New KPMG Report: 4 Quick SOX Process Modifications
In light of COVID-19, SOX compliance teams are scrambling to stay agile and react.
This is an opportunity for the SOX function to be a controls advisor, providing practical, real-time input on the ways to modify controls to address a rapidly changing environment.
Be proactive in helping to redesign and modify control activities so that they respond to fluid business situations and stay focused on financial reporting risks.
Make these four modifications to your SOX process, and download the full KPMG report for more detail and suggestions on each.
Be mindful of documentation formats
Though many processes and reviews can be completed electronically, there are some that still require manual review. When offices are closed and teams are scattered, those manual processes and reviews become increasingly challenging.
Determine how the evidence of review will be captured. Not all employees have printers and scanners at home, so some reviews may need to be altered to adapt.
This also reinforces the enormous benefit of electronic review. If your organization hasn't made the switch to a consolidated compliance platform, now's the time to change.
Retain evidence and file appropriately
Sometime in the future, your team will be back in the office. Following on from the previous point, they will likely have the aforementioned manual controls evidence in their possession: PDF scans, emails, or hard copies.
Just as it was before COVID-19, proper documentation, retention, and organization are critical. Those manual documents must be filed to stay consistent with the historical processes your organization uses, or you need to note that the way in which the control is designed and executed has changed.
Untangle segregation of duties
Because of COVID-19, we're all juggling parental duties, taking care of loved ones, and other critical non-work activities. Accordingly, as organizations deal with individuals or groups with limited ability to perform tasks, ownership of activities and controls may be reallocated.
Consider segregation of duties implications and whether additional review processes need to be added to compensate for the conflicts that may be created. Ideally, these reviews would take place in real time, but reviews after the fact are also valuable.
When in doubt, document it
The more SOX process modifications that exist, the more abrupt the wake-up call is going to be when we return to the office.
But it's important that those changes are monitored, approved, and inventoried, so the changes can be evaluated. In situations where extensive changes are expected, a governance process could be created to review and approve all changes.
Read the full report for more
This article only skims the surface of the SOX control alterations that teams should make to stay agile as the global situation evolves.
Get your copy of the full report here, and learn more about:
- Critical SOX control areas that warrant additional scrutiny
- How COVID-19 should influence your SOX 404 program
- Opportunities for internal controls to be shortcut or circumvented
About the Author
Sue is KPMG's National SOX Advisory Solutions lead, overseeing the development of thought leadership and best practices to be delivered to clients. She is a partner in KPMG's Advisory, Risk Assurance practice with more than 25 years of experience, and leads KPMG's Pacific Southwest internal audit and SOX practice. She has a strong background across the full spectrum of internal audit services, including SOX 404 implementations, enhancement and delivery, risk-based internal audit project delivery, and enterprise risk management (ERM). Sue's experience spans many industries including retail, manufacturing, technology, and healthcare.