SOX Walkthrough Preparation Questions & Challenges

The weather is getting cooler, the trees are changing, and the holidays are just around the corner. This all means one thing: walkthrough season is coming to a close.

Whether it is your organization’s first time going through SOX walkthroughs since becoming a public company or you are seasoned veterans when it comes to SOX compliance, it is always important to take a step back and prepare.

What is a SOX walkthrough?

A SOX walkthrough is conducted by an auditor and aims to evaluate the effectiveness of internal controls and control design alongside gathering an understanding of transaction process flows.

To this point, you have likely (re: definitely should have) gone through the planning stages. For more on the various phases, check out our article on Navigating the Path to SOX Compliance.

From here, you can start preparing for walkthrough meetings by asking the following questions:

1. Why am I having a SOX walkthrough?
2. What is being discussed in each SOX meeting?
3. When are the SOX meetings going to take place?
4. Who is involved in the SOX walkthrough?
5. How will the SOX walkthroughs be conducted?
6. How do I prepare up-to-date information for SOX walkthroughs?
7. What are the challenges of navigating SOX walkthroughs?

5 Questions to Ask to Best Prepare for SOX Walkthroughs

1. Why am I having a SOX walkthrough?

The main reason you are having walkthroughs is to document the design of internal controls within a business process.

You will be talking through whether they are designed to prevent or detect errors, whether the control addresses the relevant attributes, is there a completeness and accuracy component, and other questions to ascertain if the control is designed effectively.

Also, consider if this is a new walkthrough or you have gone through these processes and controls before; this helps you understand how to approach the conversations.

If you are doing walkthroughs for the first time or you recently changed audit firms, the level of detail will be far greater than having gone through several walkthroughs where there is already previous documentation of the processes.

Understanding the purpose and approach will increase the efficiency of the conversation.

https://bridgepointconsulting.com/internal-controls-how-to-use-them-and-why-private-companies-should-adopt-them/

2. What is being discussed in each SOX meeting?

It may be simple, but staying on top of what processes are discussed in which walkthrough meeting is a small but crucial key to success.

It’s also vital to be prepared with whatever evidence is needed for the controls to document a sample of one.

Typically, auditors will request a specific sample that you should bring; if not, it is still prudent to have a sample of each control to talk through and any supporting documentation, like a flowchart.

Understanding the scope of the conversation and establishing the needed support ahead of time will make things run smoothly with fewer clarifying questions.

3. When are the SOX meetings going to take place?

You need to be mindful of your team’s schedules and when the control and process owners can participate.

Sometimes there may be an ideal order as far as following a process flow, but if the key personnel cannot join the walkthroughs at specific times, it may make more sense to plan the meetings around them to minimize how often they have to meet.

Consider the timing of any potential changes as well; if you are likely to change the process, controls, or control owners in the near future then it would be wise to perform the associated walkthrough after those changes are in place.

No use documenting something that will change, having another meeting, and documenting it again!

4. Who is involved in the SOX walkthrough?

Perhaps the most important component is who will be participating.

Know what personnel from your organization will be in what meetings and make sure that all the relevant people are participating (to avoid unnecessary meetings or follow-up after the fact).

This includes making sure the preparer and reviewer of the relevant controls are in the appropriate walkthroughs.

Additionally, who from outside the organization will be participating? This usually includes at least your external auditors but can include consultants you bring in to help with the SOX documentation and testing process.

5. How will the SOX walkthroughs be conducted?

Are they entirely in person? Will they be virtual? Or a combination of both?

Whatever you choose, make sure you have rooms blocked off so you are not getting kicked out halfway through meetings and that any video conference links are working when they are sent out.

Consider what the flow of the meeting looks like as well. Typically, you will be talking through a process end-to-end and stopping to elaborate on controls within the process and how they are performed.

You will discuss the operation of the control and auditors will likely ask for specifics on where data is coming from or specific review procedures by whom.

It is often helpful to have one person present while the other discusses the process to maintain an efficient flow during walkthroughs.

Preparing Up-to-date Information for SOX Walkthroughs

With those five factors in mind, what tangible things can you prepare for these meetings and what tasks should you focus on?

One of the biggest contributors to successful walkthroughs is ensuring that all the documentation is up to date prior to having the meetings.

Potential items that need to be reviewed for updates & key questions to ask:

1. Risk control matrix:

• Do you have new controls?
• Are certain controls no longer applicable/in scope?
• Should control wording be updated to reflect changes or clarify the purpose of the control?
• Are control owners up to date?

2. Flowcharts:

• Are there significant changes to the process (systems, service providers, data flow, etc.)?
• Are there personnel changes or other specifics that need to be updated?

3. Additional supporting documentation:

• Workbooks, control support
• Identifying and updating a listing of key reports used
• Support related to current matters significantly impacting processes (e.g. COVID-19 impact on business processes)

When you take the time to make sure documentation is updated upfront, it will increase the efficiency of the walkthrough meetings as there won’t be as many questions about who owns a process or what a new IT application is.

It is all about being proactive on the front end to minimize the pain points during walkthroughs!

Navigating SOX Walkthrough Challenges

Speaking of pain points: when looking ahead to prepare, it can be beneficial to look back, too.

Take the time to work through the pain points from the prior year’s audit. Use those issues to help inform the updates and changes you are making for this year.

Maybe that consists of adding more detail to narratives, revising controls, or prepping the control owners beforehand.

Before your walkthroughs start, take the time to talk through changes from the prior year with the auditors so that you are not stopping after every update or change to clarify them.

Don’t remember what were the major issues last year (or it’s your first walkthrough)? That’s okay!

One of the things you can do this time around is take stock of these pain points as they come up and record them; that way for next year, you can reflect and adjust accordingly.

Final Thoughts on Preparing for SOX Walkthroughs

Walkthroughs are a necessary part of the SOX process, and preparing for them ahead of time sets you up for success.