Planning is an extremely important part of your SOX compliance process. Not only will it help you plan out the path ahead, but it becomes a valuable starting place for discussing the project with your auditors and audit committee. The planning process is a valuable time to form consensus, formalize the compliance plan and define responsibilities. Any differences of opinion should be resolved at this stage.
We recommend a plan which encompasses, at a minimum, the following areas:
Staffing: Define who is responsible for each area of compliance and plan feedback and communication with members of the team, the audit committee and the external auditors. Take some time to consider how you will staff this project. To complete it successfully you will need both knowledge and capacity. Ultimately, there is no one best way to staff this project. Each method (outsourcing, co-sourcing, direct hire or existing staff) has its positives and negatives. The key is to find the one that best fits your company’s needs.
Timing: Divide the task into key deliverables and plan a schedule for implementation. You will want the maximum amount of time to complete the project; however, if you take too long there will be little time to rectify any deficiencies identified. Consult with your outside auditors to determine the minimum period that a control must be in effect before you can begin testing. If that period is two months, for example, you will not be able to begin testing until the third month.
A basic compliance process that will work for many companies is:
- First two months – Organize, launch, document and identify Financial Reporting risks
- Third to sixth month – Identify controls that adequately address Financial Reporting risks and evaluate evidence of the operating effectiveness of Internal Control Over Financial Reporting
- Seventh to ninth month – Remediate controls in need of remediation and re-test
- Tenth and eleventh month – Conclude and report
Framework: Select a recognized framework to construct your testing plans and ongoing compliance tasks. Do yourself a favor and choose the COSO framework. While the final rules do not prescribe which framework to use, the COSO framework is the best known. If you use a different framework, you will need to thoroughly research what that framework requires.
Identify important business cycles: Define business cycles (e.g. Financial Close Reporting, Order to Cash, Purchase to Pay, Inventory Management, etc.) and correlate each cycle to components of the financial statements. One of the most important things you must accomplish in the planning phase is to select your business cycles. To select your cycles, begin by drafting a list of potential cycles. Make sure that every line item in the balance sheet and income statement falls under one of the cycles. Next, look at the disclosures and make sure you know which cycle would include each of the significant disclosures. Remember that you are testing controls over financial reporting; therefore, you want to make sure you cover all items that are material enough to be presented in your financials.
Assess control environment: Examine risk tolerance and the anticipated impact of a control failure at a company-wide level. Once you have considered the impact, you will want to determine the company’s overall risk level. The higher the risk in the control environment, the tighter your internal controls should be and the higher the level of testing.
Plan for testing: Define the testing level (e.g. number of selections, rotation plan, handling of test failures, etc.) and define a consistent testing methodology. You should lay out a methodology for how you intend to test your controls. The end goal of your test plan methodology is to provide “reasonable assurance” that the controls over financial reporting are effective.
Dan Anderton is a partner at SOX Experts LLC and our guest blogger today.
For more information contact us at 203-894-1992 or at danderton@sox-expert.com