The Sarbanes-Oxley Act of 2002 introduced major changes to the regulation of financial practices and corporate governance. Much debate ensued about whether smaller companies and their external auditors would also have to follow SOX. Thus, a lighter version of SOX was introduced in 2007.
“This was the go-ahead to take a top-down approach and focus on the larger risks,” says Tom Powers, CPA, director, assurance and business advisory services, GBQ Partners LLC.
Smart Business spoke with Powers about some of the lessons learned from SOX and how to increase efficiency during SOX audits.
What are some lessons that companies have learned from SOX?
Before diving into the control risk matrix for purchase-to-pay or order-to-cash cycles with 10, 15 or 20 controls, visit with the controller, CFO and other upper management and ask the simple question: ‘How do you know when there is a material error in your monthly, quarterly or annual financial statements?’
It may have been a while since you’ve heard what happens, because Jane approves the general ledger account distribution or Joe makes sure all invoices were prepared for all shipments sent out. Yes, these are important process level controls to help run your business, but may not be what management is ‘banking on’ to catch the material mistake that prevents the material weakness. Typically, management has a number of analyses, comparisons, trend reports or other dashboards that send up the red flags. Think about putting more effort into understanding and testing those more powerful controls and less time and effort into the nitty-gritty process level controls.
How can you increase SOX efficiency?
It’s time to think about internal audit getting back to performing operational reviews and special projects on targeted areas to identify value. You need to turn over SOX to process level owners. One tool that is helpful to increase operating effectiveness is to create a dashboard — a spreadsheet that lists your company’s key controls, along with the individual responsible for performing or reviewing the control procedure, with check-off boxes for each month or quarter.
Sort the overall dashboard by individual and create a one- or two-page dashboard for each individual. Have them post it at their cubicle or desk to constantly serve as a reminder of the responsibilities required to be completed each month or quarter. Have the individuals complete the periodic dashboard, initialing each periodic performance box, and submit those to designated corporate accounting personnel who review and take action when the boxes are not checked off.
A number of deficiencies occur simply because people forget. The individual dashboard serves as a friendly reminder of to-do’s, increases accountability and provides a place for people to positively indicate that they have performed the control procedure, especially if there is not a paper trail.
What are some risks to be aware of with SOX?
The first is evaluating the design of internal controls. The second is promoting the idea that, in general, the implementation of effective internal controls and/or processes could provide the company with increased processing efficiencies and potential cost savings. Never mind SOX, how much time and money could a company save if management knew they could take proactive steps to implement key controls around significant processes?
In 2004, how many companies had to test the same key controls multiple times before the operation of control appeared effective? How much more time and how many more resources did it take for the company to perform this undertaking?
What effect can SOX have on your existing procedures?
Existing policies and procedures serve as building blocks for SOX process documentation and define employees’ roles and responsibilities. Once you have identified significant SOX processes, documentation begins with evaluating those policies and procedures. The SOX documentation process is the most practical time to recommend ways to update any outdated or inadequate policies and procedures to avoid future pitfalls.
How do the SAS 70 User Control Considerations affect SOX?
User-access reviews, segregation of duties, checklists, policies and procedures, and entity-level controls remain internal to an organization. What happens when a company outsources functions or relies on an outside vendor to provide core and/or support services that management relies on to support the assertion that the financial statements are fairly presented in accordance with GAAP?
Management should consider the activities of any service organization it uses when assessing its own internal controls over financial reporting. These rules are covered in SAS 70, which spells out how an external auditor should assess the internal controls of the service provider used by the company it is auditing. Obtaining a SAS 70 Type II report from the service provider constitutes acceptable documentation and will allow a company to properly evaluate the operating effectiveness of controls at the service organization.
A Type II report includes the external auditor’s opinion on the fairness of the presentation of the service provider’s description of its controls and how well suited the controls are to achieve the specified control objectives. It also includes the auditor’s opinion on whether the controls were operating effectively during the period under review.
The hard part of management’s assessment is an evaluation of recommended user control considerations, which are recommended by the service provider for companies to have in place to support the achievement of the service provider’s control objectives.
Tom Powers, CPA, is the director of assurance and business advisory services at GBQ Partners LLC. Reach him at firstname.lastname@example.org or (614) 947-5215.