Common SOX scoping mistakes
This last week, I held another (the fourth) of my ‘master classes’ for SOX program leaders. In these small groups, we explore how to use a true top-down approach to ensure management’s SOX program focuses on the ‘right’ controls. (I say ‘true top-down approach’ because it extends from financial reporting risks all the way down to IT general controls and up to activities in the COSO Control Environment component – often referred to as indirect entity-level controls). We also cover techniques for minimizing the cost of the SOX program such as the value of entity-level controls, automated testing, and more. But, this post is not about the classes.
Companies have had SOX compliance programs for as many as ten years. Yet, when I talk to the leaders of those programs I find that many are still making ‘mistakes’ that are costing their company in terms of unnecessary cost. That cost may be in external auditor fees as well as in management time, plus disruption to the business.
The more common mistakes include these five:
1. Failing to take a true risk-based approach, with the result that more controls are included in scope as ‘key controls’ and tested by both management and the external auditor.
A simple test is whether the scope includes any controls where a failure would never rise to the level of a material weakness. If they would not, how can they be key? How can it be said that they are relied upon to either prevent or detect (in a timely manner) a material misstatement of the filed financial statements?
Too many organizations are testing controls that are ‘important’ but are not key to the risk of an error that is material. Many still test controls that were identified years ago based on somebody’s checklist (usually the external auditor’s) of important controls.
2. Failing to focus on the risk of a material error. Only failures that could result in a material error need to be considered as risks for the purposes of SOX.
It is essential to understand what material means. It is not an automatic percentage of net income. It is what is important to the reasonable investor in making their buy/sell decision.
This is especially true when it comes to fraud. Fraud is only a risk that needs to be addressed in the SOX program if it would result in an error in the financial statements that is material. Most frauds fail both tests: they would not result in an error, and any such error would not be material. Fraud is much more of a threat to operational efficiency than to external financial reporting.
In addition, it is important to remember that there has to be at least a reasonable likelihood that a material error would result from a control weakness. Just because it is theoretically possible doesn’t mean that it is reasonably likely.
3. Separating who is responsible for the identification of key controls between those in business processes (including at the entity-level) and IT general controls (ITGC) processes. Often, a separate IT team (whether within the IT department or a group of IT auditors) defines the IT general controls work based on a professional feel for important IT-related risks based on their experience or a checklist of ‘best practices’ rather than extending the top-down and risk-based scoping process into ITGC. The IT general controls work is not clearly linked to risks of material financial reporting errors and this inevitably leads to a scope that is far larger than necessary – and running the risk of missing areas that should be included.
For example, I still find companies that have included in scope controls related to viruses and back-up procedures (under pressure from the external auditors). It is extremely unlikely that either would lead to a material error, and the PCAOB included language in Auditing Standard Number 2 specifically excluding backup from scope.
Others get into controls over the operating system simply on principle rather than understanding the potential for a failure in that area resulting in a material mistake in the financial statements. That potential is, for almost everybody, rare; if there is an operating system failure it (a) is immediately apparent to both users and IT, and (b) extremely unlikely to create a change in a financial statement balance that is material and unnoticed.
The overall SOX program lead often has little authority over the work done in the IT area – and may have about the same level of understanding!
If any organization is to have a true risk-based SOX program, all of it has to be based on the risk of a material misstatement. The SOX lead has to be actively involved in everything.
The IIA has guidance on how to extend the risk-based approach into ITGC that should be mandatory reading for every SOX practitioner. The GAIT methodology is available from the IIA web site and I have included it in the files I share in this page on my blog.
4. Not establishing a goal for reliance by the external auditor on management testing. While people understand that the external auditor can place a lot of reliance on management’s testing of key controls, and they may have a soft goal for improving it, this opportunity to make significant reductions in the cost of compliance is often not fully appreciated.
Taking for granted that the external auditor will maximize reliance is a mistake. They won’t unless they are pushed. They may, themselves, underestimate what is possible and mistakenly inform management that they cannot, for example, place any reliance on management testing for so-called high risk areas. In fact, they can – and they often assess as high risk areas that don’t merit that label if a risk-based approach is in place.
So, organizations should (a) understand the current level of reliance, (b) set a target to improve that level and reduce total costs, and (c) execute.
One of the keys is to understand what is possible and set a target. In my last company, we had 80% reliance (across all controls, including so-called high-risk) and I have heard others achieving the same level.
Be a hero, and take a seven-figure amount out of SOX costs!
By the way, management should not assume that the external auditor has a perfect understanding of SOX and Auditing Standard Number 5. Many mistakes are being made based on imperfect directives from the externals.
5. Mistakenly believing that entity-level refers only to controls at the corporate level. In fact, controls operate at several levels within the organization (COSO Internal Controls Framework tells us that activities in all components operate at all levels of the organization).
For example, at my last company we had controllers in each country performing trend analyses and HR professionals ensuring awareness of the corporate code of conduct: in other words, we had both direct (trend analyses) and indirect (code of conduct awareness) controls operating at the country level. We also had budget to actual and trend analyses being performed at regional level, and all of these were in addition to the controls being performed at the corporate level.
Controls can be identified, both direct and indirect entity-level, at many different levels within the organization.
This is an opportunity to bring more entity-level controls into scope that are below the corporate level and operate at a higher level of precision.
I have had a lot of success bring these in to replace a much larger number of controls at the activity level, shaving a lot of cost from the SOX program.
These five are not the only mistakes. Can you identify more? Please share.
For more on how to optimize the SOX program, see this publication from the Institute of Internal Auditors: Minimize Costs and Increase the Value of Your Sarbanes-Oxley 404 Program: Management’s Guide to Effective Internal Controls