I’ve been working in corporate governance, specifically SOX compliance, for almost four years now, and the most difficult task for any company has been the development of the SOX narrative.
The narrative is the framework for understanding how your controls fit into the business process. Depending on your preference, this may take the form of a flowchart or a Word document. In companies new to SOX compliance, there is an eagerness to detail every step that they take in a process. They want to tell you everything that they do, but that isn’t the point of a narrative; that’s a desk procedure.
In my opinion, the narrative is the starting point for understanding your controls, whether they are key or nonkey. Key controls are the gatekeepers, the ones that keep your process in check and on track. For example, within your financial statement close process, a journal entry (JE) is supported by documentation and then reviewed and approved. The review and approval, which is performed by someone other than the preparer, is the key control. The approver is the one who verifies that the JE is properly supported, is a valid entry, complies with company policy, and affects the appropriate accounts.
By documenting how your process works at a high level, the controls, or absence of controls, will stand out for you. You can determine which controls are the gatekeepers and what evidence there is that the control is in place.
Writing the narrative takes time and effort, and may often feel like a tooth extraction. But when it’s done correctly, it will save you time and money because you will be testing a smaller set of controls.