4 Easy Ways to Automate the SOX Testing Process
No one likes getting called out in front of the class, but it's even worse when you're unprepared. Unfortunately, SOX teams might relate to that same feeling periodically, based on the number of PCAOB cases where an audit firm "failed to obtain sufficient appropriate evidence to support its opinion on the effectiveness of internal control."
The pressure has caused many companies to change their expectations. It has also led to more extensive and costly approaches, not only to evidence but to the entire testing process. Audit changes have even delayed the issuance of financial statements and have increased audit work and fees.
History of SOX and internal controls
The Foreign Corrupt Practices Act (FCPA) was passed in 1977 as the result of the SEC and Watergate investigations. The FCPA has two main provisions:
- Accounting transparency requirements—companies whose securities are listed in the United States must meet certain accounting provisions, as identified by the U.S. Code
- Bribery of public officials—prohibits persons from making payments to foreign officials in order to influence or secure business advantage
After the FCPA was created, the National Commission on Fraudulent Financial Reporting—also known as the Treadway Commission—was established in 1985. It was formed to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.
The Treadway Commission is jointly sponsored and funded by five professional accounting associations and institutes that have since formed the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO released the Internal Control-Integrated Framework in 1992, which gave a definition of internal controls and provided a framework for assessing and improving those systems. This framework is one of the instruments U.S. companies use to evaluate their compliance with the FCPA.
A decade later, the Sarbanes-Oxley (SOX) Act of 2002 was implemented. SOX requires all public companies to establish internal controls, as well as procedures to document and test the design and effectiveness of those controls. Private companies have also chosen to follow the provisions of SOX because it has become the benchmark against which every company's financial reporting and corporate governance practices are measured.
The SOX testing process
Over the course of a calendar year, SOX compliance teams typically have to go through three rounds of testing. Collecting evidence has often been a manual and lengthy process. Along with this, each phase of the process usually comes with its own challenges for SOX and internal audit teams. They struggle with version control issues when trying to collaborate on controls, risk assessments, samples, and testing documents. They also struggle with tracking down status updates and having to babysit the collection process.
Three rounds of SOX testing:
- Initial—this is where the process begins. Many companies test their controls after the walkthrough period to give themselves enough time to fix any deficiencies that come up. Teams send evidence requests out via email to control owners. This then forces teams to babysit the process because they have to track all responses, evidence attachments, and approvals.
- Interim—SOX compliance teams make sure that controls tested earlier in the year are still operating effectively. They must also check that changes made to controls have been correctly documented and tested, and nonroutine and highly subjective controls are updated with additional samples.
- Year-end—controls that are only tested annually and any that failed during the initial or interim testing. If there happens to be any deficient controls, the SOX compliance or internal controls team will work to stop further deficiencies by documenting remediation for auditor review.
Once the year-end testing is complete, independent auditors then need to test controls, review documentation, and determine if they agree with management's assessment of internal controls prior to sign-off. This is important to the process because it helps prepare them for steering audit committee meetings on control performance.
Although testing may take place at three different times, the SOX testing process should still be ongoing. Once a round of control testing is complete, teams move on to remediating the controls that failed during that round.
While the process reads as fairly straightforward, the execution of SOX testing can be exhausting and burdensome. In the 2019 State of the SOX/Internal Controls Market, 31 percent of respondents reported that internal audit spends more than half its time on SOX.
Many additional complexities arise when teams use different platforms, including making multiple updates to documents across systems. This results in internal auditors having to spend more time reviewing and verifying control information before testing even begins.
Automating the SOX control testing process
Teams need to be more responsive to changing risk driven by external and internal factors, such as new emerging technologies and/or socioeconomic changes.
As business processes are maturing with increasing regulations, the need to scale across multiple users and departments also increases. This is where organizations need to leverage new technology and approaches specifically made to support, automate, and drive internal control process efficiencies. New technology can be used at all phases of the internal control process—however, it is especially beneficial during SOX control testing.
New, cloud-based technology can enable SOX compliance teams to:
- Streamline evidence collection and testing: This allows managers to send requests to control owners and attach samples directly to testing documents. Annotation and review are simplified, easily accessible, and protected.
- Seamlessly collaborate with internal and external audit: This happens in a single environment to create and edit documents. A central repository of all control and testing information increases transparency.
- Automate certifications: Meet deadlines, improve compliance, and view statuses of evidence requests from a real-time dashboard.
- Easily update all testing and control information with a single source of truth: Changes are made at the source and that change is instantly reflected across all documents, including risk control matrices, flowcharts, process narratives, testing documents, dashboards, and audit committee presentations.
Editor's note: This blog post was originally published December 1, 2016, and has been updated.