How to Knock the SOX off Compliance: a Sarbanes-Oxley Roadmap

Businesses required to comply with the Sarbanes-Oxley Act (SOX) can come across a number of uncertainties and questions about what needs to be done in order to be compliant. In short, SOX compliance requires companies to have an internal control environment in place over financial reporting to ensure that financial information from a company fairly depicts the financial condition and the results of the company’s operations. For SOX to be completed both efficiently and effectively, organizations need to have a framework in place. From there, they will begin to experience benefits that can be felt by the entire company.

Organizations should consider the following elements to implement and maintain a successful SOX framework:

  • Strategy – Includes defining the needs of the company and the mission it will follow as it implements its SOX processes. In this first step, a risk assessment is also performed to identify risks that could affect the business.
  • Structure – Defines the department setup, including stakeholders and internal audit, as well as the budget for the engagement.
  • People – Identifies who will be involved in the SOX process, including the employees and third parties who will be responsible for coordinating the SOX efforts.
  • Technology – Applications or tools that will be used to complete the SOX processes and make the audit more efficient.
  • Process – Includes documented methodologies and procedures to define clear guidance on how the SOX process should be completed.

SOX can be complicated and sometimes difficult to manage, but there are certain things companies can implement and focus on to ensure that their SOX procedures are completed appropriately and in a timely manner. A major area of focus should be communication throughout the SOX engagement. Good communication affects many aspects of the audit and can help streamline the engagement. Examples of how communication can affect SOX include:

  • Communicating with employees to ensure they know their roles/responsibilities and what is needed at different points throughout the engagement.
  • Communication with stakeholders to determine that the engagement is on track or if new areas need to be tested. Status meetings and communication of deficiencies, once identified, can help keep everyone informed and on schedule.
  • Communication with external auditors is essential in planning for the SOX engagement, determining the approach, expectations for the testing, and ensuring everyone is in agreement with management action plans.

Another important task is to promote a culture and mindset of continuous improvement, which involves constantly looking for ways to improve SOX audits and not always relying on what was done in prior years. This can be accomplished through the following techniques:

  • Optimize key controls to ensure that appropriate controls are in scope.
  • Assess the design and scope of controls annually.
  • Review the use of technology and innovation in SOX engagements, such as the utilization of data analytics to develop better findings or recommendations for the stakeholders, or the use of robotic process automation (RPA) to increase efficiencies.

When companies take the time to implement a SOX program using a well-designed framework – and address items like communication and continuous improvement – they can begin to experience many different benefits, including efficiencies related to the optimization of controls, an increased reliance on automated controls that lead to a reduction of the total compliance effort, and the strengthening of existing controls through continuous improvement, all of which can bring about an overall change in corporate culture that helps people throughout the organization become more aware of the controls in place and why they’re necessary.

To learn more about the Schneider Downs SOX Team, visit our dedicated Sarbanes-Oxley Solutions page.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
