Sarbanes-Oxley (SOX) is a compliance requirement that’s been around for more than 20 years, but there’s still huge potential for companies to reduce risks and create efficiencies.
All organizations should regularly evaluate the current state of their people, processes and technologies to determine the degree of value (or disruption) created by SOX. Deploying more structure and skilled resources can enhance efficiency and time management. Here’s a checklist to help measure and improve your SOX program:
- SOX Planning – Schedule SOX planning meetings soon after the lessons learned meeting with internal audit, external audit and the SOX coordinators. Plan to discuss scope, schedule, timeline, sampling strategy and your reliance plan. The timeline and reliance plan should be re-evaluated annually.
- Coordinate – Can the relationship between control owners, IT SOX liaisons, internal audit and external audit be improved? Continue to communicate with these groups throughout the year. Look for ways to improve relationships. Internal audit should request feedback from the external auditors on how they can better rely on each other.
- Design Assessment – Companies should refresh controls, flowcharts and SOX supporting documentation on a yearly basis prior to the auditors starting their testing.
- Scope – Scope should be clearly documented and communicated. All parties should understand the total scope for the year. The same documents should be shared across functions to limit misunderstanding.
- Travel – Evaluate the travel requirements for the year during the annual budget process.
- Roles and Responsibilities – Roles and responsibilities should be clearly documented and communicated. All parties should understand what is expected from them, including internal audit, control owners and IT liaisons. Control owners should be assigned by control and by application.
- Schedule and Timeline – Based on the scope, auditors/SOX coordinators should plan out the schedule and timeline for the year ahead.
- Skills – Are your auditors and control performers skilled enough to test and perform controls considering your control environment? Resources and hours should be evaluated annually. If resource limitations are present, consider a co-source arrangement with a third-party audit firm.
- Outstanding Deficiencies – Are you having the same exceptions year after year? You may need to train your audit team or re-evaluate your controls and/or control frequency. Internal audit has the responsibility to test and report issues, and to effectively provide feedback on management action plans to ensure deficiencies are remediated. Include auditor focus areas or common deficiency mistakes in training and communication to the control owners throughout the year.
- Technology – Companies should periodically evaluate their internal audit workpapers, request lists and the location where control owners are saving completed controls.
- Officer Communication – Schedule monthly calls with the CIO, VP Internal Audit and Controller/CFO to provide direct SOX updates to key personnel.
- Status Calls – Schedule weekly calls with the SOX coordinators, internal audit and external auditors throughout the testing process.
- Reporting – Ensure you’re centrally tracking SOX deficiencies and reporting to key personnel on a set cadence.
- Training – Provide your internal auditors, SOX coordinators and control owners regular training.
- Lessons Learned Meeting – Schedule a lessons learned meeting with SOX coordinators, internal audit and external audit at the conclusion of the year. Provide positive feedback and suggest areas in which to improve for all groups involved. Create a tracker to monitor the actions.
- Celebrate – Celebrate with your team after completing key milestones and thank everyone who helped complete another successful SOX year!
How Can Schneider Downs Help?
If you have questions about refining your SOX approach or want to discuss how to strengthen your internal processes, reach out to the Schneider Downs team at [email protected].
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
Explore our full Risk Advisory Service offerings or contact the team at [email protected].