SOX compliance is important, but so is running the business. An inefficient or ineffective SOX compliance program can monopolize management’s attention, diverting scarce time and resources away from critical operational and strategic work.

In this CFGInsights, we discuss ten tried-and-true ways to improve your SOX compliance program.

#1: Promote strong tone at the top

A successful SOX compliance program begins with buy-in from management and the Audit Committee, and that buy-in must extend beyond the Finance department. It is a common misconception that SOX is solely a Finance responsibility; in reality, SOX also affects groups outside of Finance, including Legal, Operations, Human Resources, and Sales. Management must champion SOX and encourage others within the company to take their SOX compliance responsibilities seriously.

Suggested action items:

  • Lead by example. If management takes the SOX function seriously and can articulate the value it adds to the company, others within the company are likely to follow suit.
  • Identify SOX compliance goals (and assess performance against these goals) as part of the company’s Annual Performance Feedback Program.
  • Dedicate sufficient time at Audit Committee and company-wide meetings to discuss the SOX compliance function and solicit feedback.
  • Create an advisory board consisting of management across different divisions (e.g., Finance, Legal, Human Resources, etc.) to facilitate the exchange of information related to SOX and internal control-related matters.
  • Promote an open environment where issues or concerns with the SOX function or internal control-related matters can be raised without repercussions or backlash.
  • Promote the SOX compliance function via brochures, newsletters, posters or publications.


#2: Perform a SOX diagnostic

Many SOX compliance programs fail to keep pace with changing audit requirements and industry trends.

Having an outside party review the current SOX compliance program can provide valuable insight to management. A fresh perspective can detect control redundancies, unmitigated risks, and operational inefficiencies, and an outside party can offer unbiased commentary on audit requirements and industry trends.

Suggested action items:

  • Obtain a SOX diagnostic. The diagnostic should apprise management of control redundancies, unmitigated risks, operational inefficiencies, and opportunities for process improvements.


#3: Select the right person to oversee the SOX compliance program

SOX compliance programs often fail due to poor project management and oversight. When selecting a SOX compliance champion (the person within the company who serves as the main SOX point of contact), it is imperative that he/she possesses strong project management skills and has sufficient time to devote to the responsibility. Project management training and mentoring are important and should not be taken for granted.

Suggested action items:

  • Ensure the SOX compliance champion has sufficient time and resources to devote to the SOX compliance program. Reallocate, reprioritize or postpone less critical projects on his/her plate, as necessary.
  • Ensure that project management training and people development costs are appropriately considered in the annual budget.
  • Identify individuals within the company who possess strong communication and leadership skills, have a solid understanding of the business as a whole, and have an ability to establish and foster relationships across the company.


#4: Align all stakeholders

It is not unusual for multiple audits to be performed at the same time (for example, by both internal and external auditors). Unfortunately, it is also not uncommon for different groups to operate in silos, executing their audits autonomously with minimal communication and coordination. All parties should communicate and coordinate throughout the year, and most importantly during audit planning, to align on the project plan, timeline, etc. This avoids duplicative work and allows audits to be executed as efficiently as possible.

Suggested action items:

  • Ensure sufficient time is devoted to planning the SOX audits for the upcoming year. In general, planning for the upcoming year should commence shortly after the 10-K is filed.
  • Ensure all key stakeholders align on the project plan, project objectives, timeline, and resources early in the process.
  • Establish scheduled, recurring meetings with all key stakeholders to ensure that everyone remains aligned with the project plan throughout the year. Use these meetings to highlight findings, identify redundancies in any audits being performed, and share any documents, evidence or information received to date.
  • If the external auditor is relying on internal audit or management’s SOX testing, ensure that the control test plan is reviewed and approved by the external auditor prior to execution. In some cases, utilizing the external auditor’s control testing templates may minimize any re-work later in the year.


#5: Reassess risks

A control environment that does not evolve with changes to the business, its processes or its personnel can lead to control inefficiencies or, worse, control deficiencies. Risk assessments establish a SOX compliance program’s scope and focus. A robust risk assessment is time well spent: it refocuses management on new and emerging risks and on the key controls needed to mitigate them. Conversely, where a risk ranking is lowered (for example, from “significant” to “low” or “non-existent”), the need for, and criticality of, the related controls should also be reassessed. Focusing extensive time and resources on areas of low risk may not be appropriate.

Suggested action items:

  • Ensure there is a mechanism in place (whether formal or informal) to identify, assess, respond to and monitor risks. Risk assessment should be an ongoing process, not one which is performed just once a year.
  • Reassess risks any time there is a significant change to the business, process or personnel (for example, as a result of acquisitions or divestitures, new system implementations, turnover, restructurings, etc.).


#6: Educate control owners

The SOX compliance programs of today are very different from those of the early 2000s. A lot has changed since the Sarbanes-Oxley Act was passed in 2002: external auditors expect more of control owners, namely more documentation and more evidence. Proactively educating control owners on what is (and is not) acceptable documentation and evidence is a must. Concrete examples of “good” versus “bad” documentation, or “sufficient” versus “insufficient” evidence, go a long way.

Suggested action items:

  • Establish periodic training sessions for control owners on internal control best practices. Training should give participants practical, real-world examples.
  • Provide control owners with a forum to discuss documentation and evidence expectations.
  • Ensure there is a mechanism to identify and monitor the latest trends in the internal control space (for example, by reviewing the results of recent PCAOB inspection reports, publications from the Institute of Internal Auditors, etc.).


#7: Utilize technology

The world is changing, and so is the way companies manage and monitor their SOX compliance programs. For smaller, less complex companies, spreadsheets and Word files may be adequate for documenting, testing and reporting on controls. For large, international companies with complex operations, such simple tools are often ineffective. A variety of governance, risk and compliance (GRC) solutions on the market can help companies improve, streamline and monitor their SOX compliance programs. GRC solutions not only reduce the administrative burden of managing a SOX compliance program but also provide real-time, dynamic reporting that helps management assess the efficiency and effectiveness of the company’s system of internal control.

Suggested action items:

  • Consider implementing a GRC solution to streamline and help manage the SOX compliance program.


#8: Actively monitor control deficiencies and remediation plans

Waiting until year-end to begin remediation is a recipe for disaster. Management should proactively assess the root cause of control deficiencies and audit adjustments and implement remediation plans to address them.

Suggested action items:

  • Do not delay addressing control findings or issues, whether identified by management, the internal audit group, or the external auditors. In many cases, concluding that a control has been successfully remediated requires observing multiple instances of the control operating effectively over a period of time, so a late start may leave too little time before year-end.


#9: Establish ownership and accountability

SOX compliance programs succeed only when people own and are held accountable for their assigned areas and responsibilities. In general, control owners who are given the opportunity to provide commentary on, and suggest enhancements to, the design and execution of their controls are more likely to own their assigned areas than control owners who receive no such opportunity.

Suggested action items:

  • Implement control self-assessments (CSAs). CSAs refer to a variety of assessment techniques (for example, facilitated workshops or surveys) that enable individuals from across the company to participate in assessing internal control, evaluating risk, and identifying potential control deficiencies and process weaknesses.

#10: Create flowcharts

When control owners do not truly understand how a transaction flows through a process and how they fit into the bigger picture, SOX compliance programs can fail. When control owners can visualize a process, they better understand the downstream impact of their actions. Consider, for example, a sales representative who enters into a revenue transaction with non-standard terms; he or she may not be aware that those terms can affect revenue recognition or create legal obligations for the company. A clear understanding of the flow of a transaction and the parties involved in a process produces a stronger control environment. Plotting the flow of transactions in a flowchart is highly recommended, since flowcharts are easy to comprehend and digest.

Suggested action items:

  • Create flowcharts for all key business processes. While creating the flowcharts, look for operational inefficiencies or opportunities for process improvements (for example, by identifying manual processes which could be automated).

Conclusion

Inefficiently run SOX compliance programs drain resources, time, money and morale. Implementing all, or a subset, of the recommendations above can have a significant, positive impact on a company’s control environment. CFGI is well-positioned to assist companies with all of their governance, risk and internal control needs.