GaP RESOURCES began applying the firm's audit expertise to SOX 404 engagements in June 2003. We continue to offer experienced resources to assist operating unit and corporate personnel with 404-related documentation, design, training, testing and project management. For each of these tasks, GaP Resources focuses on providing tactical level support to efficiently and effectively meet our clients' SOX 404 objectives. Our assistance to date has included accounting and financial reporting at both corporate and subsidiary levels (including business operations within the insurance and services sectors), corporate shared service activities (payroll, accounts payable, etc.), and IT general controls, including application development and operations/security. Our clients range in size, with annual revenues of $82 million to $10 billion.
Based on GaP consultants' collective involvement in SOX 404, we have developed the following lessons learned, which may benefit your project.
Start with the financial statements. The 404 scoping exercise should begin with an analysis of material amounts on the company's balance sheet and income statement. Using the financials as the basis, or anchor, will ensure all material amounts are addressed and will greatly aid in mapping from financial statement balances to associated key business processes, IT platforms and controls.
Don't wait to begin your IT work. IT controls have had particularly close scrutiny in 404 reviews. Control documentation may not be readily available even when controls are in place. Also, IT issues can require significant time for remediation. As a result, get started early in the 404 process with IT control identification, testing and remediation.
Focus on key controls. Identifying proper key controls in accounting, operations and IT areas is a critical success factor. Control design can reduce necessary control documentation and related testing by identifying one comprehensive control instead of multiple detailed controls. Proper control design also builds consistency throughout the organization wherever possible.
Ensure coverage across all financial statement assertions for each material balance. Financial statement assertions are another area of focus by outside auditors as a measure of whether the company has identified all necessary controls for a given balance. These assertions (completeness, existence, accuracy, valuation, ownership and presentation) should each be tied to relevant controls for in-scope balances.
As controls are identified, determine evidence necessary to test the controls. Certain key controls may have historically been properly designed and executed, but the control performer may not have prepared and retained adequate audit evidence. For instance, if a senior member of the accounting team reviews large, unusual accruals each quarter for propriety, does someone retain evidence of the review? Specific necessary evidence should be determined and communicated during the control identification process; this communication will facilitate successful testing.
Perform education and training early; continue training throughout the process. Whether in formal kickoffs to the project or in less formal meetings, incorporating experienced and knowledgeable people within the SOX 404 project will help to build the expertise internally to successfully complete the project and sustain the work into the future.
Develop and distribute tools to help ensure consistency in approach and documentation. These tools can include standardized templates to document testing and results, reference cards with key terminology and sample sizes defined, test documentation tip sheets, a template for reporting issues, project timelines/calendars, etc.
Analyze whether testing of third parties is required. Be certain to include coverage for services provided by third parties that have a financial statement impact. If your contract with a third party does not provide for an annual SAS 70 report, it may be necessary to perform testing at the vendor site to provide assurance that key third-party controls are adequate.
Utilize SOX 404 / audit expertise to assist at the tactical level. Design and documentation of key controls and related tests is an acquired skill that comes with exposure to SOX 404 projects combined with a strong audit background. Expertise at the tactical level will help ensure the groundwork is laid for an efficient, effective and repeatable process.
Consider additional testing assistance. A smaller team of testers with an audit background is preferable to mass involvement from your work force in this exercise. Testers with audit experience will likely master the learning curve quickly; a smaller team will help ensure consistency and will minimize the training required for these critical personnel. It is also imperative that control testers are independent of control performers; some entities have chosen to have consultants and/or auditors complete all testing to ensure independence.
Allocate resources to the external audit review process. Although it varies from company to company, the external audit review of SOX 404 work can require significant support resources. SOX testing workpapers must be properly documented and organized. Audit review notes and comments must be addressed. Also, independent testing by the outside auditor adds significant work to your company's effort.
Obtain early involvement and buy-in with the external auditor. This will help minimize surprises later in the project. Establish goals for milestones of the project and obtain external audit buy-in for those milestones, which can include: coverage analysis, identification of key controls, test plan for key controls, interim testing and results, issues identified and remediation plans, and final test results. This interim involvement allows management to implement necessary modifications earlier in the process. With coordination, some testing may also be leveraged by the external auditors in performance of their annual financial statement audit.
Build on your organization's SOX 404 projects. SOX 404 projects can be more than a compliance exercise. Controls should not be designed for SOX, but for improving the internal controls of the company. This project can help educate personnel across multiple levels within an organization about key financial controls, and can help identify areas requiring process improvement.
GaP Resources can help you effectively apply these lessons. We deliver: