While the Sarbanes-Oxley Act (SOX) is a familiar topic, organizations continue to search for the best practice to approach SOX attestation. Furthermore, the drastic changes in technology over the last ten years, and legislation updates, along with the impetus of the COSO 2013 framework, drive the need to establish a holistic SOX compliance management program.
Many assume SOX compliance to be a herculean task. However, when done in a systematic manner, compliance can be simple and easy to achieve.
Here are 3 super easy steps that help you take the necessary actions proactively.
Incorporate a Continuous Assessment Process
Identify and assess controls to ensure they evolve with changes in regulations. Businesses go through changes in systems, people, processes, or technology, and without proper re-evaluation the internal control design may no longer be effective in achieving business objectives. The Sarbanes-Oxley process has to be continuous, with a high emphasis on the fraud risk areas that can arise from these changes.
SOX Section 404 Compliance Checklist
- Accounting Risk Assessments:
  Define the priority accounts to be reviewed.
  Identify significant accounts or disclosures and relevant assertions.
- Document Process:
  Document transaction flows that materially impact financial statement elements.
- Source Risks:
  Identify what the risks are.
  Use financial reporting assertions to source "what can go wrong" within the process.
- Document Controls:
  Define what the controls are.
  Establish owners for each control.
  Document controls at the source of risk (preventive) or downstream in the process (detective).
- Assess Design:
  Assess the effectiveness of the control design.
- Validate Operation:
  Test the effectiveness of control operation.
The reporting step should loop back to the accounting risk assessment, making sure that this is a continuous process.
Risk Assessment should be Top-Down
A top-down risk assessment enables you to identify the significant accounts that are relevant for specific assertions, considering both qualitative and quantitative risk factors. The auditing standards emphasize this, yet organizations usually do not focus on it as much as they should.
The PCAOB asserted in AS 2, and then in AS 5, that care should be taken to assess the susceptibility of accounts to misstatement due to error or fraud.
Another area of assessment is the volume of activity, its complexity, and the nature of the accounts and disclosures. COSO 2013 highlights the importance of assessing accounting and reporting complexity, including aspects that make the accounting process more difficult, such as estimates and judgments. Exposure to losses in the accounts, the possibility of significant contingent liabilities, and related party transactions that change periodically also require due scrutiny.
SOX Section 302 Compliance Checklist
- Review the SOX Section 302 certification process periodically.
- Ensure that the process is not a series of sign-offs but rather an open-ended process where changes in the control structure can be identified and evaluated, and proper controls put in place.
- Management needs to understand that they are attesting to the adequacy of ongoing internal controls.
- Establish appropriate system controls and streamline documentation requirements.
- Understand and promote COSO 2013 and its intent before auditor or PCAOB intervention:
  Consider COSO principle 8 and focus on potential fraud and relevant controls.
  Organizations should re-evaluate their transition and attestation processes.
- Gain benefits from technology to automate control management, documentation and testing.
- Eliminate duplication of efforts.
- Look for continual improvement opportunities.
- Focus on required general and application controls.
Make Technology Imperative
For an effective SOX compliance program, technology is a key driver to simplify and streamline compliance processes. Technology enables automation of workflows and centralized libraries, thereby providing significant value. An integrated library of risks and controls can be mapped to processes, policies and risks, which supports standardized data collection and documentation.
Another element of a successful SOX compliance program is operational efficiency in organizing, managing and assessing internal controls, performing tests from a regulation and risk standpoint, and reviewing key controls frequently. Advanced solutions support integrated, closed-loop issue remediation that assigns exceptions or issues for follow-up and mitigation and tracks them to closure. They provide effective, real-time reporting capabilities for the board and executives, highlighting risk exposures and control effectiveness.
Complying with the Sarbanes-Oxley Act is not a one-time process. One of the imperatives of SOX and COSO 2013 is that organizations need to re-evaluate their internal controls regularly and perform continuous accounting risk assessments. An integrated GRC approach can link internal controls with the organization's risks and business processes to align them with the five COSO components, thereby improving overall corporate governance. This helps in understanding the impact of a control failure on the organization, its business environment and its products.
SOX compliance is not focused solely on financial reporting but also extends to operations, including technology, considering that an organization's business revenue stems from operations and that is where potential fraud lies. The focus on implementing COSO's framework of internal controls should be operationalized all the way down, using a risk-based approach throughout the process.