SOX Great Expectations

Expectations are expanding in today’s Sarbanes-Oxley environment. In fact, the overall regulatory landscape is receiving more attention than ever. Bridgepoint Consulting hosted an event on October 25 at the offices of Bazaarvoice for internal audit and SOX compliance executives to discuss how the current SOX landscape is affecting them.

Pronounced discussion themes included:

• More comprehensive walk-throughs by external auditors
• Increased supporting evidence of reviewer’s process and precision for review and approval controls, including scrutiny of thresholds used
• Stringent documentation of the completeness and accuracy of key reports;
• Increased rigor upon IT general controls effectiveness with emphasis on user access and program change

The following information provides a snapshot of highlights from the meeting’s discussion.

The SOX Regulatory Landscape and COSO 2013 framework implementation

The regulatory landscape impact on SOX programs has been intense. The external auditor has passed along the increased PCAOB scrutiny and pressure on management’s assessment of financial reporting internal control effectiveness. Therefore, external auditors and internal audit resources are becoming more risk adverse, as the risk ratings and number of key controls are trending up. The resulting increase in documentation and analysis of control structure drives expanded testing and applies pressure on the timeline. As a result, audit executives and management are finding they need more resources dedicated to SOX to meet the demand for more extensive levels of effort.

Implementation of the COSO 2013 framework is completed or in process for this first effective year. Attendees at the event discussed the integration of the principles and points of focus mapping into the entity-level risk-control matrix. Management is generally improving the design of entity-level controls. However, there were mixed experiences regarding the extent of entity-level controls operating effectiveness testing.

What’s changed with conducting / updating SOX Risk assessments?

A common opinion expressed among the group was the increased formality of documenting the risk assessment for SOX scoping purposes. The basis of the risk assessment continues to be quantitative materiality, along with other qualitative criteria (e.g., complexity, volume, judgments and estimates, susceptibility to fraud) for additional consideration of risk.

Additionally, some companies experienced increased inquiries and scrutiny by the external auditors for calculations of materiality. Continuing challenges for management include the extent of risk assessment documentation, the frequency of risk assessment updates during the year, and the basis and methodology for determining materiality.

What’s changed with system, process and controls documentation expectations?

The participants noted increased attention to how the operation of controls is evidenced. In addition, management is organizing and updating master lists of third-party providers [including the related SSAE 16 (SOC1) reports] and key reports/spreadsheets that are mapped to the key controls. With the COSO 2013 implementation focusing on entity-level controls, and mapping to the principles and points of focus, the renewed examination and documentation of segregation of duties was also mentioned. External auditors are continuing to increase focus on evaluation of systems and applications in-scope, and related IT General Controls and the coverage provided by third-party SSAE 16 (SOC1) reports.

The group discussed the extent of documentation for controls around “review and approval” to demonstrate the reviewer’s criteria for further inquiry, investigation and follow-up. This year, “review and approval” controls continue being held to a high standard and require increased documentation. How adequate is the review process documented? What is the reviewer’s thought process and understanding of key reports used in the review? How does the reviewer know the key report or spreadsheet is complete and reliable? Are review thresholds and their basis of precision documented?

What triggers control design effectiveness deficiencies?

Regarding the deficiencies, event participants noted the following common weaknesses:

• IT general controls for systems and applications not initially included in SOX scope
• Lack of control operation evidence
• Lack of evidence for automated and interface controls
• Failure to obtain SSAE 16 (SOC1 ) reports from third-party providers,
• Concentrated duties, and
• Missing entity level controls resulting from COSO 2013 mapping
• Other missing controls (gaps)

The walk-through activities at the controls level performed by external and internal auditors is considerably more in-depth than prior years. Auditors are asking more probing questions and focusing heavily on review and approval controls, journal entry controls and revenue cycle controls. External auditors are examining key reports thoroughly for their completeness and accuracy of data presented and asking how the reviewers confirm reports or spreadsheets integrity.

Other areas of focus were also noted in evaluating the significant assumptions for asset impairment analyses and evaluating compensating controls as related to identified deficiencies.

What are drivers of control operating effectiveness evaluation?

The importance and pervasiveness of IT general controls is a driver for control operating effectiveness assessment, including rigor of user access and program change management. Testing considerations discussed also included: the sampling methodology applied based on control risk ratings, the frequency, and the period coverage needed for roll forward testing.

What’s next?

SOX program expectations will continue to be high in today’s regulatory environment resulting in expanded level of effort by all stakeholders and related increased needs for adequate resources.