Companies can follow these tips to create more effective Sarbanes-Oxley (SOX) self-assessment and monitoring procedures that help management correct issues and weaknesses before auditors arrive.
Use automated dashboards. Quick views in the form of dashboards, team sites summarizing performance, real-time financial reporting, and team document sharing have created an explosion of information that previously would have required manual analysis, reconciliations, meetings, and human follow-ups. Consider whether your SOX program is still relying on manual work while the users in your organization are running the business with these more automated views.
Consider leveraging automated alerts. Companies are using software to create automated alerts when an error is identified or a step in a process was missed, and artificial intelligence engines are being used to perform analysis and identify variances. Companies that are automating their processes should consider whether they can rely on such technology as a key SOX control.
Use self-monitoring programs. Some processes are either so complex or so important to get right that companies have been doing their own sampling (or "testing") of their processes before a formal SOX assessment. In the past, the approaches used for these programs and the required evidence may have differed from auditors' SOX requirements. Those differences meant that these programs were not relied upon for SOX purposes. Scope differences also were a reason this work was not used. However, often a small adjustment in the scope or type of procedures can result in one effort providing the monitoring and SOX control evidence.
Start from scratch again. A great way to understand how management really runs the business is to not look first at the controls that were documented before but to start over. Ask key personnel how they know that their process is working. For example, asking the accounts payable department how they assure that the accounts payable file is complete (without referring first to old SOX documentation) can identify key elements or processes that are excluded from SOX documentation.
Consider replacing SOX-only processes. Other manual testing processes that are only required for SOX may continue to be enforced but provide no other value for the company. Further, excessive manual documentation may be retained for a SOX assessment that isn't useful for business operations. Perhaps some of these procedures can be replaced with evidence that already is produced for other business purposes instead of a "SOX-only" procedure.
Invest time to save time. It takes an investment of time to look for existing monitoring processes and automated sources of control evidence. However, once even a few of these are identified, the time saved by not requiring side documentation efforts for SOX can be significant. Improved linkage between the basis for management's SOX program and the underlying processes that management is directing will further strengthen management's awareness of its own control health on a timelier basis.
— By Kelle Roodman, CPA, vice president, Finance at Symetra Financial.