Once Internal Audit has identified the SOX controls that will be in scope for testing, the next step is planning the year’s testing process. In this article we will discuss how to build upon your risk assessment to build out a quality SOX testing program to help you meet your SOX compliance requirements.
SOX Compliance Checklist: Building a SOX Testing Program
1. Performing a Fraud Risk Assessment
An effective system for internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing the instances of fraud in an organization. Below are examples of anti-fraud internal controls and practices organizations can implement to strengthen the outcomes of SOX testing:
- Segregation of duties, wherein the work of one individual should be either independent of, or serves to check on, the work of another. Examples:
- Custody of Assets
- Authorization/Approval of related transactions affecting those assets
- Recording and reporting of related transactions
- Policies and procedures surrounding employee reimbursements.
- Having an internal whistleblower mechanism within the organization.
- Periodic reconciliation of bank accounts to identify unexpected differences and prevent future occurrences, such as: accounting delays, restricting auto-debits to vendors, etc.
2. Managing Process and SOX Controls Documentation
Details of the operation of key controls, such as control descriptions, frequency, SOX test procedures, associated risk, population, and evidence are established within the control narrative and documentation. Often, risk and control mapping has a many-to-many relationship which can make manual documentation difficult. Some examples include: risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls. As any audit manager can attest, if one member of the team fails to make a timely edit or forgot to make updates across all test sheets, the downstream ripple effect can cost managers hours and hours of cleanup.
The solution is to leverage an underlying relationship database to act as a central repository and as the foundation of the audit program. SOX software constructed upon purpose-built database structures can allow auditors to quickly pull or push information to and from a database, and have those results cascade throughout the entire SOX program instantly.
Benefits of Purpose-Built SOX Software:
- SOX documentation becomes simple and doesn’t require making edits across several standalone spreadsheet files.
- Speed, accuracy, and scalability of a database solution will exceed the benefits of “spreadsheet familiarity.”*
- Saves time spent reconciling version control issues
*For annual audit results to be used year over year, a spreadsheet cannot handle the large volumes of data.
3. Testing Key Controls
The overall objective to SOX testing is threefold:
1) Ensure the process or test procedures as outlined are an effective method for testing the control.
2) Ensure the control is being performed throughout the entire period and by the assigned process owner.
3) Ensure the control has been successful in preventing or detecting any material misstatements. In short, control testing validates design and operating effectiveness.
SOX tests may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, walkthrough of the transaction, inspection of the documentation, and/or a re-performance of the process.
4. Assessing Deficiencies in SOX
Ongoing investment into a SOX testing program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.
During the SOX testing process and analysis, the auditor may identify an exemption, deficiency or gap in the tested sample. If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses if it was a design failure in the control or an operating failure where training, responsibilities, or process needs to be adjusted. Lastly, management and the audit team asses whether or not it is a material weakness (as described above, typically a percentage of variance and with a high-risk level) and will be reported on the end-of-year financials or it was only a significant weakness.
5. Delivering Management’s Report on Controls
The end product of SOX testing is management’s report on controls over financial reporting that is delivered to the audit committee. While a substantial amount of documentation and data is collected during the process, the SOX report should include:
- Summary of management’s opinion and support for those conclusions.
- Review of the framework used, evidence collected, and summary of results.
- Results from each of the tests - entity-level, IT, key controls.
- Identification of the control failures, gaps, and corresponding root causes.
- Assessment made by the company’s independent, external auditor.
As mentioned above, purpose-built SOX software such as AuditBoard can help you streamline SOX documentation, save time, and gain efficiencies in SOX testing year over year. Learn how by filling out the form below.