Sarbanes-Oxley: In a world of constant change, knowledge is power

Managing your SOX program with a strategic, risk-based mindset


Authored by RSM US LLP

COVID-19 was a catalyst for change in our business and control environments, but through all of the chaos, we also were reminded of the fundamentals of risk management and internal controls. As your organization navigates its new normal while also likely heading into the 2020 financial statement audit, it is important to equip yourself with a deep understanding of your organization, its material risks, and the authoritative guidance and trends, in order to optimize your Sarbanes-Oxley (SOX) program for the future. If you are wondering what to expect, or just want one less surprise to land on your desk in 2021, read on for strategies to manage your SOX program while facing unprecedented business challenges and changing guidance in the time of COVID-19.

Evaluating the impact of COVID-19 on SOX and audits of internal control over financial reporting (ICFR)

As with most of the business world, SOX programs and integrated audits did not escape COVID-19 unchanged. The Public Company Accounting Oversight Board (PCAOB) recently released a Spotlight publication that provides insights and lessons learned from interim PCAOB inspections highlighting where auditors may shift their attention to address the impact of COVID-19. What does this mean for you? 

The foundation for evaluating the impact of COVID-19 on your company is a robust understanding of your organization’s people, processes and technology, specifically those with a material impact on financial reporting, so that you can evaluate what has changed. For example, did you experience a plant or warehouse closure or significant workforce changes? You also should consider whether certain controls can still achieve their intended objectives given limitations resulting from COVID-19. Where a control cannot be performed because of remote work or other restrictions (e.g., physical inventory counts), the company may need to identify alternative monitoring controls that sufficiently address the relevant risks.

Risk profiles have changed rapidly over the past year, and it may be necessary to update risk assessments more frequently than in prior years to reflect the changing economic and business environment. Management should be prepared to focus the risk assessment on material changes to the control environment that may require disclosure, even at interim periods.

As economic environments rapidly change, the basis for your risk assessment may also have changed. Is the forecast you used in Q1 2020 still relevant as of Q4 2020? It is likely that your materiality calculation and the inputs, such as a forecast/projection, have been updated throughout the year, and depending on significance, you may see substantial changes to your SOX program scope as a result.

Another control environment consideration is the identification of new or changing risks. For example, going concern disclosures that may previously have been a simple assessment may now require robust analysis and enhanced documentation to support conclusions, given the economic downturn. We also encourage companies to assess IT-specific considerations, especially those affected by a remote work environment (e.g., data center operations and system implementations), and to understand their interdependencies with third-party service providers. To the extent a service provider experienced a material change in its control environment, assess the impact on your own controls as soon as possible.

No matter the organization, it is imperative to evaluate your company’s risk assessment and internal control environment through a strategic, risk-based lens; not all risks and changes are material to a particular environment, nor do they merit the same response. Engage your auditor early and often to discuss significant changes and your planned responses before undertaking unnecessary work. If you haven’t yet, consider documenting your risk assessment and COVID-19-impact conclusions to support management’s SOX-related attestations.

Understanding and responding to new PCAOB audit standards

If managing a response to COVID-19 and constant video calls have not made you weary enough, 2020 also brought new and amended PCAOB audit standards that bring increased scrutiny of internal controls in two key areas: (1) use of the work of specialists and (2) accounting estimates. Although these standards are effective for audits of fiscal years ending on or after Dec. 15, 2020, we believe they will affect assessments for years to come.  

  • Auditing Standard: AS 1105, Audit Evidence (as amended)
    • This standard strengthens the requirements for auditors when evaluating the work of a company’s specialist. To anticipate the enhanced audit procedures, we recommend formally assessing the use of specialists, including their expertise and competence. It is critical to establish procedures to validate the completeness and accuracy of information sent to and from the specialist. As you implement control procedures to address the material risks when using a specialist, be sure to update test plans and assess the design and operating effectiveness as part of your SOX program. 
  • Auditing Standard: AS 2501, Auditing Accounting Estimates, Including Fair Value Measurements
    • Significant estimates have seen more focus in recent years through management review controls and critical audit matters, and this new standard likely will increase focus on areas requiring significant judgment, including challenging situations that are subject to potential management bias. What should you do? If you have not yet, we recommend reassessing controls over significant judgments and critically evaluating the design. Pay particular attention to the precision of the control and the detail of the review. Assess the appropriateness of the assumptions that are subject to management’s bias. Determine whether the evidence adequately supports management’s conclusions. 

SOX issues in the spotlight 

In addition to all the new items that arose in 2020, it is worth noting the topics that continue to be in the spotlight for SOX, especially as PCAOB inspection results permeate through audit methodologies and updated firm guidance. All things IT-centric continue to rise to the forefront, and you would be well-served to keep these items on your SOX program radar moving forward. 

Cyberrisk and controls, while not new, continue to evolve and remain an area of increased PCAOB focus. Cyberrisks and controls should be clearly considered in your risk assessment, but keep the SOX scope on those with a direct link to financial reporting and/or safeguarding of assets (e.g., vendor master data changes, wire authorizations, backup and recovery of financial systems). Continue to stress the importance of due diligence in a remote environment given the increase in phishing attacks. Some audit firms have issued new guidance, so expect questions and expanding areas of focus on cyber-related controls, including intrusion detection and prevention, while maintaining focus on the reasonableness of your controls relative to your risk profile.

Another old, yet somehow new, SOX topic is Segregation of Duties (SOD). Auditors continue to raise the bar, and it has increasingly become the expectation that a company use an SOD tool to proactively identify and respond to potential conflicts. While not required, SOD tools can be effective mechanisms for analyzing large volumes of access data quickly. However, no SOD tool is effective unless its conflict rule set is customized for the environment. Before heading down the path of trying to solve for every possible conflict, scope your SOD assessment to the material risks and the relevant mitigating controls. Aim for reasonable, not absolute, assurance. Operationally, you may set your sights higher, but there is no benefit in taking on more than is needed for the purposes of your SOX program. Be wary of taking credit for mitigating controls that do not actually address the conflict, and always base your assessment on the material SOX considerations identified in the risk assessment.
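To make the scoping point concrete, the following is an added example of the core logic an SOD check performs: flatten each user's roles into effective permissions, evaluate a rule set limited to financial-reporting and asset-safeguarding conflicts, and take credit for a mitigating control only where one is documented for that specific user and conflict. It is illustration written for this page, not RSM's or any vendor's tool, and every role, permission, user, rule and mitigating control in it is constructed sample data rather than a real ERP extract.

```python
"""Segregation-of-duties (SOD) conflict check over a role assignment matrix.

Added illustration of how an SOD tool scopes and evaluates conflicts; it is
not RSM's or any vendor's tool. Every role, permission, user, rule and
mitigating control below is constructed sample data, not a real ERP extract.
"""
from dataclasses import dataclass
from typing import Optional

# Role -> transaction permissions it grants (constructed sample).
ROLE_PERMS = {
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER":    {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "TREASURY":      {"WIRE_INITIATE", "WIRE_APPROVE"},
    "GL_ACCOUNTANT": {"JE_POST"},
    "GL_REVIEWER":   {"JE_APPROVE"},
    "READ_ONLY":     {"REPORT_VIEW"},
}

# User -> roles assigned (constructed sample).
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},       # create vendor AND release payment
    "bob":   {"TREASURY"},                      # one role grants both wire steps
    "carol": {"GL_ACCOUNTANT", "GL_REVIEWER"},  # post AND approve journal entries
    "dave":  {"GL_ACCOUNTANT", "READ_ONLY"},    # no conflict
}

# Conflict rules, scoped to risks with a direct link to financial reporting
# or safeguarding of assets: (permission A, permission B, risk if combined).
RULES = [
    ("VENDOR_CREATE", "PAYMENT_RELEASE", "fictitious vendor created and paid"),
    ("INVOICE_ENTER", "INVOICE_APPROVE", "self-approved invoice"),
    ("WIRE_INITIATE", "WIRE_APPROVE",    "wire released by a single person"),
    ("JE_POST",       "JE_APPROVE",      "self-approved journal entry"),
]

# Mitigating controls management has accepted for a specific user and rule.
# Credit is only taken where a named control actually addresses that conflict.
MITIGATIONS = {
    ("carol", "JE_POST", "JE_APPROVE"): "CTRL-GL-07 monthly review of all JEs by controller",
}


@dataclass
class Conflict:
    user: str
    perm_a: str
    perm_b: str
    risk: str
    via_roles: tuple            # roles that together grant the conflicting pair
    mitigated_by: Optional[str] = None


def effective_permissions(user, assignments=ASSIGNMENTS, role_perms=ROLE_PERMS):
    """Flatten a user's roles into the permissions they can actually exercise,
    keeping track of which role granted each one so a conflict can be
    explained and remediated at the role level."""
    granted = {}
    for role in assignments.get(user, ()):
        for perm in role_perms.get(role, ()):
            granted.setdefault(perm, set()).add(role)
    return granted


def find_conflicts(assignments=ASSIGNMENTS, role_perms=ROLE_PERMS,
                   rules=RULES, mitigations=MITIGATIONS):
    """Return every rule violation, in user order then rule order, tagging the
    ones covered by an accepted mitigating control."""
    found = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, role_perms)
        for a, b, risk in rules:
            if a in perms and b in perms:
                found.append(Conflict(
                    user=user, perm_a=a, perm_b=b, risk=risk,
                    via_roles=tuple(sorted(perms[a] | perms[b])),
                    mitigated_by=mitigations.get((user, a, b)),
                ))
    return found


def unmitigated(conflicts):
    """The subset that must be remediated or formally evaluated as a deficiency."""
    return [c for c in conflicts if c.mitigated_by is None]


if __name__ == "__main__":
    for c in find_conflicts():
        status = f"mitigated by {c.mitigated_by}" if c.mitigated_by else "OPEN"
        print(f"{c.user}: {c.perm_a} + {c.perm_b} via {c.via_roles} -> {c.risk} [{status}]")
```

Two design choices carry the article's point. The rule set is short and tied to named financial-reporting risks rather than every theoretical conflict in the system, and a mitigation clears a conflict only when it is keyed to the exact user and rule, so the tool cannot "take credit" for a control that does not address that conflict. Note that bob's conflict arises from a single role, which is a role-design defect rather than an assignment error, and the via_roles field makes that visible.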

As information technology general controls (ITGCs) and other IT areas receive intense scrutiny from PCAOB inspectors, it stands to reason that ITGC failures and their resulting impact would receive additional focus as well. It is very easy to document a manual or IT-dependent manual control and determine whether it is effective after testing throughout the year. But what if the system report or workflow used in that control had an ITGC failure? Could you still rely on that information? Did that workflow still route accurately for approvals? What is the impact of a control deficiency evaluation when there are interdependencies? 

When evaluating ITGC deficiencies, you will need to understand and consider the impact on dependent business process controls. To the extent possible, identify interdependent controls within your documentation so you can clearly see the control linkages, especially in the event of an ITGC failure. Aim to get control owner buy-in early, and ensure that critical IT controls over access and change management receive increased focus on control execution. Control failures in this area likely are not happening in a vacuum. To avoid surprises late in the year, we recommend testing the effectiveness of these IT-linked controls early and often and designing a test plan that leaves ample time to remediate, where feasible.
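The linkage the paragraph asks for is, in practice, a dependency graph: a business-process control relies on a report or workflow, and that report or workflow relies on the access and change-management ITGCs of the system producing it. The following added example walks that graph from a failed ITGC to every control whose reliance is called into question and separates those for which management has documented alternate evidence. It is illustration written for this page, not any firm's methodology, and the control IDs, systems, dependency edges and alternate-evidence entries are constructed sample data, not a real control matrix.

```python
"""Tracing an ITGC failure to the business-process controls that depend on it.

Added illustration, not any firm's methodology. The control IDs, systems and
dependency edges below are constructed sample data, not a real control matrix.
"""
from collections import deque

# Control inventory as a dependency graph: item -> things it relies on.
# An IT-dependent manual control relies on the report or workflow it uses;
# that report or workflow relies on the ITGCs of the system producing it.
# Fully manual controls have no system dependencies. (constructed)
DEPENDS_ON = {
    # ITGCs
    "ITGC-ERP-ACCESS": set(),
    "ITGC-ERP-CHANGE": set(),
    "ITGC-HR-ACCESS":  set(),
    # system-generated reports and workflows
    "RPT-AP-AGING":    {"ITGC-ERP-ACCESS", "ITGC-ERP-CHANGE"},
    "WF-PO-APPROVAL":  {"ITGC-ERP-ACCESS", "ITGC-ERP-CHANGE"},
    "RPT-PAYROLL-REG": {"ITGC-HR-ACCESS"},
    # business-process controls
    "BP-AP-01": {"RPT-AP-AGING"},       # AP aging review
    "BP-PO-02": {"WF-PO-APPROVAL"},     # PO approval routed by workflow
    "BP-PR-03": {"RPT-PAYROLL-REG"},    # payroll register review
    "BP-FX-04": set(),                  # manual FX rate check, no system reliance
}

# Business-process controls for which management has documented evidence that
# does not depend on the failed ITGC, e.g. the report was independently
# re-performed from a raw extract. (constructed)
ALTERNATE_EVIDENCE = {
    "BP-AP-01": "aging re-performed from raw subledger extract and tied to GL",
}


def dependents_index(depends_on=DEPENDS_ON):
    """Invert the graph so we can walk from a failed item to everything that
    relies on it, directly or transitively."""
    idx = {name: set() for name in depends_on}
    for ctl, deps in depends_on.items():
        for dep in deps:
            idx.setdefault(dep, set()).add(ctl)
    return idx


def impacted_by(failed, depends_on=DEPENDS_ON):
    """Breadth-first walk from the failed ITGC(s); returns the set of reports,
    workflows and controls whose reliance is called into question."""
    idx = dependents_index(depends_on)
    seen, queue = set(), deque(failed)
    while queue:
        node = queue.popleft()
        for dep in idx.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def evaluate(failed, depends_on=DEPENDS_ON, alternate=ALTERNATE_EVIDENCE):
    """Classify each impacted business-process control: can it still be
    concluded on via alternate evidence, or does the ITGC deficiency flow
    through to it? Reports and workflows are the conduit, not the control
    being concluded on, so they are not listed."""
    outcome = {}
    for ctl in sorted(impacted_by(failed, depends_on)):
        if not ctl.startswith("BP-"):
            continue
        if ctl in alternate:
            outcome[ctl] = "alternate evidence: " + alternate[ctl]
        else:
            outcome[ctl] = "deficiency flows through; evaluate severity with the ITGC"
    return outcome


if __name__ == "__main__":
    for ctl, status in evaluate({"ITGC-ERP-CHANGE"}).items():
        print(f"{ctl}: {status}")
```

Run against a change-management failure on the ERP, the walk flags the AP aging review and the PO approval but leaves the payroll review (different system) and the manual FX check untouched, which is exactly the scoping the deficiency evaluation needs. Keeping the edges in the control documentation itself, rather than reconstructing them after a failure, is what lets this be answered in minutes instead of weeks.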

SOX outlook—what’s next? 

If somehow, after addressing everything else in this article, you still have time to be on the leading edge, then look no further than robotic process automation (RPA) and data analytics for the future of SOX. 

RPA refers to a set of modular software programs (bots) that complete structured, repeatable, logic-based tasks by mimicking the actions a human would take, and it is likely to find its way into your organization if it hasn’t already. Pilot cases are proving its efficacy, so you can expect to see RPA in business processes, external audits and SOX assessment procedures as adoption grows.

Whether using RPA in an existing process to execute controls or in the independent assessment of the operation of controls, it is important that the efficiency gained through RPA is managed in a controlled environment. Bots need to be implemented and maintained in a controlled manner, subject to the same access, change management and monitoring expectations as any other system, so that their outputs can be relied upon (i.e., the information is complete and accurate). This would include adopting a control framework that is similar to, or adheres to, industry-accepted practice such as COBIT (Control Objectives for Information and Related Technology).

Data analytics provide another avenue for automation and efficiency. Numerous firms are incorporating analytics into their audit procedures. Many organizations use analytics and reporting tools in the operation of controls, but be cautious when introducing an analytic that is relied upon for SOX purposes. Understand the new risks of material misstatement that the analytic itself could introduce, in particular the potential for incomplete or inaccurate analysis arising from the analytic’s design or logic. Where analytics are used to evaluate controls, be sure the control objectives are well understood, establish a position on what constitutes a deviation, and know what the impact of a deviation is. As with any deviation, it is important to know the auditor’s guidance: the note to paragraph 48 of AS 2201 states that “an individual control does not necessarily have to operate without any deviation to be considered effective.” However, each individual deviation will need specific consideration before concluding that the control is effective.

Past is prologue, but aim to stay ahead of the curve

It is important to remember that key SOX topics highlighted in prior years will continue to be top of mind for your external auditor. This includes some of the fundamental internal control considerations related to the flow of transactions, data processing and the design of controls. Attention must be paid to how critical information is processed and used in controls, including the reliability of data and the overall competence of control owners. In addition to maintaining focus on prior years’ themes, it is equally important to familiarize your organization with the SOX trends emerging as a result of COVID-19, regular PCAOB inspections, and the auditing standards and methodology updates that come each year. Foster your network of industry and market peers, including those that share the same audit firm, to keep abreast of trends and issues as they arise. 2020 brought us a once-in-a-lifetime pandemic that fundamentally altered the way we do business, but it is the foundation of risk management and understanding of authoritative guidance, and most importantly of your business, that will serve as the key elements of a successful SOX program in the future.