Successfully Navigate Your Company to SOX Compliance
It has been nearly 20 years since the likes of Enron and WorldCom altered the trajectory of accounting and finance. In those two decades, almost every accountant-to-be has been learning about these infamous scandals and how they came about. In the process of learning about the fallout of these scandals, many of us were simultaneously introduced to our good friends Senator Paul Sarbanes and Senator Michael Oxley.
The Sarbanes-Oxley Act of 2002, better known as SOX, was created and enacted to prevent similar catastrophic financial failures from occurring again. Clients and financial service institutions alike have been working on ensuring their clients are SOX compliant to this day. But what exactly does SOX compliance entail? What can you be doing to ensure that your organization is compliant without disrupting the flow of your everyday business? We first need to start with the basics.
What is SOX Compliance?
When referring to the term and concept of SOX compliance, you should look at it through two lenses: financial compliance and IT compliance. The financial side of SOX compliance involves implementing, performing, and maintaining internal controls throughout the business in any areas that ultimately affect financial statements and reporting. The IT portion of SOX compliance revolves around securing the critical systems and applications used in executing those aforementioned internal controls and business processes. Financial compliance and IT compliance are essential steps in preparing your organization for SOX audits, a necessary item for companies looking to go public.
What Goes Into a SOX Audit?
SOX audits require testing the design and effectiveness of business process controls, and IT controls. A SOX audit can seem like a daunting undertaking; where do you even begin?
Before diving in and identifying and testing controls, you need to create a plan. This plan is usually based on a risk assessment that helps determine the SOX audit scope, material accounts and processes, and internal controls.
Walkthroughs and Documentation
Once you have a roadmap of your audit plan and have identified the internal controls and critical processes, the next step is to conduct walkthroughs with process owners and document the procedures. Process documentation can be completed in various forms, most commonly in the form of narratives and flowcharts, or even a combination of both.
Test of Designs
So, you’ve met with process owners and documented the processes and controls within the process; now it’s time to test the control. Test of design entails acquiring a sample of one instance of the control and testing it to evaluate if the control was designed appropriately. When you enter the test of design phages, we recommend asking, “is this control doing what it is supposed to be doing to mitigate the risk of material misstatement?”
Test of Operating Effectiveness
This phase takes the testing done during Phase 3 and extrapolates it across multiple samples. The purpose is to evaluate if the control is operating effectively; you know it is designed effectively but is it being performed correctly over a more extended period? The number of samples depends on how often the control operates, from annual to monthly to transactional controls that happen hundreds of times a month.
When performing the testing above, you may identify controls that are not designed appropriately or are not operating effectively. That’s completely normal. The good news you’ve identified the issues. Based on the exceptions or gaps that you may have found, management then creates a remediation plan for the control, which should have the control operating effectively moving forward.
Conclusion and Evaluation
At this point, you get to take a step back and evaluate the audit results. Results are often compared to the assessments conducted during the Planning phase; outstanding issues are documented and logged to ensure they are followed upon for the following year and remediated appropriately. The conclusions on internal controls are included in financial statement reporting.
What Are Some Challenges of SOX Compliance?
One of the challenges and perceived roadblocks with SOX compliance is implementing all the controls necessary to create a SOX compliant environment, especially amongst control owners. Owning a control can often be seen as a nuisance by control owners; it feels like yet another task on what may be a long list of their typical responsibilities. This may feel doubly true during an audit, with testers asking for supporting documentation.
The goal of internal controls is to have them implemented such that they occur in the natural flow of the business’s process. Reviewing reconciliations, approving changes to user roles in applications, and other various tasks shouldn’t be viewed as unnecessary roadblocks but important checkpoints in a process to make sure that your financial statements are correctly presented.
Whether you are an established public company looking for help with testing controls or a private company that wants to be SOX-ready if the time comes to go public or anywhere in-between, it’s important to ensure your organization is SOX Compliant. With numerous rules and regulations to abide by, it can be challenging to confirm you’re on the right track. If you need help with SOX compliance, DLC can navigate the path to reaching SOX compliance. Our internal controls and SOX experts have experience with various industries, client sizes, and control environments that help us cater to your needs. Request a consultation today.