As we head into the home stretch for this year’s SOX programs, we thought it would be helpful to highlight some key areas of focus by auditors that deserve particular attention this year. No year is ever the same: From dealing with pandemic-related risks to implementing new accounting standards, companies always have new considerations when it comes to complying with SOX. Based on my SOX crystal ball, here’s what I expect will be key areas of focus in SOX assessments.
How Is Your SOX Compliance in These Key Areas?
Not surprisingly, auditors’ areas of focus tend to align with the areas that the Public Company Accounting Oversight Board has been prioritizing during its inspections. Here’s what the PCAOB says about that:
“While inspections vary by firm, we may focus on auditor’s risk assessment processes, financial reporting, and audit areas affected by economic trends or pressures, audit areas that present challenges and significant risk, new accounting standards, and areas of recurring audit deficiencies.”
What does this thinking mean for SOX compliance in 2021? Well, let’s start with areas of recurring audit deficiencies—we’ve seen internal controls over financial reporting on that list for many years, and no matter how much effort companies put into making improvements, it still isn’t enough in the PCAOB’s view. With all this mind, here some aspects of ICFR that merit your attention this SOX season:
Risk assessment process: Spend the time to prepare a thorough risk assessment and include robust documentation. Have you identified all the areas for potential material misstatements? Do you have controls to mitigate your significant risks? Are all your financial statement assertions covered?
Many companies have addressed the risks in their control set associated with the sudden shift to remote work made because of COVID shelter-in-place orders, but the pandemic continues to present risks to the business. We continue to see supply chain shortages crop up as well as other new impacts of our pandemic life. Be sure you have addressed key changes to your business in your risk assessment.
If you’ve recently adopted new accounting standards, such as ASC 606 (Revenue) or ASC 842 (Leases), or refined your workflow and processes in these areas, make sure you’ve updated your design of controls to reflect the new risks and process flows as part of your sox compliance program.
Management review controls: This has been on the PCAOB list for quite some time—so expect to see further scrutiny here. Look to stated precision levels utilized in the management review process and what the reviewer does when something falls outside those threshold levels, or what happens when the process doesn’t follow the “normal” process. Your auditors will likely expect to see documentation showing that you’ve done these steps for each review.
Completeness and accuracy of IPE: From a SOX perspective, IPE, or “information produced by the entity,” means documenting how control operators satisfy themselves that the data used in the execution of the control is complete and accurate. It sounds simple enough, and yet this is an area that gives most people trouble. We see the whole range of reactions in our client base—from control owners who say, “I get this report from our IT team—it’s their job to make sure it’s complete and accurate” to “It’s a canned report from a leading cloud company—of course it’s complete and accurate.” The reality is, the responsibility for completeness and accuracy is shared between the application owner and the application user.
Let’s break this down even further:
For canned reports—standard reports that you run from a third-party application—you’ll need to demonstrate the report was generated using the appropriate parameters, that the calculations performed in the report are accurate, and that the vendor has effective access and change management controls in place.
- Parameters: Verify that the parameters used to generate the report are correct, and indicate that you have reviewed them. You can do that by tick mark, a highlight, whatever works for you. But you really do need to look at the parameters—we’ve seen companies run Q1 reports with the dates of January 1 to March 30. The after-the-fact argument of “there was no activity on March 31” isn’t going to fly—the only way to prove that is to run the report using the right date. We’ve also seen stock reports run without a complete population (e.g., it’s missing one of the stock plans).
- Accuracy of calculations: Verification of calculations performed can be accomplished a few ways—it could be the vendor actually does this verification and includes it in the SOC 1 report. If that’s the case, you can rely on that. Most of the time, a SOC 1 report doesn’t cover this, so you’ll need to do your own verification. Generally a “test of one” will suffice—but be sure you do a “test of one” on all the use cases, not just one. (Here’s a simple example: You can manually recalculate monthly depreciation expense for a single asset and compare your calculation to the report output—if it matches, you’re good. But also include a test for a fully depreciated asset, for an asset added during the month and for an asset retired during the month.)
Digging Deeper into SOC 1 Reports
Effective assessment of a SOC 1 report could be a blog topic in and of itself—so we’ll just hit some highlights:
Make sure the SOC 1 report covers the period you are relying on and it has a bridge letter to get you to the end of your fiscal year. Many vendors will issue a SOC 1 report covering the period through September or October, and then issuing a bridge letter saying there were no changes through December 31. For a calendar year-end company, that should work. If your fiscal year-end is different, you’ll need to do additional work here.
You should also evaluate if the design of controls listed in the report covers the key risks you need covered, and whether any testing exceptions were noted. If there are missing controls, you’ll need to do something more on your end (such as verification of calculations). If there are testing exceptions, then evaluate the impact to your organization—it could be the exception is in an area you are not relying on, or you might have compensating controls in place to mitigate the risk.
The SOC 1 report will also list out any sub-service organizations the vendor relies on, and whether the report includes controls from the sub-service organization. Often they are excluded, so you will need to obtain and review those SOC 1 reports separately. Finally, look at the list of User Control Considerations—controls that the vendor expects you to have in place, typically around access, and evaluate whether your controls address those areas.
You’ll need to go through a similar process for information used in control execution that is developed in-house and for calculations in Excel workbooks, such as tax provisions, data from a data warehouse that was extracted from other systems, custom reports, queries and scripts, etc.
Always Be on Top of SOX Trends
SOX compliance is always evolving. The SOX experts at RoseRyan can help your company master the latest key areas of focus and ensure that your company not only meets compliance requirements but does so in an efficient way that can be carried over to future years. To learn more about how we can create a tailored SOX program for your company and our SOX philosophy, see our latest video , and contact us to help you with your SOX program.
Pat Voll is a vice president at RoseRyan, where she guides and develops new solutions for our strategic advisory practice, which includes corporate governance, strategic projects and operational accounting. She also manages multiple client relationships and oversees strategic initiatives for the firm. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.