How COVID-19 is Transforming the Internal Audit
Everything You Need to Know About SOX Compliance Testing
It would be nice if the SEC could just use the honor system for compliance. But we all know that outside of the Boy Scouts and maybe elementary school classrooms – emphasis on the maybe – there's a very good reason for rules and regulations. SOX testing is a perfect example of that notion, a mandatory system of checks and balances that ensures everyone is playing by the rules.
For newly public companies or those driving down the pre-IPO path, however, testing for SOX compliance is sometimes overwhelming, often perplexing new territory. So to clear up any ambiguity or downright confusion, we're going to take a look at SOX testing, what it involves, and provide some handy best practices as we go. As you'll see, the highway to SOX compliance isn't nearly as daunting as you might think as long as you're following the right regulatory road signs.
What Is SOX Compliance Testing?
Before we begin, we want to make sure that everyone's on the same page. We're zooming in on SOX testing with this missive, and not so much a higher-level discussion on Sarbanes-Oxley or implementing SOX compliance. But as the hyperlinks indicate, those are both subjects we've covered in the past, so, if necessary, review those previous insights if you need a refresher course on SOX. We'll wait for you.
Now that we've cleared up that up, let's take a look at SOX testing. Just as you might've thought, when we say SOX compliance testing, we're referring to the processes your company uses for the assessment of internal controls related to your financial reporting. This testing is mandatory for all public companies according to the Sarbanes-Oxley Act of 2002 and required by the Public Company Accounting Oversight Board (PCAOB) for your audit.
A Brief History of SOX Testing
Enron. Arthur Andersen. Tyco. Worldcom. You've heard the names before, so you're probably familiar with their special brand of blatant financial skulduggery – yeah, we said it. While those scandals might've been the trigger point for SOX, what led to the sweeping regulations was actually decades of assorted accounting debacles that repeatedly eroded the public's trust in the financial markets and systems. Something had to finally give.
And that's where internal controls over financial reporting enter the fray. As spelled out in the SOX testing requirements, companies must now have built-in safeguards to prevent accounting & reporting fraud, using guidelines like the COSO framework – the gold standard in internal control assessment – and other tools to help their efforts.
Walk Before You Run: Designing Your Controls
Remember, the whole point of SOX testing is to ensure the adequacy of your reporting internal controls. Therefore, the entire exercise is a moot point if your controls aren't well-designed in the first place. Because if they're not, the resulting gaps will inevitably turn your testing procedures – and your audit as well – into an exhausting, humbling, and frustrating experience.
When designing your controls, it's often best to ask yourself a few simple questions from a risk management perspective:
- What could go wrong?
- What are the risks inherent to this particular process?
- Where are we exposed to risk?
Naturally, you want to design controls that mitigate those risks. In a broader sense, narrowing your focus on risk assessment allows you to spend your time, energy, and resources most efficiently.
Start by identifying the accounts and transactions that have the most impact on your financials. This could be time-consuming since the people in your company that best understand your sources of risk don't necessarily work in the same office or eat lunch together. But it's worth it to root out all the different sources of risk to save you more than a few headaches down the regulatory line.
Process Narratives are Your Friends
As you hunker down in your control design, we suggest becoming well acquainted with your process narratives, understanding who and what is involved with each of your processes and controls. A flowchart can be very beneficial to help you visualize the different moving parts, whether simply on a piece of paper, a spreadsheet, or dedicated software. Whatever route you choose, just performing the exercise will help you see the process from beginning to end or, in the case of SOX compliance requirements, from inception to the financial statements.
For example, if you were to make a list of all the different tasks involved with creating and maintaining your financials, designate those tasks that carry elevated risk with a red dot, asterisk, bold and/or italicized font, or whichever direction your artistic prowess takes you.
After you're done, look at all those designated risks and line them up with an associated control. If there isn't one, then you obviously have some work to do. However, this deliberate approach will help ensure there are no gaps and that you address every financial statement assertion.
As you go, keep in mind that there is a distinct difference between your processes and your controls. A process is independent of any control activity, meaning, a process may exist without associated controls. We say this simply because we've seen companies label something a “control” when they're in fact processes, not controls. Like it or not, it’s not just a matter of semantics, so you must make sure you identify, label, and test the right things.
Also, as an important side note, don't think that every source of risk needs to have an elaborate control. Sometimes, merely assigning a manager review is more than adequate. With very high-risk areas, though, you're going to want to have a pretty robust control over that task.
Likewise, to keep everything manageable, consider giving each process its own risk assessment and control matrix. In other words, there's no reason to squeeze your financial reporting and acquisitions into the same control matrix. Try to keep everything as clear, concise, and understandable as possible. Your auditors will thank you for it.
Partner With Your External Auditors
Our final point before getting into the nitty-gritty of SOX testing concerns your external auditors. They are not the enemy and want nothing more than to see your business flourish, albeit in a compliant way.
Keep your auditors in the loop as you design your controls so they can give you feedback on how they view the most critical processes and key controls. This will prevent you from getting too far down the path before finding out that your auditors don't necessarily agree with what you're doing.
As you wrap up your control design with insights from your external auditors, it's also a good idea to sit down with your management team and take a close look at your control environment. Try to spot any gaps, deficiencies, or inaccuracies. Afterward, do the same thing with your audit team, also sending them your control matrices at some point so they can look over your control documentation.
PCAOB auditing standards and areas of focus can and do change, so working in unison with your audit team will ensure you've covered all the bases. Your walk-throughs provide an excellent opportunity to break open the toolbox and get to work fixing your internal control structure and environment.
Think of walk-through as batting practice, an essential component to your ultimate success. If you don’t get that practice in and perfect your swing – at least as best you can – you’re never going to catch-up to a high-and-tight two-seamer once you’re under the bright lights. And trust us when we say that you don’t want to strike out on your SOX compliance. Put in the preparation and effort during your walk-through to prevent such calamities.
So to summarize what we've said about risk assessment and control design before moving on:
- Identify key sources of risk
- Map out your processes and identify the related risks
- Make sure those designated risks have corresponding controls
- Speak with your external auditors early & often about your control environment
- Perform a final review with your management team and key control owners
- Let your audit team review your control matrices
SOX Internal Control Testing
So with all of that said, what exactly does SOX testing mean in a practical sense? Well, quite a bit for a company's SOX compliance team. Actually, for the entire organization. SOX compliance involves everyone from HR to IT, so it's in no way relegated to your accounting function.
In fact, given the scope of SOX compliance testing, it's always a good idea to have a kick-off meeting with all of the SOX-oriented control owners throughout the company. Such a meeting is an effective way to communicate everything that people should be thinking about.
When it comes to the actual testing, however, you'll definitely want to take a deliberate, organized approach that follows a sequence of events.
- Develop your test plans – Your testing procedures should give you the framework you need to evaluate the effectiveness of the key controls for each process. This is essential to provide reasonable assurance that you will achieve your control objectives for the relevant financial statement assertions.
- Complete the SOX testing procedures – Once your test plans are ready, you then conduct the actual control tests, making sure to identify, analyze, and document everything needed to demonstrate the successful completion of your testing objectives. Ultimately, this is where you're trying to provide adequate evidence to form an opinion concerning your critical controls and if they are operating effectively.
- Document the results of your test procedures – The SEC states that you "must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over reporting." That's a long-winded way of saying that you must be able to prove the operating effectiveness of your controls. Make sure your documentation meets the expectations of the SEC and PCAOB.
- Address any control deficiencies – As you were completing your testing, you should have been able to identify any control deficiencies that indicate a key control is not functioning properly. You should document your remediation steps for auditor review to avoid any deficiencies or material weaknesses going forward.
Further, because SOX testing is an ongoing process, you'll want to conduct your testing throughout the year, as follows:
- Initial – Your initial round involves a start-to-finish walk-through of all key processes and controls. During this time, you’ll assess the design of relevant controls and verify that the actual process is consistent with that detailed in your process narratives or flow charts.
- Interim – In this round, you start testing to be sure the controls are operating as designed. Test the controls from the initial round to make sure they're still operating correctly, documenting and testing any changes to the controls. Also, you should update non-routine controls and those with a high degree of judgment or subjectivity with additional samples. Your team will send out evidence requests to the different control owners and track the responses, approvals, and any other supporting documentation. Starting early will give you plenty of time to address any deficiencies you discover along the way.
- Year-end – This final round involves testing controls that only require annual testing, as well as those that failed during the initial or interim rounds. Also, you should update non-routine controls and those with a high degree of judgment or subjectivity with additional samples. If you have any deficient controls, this is when you document those all-important remediation steps for your auditor.
After that third round of testing – and ideally throughout all three rounds – your independent auditors will either test your controls or perform procedures so they can rely on the work of your SOX & internal audit team’s testing. The external auditors must also review your documentation and determine if they agree with management's assessment of your internal control environment before they can sign off.
A Brief Word on Information Provided by the Entity (IPE)
Remember how we started off by talking about the honor system? Well, the PCAOB is taking a much closer look at how audit procedures cover IPE. This means external auditors are feeling the heat, which, of course, means you are as well. Simply put, you need to be able to show that you understand where the financial data feeding into your spreadsheets and reports comes from and, just as importantly, that it's accurate and reliable. Like it or not, there is no honor system when it comes to your SOX audit – if you can't prove it, it might as well not exist.
What does this mean for your controls and testing? You need to identify your data inventory and map it to the appropriate controls. Once again, if you're missing a control, then it's time to roll-up your sleeves and design one. Afterward, you test them just like any other control. The reason we're explicitly targeting IPE, however, is the increased scrutiny. Every control under the SOX microscope is important, but those relating to IPE are under an especially bright light.
Other Considerations: Your SOX Audit Requirements
Although we've devoted most of our attention thus far to the management side of your SOX testing requirements, there are plenty of other considerations to keep in mind..
As we said before, your control environment for SOX compliance really does span across your enterprise. For example, on the HR side of the equation, your SOX audit might include interviewing staff to ensure the company has SOX-required ethics policies and training.
SOX IT Testing & Audit Requirements
SOX, of course, also wields a mighty IT sword, requiring you to monitor, log, and audit certain parameters and conditions, including:
- Internal controls
- Network activity
- Database activity
- Login activity (including failed login attempts)
- Account activity
- User activity
- Information Access
When it comes to your SOX IT audit, using a control framework like COBIT – think of it as a focused version of COSO specifically for IT processes – gives your auditor the mandated framework they need to audit your IT-related controls effectively.
As the previous list indicates, the IT portion of your SOX compliance audit takes a pretty deep dive into the internal controls for all of your IT assets, including computers, network hardware, and any other electronic/digital equipment that financial data passes through. Specifically, your SOX IT audit will focus on four internal control categories:
- IT security – The fraudsters are out in full force and would love to get their hands on your sensitive data, or even just wreak havoc on your systems. You need the proper controls in place to prevent breaches as well as the tools and procedures to effectively address incidents if they occur. This means that you should invest in equipment and services that will help keep your financial data and systems out of harm's way.
- Access controls – It goes without saying that limiting access – both physical and digital – to sensitive financial information is absolutely crucial for integrity in your data and systems. This portion of the audit includes everything from filing cabinet keys to data center locations and your password controls. When it comes to such sensitive information, everyone is on a need-to-know basis – if they don't need to know, then they don't need access. Keep that circle of trust as tight as possible.
- Data backup – When systems glitch, digital bedlam reigns supreme for some time. But if you maintain adequate backup systems, then your financial data stays secure, even in the mightiest of glitches. Just remember that any data centers you use for this purpose, including off-site facilities and third-parties, are subject to the same SOX requirements as your onsite backups.
- Change management – Companies are getting more dynamic by the day, having people change positions, departments, and employers all the time. Your IT team must have proper controls in place when adding new users and equipment, installing or updating new software, and changing your databases or data infrastructure. Always keep detailed records of what you changed along with who changed it and when it occurred.
Don't look at these admittedly thorough auditing procedures as a pain, though. Aside from keeping everything as secure as possible, testing these IT controls also helps you identify unneeded redundancies and other areas of inefficiency. In other words, while managing your risks and improving response times to data breaches, testing these controls can also increase productivity and drive down costs.
Technology Is Your SOX Testing Best Friend
Looking over the testing procedures, there's an awful lot of people and tasks involved. From your accounting and finance functions to HR, IT, and beyond, it takes a village to tackle SOX compliance, at least if you want to go about it properly.
That said, technology should play a central role in your SOX compliance, automating many tasks that would otherwise absorb hundreds of hours of time, effort, and resources that you could otherwise devote elsewhere. Don't forget that you still have a business to run and, outside of internal auditors and maybe a few specialists like a Director of Compliance if you have such a position, everyone still has their own jobs to perform.
We usually look to Workiva's Wdesk solution for tools that can automate many of the record-to-report functions as well as certain features that naturally lend themselves to streamlined SOX compliance and testing. But Wdesk certainly isn’t the only game in town so, no matter what platform you choose, we recommend it provides particular benefits:
- Efficient data collection and testing – This function lets managers easily communicate with control owners, allowing them to quickly send testing documents and other relevant materials. This also makes annotating and reviewing documents much more convenient and efficient.
- Collaboration with internal & external audit – Effective SOX compliance & testing means one hand always knows what the other is up to. Creating a single environment to generate, edit, and store documents related to your compliance and testing creates far greater transparency and communication between you, your internal audit team, and external auditors.
- Automated certifications – Streamlining this function will help you meet tight deadlines, enhance compliance, and view the status of information requests from a centralized location.
- Single source of truth – While there's never a good time for a collapse in version control, this is especially true for your SOX compliance testing. When you make changes to documents like a control matrix, flowchart, process narrative, or any testing document, your SOX compliance solution should make the changes from a single source of truth to ensure all versions automatically update for the change.
So that was a lot of information. The good news, however, is that you don't have to perfect your SOX compliance and testing procedures overnight. It's a process, just like any initiative within your organization. But that doesn't mean there's time to dilly-dally, either. Our advice is to familiarize yourself with the essential acronyms – PCAOB, COSO, COBIT, etc. – and start your risk assessment as soon as possible because, as we said, it can take a while. And as always, Embark is here to lend a regulatory hand should you need one. It's what we do.