Completing your SOX compliance in a COVID-19 environment
We are now in August 2020, and for calendar year-end organizations, two fiscal quarters have been completed under remote working conditions due to COVID-19. What we thought was a temporary pivot is now undoubtedly the reality for the remainder of 2020.
Finance and accounting teams, among other departments, have had to innovate and adapt quickly to transition to executing their day-to-day processes in a dispersed fashion — the execution of the virtual monthly close, which was initially thought to be challenging, has been performed successfully since the end of March.
As we look ahead to the remaining four months of 2020, SOX professionals will be focused on ensuring successful completion of their SOX compliance program, which is fundamentally the execution of all testing required, identifying any control deficiencies, and reporting to management to facilitate the attestation by the CEO and CFO of effective internal control over financial reporting. Critical to a successful 2020 SOX compliance program, SOX professionals should ensure the following two areas are buttoned up:
1. Is my 2020 SOX scope comprehensive?
In a previous article, I discussed scope from the perspective of refreshing materiality to reflect the anticipated volatility in 2020 by using Q1 results to forecast year-end results. I’ll raise the same beacon call again. With two quarters complete, SOX teams can better forecast year-end numbers and revise materiality as needed.
Revisions to the materiality may require the inclusion or removal of financial statement line items (FSLI) from your scope. However, materiality is only half of the scoping picture — layering in the risk assessment provides for a qualitative dynamic to the scope. SOX professionals need to continually layer in these qualitative assessments to ensure a comprehensive scope.
Top of mind are risk assessments for process areas requiring estimation and judgment; process areas impacted by resource attrition; supply chain issues and third-party dependent areas. The scope is the blueprint of the SOX compliance program — a wrong scope has disastrous implications, hence the need for balances and processes that have a significant risk of material misstatement are included in your scope is crucial.
2. Can I test all my SOX key controls on time?
Pursuant to refreshing the SOX scope using Q2 period-end numbers, SOX teams may encounter additional in-scope FSLI, and hence incremental SOX key controls to test. July through September is typically the interim test period for SOX teams — the period in which a majority of the control samples are tested. A smaller sample size is tested in the subsequent roll-forward test period, which runs from November to January of the following year. Adding the newly scoped-in controls to the test volume in the interim period is more advantageous as the SOX team can better accommodate the volume.
It is preferable to ensure that all SOX key controls, except those that are executed annually, at year-end, have been tested at the conclusion of interim testing. This testing of all in-scope controls where possible during the interim test period allows for identification of control deficiencies early enough for management to remediate, or identify, compensating controls for failing controls. If the number of in-scope SOX key controls increases, SOX teams need to ensure they can execute testing of all the controls, not only before the fiscal year-end, but in a timely fashion prior to the year-end to allow for post-testing assessments. During this interim test period, SOX teams should ensure the following:
- All in-scope SOX controls, where possible, are tested by the close of the interim testing period. Prior to the conclusion of the interim testing period, SOX teams should forecast the level of effort required in terms of man-hours to complete the annual SOX control testing factoring in a marginal increase based on any Q3 scope refresh. SOX teams should continue, wherever possible, to automate control testing, including newly scoped-in controls. This full, or partial, testing automation should be deployed to reduce the manual level of effort required in SOX testing.
- Communicate the additional testing resources required based on the projected man-hours to management. Given that SOX teams often are part of an internal audit function, additional resources may be tapped from that function. However, if additional testing resources are pooled from business operation teams, SOX teams should factor in a training period for these resources.
The COVID-19 pandemic has increased the spotlight on risk management. Critical to the successful transition through this crisis will be maintaining trust in the economy, which will be reinforced through accurate financial reporting. Key to accurate financial reporting are the internal controls that augment the reporting process and mitigate against the risk of material misstatement. The role of SOX professionals in assessing the effectiveness of these internal controls will be heightened in this period and going forward.
The fluidity of 2020 in regards to scoping and emerging risk areas calls for SOX agility, and an ability for SOX teams to quickly pivot as the risk to financial reporting changes.
For the latest news and information, visit the Workiva Newsroom.