While the Sarbanes-Oxley Act (SOX) is a familiar topic, organizations continue to search for the best practice to approach SOX attestation. Furthermore, the drastic changes in technology over the last ten years, and legislation updates, along with the impetus of the COSO 2013 framework, drive the need to establish a holistic SOX compliance management program.
Many assume SOX compliance to be a herculean task. However, when done in a systematic manner, compliance can be simple and easy to achieve.
Here are 3 Super Easy Steps that help you take the necessary actions proactively.
Incorporate a Continuous Assessment Process
Identify and assess controls to ensure they evolve with changes in regulations. Businesses go through changes in systems, people, processes, or technology, and without proper evaluation the internal control design may no longer be effective in achieving business objectives. The Sarbanes-Oxley process has to be continuous, with strong emphasis on the fraud risk areas that these changes can create.
Risk Assessment should be Top-Down
A top-down risk assessment will enable you to identify significant accounts that are relevant for specific assertions, considering qualitative and quantitative risk factors. The auditing standards emphasize this, yet organizations usually do not focus on it as much as they should.
The PCAOB stated in AS 2 and later in AS 5 that care should be taken to assess the susceptibility to misstatement due to error or fraud.
Another area of assessment is the volume of activity, its complexity, and the nature of the accounts and disclosures. COSO 2013 highlights the importance of assessing accounting and reporting complexities, including aspects that make the accounting process more difficult, such as estimates and judgments. Exposure to losses in the accounts, the possibility of significant contingent liabilities, and related-party transactions that change periodically also require due scrutiny.
Make Technology Imperative
For an effective SOX Compliance Program, technology is a key driver to simplify and streamline compliance processes. Technology enables automation of workflows and centralized libraries, thereby providing significant value. An integrated library of risks and controls can be mapped to processes, policies and risks, which helps standardize data collection and documentation.
Another element of a successful SOX Compliance Program is to ensure operational efficiency in organizing, managing and assessing internal controls, performing tests from a regulation and risk standpoint, and reviewing key controls frequently. Advanced solutions support integrated, closed-loop issue remediation that assigns exceptions or issues for follow-up and mitigation and tracks them to closure. They provide effective, real-time reporting capabilities for the board and executives, highlighting risk exposures and control effectiveness.
Complying with the Sarbanes-Oxley Act is not a one-time process. One of the imperatives of SOX and COSO 2013 is that organizations need to re-evaluate their internal controls regularly and perform continuous accounting risk assessments. An integrated GRC approach can link internal controls with the organization's risks and business processes to align them with the five COSO components, thereby improving overall corporate governance. This helps in understanding the impact of a control failure on the organization, its business environment and its products.
SOX compliance is not focused solely on financial reporting but also extends to operations, including technology, considering that an organization's business revenue stems from operations and that is where potential fraud lies. The focus on implementing COSO's framework of internal controls should be operationalized all the way down, using a risk-based approach throughout the process.