Automating the SOX Testing Process
Over the last several years, the number of PCAOB inspection findings in which an audit firm “failed to obtain sufficient appropriate evidence to support its opinion on the effectiveness of internal control” has only grown. As a result, regulators have pressured audit firms to change their approach to SOX control testing to address these deficiencies.
For many companies, this has meant changing expectations and more extensive and costly approaches to not only evidence collection, but the entire testing process. Audit changes have even brought delays in issuing financial statements and increases in audit work and fees.
History of internal controls
The evolution of internal controls dates back to 1977 when the Foreign Corrupt Practices Act (FCPA) was passed.
FCPA was the result of the SEC and Watergate investigations and has two main provisions: one addressing accounting transparency requirements and the other concerning bribery of public officials. In a broad sense, companies whose securities are listed in the United States must meet certain accounting provisions, as identified by the U.S. Code. In addition, the anti-bribery provisions prohibit persons from making payments to foreign officials in order to influence or secure business advantage.
In 1985, the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, was created. Jointly sponsored and funded by five professional accounting associations and institutes, it was formed to inspect, analyse and make recommendations on fraudulent corporate financial reporting.
These five organisations formed the Committee of Sponsoring Organisations of the Treadway Commission (COSO). In 1992, COSO released the "Internal Control-Integrated Framework," which presented a common definition of internal controls and provided a framework against which internal control systems may be assessed and improved. This report is one standard that U.S. companies use to evaluate their compliance with FCPA.
A decade later, the Sarbanes-Oxley (SOX) Act of 2002 was enacted, requiring all public companies to establish internal controls over financial reporting and to document them and test both their design and their operating effectiveness. Many private companies have also chosen to adopt various provisions, as SOX has become the benchmark against which every company's financial reporting and corporate governance practices are measured.
The SOX testing process
The process for collecting evidence has traditionally been manual and labour-intensive. Over the course of the year, SOX compliance teams go through three rounds of testing. Each phase brings its own challenges, as the SOX and internal audit teams struggle with version-control issues when they try to collaborate on controls, risk assessments, samples and testing documents.
The three rounds of SOX testing:
- Initial: The process begins with initial testing. Many companies test controls soon after the walkthrough period to give themselves adequate time for remediation if deficiencies are discovered. During testing, the team sends evidence requests to control owners by email and is then forced to babysit the process, struggling to track every response, evidence attachment and approval.
- Interim: During interim testing, SOX compliance teams need to verify that controls tested earlier in the year are still operating effectively. They also need to check that any changes to controls have been appropriately documented and tested, and that non-routine controls and controls involving a high degree of subjectivity or judgement have been updated with additional samples.
- Year-end: The controls that are tested at year-end include controls that are only tested annually and any controls that failed during initial or interim testing. If there are deficient controls, the SOX compliance or internal controls team will work to avoid further deficiencies and material weaknesses by documenting remediation for auditor review.
After year-end testing, the independent auditors test controls, review documentation and determine whether they agree with management’s assessment of internal controls before signing off. This matters all the more as management prepares to report on control performance to the audit committee.
Teams spend too much time, effort and money reporting and remediating control deficiencies or, worse, material weaknesses. In a recent survey, the 2016 State of the SOX/Internal Controls Market, 65% of respondents reported spending 5 or more hours per control on SOX control testing, and 40% reported spending 11 hours or more per control on remediating control issues.
Further complexity arises when teams use different platforms, since the same documentation must then be updated in several systems. The result is additional time spent by internal audit reviewing and verifying control information before testing can even begin.
Even though testing takes place at three distinct points in the year, the SOX testing process is ongoing. Between rounds, teams are constantly working to remediate any controls that failed during initial or interim testing and to document that remediation.
Automating the SOX control testing process
With the adoption of the 2013 COSO Framework, increased requirements from the PCAOB and greater board focus on risk and compliance processes, many internal control programmes are still undergoing major modifications.
As regulation increases and internal control programmes need to scale across more users and departments, organisations need technology and approaches that focus on productivity to support, automate and streamline the internal control process. New technology can be applied at every phase of that process, but it is especially valuable during SOX control testing.
New, cloud-based technology can allow SOX compliance teams to:
- Streamline evidence collection and testing, allowing managers to send requests to control owners and attach samples directly to testing documents. Annotation and review are simplified, easily accessible and protected.
- Seamlessly collaborate with internal and external audit in a single environment to create and edit documents. A central repository of all control and testing information increases transparency.
- Automate certifications to meet deadlines, improve compliance and view the status of evidence requests from a real-time dashboard.
- Easily update all testing and control information from a single source of truth. Changes are made once at the source and are instantly reflected across all documents, including risk control matrices, flowcharts, process narratives, testing documents, dashboards and audit committee presentations.