5 best practices for meeting new demands on SOX compliance and controls
This past quarter we had many opportunities to sit down and meet with SOX, internal controls, and audit professionals to discuss the reality of compliance and enforcement in the field. We hosted workshops around the country and found that many of you are feeling the same pressures and challenges, have similar questions and concerns, and realize that changes are needed to meet these new demands.
Through these workshops, we reiterated that the PCAOB and SEC remain focused on inspections that target audit deficiencies, specifically in processes that involve difficult or subjective judgments, such as revenue recognition, accounting estimates, and complex accounts or one-time transactions. Executives are becoming concerned as pressure increases on operational managers as well as accounting personnel, and personal liability becomes more than a theoretical concern. But what does this mean for you? Below are five best practices for stepping up to meet new demands on SOX compliance and controls.
- Focus on risk
- Reduce the number of moving parts
- Prevention is key
- Detect red flags
- Document, document, document
The risk environment that your company operates in is rapidly changing, with risks and threats evolving daily. To mitigate the risks in your company's changing environment, risk assessment needs to be an integrated, ongoing process, not a check-the-box exercise done once a year.
Mapping and flowcharts are a good way for the company and auditors to fully understand the processes they are auditing and the risks associated with those processes.
Companies experiencing problems with obtaining sufficient, appropriate audit evidence have a common theme. Many believe they have the necessary evidence, but it is too disorganized and scattered to use effectively.
Companies often have far too many moving parts in their processes: disconnected files, inconsistencies in key facts, and manual steps to manage. By integrating the documentation, testing, and even performance of controls into a single source of truth, reporting teams reduce the number of moving parts, save time, gain control, and improve the quality of the information presented to auditors and managers.
Prevention can be as simple as reminding employees of their obligations, but it must begin with effective education. The more often employees are reminded of what the risks are and that fraud is unacceptable, the less likely they are to commit it.
You must also have control and process owners periodically confirm or certify that they have performed their duties truthfully. Give them a place to attach specific evidence alongside their signatures. This protects the company if fraud is later discovered.
To increase your ability to detect fraud or material misstatements in your organization, make sure controls are appropriately designed. Periodically perform a risk assessment for each key process to identify the weak links where a control could fail. When designing controls, consider the red flags specific to your organization and the level of precision each control needs to operate at; a threshold amount above which transactions are flagged for review is one example.
Finally, if you notice something, don't wait: act immediately to address any exceptions. Technology can help surface these exceptions more transparently.
Without documentation, your control efforts don't exist, even if they do. Document everything, and make sure the information provided is understood by all employees.
In the past, when management reviewed a control or part of a process, a signature was used to prove it was reviewed. The PCAOB is cracking down hard here and wants evidence of what the manager actually reviewed. A signature alone is no longer sufficient. You need convincing, contemporaneous evidence to meet rising expectations.
The good news is that these steps are feasible for nearly any organization, especially when broken down into smaller areas for improvement. The bad news is that there is no single solution that fits every organization and process; you must review your own processes and decide which actionable steps are most reasonable. The reality is that scrutiny and personal liability show no signs of easing.
To learn more on this topic at one of our upcoming traveling roadshows, visit our events page and register for a workshop near you.
About the Author
Joseph Howell is the former Vice President, Strategic Initiatives at Workiva. Prior to cofounding Workiva, he served as Chief Financial Officer for a number of public and private companies. He also served as the cofounder, organizer, and community moderator for the SEC Professionals Group.