Choosing a SOX program operating model for your business is not a decision you’ll make only once. Businesses mature, circumstances change, and needs ebb and flow. That’s why, over time, most businesses will employ a range of SOX operating models. AuditBoard and Deloitte’s new guide, The Road to SOX Readiness: A Practical Guide to Choosing an Operating Model for Your Organization, explores the four primary SOX operating models and the variables in choosing the right one for your business. Download the full guide here, and read on below for answers to five common questions asked by companies implementing SOX for the first time.
Five Top SOX Readiness Questions
There is no one-size-fits-all SOX operating model. However, each model accommodates a different combination of the same primary variables: Expertise, Bandwidth, Strategy, and Technology.
Primary Variables in Choosing a SOX Operating Model
Whatever your balance of these variables — and whatever SOX operating model you choose — the most critical consideration is that you have the appropriate resources in place, and that those resources have the appropriate skill sets to help you develop and maintain a robust system of internal controls.
Below are five common questions that companies ask when implementing a SOX program. Their answers provide insight into best practices for those just beginning their SOX journey.
What is the appropriate mix of outsourced, internal resource, and center of excellence (COE) resources for a 3-5 year public company?
The appropriate mixture of resources is dependent on the company’s needs and strategies rather than the maturity level of the SOX environment. Considerations such as the availability of resources, whether the company has in-house expertise, and cost often drive what is appropriate from a resource standpoint. Additionally, companies are not locked into one resource mix over their SOX compliance life cycle. Companies should be reevaluating whether they have an appropriate resource mix on a regular basis to ensure they are set up for success.
If outsourced, isn’t management still responsible for the adequacy of controls over financial reporting and must issue an ICFR assertion if publicly traded?
Yes, management still retains the ultimate responsibility for the adequacy of the company’s internal controls over financial reporting. Management must provide assertions related to their controls, which vary based on whether they are required to comply with Section 302, 404(a), and/or 404(b). While it is appropriate to utilize a variety of resources to meet these compliance requirements, management must own the process and take responsibility for the conclusions.
How should we break out responsibilities between internal audit versus ICFR?
There are a variety of acceptable divisions of responsibilities regarding SOX compliance between internal audit and ICFR or management functions. ICFR groups should generally report to senior management and be separate from internal audit. Ideally, this group can help design and maintain controls and act as an intermediary between internal audit and control owners. It can be a challenge to obtain adequate internal audit resources, let alone ICFR resources — especially with new public companies. In more resource-constrained situations, there are ways to have internal audit help management understand and evaluate controls, but it is critical to ensure that internal audit is not designing controls that they will be testing, particularly if the external auditors will be relying on internal audit’s work.
When is the best time to introduce an audit solution for a company that is newly implementing SOX 404(a)?
Remember, SOX 404(a) requires you to start implementing effective internal controls, which are needed to gain investor confidence — why not build stakeholder confidence as well? Implementing an audit management solution early on can help you get in front of common challenges that plague SOX teams by eliminating version control issues and making documentation consistent, accessible, and easier to maintain. Technology enables you to update once; update everywhere — changes flow across workpapers, process documents, RCMs, and issues instantly. Crucially, managing everything in one central location provides continuous visibility into areas of ownership from the start of your SOX program.
How can we leverage digital automation for SOX compliance?
If you are not already using an audit management solution for your SOX program, this should be your first step. It’s important to create a system of record, implement automated workflows, build a solid foundation, and connect your risks before you start looking into more advanced capabilities such as digital automation. When the time is right, digital automation can bring needed efficiencies to SOX compliance through automated testing and continuous monitoring. As you prioritize which technologies to explore and ultimately implement, ask yourself:
- In what ways do your processes need to be more secure and accessible, and less disruptive or labor-intensive?
- In what areas can you use technology to better centralize, control, and drive value from your SOX readiness activities?
- Do you have a “single source of truth” that all resources can rely on? The greater the potential that resources are relying on outdated or disparate sources, the greater the risk that your SOX program will fail to properly assess risk or detect deficiencies.
- How susceptible is your program to impacts from changing market, workforce, and workplace conditions? Enabling technologies can offer standardized, scalable processes and frameworks that remain stable regardless of turnover or other disruptions.
By making thoughtful choices about your SOX operating model and committing to evolving it over time, you unlock the potential to not only improve the productivity, efficiency, quality, and cost-effectiveness of your SOX work, but also elevate the role and value of the internal audit function while more effectively managing risk across the organization.
To learn more about preparing for SOX readiness, download the full guide, The Road to SOX Readiness: A Practical Guide to Choosing an Operating Model for Your Organization.