After going public, one of the initial hurdles companies face is developing a comprehensive control environment. As mentioned in part one of this series, Laying a strong foundation and building a robust control environment will help ensure companies can successfully address risk As time passes, those responsible for performing internal controls testing gain extensive knowledge over the control environment, procedural nuances specific to the organization, and factors contributing to areas of improvement. Unfortunately, expertise is not gained overnight and the time it takes to obtain the necessary knowledge could open a window of risk for the organization. A goal for public companies working through their internal control procedures should be maintaining and maximizing compliance efforts while minimizing cost. In order to help control the cost to the organization, management should consider several strategies to reduce both the cost and burden.
Re-Scoping the Control Environment
Following the initial year of compliance with 404(b), companies will continuously grow and change. Factors contributing to change vary, but they typically result in the need to periodically re-scope the internal control environment. Three contributing factors are:
- Implementation of a New Reporting System: As time progresses, the reporting systems an organization utilizes may become outdated and/or obsolete. Companies need to ensure that they are leveraging available technologies and employing the most current system to facilitate the daily activities performed by all members of the organization. Periodically, organizations should evaluate their reporting system and determine whether they would benefit from an upgrade or the implementation of a new product.With the introduction of a new, or upgraded, reporting system comes the need to review the control environment. First, risks are assessed and any new risks are identified prior to a determination being made as to whether current controls appropriately mitigate all risks, or if new key controls need to be implemented. If any new controls have been added, they must be reviewed in order to maintain compliance. Similarly, the new system may re-categorize controls that were once key, but now are secondary to other controls and may not need to be evaluated for compliance purposes.
- Automation of Manual Processes: We live in an era driven by technology where there is a constant push for more automation. The processes that once necessitated manual inputs, data processing, and physical evidence of review and approval are now built into the systems that companies utilize on a day-to-day basis. Within the corresponding control environment, auditors are able to rely on tests of application controls that only require a small sample size – as opposed to manual controls that require multiple, larger samples to gain comfort that each control is operating effectively within the control environment. Similar to the implementation of a new reporting system, risks should be re-assessed and any new key controls identified and included within the control environment.
- Implementation of a New Business Process Area: Changes can occur within an organization related to entry into new business lines. While staying within their industry, a business may find themselves in a position to enter into a new service area or expand upon current offerings. For example, a research firm may move into the manufacturing space, resulting in the need for multiple new process areas. To ensure continued compliance with SOX requirements, each area needs to be evaluated to identify the key controls and to determine if the area is high risk. The identification of new risks requires reviewing all current internal controls to determine if risks are still being effectively mitigated, or if additional key controls should be added to the control environment.
While some re-scoping efforts may drive up the cost of SOX compliance in a given year, the goal of any organization is to continue to drive down costs. Re-scoping is a key exercise that must be completed to ensure that only the relevant key controls are being tested in a given fiscal year.
Working with the External Auditors to Gain Reliance
No public organization is able to audit their own financial statements. Instead, they hire external auditors to review the quarterly and annual filings and issue an opinion as to whether the financial statements are presumed to be free of any material misstatements. To provide a clean opinion on an organization’s financial statements, external auditors must also evaluate the effectiveness of internal controls. Therefore, auditors must test the key controls within all high-risk process areas to support substantive testing procedures. Duplicative efforts by both internal and external auditors to perform the same tasks can be costly. Organizations should evaluate the control environment and have discussions with external auditors about reliance on work that was already performed.
During the course of SOX testing for a given fiscal year, external auditors can work in tandem with the organization’s internal (or outsourced/co-sourced) auditors to gain reliance on work that was completed on behalf of the organization’s management. Procedures must be evaluated and the external auditors must gain comfort that the internal auditors/compliance team are arriving at the appropriate conclusions related to the design and operating effectiveness of internal controls. While this may be a greater effort at the out-set, the total cost of SOX compliance for the year can be driven down, as two project teams will be utilizing the same work to arrive at their conclusions.
Outsourcing/Co-Sourcing SOX Compliance Efforts
The major benefit of having an organization’s employees perform SOX compliance testing is their institutional knowledge of the business, the processes performed, control owners, and the systems/documents used to facilitate day-to-day operations. While they may have a greater inherent level of familiarity and institutional knowledge, companies in the early years of compliance may not have a dedicated team with the training and experience to adequately identify risks, assess key controls, and develop potential process improvement opportunities within a given process area. When in-house personnel lack the expertise to appropriately assess internal control design and effectiveness, companies may consider co-sourcing or outsourcing their compliance efforts.
Outside firms have resources dedicated to the practice of risk management with specialties in areas such as SOX compliance. Organizations in the early years of compliance, or those that are re-scoping or implementing new systems or process areas, may want to consider partnering with outside consultants to complete the required compliance testing. The benefits of utilizing outside resources could include decreased costs, as risk management professionals have extensive knowledge, structured approaches and procedures, and the ability to complete compliance work efficiently and effectively.
SOX compliance is achievable and shouldn’t break the bank. Organizations will be able to successfully navigate compliance if they are able to adapt and identify the best approach to performing compliance on an annual basis.
Now What?
- Part 1: Sarbanes-Oxley 404(b) Compliance: A Refresher of the Initial Questions You Should Be Asking
- Part 2: Sarbanes-Oxley 404(b) Compliance: Determining the Control Environment
[sch_pullbox] If you’d like to learn more about the benefits of partnering with professionals such as SC&H Group for your SOX compliance requirements, please reach out to our team. [/sch_pullbox]
