4 Focus Areas to Meet the Demands Of 2018 SOX Compliance
In a certain sense, Sarbanes-Oxley (SOX) compliance is an annual rite of passage, akin to the arrival of spring or the fall television season. The exact experience changes from year to year, but it always happens. The current regulatory environment makes rigorous demands. The cost of compliance is high, but the cost of noncompliance is even higher. What does this mean for you?
Whether your company is subject to full SOX compliance through an integrated audit, performs a management assessment as an emerging growth company, or is contemplating SOX readiness for upcoming business strategies, knowing what to expect and how to prepare is critical.
Here are four key focus areas to help you meet new demands on SOX compliance and controls.
- ENTITY-LEVEL CONTROLS
Entity-level controls are generally less complex to operate and assess than other key controls. However, they are critical in providing coverage of the COSO framework principles and enabling a risk-based approach within the overall SOX program. Deficiencies in entity-level control activities can signal other issues within the control environment, including a lack of appropriate “tone at the top”, weak control-ownership accountability and an elevated risk of fraud. Multiple deficiencies, taken in aggregate, can result in material weakness disclosures.
How to address this:
- Appropriate Board and Audit Committee awareness and involvement is a critical success factor in setting the tone at the top. Management and front-line control owners should focus on consistent discipline in performing and evidencing key entity-level controls as part of achieving a sustainable, effective SOX program.
- SEGREGATION OF DUTIES
Emphasis on segregation of duties within systems and processes has increased. Audit Committees, rightly so, are making more inquiries of management about the soundness of the organizational structure and the segregation of duties. External auditors expect management to provide a documented segregation-of-duties analysis as part of the SOX controls design assessment, especially for companies subject to an integrated audit. Management may face challenges given limited resources, budget constraints and possible system limitations. In today’s regulatory environment, with its emphasis on cybersecurity risk coverage, segregation of duties is a focus area specifically for system access and roles.
How to address this:
- A best practice is to perform, formally document and update as needed a segregation-of-duties analysis that demonstrates appropriate segregation within processes and systems. The analysis should identify exposures and gaps and map each one to a compensating control, especially where there are simply not enough resources to adequately segregate duties.
- Attention should also be given to effectively evidencing the operation of those compensating controls.
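The segregation-of-duties analysis described above is, at its core, a check of each person's effective system capabilities against a list of conflicting combinations, with every hit mapped to a compensating control or flagged as an open exposure. The script below is an added example and is not part of the original article or any firm's methodology; the role catalogue, conflict rules, compensating controls and user assignments are all constructed sample data, and a real analysis would load them from the organization's own role definitions and control matrix. It also checks whether any single role is conflicting by design, which is worth catching before that role is ever assigned.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added illustrative example; all data below is constructed sample data,
not a real ERP role catalogue or a real control matrix.
"""

# Role -> set of sensitive capabilities the role grants (constructed sample)
ROLE_CAPABILITIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "AP_SUPERUSER": {"enter_invoice", "approve_invoice", "release_payment"},
    "VENDOR_MASTER_ADMIN": {"create_vendor", "edit_vendor_bank"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER": {"approve_journal"},
    "SYS_ADMIN": {"grant_roles"},
}

# Capability pairs one person should not hold, with the risk each represents
CONFLICT_RULES = {
    frozenset({"create_vendor", "release_payment"}): "Create a fictitious vendor and pay it",
    frozenset({"edit_vendor_bank", "release_payment"}): "Divert a payment to another account",
    frozenset({"enter_invoice", "approve_invoice"}): "Self-approve invoices",
    frozenset({"post_journal", "approve_journal"}): "Self-approve journal entries",
    frozenset({"grant_roles", "release_payment"}): "Self-grant access and release payments",
}

# Conflicts that management has accepted and covered with a compensating control
# (constructed control identifier and description)
COMPENSATING_CONTROLS = {
    frozenset({"create_vendor", "release_payment"}):
        "C-07 Monthly independent review of new vendors against payments",
}

# User -> assigned roles (constructed sample)
SAMPLE_USER_ROLES = {
    "alice": ["AP_CLERK", "AP_MANAGER"],
    "bob": ["GL_ACCOUNTANT"],
    "carol": ["GL_REVIEWER", "VENDOR_MASTER_ADMIN"],
    "dave": ["SYS_ADMIN", "AP_MANAGER"],
}


def effective_capabilities(roles):
    """Union of the capabilities granted by all of a user's roles."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def find_conflicts(user_roles):
    """Return one finding per (user, conflict rule) whose capabilities the user holds.

    Each finding records which roles contributed to the conflict and the
    compensating control covering it, or None if the exposure is uncovered.
    """
    findings = []
    for user, roles in sorted(user_roles.items()):
        caps = effective_capabilities(roles)
        for rule, risk in CONFLICT_RULES.items():
            if rule <= caps:  # user holds every capability in the toxic pair
                contributing = [r for r in roles if ROLE_CAPABILITIES.get(r, set()) & rule]
                findings.append({
                    "user": user,
                    "conflict": tuple(sorted(rule)),
                    "risk": risk,
                    "roles": tuple(sorted(contributing)),
                    "compensating_control": COMPENSATING_CONTROLS.get(rule),
                })
    return findings


def uncovered(findings):
    """Findings with no compensating control: the gaps the analysis must surface."""
    return [f for f in findings if f["compensating_control"] is None]


def roles_with_internal_conflicts():
    """Roles that are conflicting by design, i.e. a single role grants a toxic pair."""
    return sorted(
        role for role, caps in ROLE_CAPABILITIES.items()
        if any(rule <= caps for rule in CONFLICT_RULES)
    )


if __name__ == "__main__":
    for bad_role in roles_with_internal_conflicts():
        print(f"ROLE DESIGN: {bad_role} grants a conflicting capability pair by itself")
    for f in find_conflicts(SAMPLE_USER_ROLES):
        status = f["compensating_control"] or "UNCOVERED - needs remediation or a control"
        print(f"{f['user']}: {' + '.join(f['conflict'])} via {', '.join(f['roles'])}")
        print(f"    risk: {f['risk']}\n    mitigation: {status}")
```

Run on the sample data, the script reports that `AP_SUPERUSER` is conflicting by design, that `alice` holds two toxic pairs (one covered by the constructed C-07 review, one not), and that `dave` can both grant roles and release payments with nothing compensating for it. The uncovered findings are the ones to carry into the documented analysis, either by splitting the roles or by adding and evidencing a compensating control.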
- KEY REPORTS AND SPREADSHEETS
External auditors’ rigorous focus on the key reports and spreadsheets used to support key control activities is not subsiding.
Deficiencies in control activities that result in a lack of completeness and accuracy increase the risk of material weaknesses. Control owners must thoroughly understand and document the source of the data that produces key reports or is downloaded into key spreadsheets, in order to demonstrate their understanding and validation of completeness and accuracy. This typically requires the assigned “owners” in IT and in the business to accept joint accountability.
How to address this:
- One of the best ways to manage this is for management to develop and maintain an inventory of key reports and spreadsheets that records information such as the IT and business owners, the controls supported, the source system, the type of report (e.g., canned, custom, query), the frequency produced, and the documentation to be retained as evidence of completeness and accuracy. This master list supports control owners’ responsibilities and enables management to prioritize the assessment of key reports and spreadsheets within their SOX program activities.
- MANAGEMENT REVIEW CONTROLS
“Review” controls are activities in which a reviewer independently validates a preparer’s work, such as account analyses, reconciliations and reserve calculations, or scrutinizes business performance variances (e.g., budget and/or forecast to actual). A simple sign-off by the reviewer no longer provides sufficient evidence that the control operated. The reviewer, as the control owner, is accountable for defining, documenting and retaining evidence of:
- The criteria and thresholds used (e.g., volumes, dollars, percentages), set at a level of precision appropriate to detect potential material errors
- The reconciling items and variances that met or exceeded the defined criteria and thresholds, and how each was investigated, explained and/or adjusted and corrected
- The timeliness of the review relative to the control’s frequency
How Can We Help You?
Whether you are improving internal controls, addressing Sarbanes-Oxley readiness and compliance, developing and executing an internal audit plan or identifying ways to securely leverage IT and systems, our team of Risk and Compliance professionals is highly experienced in helping companies of all sizes achieve regulatory compliance. Get in touch today to learn how we can help you navigate these rigorous expectations and achieve a successful, sustainable SOX program.