The 6 Questions SOX Leaders Must Ask Themselves
If you’ve made new year’s resolutions, chances are one of them was about your personal health: eating better, working out more, or being more mindful in your everyday activities.
But what about the day-to-day health of your Sarbanes-Oxley compliance program? In the same way that you’re investing more time and effort into your personal wellbeing in 2020, it’s likely your SOX program needs a revitalization. After all, we’re nearly 20 years into SOX—the way your organization handled it in 2002 shouldn’t be the way it’s addressed today.
In order to evaluate their current situation and uncover next steps to shaping up their processes, I’ve found that SOX leaders must ask themselves six insightful questions. The answers that lie on the other side can help you trim down bulk and get compliance in shape.
1. Does your executive team see SOX as being valuable?
Most organizations I’ve talked to would say they don’t have a SOX strategy—not because they fail to approach it tactically, but because it’s viewed as more of a binary, cut-and-dried exercise. It’s either completed or incomplete. But it really should be more than that.
If your executive team sees compliance as a burden or sunk cost, there’s a need for some education. It’s also likely that you and your team may be the best to deliver said education.
However, changing that mindset doesn’t have to be laborious. Tactically, as a SOX leader, hone your focus on the areas that actually carry the highest risks, rather than on what your external auditor or audit committee wants to see. In doing so, you’ll be in a stronger position to prove the substantial value of the work you and your team do.
2. Is your culture’s tone at the top to discover and address issues or to focus on achieving a clean audit?
We may be nearly 20 years into SOX as a regulation, but on the whole, the mindset around the regulation hasn’t shifted dramatically. Executives not fully in the know are still stuck thinking “What’s in scope for SOX?” rather than the broader internal controls, even though there are real benefits.
A Harvard Business Review article explains the situation well. Some executives approach SOX with “something like gratitude,” the authors write. “[Executives] were thinking not only of protecting stakeholders and shielding their companies from lawsuits but of developing better information about company operations in order to avoid making bad decisions.”
In other words, the true benefit of SOX is to develop better information about the underpinning operations in your organization, not mere regulatory compliance. If executives and your board fail to see that—and if the tone coming from the top is not favorable toward compliance exercises—the onus is on you and your team to get that point across. For the SOX process to have the most benefit for the entire organization, control deficiencies should be truly addressed and remediated, not just bandaged over for the short-term goal of a clean audit.
3. Do you know what your 10 to 20 most critical controls are?
Not all controls are created equal, and approaching each with identical levels of scrutiny is a recipe for disaster—or, at the very least, overwork. All key controls are important, but some are more pressing than others, and 10 to 20 make the list of the ones most likely to lead to a material weakness.
I’ve found that organizations get the most success by reprioritizing the most critical controls, based on which are most likely to incur a material weakness, and spending more time focused on enhancing the design of those controls.
By analyzing the overall control design for these 10 to 20 controls, dissecting how to enhance them, and finding ways to maximize the potential of each for the overall benefit of the company—rather than churning through a forest of controls—your entire organization will benefit.
Designed properly, your program can continue to evolve and change as business risk changes. But this is contingent on whether or not you carve out the bandwidth for your team to do so.
4. Do you have a strong set of direct entity-level controls?
When Sarbanes-Oxley was first released, it was a bottom-up exercise—the people on the front lines of compliance did the work based on the largest controls that impacted the entire organization, and the results were funneled up to executive leaders.
As the guidance around SOX compliance has become more clear and precise on the more niche controls, compliance teams have tended to move away from testing and relying on direct entity-level controls, such as gross margin reviews or budget/actual reviews—even though these controls are key tools used by organizations to manage accurate financial reporting.
I firmly believe that SOX professionals need to return to placing greater reliance and emphasis on direct entity-level controls. After all, if there was a control failure, the company often points to these direct entity-level controls as the rationale for why there could not have been a material error in the financial reporting.
With strong entity-level controls, organizations provide additional safeguards and assurance. By reevaluating these controls and making them more precise, they can truly defend the organization at a deeper level.
5. If you didn't test your controls, would you feel confident they would pass?
Similar to my previous points, it’s up to SOX teams to articulate why they’re pursuing certain controls and not others. It’s critical to pick those 10 to 20 most important controls, but it’s just as vital to educate control owners and process owners on why these control activities are being done.
Testing every single control simply isn’t scalable, and doing so is not only stressful but also diminishes the scrutiny you place upfront on each risk.
It is more valuable to spend the time educating control owners why they are executing controls. If controls are not being executed consistently, then the root cause is likely that the control owner either does not understand the rationale for performing the activity (which should be solved through training or education in order to make the control more robust), or that the control is the wrong control (which should be solved by revisiting both the risk and the control activity to ensure they are aligned). These activities are much more valuable than detailed sample testing of controls.
6. Have you identified KPIs that would identify and monitor potential issues in your SOX program?
To accomplish a goal, you must first articulate the goal. And, with SOX, to efficiently accomplish compliance, you must articulate the key performance indicators (KPIs)—what you want to achieve by when—that point you toward success.
KPIs draw a line in the sand between what’s accomplished and what isn’t. More productively still, they can narrow down areas where the process could be further enhanced.
For example, a KPI monitoring control might look at the number of exceptions identified during a quarterly user access review. If the metric shows an increase in the number of changes required as a result of the periodic review, that would indicate a need to look at the underlying process to determine why access for terminated employees was not being removed on a timely basis, or why removal was not being completed for all relevant applications. Another KPI might look at the level of employee turnover in key control positions within an area or process. If the metric shows higher turnover, you could proactively provide reminders or training on the control activities that need to be performed by those roles to ensure no control activities are lost during the transition.
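The access-review KPI described above, as an added example (not code from the article or from KPMG): it counts, per quarter, terminated users whose application access was removed late or not at all, breaks the exceptions down by application to point at where removal is failing, and flags quarters where the count rose. The HR and application data, the five-day removal window, and the application names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (assumption, not from the article):
# HR termination dates, and the date each application recorded
# the access removal (None means access is still active).
TERMINATIONS = {
    "alice": date(2019, 7, 10),
    "bob": date(2019, 8, 22),
    "carol": date(2019, 10, 3),
    "dave": date(2019, 11, 15),
    "erin": date(2019, 12, 2),
}
ACCESS_REMOVALS = {
    ("alice", "erp"): date(2019, 7, 11),
    ("alice", "payroll"): date(2019, 7, 30),   # removed late
    ("bob", "erp"): date(2019, 8, 23),
    ("carol", "erp"): None,                    # never removed
    ("carol", "payroll"): date(2019, 10, 4),
    ("dave", "erp"): date(2019, 12, 20),       # removed late
    ("dave", "payroll"): None,                 # never removed
    ("erin", "erp"): date(2019, 12, 3),
}
SLA_DAYS = 5  # assumed removal window after termination

def quarter_of(d):
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def is_exception(term, removed, sla_days=SLA_DAYS):
    """Exception: access not removed, or removed after the SLA window."""
    return removed is None or removed - term > timedelta(days=sla_days)

def exceptions_by_quarter(terminations, removals, sla_days=SLA_DAYS):
    """KPI: number of access-review exceptions per termination quarter."""
    counts = {quarter_of(t): 0 for t in terminations.values()}
    for (user, app), removed in removals.items():
        term = terminations.get(user)
        if term is not None and is_exception(term, removed, sla_days):
            counts[quarter_of(term)] += 1
    return counts

def exceptions_by_app(terminations, removals, sla_days=SLA_DAYS):
    """Breakdown by application, to locate where removal is not completed."""
    counts = defaultdict(int)
    for (user, app), removed in removals.items():
        term = terminations.get(user)
        if term is not None and is_exception(term, removed, sla_days):
            counts[app] += 1
    return dict(counts)

def rising_quarters(counts):
    """Quarters whose exception count rose versus the prior quarter."""
    qs = sorted(counts)
    return [q for prev, q in zip(qs, qs[1:]) if counts[q] > counts[prev]]
```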
Just as a set of well-planned new year’s resolutions can provide guidance to the actions you’ll take in the months to come, the ongoing health of your SOX program can be kept in check by asking these six questions.
In doing so, you can help steer your compliance program toward greater effectiveness and further affirm that SOX can drive substantial business growth—today, tomorrow, and in the months to come.
For more detail on how to reinvigorate value, efficiency, and effectiveness around SOX compliance, check out my recent podcast.
This article represents the views of the author(s) only, and does not necessarily represent the views or professional advice of KPMG LLP. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.
About the Author
Sue is KPMG's National SOX Advisory Solutions lead, overseeing the development of thought leadership and best practices to be delivered to clients. She is a partner in KPMG's Advisory, Risk Assurance practice with more than 25 years of experience, and leads KPMG's Pacific Southwest internal audit and SOX practice. She has a strong background across the full spectrum of internal audit services, including SOX 404 implementations, enhancement and delivery, risk-based internal audit project delivery, and enterprise risk management (ERM). Sue's experience spans many industries including retail, manufacturing, technology, and healthcare.