Learn more about how I provided one client with end-to-end SOX program support.
“If you think that compliance is expensive: try non-compliance.” – US Deputy Attorney General Paul McNulty
TL;DR
A newly public healthcare software company approached us to manage its Sarbanes-Oxley (SOX) program. Its existing program was expensive and inefficient, lacked subject matter expertise, and was not adequately mitigating financial reporting risk. We implemented a risk-based approach that established simple, repeatable, documented methodologies with clear roles, responsibilities, and accountabilities. The company successfully implemented its upgraded SOX-compliant program. I owned and optimized the program for several years, resulting in clean audit opinions and 33% cost savings.
Introduction
The Sarbanes-Oxley (SOX) Act of 2002 is a US federal law that established auditing and financial reporting requirements for public companies in response to several accounting scandals in the early 2000s. Among other things, SOX Section 404 requires management to establish and maintain adequate internal control over financial reporting (ICFR) and to assess its effectiveness each year. Organizations often prefer to co-source or outsource the management of their Section 404 compliance program because of cost or a lack of internal expertise.
Let us take a look at an example of how my team successfully implemented and managed a SOX program.
Scenario
The company had just gone public and had little SOX experience, as most of its key stakeholders had previously worked in private companies. They needed help becoming SOX compliant. External Audit was getting more involved because the company was subject to SOX Section 404(b), which requires the external auditor to attest to the effectiveness of internal control over financial reporting. Management wanted to avoid any material weaknesses. Given the increased focus on EBITDA, they asked for help developing a sustainable, efficient, cost-effective compliance program.
Implementing the Program Framework
Planning
We planned the upgraded SOX-compliant program by collaborating with company leadership to define roles, responsibilities, and timelines. We needed to nail this down straight away to establish accountability. This step also brought a sense of excitement and anticipation to the project.
Communication
We then established communication channels throughout the organization so that every business area knew its roles and responsibilities for SOX compliance. These channels included a group email distribution list, group chats, and a SharePoint site, to name a few.
Policies and Standards
The next step in implementing the upgraded SOX-compliant program was creating policies and standards tailored to the company’s specific needs and goals. This included assessing the existing risk management processes to determine where improvements could be made to eliminate waste and reduce costs.
We used the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control – Integrated Framework, the framework most, if not all, SOX compliance programs are built on. COSO develops recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. Its mission is to
“help organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence”.
Program Tracker
In addition to creating policies and procedures tailored to the company’s needs, our team developed a comprehensive Tracker and Implementation Plan that management used daily. Until a SOX compliance software solution was installed, this workbook gave every area of the business up-to-date information on its performance against key implementation metrics, such as walkthrough results and compliance reviews. The workbook also let us identify potential risks and audit findings early, so we could take corrective action long before they grew into bigger issues.
Training
Finally, we provided training materials so employees could stay informed about their control responsibilities and about any changes to SOX requirements and the company’s program over time.
Managing the Program
With the program’s foundation built, it was time to execute the requirements outlined in the policy for the first time. Here I will walk you through our approach to each of these requirements.
Scoping & Risk Assessment
This step is critical to avoid creating unnecessary work for the team. We started by obtaining financial statements and general ledgers for all entities and locations. Our team set a materiality threshold based on many factors, such as total revenue, company culture, company maturity, and already known gaps. Applying the materiality threshold together with qualitative considerations identified the entities, processes, accounts, systems, and tools in scope for the SOX program.
Process Documentation
For us SOX nerds, few things are more satisfying than clear, well-drawn process flowcharts. We created these after conducting many walkthrough meetings with the company’s process and control owners. Once they were finished, they made the following step much easier.
Identify Risks and Key Controls
Risks were now jumping off the flowcharts. Our team inventoried the risks and categorized them by process, sub-process, and severity. We then identified existing controls and mapped them to the company’s risks, producing the company’s first risk and control matrix (RACM).
Assess Gaps
At first, some risks were not yet addressed by internal controls. We identified these as gaps and analyzed ways to mitigate each risk to an acceptable level. The final assessment was formalized in a report and provided to management to drive remediation efforts.
Test of Design
We obtained evidence for one instance of every control (well… most controls), regardless of control frequency. The purpose was to evaluate whether each control was designed appropriately before asking management to pull together larger testing samples.
Test of Operational Effectiveness
To rely on key internal controls, they must be tested to verify that they operated effectively throughout the reporting period. The team coordinated with process owners to test each control in accordance with the established policies and standards, with sample sizes driven by control frequency and risk.
Remediation and Results
Controls deemed ineffective were immediately assigned remediation action plans and owners. In some cases the controls were remediated and retested in time to be relied upon for the current reporting period. Ultimately, we had management take a holistic look at all year-end deficiencies, individually and in aggregate, to arrive at their final conclusion. No material weaknesses noted!
Optimizing the Program
Once we had implemented the new SOX-compliant program for this healthcare software company, we began optimizing it to reduce costs further while maintaining solid controls around financial reporting risk. This effort was ongoing, occurring in each of the next several years we managed the SOX program. We primarily did this in two ways:
Automation – Replacing manual controls with automated application and interface controls. Where IT general controls over the underlying systems are effective, an automated control can be tested once and then benchmarked, which sharply reduces recurring sample sizes.
Standardization and Centralization – Processes were moved to a centralized corporate team, where synergies allowed a single control to cover more risks.
It is important to note that we worked with many departments across multiple levels of the organization to ensure that everyone bought into our vision for streamlining processes without sacrificing quality or accuracy. In total, our efforts produced 33% cost savings versus prior years without compromising quality or accuracy – a win/win situation!
Conclusion
We must remain current with best practices when managing SOX programs at organizations of all sizes. My recent experience managing a public healthcare software company’s SOX program confirmed how important it is to have robust policies and procedures in place and to capture efficiency gains from automation and centralization without sacrificing quality or accuracy along the way. The resulting 33% cost savings versus prior years, with clean audit opinions throughout, is proof that a comprehensive risk-based approach can yield impressive results!
Where is your SOX program in terms of maturity?
I’m interested to know how your implementation went compared to where you are today. Let me know in the comments below.