Every SOX audit season reveals a bit of information about auditors’ expectations. And every year, those expectations seem to shift, with not much transparency about where the bar is. So, preparing for auditors’ scrutiny often involves frustration and scrambling as companies try to comply with ever-changing auditor expectations. Fortunately, we didn’t get any big surprises this year and what we did see indicates the areas of focus we can expect to see again:
Management review controls: Auditors are looking for evidence that (a) reviewers understand what they are reviewing, and (b) the review was performed at an appropriate level—with supporting documentation attached.
A third party should be able to determine how the reviewer performed the review—what they tied out, what supporting documents they looked at, what calculations they reperformed, how they concluded that the data included was complete and accurate, and how any estimates and assumptions were supported (i.e., what contrary evidence was evaluated, what sensitivity analyses were performed, etc.). Of course, not all these steps are necessary for every review, but any time you have a complex report or an area where there is significant judgment involved, there’s higher risk—and the more robust the review procedures should be.
User access reviews: Companies should regularly revisit their processes to ensure access reviews are up to date and comprehensive. Anyone doing these reviews needs to have a clear understanding of what the various roles mean in terms of who can access what and what they are permitted to do when they have that access. It’s especially important to pay attention to customized roles and whether any segregation-of-duties conflicts open up when new access permissions are created. (For more insights on user access controls, see where deficiencies may be found during an audit and how to avoid or mitigate them.)
Segregation of duties: Usually a big—and necessary—undertaking, this analysis typically only needs to be performed on an annual basis, so long as you have strong access controls and not a lot of changes going on. Ideally, you should conduct your annual review close to your year-end, and then monitor for changes throughout the subsequent year.
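To make the two preceding points concrete, here is an added example (not code from the original post or from RoseRyan) of the kind of check a reviewer can run over exported role and user data: it resolves each user’s effective permissions through their roles, flags segregation-of-duties conflicts, and shows which changes since the last annual review (new roles, roles that gained permissions, users who gained roles) mean a user needs to be re-examined. The role names, permissions, user names and SoD rules are all constructed sample data, not from the post; the baseline snapshot stands in for the previous year-end review.

```python
"""Segregation-of-duties check over role-based access data (constructed sample data)."""

# Constructed sample: role -> permissions, including a customized role.
ROLES = {
    "AP_Clerk":        {"create_vendor", "enter_invoice"},
    "AP_Manager":      {"approve_payment", "view_reports"},
    "AP_Super_Custom": {"create_vendor", "approve_payment", "view_reports"},  # customized role
}

# Constructed sample: user -> assigned roles.
ASSIGNMENTS = {
    "alice": {"AP_Clerk"},
    "bob":   {"AP_Manager"},
    "carol": {"AP_Super_Custom"},
    "dave":  {"AP_Clerk", "AP_Manager"},
}

# Constructed snapshot of roles and assignments as of the last annual review.
BASELINE_ROLES = {
    "AP_Clerk":   {"create_vendor", "enter_invoice"},
    "AP_Manager": {"approve_payment", "view_reports"},
}
BASELINE_ASSIGNMENTS = {
    "alice": {"AP_Clerk"},
    "bob":   {"AP_Manager"},
    "carol": {"AP_Clerk"},
    "dave":  {"AP_Clerk"},
}

# Constructed SoD rules: pairs of permissions one person should not hold together.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]


def effective_permissions(user, assignments, roles):
    """Map each permission the user holds to the set of roles that grant it,
    so a reviewer can see the path by which access was obtained."""
    granted = {}
    for role in assignments.get(user, set()):
        for perm in roles.get(role, set()):
            granted.setdefault(perm, set()).add(role)
    return granted


def find_sod_conflicts(assignments, roles, rules):
    """Return {user: [(perm_a, perm_b, roles_granting_a, roles_granting_b), ...]}
    for every user who holds both halves of any SoD rule, whether through one
    role (intra-role conflict) or a combination of roles."""
    conflicts = {}
    for user in sorted(assignments):
        granted = effective_permissions(user, assignments, roles)
        for a, b in rules:
            if a in granted and b in granted:
                conflicts.setdefault(user, []).append(
                    (a, b, sorted(granted[a]), sorted(granted[b])))
    return conflicts


def diff_access(baseline_roles, baseline_assignments, roles, assignments):
    """Describe access that was added since the baseline review. Removals are
    ignored here because they cannot create a new conflict."""
    changes = []
    for role, perms in roles.items():
        old = baseline_roles.get(role)
        if old is None:
            changes.append(("new_role", role, sorted(perms)))
        elif perms - old:
            changes.append(("role_gained_permissions", role, sorted(perms - old)))
    for user, user_roles in assignments.items():
        gained = user_roles - baseline_assignments.get(user, set())
        if gained:
            changes.append(("user_gained_roles", user, sorted(gained)))
    return changes


def users_to_recheck(changes, assignments):
    """Users whose effective access may have widened: anyone who gained a role,
    plus anyone assigned to a role that is new or gained permissions."""
    touched_roles = {c[1] for c in changes if c[0] in ("new_role", "role_gained_permissions")}
    users = {c[1] for c in changes if c[0] == "user_gained_roles"}
    users |= {u for u, rs in assignments.items() if rs & touched_roles}
    return sorted(users)


if __name__ == "__main__":
    changes = diff_access(BASELINE_ROLES, BASELINE_ASSIGNMENTS, ROLES, ASSIGNMENTS)
    for change in changes:
        print("change:", change)
    conflicts = find_sod_conflicts(ASSIGNMENTS, ROLES, SOD_RULES)
    for user in users_to_recheck(changes, ASSIGNMENTS):
        print(user, "->", conflicts.get(user, "no SoD conflict"))
```

The point of returning the granting roles alongside each conflict is the documentation requirement from the management-review section: the output itself records how the reviewer concluded that a conflict exists and which role (here the customized role) introduced it. Run against the real role export and the prior year-end snapshot, the change list is the input to the "monitor for changes throughout the subsequent year" step.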
Are you recovering from a rough SOX audit? Need help remediating material weaknesses? Or is it time for a review of your controls? RoseRyan SOX compliance experts can help year-round, so reach out anytime.