In 2002, the Sarbanes-Oxley (SOX) Act was passed by Congress in response to the fallout and uncertainty following frauds at World-Com and Enron. The Act introduced major reforms to the regulation of financial disclosure and corporate governance, with the goal of restoring the public’s confidence in auditing and financial reporting.
The SOX Act 2002, also known as the “Public Company Accounting Reform and Investor Protection Act” and the “Corporate and Auditing Accountability and Responsibility Act”, was named after its main architects Senator Paul Sarbanes and Representative Michael Oxley.
The New or Expanded Compliance Requirements apply to all US Public Company Boards, management and accounting firms. Among other provisions, the SOX Act mandates: –
1-All financial reports include an Internal Controls report.
2-Accurate financial data and controls in place to safeguard financial data.
3-The issuance of year-end financial disclosure reports.
4-Disclosure of Corporate Frauds by protecting Whistle Blower Employees.
Key Sarbanes-Oxley Requirements:-
Sarbanes-Oxley (SOX) Consists of 11 titles, but there are two key provisions when it comes to compliance requirements: – Sections 302 and 404.
- Section 302:- Corporate Responsibility for Financial Reports: -Section 302 states that the CEO and CFO are directly responsible for the accuracy of financial reports. Signing officers must review and certify the accuracy of financial statements, establish and maintain internal controls, and disclose all significant deficiencies, fraud and significant changes in internal controls.
Section 404: Management Assessment of Internal Controls:- Section 404 states that all annual financial reports must include an Internal Control Report stating that management is responsible for an adequate internal control structure, an assessment of the effectiveness of the internal control structure and any shortcomings in the controls. Independent external auditors must also attest to the accuracy of the company’s statement that internal controls are in place and effective.
The Benefits of SOX 404 Compliance:-
One of the key outcomes of Sarbanes Oxley was the end of self-regulation and the establishment of an independent oversight of the auditing process through the Public Company Accounting Oversight Board (PCAOB). The PCAOB has the power to establish industry standards, investigate fraud allegations and regulate audit firms.
As much as companies struggled initially with the cost and resource burden of compliance, Over time, they are seeing the investment in SOX compliance pay off in many ways:-
1. Improved corporate governance – SOX compliance improved corporate governance through the greater regulation of audit committees. Before SOX, Just 51% of public companies had audit committees that were completely independent of management. SOX mandated that all listed companies have an audit committee whose members are independent of management as well as contain at least one financial expert. As a result, audit committees today are better equipped to provide accurate and truthful financial reports.
2. Increased accountability – SOX Compliance makes executives more accountable and protects investors. Executives are required to personally certify financial reports, with significant penalties in place for fraudulent activities.
3. Auditor independence – SOX compliance enhances auditor independence by prohibiting audit firms from providing bookkeeping, actuarial or management functions to the companies they audit.
4. Fewer financial restatements – Post-SOX, the Number of Financial Re-statements continues to decline year-over-year.
The SOX Audit Process:- SOX Audits can be broken down into any number of steps from performing risk assessments to what to include in an audit committee report. These are the following 8 Steps:-
1-Defining the Scope Using a Risk Assessment Approach
2-Determining Materiality and Risks – Accounts, Statements, Locations, Processes, and Major Transactions
3-Identifying SOX Controls – Non-Key & Key, ITGCs, and other Entity-Level Controls
4-Performing a Fraud Risk Assessment
5-Managing Process and Control Documentation
6- Key Testing Controls
8-Delivering Management’s Report on Controls
In Brief :- (All Eight Points)
1) Defining the SOX Audit Scope Using a Risk Assessment Approach:-
For performing a risk assessment, PCAOB Accounting Standard 5 recommends, “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”
This step in a SOX compliance audit should not result in a list of compliance procedures but should help the auditor identify potential risks and sources, how it might impact the business, and whether the internal controls will provide reasonable assurance that a material error will be avoided, prevented, or detected.
2) Determining Materiality in SOX (Accounts, Statements, Locations, Processes, and Major Transactions):-
Step 1 – Determine what is considered material to the P&L and Balance Sheet:-
How:- Financial statement items are considered “material” if they could influence the economic decisions of users. Auditors can typically determine what material is by calculating a certain percentage of key financial statement accounts. For example, 5% of total assets, 3-5% of operating income or some analysis of multiple key P&L and BS accounts.
Step 2 – Determine all locations with material account balances:-
How: Analyze the financials for all the locations you do business in. If any of the financial statement account balances at these locations exceed what was determined as material, chances are they will be considered material and in-scope for SOX in the coming year.
Step 3 – Identify transactions populating material account balances:-
How: Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they’re recorded should be documented in a narrative, flowchart, or both.
Step 4 – Identify financial reporting risks for material accounts:-
How: Seek to understand what could prevent the transaction from being correctly recorded, or the risk event. Then, document the effect the risk event could have on how the account balance could be incorrectly recorded, or the breakdown of the financial statement assertion.
3) Identifying SOX Controls (Non-Key & Key Controls, ITGCs, and other Entity-Level Controls):-
During your materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded.
They will seek to identify the checks and balances in the financial reporting process that ensure the transactions are recorded correctly, and account balances are calculated accurately.
Some examples of preventative or detective SOX controls include:-
1-Segregating conflicting duties (e.g. the ability to post and approve invoices),
2-Reviews of individual or multiple transactions recorded in the period, and account reconciliations.
Next, often material accounts need multiple controls in place to prevent a material misstatement from occurring. You’ll have to analyze all the controls to determine which ones best provide that assurance, keeping in mind the people, process, and technology in place.
Audit teams are cautioned from applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Inadvertently, each new control is often classified as “key” without performing a true risk assessment, which then contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts and “scope creep.”
To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk?
By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.
Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated controls.
For the automated controls identified, you should evaluate whether the underlying system is in-scope for ITGC testing, which will impact your overall testing strategy of the control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of control testing needed to be performed.
4) Performing a Fraud Risk Assessment:-
An effective system for internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing the instances of fraud in an organization. Internal controls play a key role in reducing the opportunities available to commit fraud and what the material impact would be if fraud occurred, including a manual override of internal controls.
Below are examples of anti-fraud internal controls and practices organizations can implement to considerably lower losses due to fraud:-
1-Segregation of Duties:- The Institute of Internal Auditors (IIA) describes the basic idea underlying segregation of duties as “no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties.” That is, the work of one individual should be either independent of, or serves to check on, the work of another.
1-Custody of Assets
2-Authorization/Approval of related transactions affecting those assets
3-Recording and reporting of related transactions
Whistleblower Policy: – In spite of federal regulations, the ultimate responsibility of implementing a strong whistleblower program lies with management. Historically, internal employee tip-offs have provided the best means of fraud detection. Hence, Management cannot afford to neglect having an internal whistleblower mechanism within their organization.
Periodic Reconciliation of Bank Accounts:-Bank reconciliations highlight the differences between the cash per balance sheet and bank statement, while also confirming accuracy of the data recorded in the organization’s cash ledger.
The core duty of performing bank reconciliation is not just to identify unexpected differences, but also entails preventing future occurrences, such as: accounting delays, restricting auto-debits to vendors, etc.
Depending on the size of the organization, bank reconciliations should be performed on a daily, weekly, or monthly basis to monitor and detect fraudulent activity. It is management’s proactive approach towards fraud detection and prevention, coupled with strong internal controls, which will ultimately decrease the opportunities to commit fraud and in still an ethical culture within an organization.
5) Managing Process and SOX Controls Documentation:-
Details of the operation of key controls, such as control descriptions, frequency, test procedures, associated risk, population, and evidence are established within the control narrative and documentation.
Often risk and control mapping has a many-to-many relationship which can make manual documentation difficult. Some examples include:-risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping too many controls.
As any audit manager can attest, if one member of the team fails to make a timely edit or forgot to make updates across all test sheets, the downstream ripple effect can cost managers hours and hours of cleanup.
The solution is to leverage an underlying relationship database to act as a central repository and as the foundation of the audit program.
SOX software constructed upon purpose-built database structures can allow auditors to quickly pull or push information to and from a database, and have those results cascade throughout the entire SOX program instantly.
Controls documentation is simple and doesn’t require making edits across several standalone spreadsheet files. In addition, for annual audit results to be used year over year, a spreadsheet cannot handle the large volumes of data. Speed, accuracy, and scalability of a database solution will exceed the benefits of “spread sheet familiarity.”
6) Testing Key Controls:-The overall objective to SOX control testing is threefold –
1) Ensure the process or test procedures as outlined are an effective method for testing the control,
2) The control is being performed throughout the entire period and by the assigned process owner, and
3) The control has been successful in preventing or detecting any material misstatements.
In short, Control testing validates design and operating effectiveness.
The actual SOX controls testing process may include a variety or combination of testing procedures including ongoing evaluation, observation, inquiries with process owners, walkthrough of the transaction, inspection of the documentation, and/or a re-performance of the process.
7) Assessing Deficiencies in SOX: –
Ongoing investment into a SOX program should result in an improvement in your actions, policies, and procedures. As the control environment improves, businesses should also see a clear increase in the level of automation and a corresponding decrease in the amount of manual testing required of auditors. Ultimately, this will result in your team spending less time managing fewer issues. Deficiencies should be reduced to an acceptable and predictable level, and there should be few surprises.
During the SOX control testing process and analysis, the auditor may identify an exemption, deficiency or gap in the tested sample. If this happens, an “issue” is created. Besides remediating and correcting the issue, the audit team then assesses if it was a design failure in the control or an operating failure where training, responsibilities, or process needs to be adjusted. Lastly, management and the audit team assesses whether or not it is a material weakness (as described above is typically a percentage of variance and with a high-risk level) and will be reported on the end-of-year financials or it was only a significant weakness.
8) Delivering Management’s Report on Controls:-
The end product of the SOX control testing is the management’s report on controls over financial reporting that is delivered to the audit committee.
While a substantial amount of documentation and data is collected during the process, the report should include:-
1-Summary of management’s opinion and support for those conclusions.
2-Review of the framework used, evidence collected, and summary of results.
3-Results from each of the tests – entity-level, IT, key controls.
4-Identification of the control failures, gaps, and corresponding root causes.
5-Assessment made by the company’s independent, external auditor.