10 Steps to SOX Efficiency
The Institute of Internal Auditor Magazine (October 2008) has an excellent article written by Norman Marks, CPA, VP Governance at Business Objects (an SAP company). It contains practical information about the questions companies should be asking, and the reviews they should be doing, to ensure that their SOX processes are as efficient and effective as possible.
Some highlights and excerpts are as follows:
1. Has operating management taken ownership of its processes and documentation, rather than leaving that job to the SOX or finance team?
2. Does operating management update all processes and control documentation promptly throughout the year, not just when testing starts? Is there an effective change management process in place?
3. Is operating management committed to assessing and remediating all control deficiencies promptly?
4. Has a top-down, risk-based approach been used to identify financial reporting risks and related key controls? Is management confident that all identified key controls are truly “key”?
a. Key Controls – defined as a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected.
b. Entity-Level Controls – management should consider adding direct entity-level controls such as account fluctuation or trend analysis at corporate, divisional, or regional levels that would provide sufficient assurance that a material error would be detected. Installing a higher-level control may enable management to eliminate from scope a number of activity-level controls.
c. Fraud controls – many companies needlessly test controls related to fraud schemes or thefts that would never result in a material error in the financial statements.
d. Redundant controls – companies should ensure that redundant controls are not included in testing. An example would be having strong automated and manual controls in place over a particular process, and then testing both. This often occurs because IT General controls and Business Process controls are designed and tested separately, with an inherent lack of coordination between the two.
e. IT General controls – the Institute of Internal Auditors has published the Guide to the Assessment of IT Risk (GAIT) to assist with the scoping of IT general controls. If management is not using GAIT to define the scope of IT general controls, the scope is not likely to be efficient. 80% of those surveyed using GAIT indicated a reduction in key controls of 10%, and some as high as 20%.
f. Monitoring controls – efficiencies may be realized by implementing monitoring controls that ensure other controls are operating effectively. Management can use a checklist during the period-close to confirm that all major account reconciliations have been completed, rather than performing a detailed testing of each reconciliation to check for timely completion.
5. Are SOX managers at a high enough level in the organization to perform their responsibilities effectively?
6. Is the use of internal resources optimized, including the use of internal auditors to perform testing or to validate testing performed by management staff?
7. Has overall staffing been optimized, reducing reliance on more expensive external consultants and testers?
8. Has the external auditor’s reliance on management testing been optimized effectively? This is a big one, and includes assessing whether management has done the following:
a. Taken appropriate steps to ensure competency and objectivity of SOX testing.
b. Understood the external auditor’s assessment of the risks related to the controls where the external auditor is not relying on management testing.
c. Negotiated with the external auditor to maximize reliance.
9. Does the external auditor follow a top-down, risk-based approach?
10. Is the SOX program itself assessed for effectiveness on a continual basis, to ensure it is improved as the organization learns from experience and benefits from changes in regulations or their interpretation?
Hope this helps. Please don’t hesitate to contact me at 905-630-1607 if you need further information.
Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington, Ontario, servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services, and is registered as a tax preparer with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.
All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author nor the accounting firm shall accept any liability for any reliance placed on the information posted.