Corporate Governance (Sarbanes-Oxley – SOx – Resolution)
-
The resolution of all SOx compliance requirements is represented in the final report of the external independent SOx auditor after the completion of the annual SOx-mandated audit of the enterprise, including the internal controls for financial records.
-
SOx also mandates that both the chief executive officer (CEO) and the chief financial officer (CFO) sign statements attesting to the accuracy of all the SOx-related financial reports prepared annually by their enterprise.
-
SOx Section 404 is generally considered to be the most critical in terms of providing guidance on creating and maintaining, annually, a SOx-compliant framework for the enterprise; through custom and usage, SOx compliance practitioners have formulated various best practices regarding what might be done to prepare for an audit of a typical SOx-compliant framework, such as, for example:
-
defining the roles of the SOx team members clearly, so there is no overlap of tasks that might cause confusion among the team members as to who must do what;
-
ensuring that audits are performed objectively, rather than subjectively, through the segregation of duties;
-
integrating SOx compliance into all the other enterprise applications – such as perhaps your compliance with Environmental Protection Administration (EPA) regulations, Food and Drug Administration (FDA) guidelines, International Standards Organization (ISO) sections, Occupational Safety and Health Administration (OSHA) rules, Six-Sigma principles, and the like;
-
providing continuing training for all team members, to ensure competency in their respective tasks;
-
rolling over previous controls, corporate policies, protocols and the like from year to year whenever possible, and being judicious when integrating new controls, rather than attempting to re-invent the wheel with each new iteration of a SOx framework (in other words, evolution rather than revolution);
-
staying current with all new developments in the SOx compliance universe, through attending industry seminars, the use of industry publications, monitoring case law, monitoring regulatory changes, and the like;
-
using SOx control monitoring tools to continuously monitor analytics, critical processes, disk analysis, metrics, real-time drill-down dashboards, setting monitor probes on specific controls, providing transparency and visibility across the enterprise intranet, and the like;
-
using change management software, so that if you change a control in one section of your SOx framework, that same control will be synchronized in all other relevant areas of your framework;
-
utilizing simplicity of language and thought whenever possible (such as creating simple checklists for every auditing task, that can be used by anyone in the enterprise after only minimal training);
-
using the fewest controls possible to accomplish your purpose, rather than formulating a needlessly byzantine labyrinth of overly complex controls, interrelated through some mysterious codex of gnostic mysticism known only to the chosen few, which could lead to siloing information and tasks between departments and divisions, causing inefficiencies due to lack of critical information (thus, in the event that revisions must be made to the framework, there will be more people available who may be able to provide insight);
-
using a dedicated SOx internal communications system, rather than using the general enterprise email system, so that confidentiality can be maintained regarding all SOx-related issues;
-
using the corrective and preventive action (CAPA) approach for adverse event management, remedial action, root cause analysis, and the like, to identify any weaknesses in the SOx framework and then to immediately remediate such weaknesses.
-
Due to the complexity and expense of performing an annual SOx audit of the enterprise, especially in the first instance, it is highly recommended that enterprise management proceed deliberately and slowly, similar to the detailed preparations that armed forces commanders might undertake when planning a prolonged military campaign; the steps required to prepare for a SOx enterprise audit may generally follow a methodical sequence (although not necessarily in the exact order presented below), such as, for example:
-
analyzing and identifying the particular SOx requirements that may apply to each and every enterprise department and division workflow, no matter where such department or division may be located; this task will require close collaboration between, at a minimum, the enterprise accounting department, financial/treasury department, law department, risk management department, and any subject matter experts (SMEs) that may be required;
-
assembling a dedicated internal SOx audit team of enthusiastic employees, interested in improving all aspects of the enterprise, to support the SOx enterprise audit (which generally requires time-consuming tasks, such as: gathering much internal enterprise documentation; interviewing all enterprise employees in all departments and divisions; creating charts and spreadsheets to document enterprise controls, business policies, and the workflow for each department and division; massive document management; and the like); it is important to note that such employees need not necessarily have prior SOx experience – after all, no one performing a task for the very first time has prior experience performing that task; rather, enthusiasm and willingness to learn should be the key attributes for the chosen employees on the SOx enterprise audit team, since SOx audit concepts and techniques are relatively easy to learn, and the enterprise can provide whatever training may be necessary;
-
choosing which industry-accepted framework may be most applicable for the SOx enterprise audit – for example, frameworks such as the: Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (COBIT); Treadway Commission Committee of Sponsoring Organizations (COSO) – in which the sponsoring organizations included the: American Accounting Association (AAA); American Institute of Certified Public Accountants (AICPA); Financial Executives International (FEI); Institute of Internal Auditors (IIA); Institute of Management Accountants (IMA); Information Technology Governance Institute (ITGI) – for example, ITGI emphasizes data privacy and security, so the use of the ITGI framework may be more applicable to an enterprise heavily involved in providing cloud and information technology (IT) services than to an enterprise that may be producing food products;
-
performing a gap analysis, to determine the strengths and weaknesses inherent in the existing enterprise controls, and to highlight whatever new controls may be necessary; auditors should be able to determine whether a control is missing, is poorly designed, or is adequately designed but poorly implemented;
-
documenting whatever existing SOx controls the enterprise may already have in place, and whether they perform correctly (as may have been identified in the gap analysis);
-
developing (if necessary) any new controls that the enterprise may need to implement, in order to achieve full SOx compliance (as may have been identified in the gap analysis);
-
engaging a reputable outside auditing firm (and, depending on the size of the enterprise – for example, if the enterprise has numerous domestic and international divisions and subsidiaries – it may be beneficial for the enterprise to engage both a reputable inside auditing firm and a reputable outside auditing firm, since the inside firm would be able to provide guidance and training to the SOx audit team as required, as well as valuable insight into the local customs and usage for conducting business; that inside auditing firm would also be familiar with the formatting of reports and with the laws applicable to the various aspects of the enterprise in various locations, which would accelerate and streamline the collection of relevant information and the formatting of the documentation required by the outside auditing firm, thus decreasing the time required to complete the SOx enterprise audit);
-
planning for future expansion of the enterprise, and attempting to anticipate what existing SOx controls could scale with such expansion, and what new SOx controls may be needed to compensate for such expansion;
-
performing a materiality analysis, to identify accounts material to the enterprise financial statements, and to assess their respective reporting risks (as a double-check on the gap analysis); in general, the auditors should consider as “material” any statement or set of figures in a financial statement that might influence a potential investor (some auditors may consider any issue that might potentially affect 3-5% of the operating income or 5% of the assets of the enterprise as being “material”); auditors should be able to determine the location of all material accounts and the balances thereof, to examine all transactions related to all material accounts, and then to apply the internal controls used by the enterprise for such transactions to balance out any risks related to such transactions; the controls related to materiality should clearly indicate that the actions of those with conflicting interests who may be involved in any such transaction have been segregated, to avoid conflicts of interest, and auditors should attempt to distinguish between key controls (those whose failure might cause catastrophic harm to the enterprise) and non-key controls (perhaps preliminary administrative controls – such as sign-off on particular ascending dollar limits by different ascending levels of managers, before any executives are involved);
-
performing a general risk analysis of the entire enterprise, using appropriate standards – such as those developed by, for example, the: American Institute of Certified Public Accountants (AICPA); International Auditing and Assurance Standards Board (IAASB); Public Company Accounting Oversight Board (PCAOB); in particular, the PCAOB standards recommend a top-down approach (meaning that the auditors will first take a “macro” or overview approach when analyzing the enterprise financial statements, using substantive factors as the basis for their decision-making as they seek to identify the “big picture”, before addressing the “micro” details “in the weeds”); the auditors should be able to understand the assessed overall risks to the enterprise in relation to the internal controls implemented by the enterprise, before drilling down to the internal controls governing divisional, departmental and even significant-account activities;
-
performing a fraud risk analysis of the entire enterprise (as a double-check on the general risk analysis), to determine which processes and workflows within the enterprise are particularly susceptible to fraud; the auditors should be able to verify that the applicable internal controls are sufficiently robust as to immediately detect any fraud by anyone in the transaction chain; periodic surprise reconciliations are actually one of the most effective tools in this regard, to detect fraud (such as false reimbursement claims by employees) as soon as possible;
-
performing a structural analysis and documentation for every department and division within the enterprise; so much of the SOx compliance effort focuses on financial-related controls that this aspect of SOx compliance is often overlooked, or perhaps given only minor consideration; yet it is important to understand where every financial control fits into the functioning of the enterprise, from controls as mundane as those relating to ordering paper clips to those governing how many millions of dollars the enterprise may order in any particular quarter; to that end, every department, every division, every process within each such department and division, and every person working within each such department and division who performs some process therein relating to any control (financial or otherwise) used within the enterprise must be thoroughly documented, through both text explanations in detailed books for each such department and division and through graphical corporate flow charts, itemizing each and every action performed by any employee in such department or division; the level of detail in the text and flow charts should be granular enough that some future auditor could, for example, come into a department without knowing anything of that department’s work beforehand, pick up the book or examine the flow chart for such department, and within minutes understand what processes are performed in that department, which employees perform which process and in what sequence, all the controls that may relate to that department and the processes therein, and how the work of that department relates to the entire enterprise; to this end, it will be necessary for enterprise representatives (or the internal auditor, if one is employed in preparation for the audit by the external auditors) to visit physically (preferable) or virtually (if a physical visit is not possible) each and every department and division of the enterprise, to interview all employees, and to observe how each department and division works (thus facilitating the text and graphical descriptions);
-
rigorous testing of all the existing and newly-implemented controls, and making any required improvements to them, prior to commencing the SOx enterprise audit; the tests for all controls will involve various methodical and time-consuming, mundane (but necessary) actions by the auditors (such as, for example: examination of the documentation for the controls; inspection of the rationale for implementing the particular control as related to a particular process; inquiry as may be required for the auditor to understand the control and its function; observation of the control in action; recommendations the auditor may have about the efficacy of the control); at a minimum, to be effective, a control-testing protocol should include: an inventory of all controls, as related to the relevant departments and divisions and the processes thereof, itemizing all key and non-key controls; prioritization of resources and time for testing, at a minimum, all key controls; a design evaluation relating to the relevance of the design of appropriate tests for each control to be tested; and documentation of all the lessons learned as a result of organizing the control-testing protocol;
-
at the end of the audit, management will be responsible for presenting to the board of directors a detailed report of all the findings of the independent external auditor (including any report of an internal auditor, if one is employed), together with the recommendations of management.
-
All this preparation for a SOx audit (whether annual or initial) is absolutely necessary, because the consequences to the enterprise for failing an audit may range from minor (simply being required to remediate all deficiencies) to major (such as: loss of reputation due to the perceived incompetence of those managing the enterprise; loss of future business; massive monetary fines; jail time for violators; delisting of the enterprise stock from the relevant exchange); it may be beneficial to implement an audit management software (AMS) platform to assist with running internal mock audits, to prepare the enterprise for the actual external independent SOx audit.
-
Drafting and negotiating all SOx-related documents and legal support for all SOx-related tasks.
Progress_Page_Last_Updated_221105_1231