If you’re a public entity, you know the strain SOX testing puts on company resources: the time to discuss controls and walk through processes with the testers; the time to pull documentation for the testers and answer questions; and the time to help coordinate the testing. It’s all time well spent, though, since it enables your CEO and CFO to sign a proclamation stating that the company’s internal control structure is sound and stands able to help prevent or detect a material misstatement to the company’s financial statements.
The term “SOX control” is a misnomer, however. Controls are not in place simply because of the regulation, but to protect shareholders and ensure the company’s financial information is accurate. SOX requires existing accounting controls be tested to validate that they’re designed appropriately and operating effectively.
As we’re now more than 15 years into the regulation, if you haven’t already optimized your control environment, what are you currently doing? Have you implemented RPA (Robotic Process Automation), data mining, exception reporting or other forms of data management within your internal control over financial reporting process? With the recent innovation in technology, now may be the time to readdress your optimization opportunities. Not only will it be a better way to manage your business, it could also help reduce your overall SOX compliance testing budget.
If you are using RPA to perform some of your internal controls, or if you’re using dashboards or other exception reporting, rigor would have to be applied in the first year of SOX testing to ensure the precision and completeness of the data being used to develop reports. Once a baseline understanding is obtained, however, each subsequent year should merely be a follow-up and/or refresher to that information.