Preparing for Walkthroughs
The weather is getting nicer, flowers are blooming, and the birds are singing. This all means one thing: walkthrough season is here!
Whether it is your organization’s first time going through SOX walkthroughs since becoming a public company, or you are seasoned veterans when it comes to SOX compliance, it is always important to take a step back and prepare for walkthroughs. These conversations are the first major step into the SOX year and taking the time to prepare makes things run smoothly for everybody involved.
The Big Picture
To this point, you have likely (read: definitely should have) gone through the planning stages (for more on the various phases, check out my last article on Navigating the Path to SOX Compliance). From here, you can start preparing for walkthrough meetings. The best place to start preparation is understanding a few key questions that look at the big picture:
Why are you having walkthroughs? The main reason you are having walkthroughs is to document the design of internal controls within a business process. You will be talking through whether they are designed to prevent or detect errors, whether the control addresses the relevant attributes, is there a completeness and accuracy component, and other questions to ascertain if the control is designed effectively. Also, consider if this is a new walkthrough or you have gone through these processes and controls before; this helps you understand how to approach the conversations. If you are doing walkthroughs for the first time or you recently changed audit firms, the level of detail will be far greater than having gone through several walkthroughs where there is already previous documentation of the processes. Understanding the purpose and approach will increase the efficiency of the conversation.
What is being discussed in each meeting? It may be simple but staying on top of what processes are discussed in which walkthrough meeting is a small but crucial key to success. It’s also vital to be prepared with whatever evidence is needed for the controls to document a sample of one. Typically, auditors will request a specific sample that you should bring; if not, it is still prudent to have a sample of each control to talk through and any supporting documentation, like a flowchart. Understanding the scope of the conversation and establishing the needed support ahead of time will make things run smoothly with fewer clarifying questions.
When are the meetings? You need to be mindful of your team’s schedules and when the control and process owners can participate. Sometimes there may be an ideal order as far as following a process flow, but if the key personnel cannot join the walkthroughs at specific times, it may make more sense to plan the meetings around them to minimize how often they have to meet. Consider the timing of any potential changes as well; if you are likely to change the process, controls, or control owners in the near future then it would be wise to perform the associated walkthrough after those changes are in place. No use documenting something that will change, having another meeting, and documenting it again!
Who is involved in the walkthrough? Perhaps the most important component is who will be participating. Know what personnel from your organization will be in what meetings and make sure that all the relevant people are participating (to avoid unnecessary meetings or follow-up after the fact). This includes making sure the preparer and reviewer of the relevant controls are in the appropriate walkthroughs. Additionally, who from outside the organization will be participating? This usually includes at least your external auditors but can include consultants you bring in to help with the SOX documentation and testing process (I know a few people who can help!)
How are these walkthroughs going to be conducted? Are they entirely in person? Will they be virtual? Or a combination of both? Whatever you choose, make sure you have rooms blocked off so you are not getting kicked out halfway through meetings and that any video conference links are working when they are sent out. Consider what the flow of the meeting looks like as well. Typically, you will be talking through a process end-to-end and stopping to elaborate on controls within the process and how they are performed. You will discuss the operation of the control and auditors will likely ask for specifics on where data is coming from or specific review procedures by whom. It is often helpful to have one person present while the other discusses the process to maintain an efficient flow during walkthroughs.
Staying Up to Date
With those 5 factors in mind – what tangible things can you prepare for these meetings and what tasks should you focus on? One of the biggest contributors to successful walkthroughs is ensuring that all the documentation is up to date prior to having the meetings. Items that need to be reviewed for updates may include:
Risk Control Matrix
- Do you have new controls?
- Are certain controls no longer applicable/in scope?
- Should control wording be updated to reflect changes or clarify the purpose of the control?
- Are control owners up to date?
- Are there significant changes to the process (systems, service providers, data flow, etc.)?
- Are there personnel changes or other specifics that need to be updated?
Any other supporting documentation
- Flowcharts, workbooks, control support
- Identifying and updating a listing of key reports used
- Support related to current matters significantly impacting processes (e.g. COVID-19 impact on business processes)
When you take the time to make sure documentation is updated upfront, it will increase the efficiency of the walkthrough meetings as there won’t be as many questions about who owns a process or what a new IT application is. It is all about being proactive on the front end to minimize the pain points during walkthroughs!
Speaking of pain points: when looking ahead to prepare, it can be beneficial to look back too. Take the time to work through the pain points from the prior year’s audit. Use those issues to help inform the updates and changes you are making for this year. Maybe that consists of adding more detail to narratives, revising controls, or prepping the control owners beforehand. Before your walkthroughs start, take the time to talk through changes from the prior year with the auditors so that you are not stopping after every update or change to clarify them.
Don’t remember what were the major issues last year (or it’s your first walkthrough)? That’s okay! One of the things you can do this time around is take stock of these pain points as they come up and record them; that way for next year, you can reflect and adjust accordingly.
Walkthroughs are a necessary part of the SOX process and preparing for them ahead of time sets you up for success. Bridgepoint Consulting is here to help your walkthroughs go as smoothly as possible. Whether you need resources dedicated to helping you prepare so your team can focus on their regular responsibilities, or this is your first time going through walkthroughs and you need guidance, our consultants have the experience to get you where you need to be.