15 Jan Succeeding With Your SOX Compliance in a Pandemic Era
As 2021 commences, we reflect on a year of fiscal quarters completed under the most unique remote work environments. Yet what seemed to be just a temporary shift in working conditions is now the reality of the COVID-19 new year.
As in many industries across the spectrum, financial and accounting teams had to demonstrate their prowess in quickly acclimating and innovating their processes to continue to perform unhindered in the face of new challenges. As a result, with the right mindset and drive, firms have transformed a seemingly overwhelming obstacle into the opportunity to excel and solidify their business solutions and company goals.
Entering 2021, SOX professionals are focused on guaranteeing successful completion of their SOX compliance program in a new environment, which is essentially the implementation of all testing required, identifying any control deficiencies, and reporting to management to facilitate the evidence by the CEO and CFO of effective internal control over financial reporting. For a successful 2021 SOX compliance program, SOX professionals should ensure the following two areas are secured:
Is my SOX scope thorough?
Refreshing materiality to reflect the anticipated volatility in 2021 can be achieved by using Q1 results to forecast year-end results. With the new year, when SOX teams use every completed quarter as a potential forecast of year-end numbers, they can revise materiality as needed.
Revisions to the materiality may require the inclusion or removal of financial statement line items (FSLI) from your scope. However, materiality is only half of the scoping picture — layering in the risk assessment provides for a qualitative dynamic to the scope. SOX professionals need to continually layer in these qualitative assessments to ensure a comprehensive scope.
Another key focal point is risk assessments for process areas requiring estimation and judgment; process areas impacted by resource attrition; supply chain issues and third-party dependent areas. The scope is the blueprint of the SOX compliance program, and a wrong scope has disastrous implications, hence the crucial need to include balances and processes that have a significant risk of material misstatement.
Can all my SOX key controls be tested at one time?
Following the initial scope, SOX teams may encounter additional in-scope FSLI, and hence incremental SOX key controls to test. July through September is typically the interim test period for SOX teams — the period in which many of the control samples are tested. A smaller sample size is tested in the subsequent roll-forward test period, which runs from November to January of the following year. Adding the newly scoped-in controls to the test volume in the interim period is more advantageous as the SOX team can better meet the needs of the volume.
It would be advantageous for the team to ensure that all SOX key controls, except those that are executed annually at year-end, have been tested at the conclusion of interim testing. Testing all in-scope controls where possible during the interim test period allows for pinpointing control deficiencies early enough for oversight to remediate failing controls or identify compensating controls for them. If the number of in-scope SOX key controls increases, SOX teams need to verify that they can execute testing of all the controls, not only before the fiscal year-end, but in a timely fashion prior to the year-end to allow for post-testing assessments. During this interim test period, SOX teams should accomplish the following:
- All in-scope SOX controls, where possible, are tested by the close of the interim testing period. Prior to the conclusion of the interim testing period, SOX teams should forecast the level of effort required in terms of man-hours to complete the annual SOX control testing, factoring in a marginal increase based on any quarterly scope refresh. SOX teams should continue, wherever possible, to automate control testing, including newly scoped-in controls. This full, or partial, testing automation should be arranged to reduce the manual level of effort required in SOX testing.
- Communicate the additional testing resources required based on the projected man-hours to management. Given that SOX teams often are part of an internal audit function, additional resources may be utilized from that function. Yet, if additional testing resources are pooled from business operation teams, SOX teams should factor in a training period for these resources.
Accurate financial reporting is pivotal to holding trust in the economy as we continue to navigate through another year of the COVID-19 pandemic. The internal controls that magnify the reporting process and mitigate the risk of material misstatement become crucial in providing the type of financial reporting that is needed. Moving ahead, SOX professionals will play a key role through their ability to evaluate the effectiveness of internal controls.
FPV & Galíndez, with their team of experienced professionals who have weathered the storm of 2020 successfully, are ready to guide their clients seamlessly through 2021 SOX compliance. Get more information on how we can assist you here.
About the author: Wilfredo Vera Pujols, CISA, CDPSE
A skilled consultant in the areas of Internal Audits and Compliance, Vera holds a BBA in Information Services from the University of Puerto Rico Mayaguez and a Master’s in Computer Sciences from the illustrious Polytechnic University of Puerto Rico. He has used his excellent preparation in the last 3 years of his specialty in Auditing and Consulting, Internal Controls, and SOX for our diverse clientele. Among some of his major clients are Evertec, Triple S of Puerto Rico, and Banco Popular, to name a few. We are sure that this ISACA member, along with the expertise of FPV & Galíndez’s skilled Consulting Department will provide strategic solutions for any IT and Cybersecurity needs your organization may have.