SOX Audit & Compliance Process
The bill was introduced in response to the fraud and accounting scandals at Enron Corporation, WorldCom, and Tyco International in the early 2000s.
SOX compliance testing is the procedure by which a company's management assesses its internal controls over financial reporting. This control testing is mandated by the Sarbanes-Oxley Act of 2002 (SOX). SOX is a U.S. federal law requiring all public companies doing business in the United States to comply with the regulation. It also expands corporate governance responsibilities.
Sarbanes-Oxley: a US law passed in 2002 to strengthen corporate governance and restore investor confidence, sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley.
What does SOX actually address?
The Sarbanes-Oxley Act consists of 11 sections; SOX compliance testing relates primarily to Sections 302, 404, and 906. You also need to follow the PCAOB (Public Company Accounting Oversight Board) auditing standards. Requirements under these sections:
- Auditors are responsible for maintaining a system of internal controls over financial reporting.
- Under SOX Section 302, the company's CEO and CFO must sign off quarterly on the effectiveness of internal controls and procedures for financial reporting.
- The internal control assessment process must meet the statutory requirements of SOX Section 404.
- SOX Section 906 (Corporate Responsibility for Financial Reports), evaluated quarterly, addresses criminal penalties for certifying a misleading or fraudulent financial report. Penalties can reach $5 million in fines and 20 years in prison.
- Management must assure its stockholders that the business is effectively controlled and that reliable financial information is delivered on time.
SOX Testing Phase & Model-
What exactly are we testing?
Test of design: tests whether the control is designed effectively, in line with the control objective. For example, SAP is configured to block an invoice if the price or quantity is outside the defined tolerance.
Test of effectiveness: performing the actual testing of the control.
Test of completeness: confirms that the data reconciles between the table level and the report.
Test of accuracy: there are generally two ways to gain assurance over completeness and accuracy. One is to compare the report to information or data external to the system; the other is to compare the report to the internal database.
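The completeness and accuracy tests above reduce to reconciling a system-generated report against its source data. The following is an added example (not from the original page or any audit tool) that does this for a constructed journal extract: it checks record counts, control totals, missing or extra documents, duplicate keys and row-level value differences, and returns a result that can be kept as testing evidence.

```python
"""Completeness and accuracy test: reconcile a report extract to its source table.
Added example, not from the original page; all data below is constructed."""
from collections import Counter
from decimal import Decimal

# Constructed: rows pulled directly from the source table (e.g. an ERP journal table)
SOURCE_TABLE = [
    {"doc": "1900000001", "account": "400000", "amount": Decimal("1250.00")},
    {"doc": "1900000002", "account": "400000", "amount": Decimal("320.50")},
    {"doc": "1900000003", "account": "410000", "amount": Decimal("99.99")},
    {"doc": "1900000004", "account": "410000", "amount": Decimal("4000.00")},
]
# Constructed: the system-generated report the control owner relies on.
# Document 1900000004 is missing and 1900000002 carries a different amount.
REPORT = [
    {"doc": "1900000001", "account": "400000", "amount": Decimal("1250.00")},
    {"doc": "1900000002", "account": "400000", "amount": Decimal("325.00")},
    {"doc": "1900000003", "account": "410000", "amount": Decimal("99.99")},
]


def reconcile(source, report, key="doc", value="amount"):
    """Return a reconciliation result usable as control-testing evidence."""
    src = {r[key]: r for r in source}
    rpt = {r[key]: r for r in report}
    missing = sorted(set(src) - set(rpt))          # in the table, not on the report
    extra = sorted(set(rpt) - set(src))            # on the report, not in the table
    duplicates = sorted(k for k, n in Counter(r[key] for r in report).items() if n > 1)
    mismatched = sorted(k for k in src.keys() & rpt.keys() if src[k][value] != rpt[k][value])
    src_total = sum(r[value] for r in source)
    rpt_total = sum(r[value] for r in report)
    return {
        "source_count": len(source), "report_count": len(report),
        "source_total": src_total, "report_total": rpt_total,
        "missing_from_report": missing, "not_in_source": extra,
        "duplicate_keys": duplicates, "value_mismatches": mismatched,
        # complete: every source record appears exactly once, nothing else appears
        "complete": not missing and not extra and not duplicates,
        # accurate: matching records carry the same value and totals agree
        "accurate": not mismatched and src_total == rpt_total,
    }


if __name__ == "__main__":
    for k, v in reconcile(SOURCE_TABLE, REPORT).items():
        print(f"{k}: {v}")
```

A passing test requires both flags to be true; the lists of exceptions are what the tester documents on the TOE template.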
Types of Controls-
Automated Controls: automated controls take many forms, namely configuration-level, master-data-level and transaction-level automated controls. Using CCM (continuous control monitoring), a control owner can be notified when these configuration, master data or transactional fields/values change. Controls monitored by this solution save the organization time and money, as they are triggered only when needed, allowing process and control testers/owners to focus on other tasks in the meantime.
Semi-Automated Controls (ITDM, IT Dependent Manual Controls): when triggered, a system-generated report lists issues for the control tester. The issues remain in draft status, and a remediation plan cannot be assigned until the issues are confirmed and submitted by the control tester. The control tester also has the option to void and close the issue.
Manual Controls: when the control is triggered, a detailed test plan is submitted to the control tester, who then executes the test plan and raises issues, if any. The control tester also has the option to pass the test and submit it to the issue owner/sub-process owner to close the control testing.
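To show what the CCM notification described under Automated Controls amounts to, here is an added example (not from the original page or any GRC product) that compares a baseline snapshot of configuration and master data against a current extract and produces one draft notification per change for the responsible control owner. Field names, the invoice tolerance keys, vendor numbers and the owner mapping are all constructed.

```python
"""CCM-style change detection over configuration and master data.
Added example, not from the original page or any vendor tool; data is constructed."""

# Constructed baseline captured when the control was last tested and approved.
BASELINE = {
    "config:invoice_tolerance_pct": "5",
    "config:invoice_tolerance_qty": "10",
    "vendor:100001:bank_account": "DE00000000000000000001",
    "vendor:100002:bank_account": "DE00000000000000000002",
    "vendor:100002:payment_terms": "NET30",
}
# Constructed current extract: the price tolerance was widened, one vendor's
# bank account changed, and a new vendor was created.
CURRENT = {
    "config:invoice_tolerance_pct": "25",
    "config:invoice_tolerance_qty": "10",
    "vendor:100001:bank_account": "DE00000000000000000001",
    "vendor:100002:bank_account": "DE00000000000000000099",
    "vendor:100002:payment_terms": "NET30",
    "vendor:100003:bank_account": "DE00000000000000000003",
}
# Constructed mapping from key prefix to the control owner who is notified.
OWNERS = {"config:": "p2p-process-owner", "vendor:": "vendor-master-owner"}


def detect_changes(baseline, current):
    """Return one notification record per added, removed or modified field.

    Records start in draft status: as with ITDM issues, nothing is assigned for
    remediation until the control tester confirms them.
    """
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        owner = next((o for p, o in OWNERS.items() if key.startswith(p)),
                     "control-testing-team")
        changes.append({"field": key, "change": kind, "old": old, "new": new,
                        "notify": owner, "status": "draft"})
    return changes


if __name__ == "__main__":
    for change in detect_changes(BASELINE, CURRENT):
        print(change)
```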
Control Testing Procedures:
Procedures differ from organization to organization. Record-keeping on the TOE template in Excel is very important, and while documenting you need to meet the control objectives based on the control descriptions.
Example of Real-world SOX Audit Control Testing
When working with companies, you need to perform control testing in depth for all regions: communicate with other teams for population reports, validate the population report, select samples, request sample documentation, check the sample documentation, record the results for all samples in Excel or in software based on the company's tools, submit for manager review, and upload to SAP GRC. An example of such a process is the journal entries process.
Importance of SOX Audit Control Testing
Every organization is responsible for fulfilling the provisions of the SOX Act (Sarbanes-Oxley). Most organizations run SAP as their ERP system; therefore, all IT controls are linked to an organizational business process. These controls being set up correctly and working as desired form an integral part of an organization's performance in the global market. To achieve this, a fully compliant, quality-assured SOX audit of the IT controls needs to be performed to give assurance to the shareholders. Hence, it is vital that the SOX activity is completed with due diligence and professionally, in line with the quality standards.
SOX compliance software-
Many organizations also use modern software for SOX audit control testing; some popular tools are:
• SolarWinds Security Event Manager
• Workiva Internal Controls Management
• Netwrix Auditor
• ManageEngine EventLog Analyzer