Certainty in risk intelligence
SOX / JSOX efficiency finder
The cost of SOX compliance is an ongoing challenge for most organisations who continue to report increases in the number of hours devoted to internal SOX testing. One recent study suggested over half of companies in 2019 experienced a rise in the hours spent by internal resources on SOX testing compared to 2018, and only a small percentage noting a decrease. That is despite significant investment in technology, including data analytics, robotic process automation, machine learning and Governance Risk and Compliance (GRC) systems in recent years. The increase in internal hours is compounded by rising external audit fees, with a significant majority of SEC registrants reporting fee rises in 2019.
Why is that? Sure, the compliance 'hurdle' is ever rising, with the Public Company Accountancy Oversight Board (PCAOB) updating their minimum requirements on areas such as Information Produced by Entity (IPE), the extent of testing required for Management Review Controls (MRCs) and additional IT security considerations, including around cyber defences in recent years. And perhaps the picture would be even worse without technology investment.
However, in our view, the majority of the efficiency leakages you may suffer from are better solved through having a balanced focus on both the 'analogue' elements of the testing programme, as well as the digital. We specialise in helping you improve those analogue processes. Technology may have been sold as a silver bullet, with all SOX testing soon to be completed by a 'bot. Our view is different. We see the efficiency of SOX testing being largely dependent on both:
Several key macro-decisions: Have I got the appropriate scope, or am I over-testing locations, account balances or IT systems? What is my IPE assurance strategy? What else is going on in the business which could impact my testing approach (e.g. major IT / Finance change programmes)? Have I aligned my methodology as best as possible with the External Auditor?
1000's of other micro-decisions: Is this evidence for this particular control sufficient? Have management made the right judgement on this disclosure? How can I best position and communicate the results of my testing to avoid contested findings by management? Is this a significant deficiency or material weakness? How can I get the External Auditor to see, and appreciate, our point of view?
Read our blog on 16 common sources of inefficiency in SOX / JSOX programmes here.
Technology can help enable the above decisions to be executed more efficiently, but until these fundamentals are in place, the pay-off from technology and system investments will be inherently limited.
What we offer
We work with those responsible for management's internal testing of SOX controls to dramatically improve:
The cost of compliance - our experts have helped management deliver material cost reductions in their SOX testing programmes. How would you re-deploy your resources? What would a 10-25% annual cost saving be valued at in perpetuity?
The relationship with External Auditors, Finance and other key stakeholders - External Auditors typically rely on only 30-45% of the control testing performed internally. We help them place more reliance on your work by helping you achieve and demonstrate alignment on methodology and by delicately assuaging any quality concerns they may have. We also improve the working relationship between your assurance team and front-line Finance, utilising a playbook of tactics to build transparency, rapport and trust, while also maintaining sufficient independence between the two functions.
The capacity for the testing to deliver valuable, insightful reporting - we have all at one point presented SOX testing results to the blank faces of senior management. What if we could structure the testing programme to produce useful, business-focused insights by design? We take joy in observing the 'aha' moments of business leaders when SOX testing helps connect the dots, describe developing trends and offer root-cause solutions to perennial problems.
The way it works
Our internal controls specialists have developed a proprietary diagnostic tool which helps pinpoint end-to-end cost leakages in your SOX testing programme. The tool leverages our collective experience in design, management, testing and auditing of SOX frameworks for clients at all stages of maturity, providing a broad perspective with which to quickly identify opportunities to reduce your cost of compliance. We examine each key stage of the programme in detail to uncover lost value, ranging from upfront scoping and planning processes to ongoing testing and reporting activities, as well as the relationship and interactions with key stakeholders (including your External Auditor).
Our review typically covers a period of 2-6 weeks, depending on the scale of your testing programme. We review key documents, interview relevant stakeholders and, if possible, observe activities in practice.
We then reflect on what we have seen / heard, compare this to our library of leading practices, and consolidate our findings into an actionable listing of observations and efficiency improvement ideas, tailored to your circumstances. We discuss these outputs with you and representatives from Finance, the External Auditor and any other key stakeholders, reflecting the feedback from each party in a final report.
Our deliverables include practical recommendations, formatted in a 'ready to implement' project plan, with estimates of the potential cost saving opportunity for each. We then usually recommend a suitable 'task-force’ to be assembled by the organisation to execute the plan, which we can further support with if desired.
Recommendations in our report might include, for example:
Removing immaterial locations / components from testing scope, saving both internal management time and external audit costs.
Adjustments to the timing of testing and other labour intensive activities to avoid common calendar pinch-points for management (e.g. month-end testing).
Agreeing in principle with the External Auditor how 'grey area' findings will be assessed and dealt with.
Improvements to the project management structure and internal reporting processes.
Policy development and related training for Finance management on areas such as IPE.
Restructuring of testing templates and documentation / evidence needs, to better align with that of the External Auditor.
Find out more
If you would like to explore how we may be able to help you, please contact Ross Olding (email@example.com).