Increasingly, management are being challenged to take a critical look at the way SOX / JSOX testing is performed and managed in their organisation in an effort to reduce costs. Below is a list of the most common opportunities we see to achieve this, based on our experience of delivering streamlined programmes without compromising on quality. It is not uncommon for significant (>30%) cost savings to be realised if the issues below can be addressed.
Auditing too many locations - for multi-location businesses, what % coverage do you have over your consolidated balance by financial statement line item (FSLI)? Is that excessive? Could you de-scope certain locations altogether, without compromising overall quality?
Auditing low risk or immaterial FSLIs - similarly, are there any FSLIs which could be de-scoped at a Group level as they are immaterial and / or low risk (when assessed in light of entity-level control testing results)?
Testing IT systems / applications with no direct link to SOX controls - has the IT scope just been rolled forward without ensuring each system / application still links to an account, business process or location?
Testing irrelevant Entity-Level Controls (ELCs) - what would happen if you removed certain ELCs from scope? Would it impact on your assessment of the control environment? If not, why are you testing them?
Sub-optimal use of automated controls - are you taking full advantage of available automated controls? Are you excessively testing manual controls where there is a more efficient solution?
Being unaware of significant change programmes - are there any significant changes ongoing to key processes or systems (e.g. re-designs, upgrades, outsourcing) which will affect the control environment / management's capacity? If yes, do you need to test all controls prior to the change, or is it more efficient to wait until the new environment is established? Do you need to re-arrange testing dates to accommodate management's other commitments?
Management not prepared for testing - do management know which controls are going to be tested? Do they know what evidence you require for each control, and what your materiality levels are? Do they know when you are performing the testing, and how much of their time you will need? Are open / close-out meetings booked, as well as walk-throughs in advance?
Testers not prepared for testing - are your team sufficiently briefed on the areas being tested? Do they have the results and working papers from prior years to refer to? Do they understand the nature of the controls being tested and the financial reporting risks / wider processes they fit into? Are test plans up to date and reflective of any changes in the control environment / RACMs?
Unable to get comfortable with Information Produced by Entity (IPE) - are IPE evidence expectations clear with management and do they know how and where to store the evidence? What will you do if IPE evidence is not available, or unreliable? How can you (efficiently) get comfortable with the reports / data you are relying on?
Testing the letter of the control rather than the management of the risk - is there sufficient flexibility in the control wording / test script to allow management to deviate from the exact control descriptions, while still managing the underlying risk appropriately? Are testers equipped to make that judgement, or are testers seen by management as being petty?
Excessive contesting of findings by management - what is the process to resolve contested findings or deficiencies found in 'grey areas'? Who makes the final call, when and on what principles are the conclusions based (to help drive consistency and fairness)? Are your auditors reaching the same conclusions, or are they challenging your judgements as well?
Auditors not relying on internal audit as much as they can / duplication of effort with external auditors - is the methodology with external auditors (e.g. sample sizes, extent of testing etc.) consistent to ensure maximum leverage of your work? Are you performing joint walk-throughs (in cases where the external auditor needs to perform independent testing)? Are you documenting your work in a format / document that can easily be relied upon by the external auditors (or are they 'translating' it into their own templates)? Are you aligning your findings and conclusions periodically with the external auditor, rather than waiting until the end of the year? Do you have open and clear communication channels with the external auditor to discuss contentious issues or problems?
Failing to remediate the root cause of a deficiency, so that the finding recurs - does management know how to fix deficiencies noted in previous years / rounds of testing? Do they have the necessary resources and capabilities to do so? Are management upfront in telling you which controls they have had problems with prior to testing?
Poor work-flow management - are you drowning in multiple spreadsheets? How timely is the review and conclusion of testing performed by the team manager? How responsive are team members to review comments? How quickly are reports to management finalised? Where is work stored for easy retrieval by other team members? Are there opportunities to improve the use of technology to more efficiently manage the programme?
Insightfulness of reporting to senior management - are you offering more than mere status updates and factual results to senior management? Are you stepping back and assessing the bigger picture, drawing trends and patterns around issues and / or good practice? What cultural inferences can you make? Which teams are more compliant than others, and why? Which areas have improved / worsened? How well are change programmes being managed / implemented?
Lessons learned not shared - do you take the opportunity to debrief with management and external auditors at the end of the year? Are lessons learned captured and commitments made to improve the process for the year after?
Did any of the opportunities particularly resonate? What actions are you going to take? What others have we missed? Please leave a comment; we would love to hear your thoughts.
MERC & CO help clients improve the design and execution of their SOX / JSOX programmes to deliver cost savings and a risk intelligent control environment. If you would value a more in-depth discussion about your particular situation, please contact Ross Olding - firstname.lastname@example.org.