SOX – SARBANES OXLEY
SOX COMPLIANCE IN VOLATILE TIMES:
THE IMPORTANCE OF A RISK-FIRST APPROACH
THE CHALLENGE
Though Sarbanes-Oxley (SOX) compliance addresses financial reporting risks to significant accounts, disclosures, and assertions, many business processes touch upon operations and IT. In fact, operational, IT, and financial risks are often more interconnected than independent of each other. Viewed in this light, an effective SOX controls environment can give organizations an advantage in managing enterprise-wide risks. However, this can only be true if practitioners approach SOX from a risk-first perspective, rather than as a check-the-box task performed in a silo.
In reality, in the process of ticking off SOX items, auditors can lose sight of the big picture. For example, during the risk and control mapping process, the control is often designed before the risk, even though best practice would dictate that the risk should drive the design of the control. Even the most seasoned SOX practitioners can fall prey to this, despite a risk-first approach being more conducive to revealing control gaps and weaknesses.
Risk must come first, because risk drives everything. A risk-first approach is even more important considering the rapidly changing risk environment following the events of 2020. If your risks are changing, your processes and controls should change with them — including those that fall under SOX.
Typical Risk Mapping Approach
- Identify process
- Map to controls
- Deduce which controls mitigate risks
Risk-First Approach
- Identify risk
- Identify process
- Identify controls that mitigate the risk

THE SOLUTION
Keeping risk top of mind is the first step to a more informed, effective, and efficient SOX program. Just as internal auditors are performing risk assessments more frequently, SOX practitioners should meet with their risk and audit counterparts more frequently to understand changes to the risk environment. This allows the SOX team to adapt its risk assessment and scoping efforts to reflect new risks. In return, the SOX team can provide valuable input to the enterprise risk management (ERM) program and ensure that internal control over financial reporting (ICFR) is appropriately identified across the risk portfolio.
In addition, this playbook contains a carefully curated menu of resources intended for SOX practitioners to leverage, share, and discuss with their teams. Each section has been written with the goal of providing the most valuable considerations and best practices for each stage of the SOX lifecycle, as well as practical tools and checklists to help auditors drive efficiency throughout their engagements.
3 KEYS TO A SUCCESSFUL SOX RISK ASSESSMENT
The SOX risk assessment is the foundation for the entire SOX program. An auditor’s goals when performing the SOX risk assessment are:
• Determine the materiality and the risks of material misstatement in the organization’s financial reporting processes.
• Refresh risk and control mappings to reflect the current control environment.
• Design test procedures to effectively test controls, based on a deep understanding of management’s expectations and risk tolerance levels.
In addition to following the guidance outlined in PCAOB Auditing Standard 2110 and other relevant resources, the following are three keys to a successful SOX risk assessment.
Auditors will sometimes roll forward their SOX controls from year to year without a proper review of management’s estimates and expectations. When performing in-depth analysis of financial and operational data, seek to understand management’s level of risk tolerance by asking questions such as:
• What will cause you to investigate a certain result or trend in company performance measures?
• What kinds of issues have you encountered, and what red flags have you looked for?
• What do you see as a risk to meeting your initiatives and goals?
Doing so will reveal the level of precision at which tasks or controls are being executed. You can then use this information to drive the basis of your risk assessment to understand what a control will (or should) identify.
Seek to understand management’s main concerns and strategic initiatives for the year through interviews with executive stakeholders and other assurance providers. Doing so will help create a more holistic picture of the objectives and strategies of the organization that drive material line items. Review the results from other risk assessment procedures (enterprise risk assessment, fraud risk assessment, IT risk assessment) to further enhance and inform your understanding of business risks that could result in risks of material misstatement. Although the SOX risk assessment is separate from the enterprise risk assessment, there can be — and often are — related risk areas.
In the spirit of efficiency, collaboration, and agility, it is important to take stock of relevant work that has already been performed in your organization. Are you coordinating with related functions — e.g. internal audit, risk management, information security, compliance — to determine whether emerging risks are being considered as part of your SOX scoping efforts? Make an effort to meet regularly with other assurance team leads, as doing so can reveal insights relevant for your SOX program that may create efficiencies. For example, if your organization has a risk management function, syncing with them may help you determine whether a certain process is low risk or requires additional testing.