Now that the dust is settling on the 2019 financial reporting cycle, it is a great time to evaluate what went well and what you would change going forward in your Sarbanes-Oxley program. We surveyed our consultants and found a few hot spots that some companies may have overlooked in the past but shouldn’t in 2020.
1. Companies treating Sarbanes-Oxley as a risk management process tend to be more efficient.
It’s time for a robust risk assessment. Many companies are still—even after almost 20 years, treating SOX as a compliance activity when it should be considered a risk management activity. Yes, SOX is a law and must be complied with—that is a fact. But it’s also true that companies that undertake a thorough risk assessment early in the year are more likely to identify changes needed to their SOX program and anticipate areas where their external auditor may expand their focus. This provides time to consider options and implement changes that efficiently address the risk. Additionally, ongoing conversations with the external audit team will provide input as to the effectiveness of financial statement risk mitigation and can yield significant efficiencies in the audit.
2. The rigor of control documentation and testing should emphasize high-risk controls and reveal efficiencies in designing, operating and testing lower-risk controls.
With risk as the focus, doing the right thing becomes clearer: Higher risk areas such as transactions that require significant estimation should be considered for contemporaneous documentation regarding review of inputs, assumptions and conclusions. Validation of reports supporting significant journal entries should include how management reviewed the completeness and accuracy of the underlying data. This includes reports discussed further in the next point below.
At the end of the day, higher risk should result in more work, and lower risk results in less work. Some companies are getting surprised with control deficiencies or worse because they are not addressing the nuances of higher risk areas.
3. Third-party reports should not be taken at their face value.
Errors in reports, spreadsheets and information your company receives from other entities can negatively impact your financials if left unchecked. These information sources are known as “information produced by the entity” or IPE and represent a common problem area for most companies subject to SOX. To address this issue, it is best to capture report or query parameters, develop check totals and other integrity checks, and understand how the information provider checks report completeness and accuracy. All of this will help you ensure that significant errors are not unknowingly included in your financials.
Keep in mind that reports produced by service providers and business partners create the same risk and should be managed in a similar fashion. Use of such reports is an area where external auditors increased their focus in 2019, and we expect this focus to intensify in 2020.
4. Abbreviated documentation of management review controls is no longer sufficient.
A management review control is a specific type of control that, as one would expect, describes how management reviews a particular area. Commonly referred to as an MRC, these controls vary in complexity and the underlying risk of the area being reviewed. While a sign-off and date may address the risks of a bank reconciliation review, it is no longer sufficient in more complex areas such as, but not limited to, the review of reserves, accruals and intangibles. So, contemporaneously capturing the details of what the review entailed can be very helpful to substantiate the adequacy of the review. We expect audit attention to continue increasing in this area.
5. Increased use of service providers is complicating control risk management.
With the popularity of SaaS offerings and companies seeking repetitive process automation or RPA, companies can solve one problem and create another by expanding their control risk to include their service providers’ control risk.
For seasoned public companies, management is accustomed to obtaining SOC 1 reports, reviewing them and concluding on reliance. Even with this mature process, there are a few things to keep in mind. Many of the larger service providers are splitting their reports between business processes and IT. Some service providers rely on subservice providers for significant parts of their process. Auditors of the service providers are increasingly finding deficiencies and even qualifying their reports. SOC 1 report reviews need to take each of these nuances into account and determine if anything mentioned impairs the company’s ability to rely on service provider controls. All of these realities need to be addressed in the report review and considered in the reliance conclusion.
Lastly, new service providers may not have mature controls or may not offer SOC 1 reports. In any of these situations, companies should clearly know what controls they rely upon and have a fallback plan if reliance cannot be achieved.
6. Scams, especially email scams, are on the rise.
As discussed in our February blog post on Sarbanes-Oxley compliance, the frequency and severity of cybersecurity scams, including social engineering and malicious sites, are increasing. An effective SOX risk management program has to include a thorough assessment of fraud risk and appropriate controls. These include finance and information technology controls. There are practical ways to reduce these risks, and a SOX program that addresses these risks can help.
7. Process documentation does not mean step-by-step procedures.
There are few instances when a process is so complex and high volume that detailed procedures are necessary for management to understand how the risks are being managed. More often than not, process documentation that includes (1) the details of all the main types of transaction classes and (2) the controls in place specific to those transaction classes, and addresses the related risks, fulfills the need for process documentation.
So, process documentation can be in many cases a simple extrapolation of the company’s risk and control matrix from the planning process.
8. Assessing your company’s filer and reporting status may be in order.
If your company is considered, under the SEC’s definitions, a small reporting company (SRC) or an emerging growth company (EGC), or if the stock price has recently decreased, an assessment may be on tap for the reporting year. Do this early in the year and adjust accordingly.
This directive mostly applies to smaller companies that have recently gone public, but it affects larger companies as well. For a smaller company, the effort needed for an effective SOX risk management program increases when a 404(b) trigger is met. Lead time will need to be adjusted. It is the reverse for companies that fall back into the SRC definition; they might find that their SOX efforts can be streamlined. Plan ahead for these status changes.
Of course, SOX’s compliance aspects should not be overlooked. Sarbanes-Oxley, however, is rooted in risk management. Taking a risk management approach to SOX will not only help solve how to comply with SOX requirements but will also result in better risk management overall. Taking a risk-based approach can also save costs by streamlining efforts and avoiding losses due to theft and fraud.
Ken Roberts is a RoseRyan consultant who works with companies of all types in our Corporate Governance area. He’s an expert in SOX and internal control testing, and he’s held CFO, controller and internal audit roles. He also has experience with M&A integration work and operational accounting. Ken previously worked at Ernst & Young.