment, potentially resulting in control failure, which requires additional effort to remediate. Despite this, many companies only manage to certify their controls on a semi-annual or annual basis.
This is because certifying controls is an extensive effort when performed using spreadsheets and multiple documents. A single change to a control must be manually updated across spreadsheets, narratives, any PBC documentation, and individual test worksheets — and any changes must be reconciled to ensure that all documentation matches. Unreconciled changes can have dire consequences: the wrong control being tested, control gaps, and ultimately even deficiencies. However, this process takes time away from control owners, management, and auditors, many of whom are already experiencing audit fatigue.
Using a SOX technology solution to automate certification workflows can greatly streamline the process of quarterly certifications and return valuable time to the SOX group and control owners. Automated reminders can reduce time spent on manual communication and follow-up, while the linkage of controls data ensures a single update is reflected throughout the system.
In addition to leveraging automation technology, the following pre-certification checklists can help certifying personnel prepare for efficient certifications.
Quarterly Control Certifications Checklist
- Be aware of any changes to controls, such as control description, frequency, type of control, and whether it is detective or preventive.
- Be cognizant of any promotions or role changes that have resulted in changes to control ownership.
- Understand if any changes have altered a control’s ability to meet its control objective.
- Understand how any changes to controls might impact audit procedures.
- Determine if any changes to controls result in a control gap that would need to be mitigated.
- Coordinate with your internal audit and compliance teams to surface ICFR-related potential issues from their assessments and testing.
- Leverage the power of an integrated platform to surface risks early to allow for careful evaluation and disclosure.
302 Certifications Checklist
- Understand the underlying control environment and be able to describe and note any changes. A newly hired certifying person should gain a general understanding from personnel familiar with the control environment and processes.
- Be aware of any major changes in the organization such as changes to IT systems, major personnel changes, and major control changes as a whole.
- Be aware of any immediate risk concerns — i.e. anything that might dramatically impact your control framework for the upcoming quarter or year — that require attention from control owners or management.
- Have an overall perspective as well as a consistent approach to your control strategy.
For SOX and audit practitioners seeking other practical ways to streamline their SOX processes, The SOX Management Playbook explores how to build a more informed, effective, and efficient SOX program using a risk-first approach.