What Are SOX Controls? Best Practices for Defining Your Scope

What Are SOX Controls? Best Practices for Defining Your Scope

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that has been in place for over 20 years, but many people still have difficulty explaining in simple terms what we mean by SOX controls. How do you identify SOX versus non-SOX controls? What about key controls? How should SOX internal controls be applied to cybersecurity and information security matters? Is SOX compliance mandatory? Get answers to these and many more SOX controls questions below.

Kim Pham gives an overview of what SOX controls are, how to test them, and how SOXHUB can help.

SOX Compliance Requirements

Broadly speaking, the SOX requirements for public companies include having internal controls in place for processes and systems impacting financial reporting. The objective of SOX regulations is to ensure accurate and reliable financial reporting, and to build trust with investors and the public after a series of fraud scandals rocked the markets including Enron and WorldCom. The confusion is mostly a matter of scoping — understanding where SOX ends and regular management internal controls start.

The Sarbanes-Oxley Act of 2002 has eleven titles, with three, in particular, having a major impact on financial reporting and the responsibilities of the CEO and CFO of a company: Section 302, Section 404, and Section 906

  • Section 302 mandates that CEOs and CFOs must certify the financial records of their companies, indicating that 1) Reports are accurate, 2) Reports are fairly presented in all material aspects, 3) Acknowledgment of responsibility for disclosure controls, procedures, and internal controls over financial reporting, and 4) Reports are risk-based. Essentially, this holds CEOs and CFOs accountable for their organization’s financial statements — this may seem like a no-brainer today, but wasn’t codified until SOX was passed. 
  • Section 404 requires publicly-traded companies and companies pursuing an IPO to engage accounting firms to independently assess and sign off on management’s assessment of internal controls. 
  • Section 902 explicitly opens the way for criminal penalties to be issued in the event of non-compliance.

The Sarbanes-Oxley Act also facilitated the creation of the Public Company Accounting Oversight Board (PCAOB) who watch the watchmen — that is, the PCAOB is responsible for auditing the auditors and accounting firms who sign off on organizations’ financial statements and internal control reports.

Image: Section 302, Section 404, and Section 906 Summary from Deloitte

Source: Deloite SOX Compliance

SOX Controls Defined 

SOX controls are those controls that are relevant to SOX. What does that mean, exactly? Well, the Sarbanes-Oxley Act has a very specific jurisdiction — that is, it governs requirements about how internal controls structures should support accurate, honest, and trustworthy financial information reporting. So, SOX controls are those controls that address, mitigate, or otherwise manage risks to the accuracy and integrity of financial reporting.

Not all controls in an organization’s environment will be in-scope for SOX, but many will. The best way to determine if a control should be considered relevant for SOX purposes is to ask: 

  1. Does this control relate to or input into the financial information used for financial disclosures?
  2. Does this control affect financially material accounts or financial statement reporting in any way?
  3. Does this control affect any systems or processes that feed into financial statement reporting?

If the answer is yes to any of these questions, an organization may want to include that control in the scope of their SOX procedures and internal controls reporting.

Is SOX Compliance Mandatory?

Becoming and remaining SOX compliant is a requirement for publicly traded companies and is in the best interest for companies that may soon be pursuing an IPO. However, SOX compliance is not required for nonprofit organizations and private companies.

Though they may not be subject to SOX, nonprofits and private companies may still want to leverage some of the internal controls frameworks available, such as COSO’s Internal Control – Integrated Framework (ICIF) and COBIT, to apply risk management and internal controls best practices to their organizations.

How Many SOX Controls Are There?

There’s no set number of SOX controls that an organization is required to implement. Taking a risk-based approach to internal controls (which is recommended) means that each business will have a different palette of risks and controls that address them. The number of SOX controls a company operates can vary greatly, and does not directly correlate to the success or effectiveness of a SOX program — a higher number of controls is not always the best risk-mitigation strategy. That said, there are many controls that companies will have in common with SOX. Some of these common controls include access controls, segregation of duties, change management, various business processes, data backup, and even corporate governance controls.

The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates

SOX 404 Controls

SOX 404 refers to a section of the SOX Act (Section 404) that spells out the SOX requirement for management to implement internal controls over financial reporting. Specifically, SOX Section 404 mandates: 

(Sec. 404) Directs the SEC to require by rule that annual reports include an internal control report which: (1) avers management responsibility for maintaining adequate internal control mechanisms for financial reporting; and (2) evaluates the efficacy of such mechanisms. Requires the public accounting firm responsible for the audit report to attest to and report on the assessment made by the issuer.

Section 404 is the section that explicitly requires a public accounting audit on the assessments made by a company’s management and leadership team. When used as shorthand, SOX 404 controls can refer to those controls that will be audited by a public accounting firm for compliance with the Act.

SOX IT Controls and Cybersecurity

In general, SOX requirements include both business process controls and SOX IT controls. On the business side, the controls in-scope are those around the accuracy of the data feeding into financial reporting, along with reconciliations, and financial data processing. From the IT perspective, there are IT general controls (ITGCs) and application controls. The goals for SOX IT controls are to ensure the systems are well-controlled, accurate, complete, and free of errors that could potentially impact financial reporting. 

The key to defining your scope for SOX is to understand which processes and systems actually impact financial reporting. Where most get confused is in differentiating between critical IT systems versus SOX IT systems. You may have a system holding all of your customers’ information, a critical component to the success of your organization, but if that system does not capture financial data feeding into your financial reporting, it is not a SOX application. It should still be well-controlled, but it is not in scope for SOX testing. In contrast, a data center hosting SOX-sensitive (i.e. financial) systems, data, or information would be considered in-scope, and might even require a physical audit.

When it was originally issued, the Sarbanes-Oxley Act did not account for the emerging cybersecurity threat landscape. Still, the implementation and maintenance of a strong internal controls program typically calls for strong security controls as well, especially around sensitive data that may impact financial reporting. Controls under SOX that also impact a company’s cybersecurity posture include incident response and remediation, business continuity planning, and data security (in relation to financial data).

SOX controls can help an organization recover from data breaches and security breaches by encouraging a healthy and effective internal control environment. To this end, automation of controls has become increasingly important, especially in the arena of information technology, as automated controls reduce the amount of manual, human effort needed to mitigate risks, and also address the potential for user error when executing controls.

Even though SOX is not explicitly framed to encourage cybersecurity best practices, stakeholders should keep security in mind as cyber threats can now cost companies and organizations massively in dollars and reputation.

Key SOX Controls

Within the SOX controls, we designate the primary controls for mitigating risk as key controls. Considerable reliance is put on the key controls, so these should be monitored and tested more frequently. Organizations may also want to set up compensating controls to support key controls should they ever fail to operate. Compensating controls can provide additional assurance that financial information is being accurately reported. Since controls identified as “key” can have a massive impact on internal controls related to financial reporting, SOX teams should stay on top of these processes and understand their ins and outs.

SOX Controls Testing

SOX control testing is a function performed by either management or internal audit or both, as well as by external auditors from a public accounting firm. SOX control testing is performed to find out if the controls are working as intended or if there are any gaps in the internal control process.

External auditors will perform tests of controls to vet management’s assertions and validate that controls are operating as designed and intended. An organization’s internal audit teams and their external auditors can test SOX controls by first understanding the control and what risks the control is designed to mitigate, then designing a test around the control’s key attributes or gates, and finally obtaining the evidence and reasonable assurance they need to determine if the control is working as intended, or if there are any findings. 

SOX Reporting

SOX reporting is usually done both internally and externally. Internal SOX reporting includes SOX testing status updates created by management with any issues they have found and remediation plans to address any gaps. External SOX reporting is the output from the external auditor’s independent testing. Their reporting culminates in the opinion they express in the financial statements about management’s internal controls over financial reporting. 

Start Testing SOX Controls Today

Due to the scope and complexity of maintaining audit programs to meet SOX requirements, The Institute of Internal Auditors (IIA) recommends that management start testing SOX controls early each year and consider the program an ongoing, year-round internal control testing process. 

SOX Compliance Checklist

1) Define the SOX Audit Scope Using a Risk Assessment Approach

PCAOB AS 2201 states, “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”

This step in a SOX compliance audit should not result in a list of compliance procedures, but should instead help the auditor identify potential risks and sources, how it might impact the business, and whether the internal controls qualify as SOX controls — i.e. whether they will provide reasonable assurance that a material error will be avoided, prevented, or detected.

2) Determine Materiality in SOX – Accounts, Statements, Locations, Processes, and Major Transactions

  • Step 1. Determine what items are considered material to P&L and the balance sheet. Financial statement items are considered “material” if they can influence the economic decisions of users. Auditors can typically determine what is material by calculating a certain percentage of key financial statement accounts. For example, 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and BS accounts.

  • Step 2 – Determine all locations holding material account balances. Analyze the financials for all the locations where you do business. If any of the financial statement account balances at these locations exceed what was determined as material (in Step 1), chances are they will be considered material and in-scope for SOX testing in the coming year.

  • Step 3 – Identify transactions populating material account balances. Meet with your Controller and the specific process owners to determine the transactions (both debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they are recorded should be documented in a narrative, flowchart, or both.
  • Step 4 – Identify financial reporting risks for material accounts. Seek to understand what could prevent the transaction from being correctly recorded, or the specific risk event. Then, document the effect the risk event could have on the account balance being incorrectly recorded, or the breakdown of the financial statement assertion.

3) Identify SOX Controls – Non-Key & Key Controls, ITGCs, and Other Entity-Level Controls

During your materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They will seek to identify the checks and balances in the financial reporting process that ensure the transactions are recorded correctly, and account balances are calculated accurately.

Often material accounts need multiple controls in place to prevent a material misstatement from occurring. However, audit teams are cautioned from applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Inadvertently, each new control is often classified as “key” without performing a true risk assessment, which then contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts.

To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.

Finalizing an Effective System of Internal Controls Plan

Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated SOX IT controls. For the automated controls identified, you should evaluate whether the underlying system is in scope for ITGC testing, which will impact your overall testing strategy of the control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of SOX IT control testing needed to be performed.

Once you have defined your scope and identified your SOX controls using these best practices, you will be on track to developing a well-rounded SOX testing program. Learn more about how to build upon this foundation in How to Build a Well-Rounded SOX Testing Program

Meeting SOX requirements does not need to be overly complicated. Implementing SOX compliance software such as AuditBoard’s SOXHUB can help you eliminate version control issues in your SOX documentation process, centralize SOX control testing, facilitate SOX reporting, as well as streamline your SOX program from end to end. 

Vice

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.