As publicly traded companies work to optimize their Sarbanes-Oxley (SOX) compliance, increasing the efficiency and effectiveness of those efforts requires management to better understand organizational risks, align management and the audit committee, train process owners, increase automation, and centralize the monitoring of risk exposures and control performance.
Conduct a Risk Assessment
The optimization process starts with an effective risk assessment that helps the company understand its exposures and map the various controls that help it mitigate those risks. The types and number of needed controls will depend on a specific company and its risks.
It’s also important to avoid imposing more controls than the company needs to mitigate its risks effectively, because each control carries costs for design, documentation, testing, evaluation, and reporting. Understanding the company’s risks and maintaining the right number of controls is key to both effectiveness and efficiency. This can be further enhanced through control rationalization: a deeper review of key risks and the alignment of the control activities that mitigate them.
Management and the Audit Committee
Management and the audit committee play important roles in SOX compliance by setting the appropriate “tone at the top”: actively asking about and understanding the company’s key risks, and allocating resources to the implementation and evaluation of the appropriate controls. By demonstrating that they believe in and understand risk management and compliance, they set a tone that the rest of the company will generally follow.
Maximize External Auditor Reliance
A valuable way to increase efficiency and potentially reduce the cost of a SOX review is making it as easy as possible for external auditors to rely on the company’s testing and documentation. Under SOX, external auditors are required to sign off on the company’s internal controls, give an opinion about the effectiveness of those controls, and identify any deficiencies.
To make these determinations, the auditors will either rely on the company’s control testing and documentation or perform that testing themselves. While a company won’t reach a point where the auditors rely exclusively on the company’s testing, expanding the percentage of company-tested controls increases efficiency: it reduces the volume (and cost) of auditor testing and avoids the same controls being tested twice, once by the company and again by the auditors.
Increase Process Owner Training
Another important step in optimizing SOX compliance is providing training for financial reporting process owners, the managers with oversight responsibilities for specific processes. In addition to the tone at the top set by messaging from a SOX sponsor (e.g., the CFO), managers need to understand the nature of the transactional flows and data involved in significant processes, and be enabled to identify gaps in the performance or documentation of those steps. They should also understand the risks that could affect material accounts.
As part of this training, process owners need to understand the value of testing and documentation outside of preparing for an audit. These steps need to be part of ongoing, year-round risk management activities.
Increase Automation
While the role of automation in financial reporting is still early and evolving in many organizations, streamlining the financial processes that underlie the controls being evaluated will pay dividends in SOX compliance. A large portion of the SOX effort and of control performance consists of steps that are repeated throughout the fiscal year and across fiscal years. Where tasks are repeated and involve systems or applications, there are opportunities to automate.
For instance, the vast majority of the information needed for SOX compliance is produced during the accounting period close. Critical close activities include journal entries, analyses, reconciliations, and approvals, all of which need to be documented and are subject to auditor review.
Tools such as BlackLine increase process accuracy and SOX compliance by importing data from feeds and matching transactions to reconcile accounts automatically, posting journal entries, and coordinating task completion and approval using real-time dashboards. This reduces reliance on manual tools and the risk of data existing in disparate spreadsheets.
To the extent these activities can be automated, both the company and its auditor benefit. Manual processes, documentation, and testing are more expensive and typically have higher rates of deficiencies. Where companies have more automation, auditors see fewer deficiencies, and testing is smoother and more efficient, requiring less work and resulting in lower cost.
Create a Project Management Office
Companies can increase the efficiency and effectiveness of their SOX compliance efforts by creating a project management office to coordinate them. Depending on the size and scope of the company, that oversight could come from one person, a team, or a combination of internal and outsourced resources.
Regardless of how the role is structured, it’s important for those in it to have an appropriate level of knowledge and experience to coordinate the company’s SOX compliance efforts year-round, ensuring that controls are performing as designed and that emerging issues are addressed as quickly as possible.
If your company needs assistance with implementing effective SOX internal controls, reach out to our team of audit professionals who can support you throughout the process.