The management of Sarbanes-Oxley (SOX) compliance is a never-ending cycle of deadlines. The natural response after filing may be to pause, roll forward and start the next year as the year before. Did someone say SALY? If this is your routine, then you may be missing an opportunity to strengthen your SOX program and decrease the level of effort and cost of compliance.
Control rationalization is an important step in determining whether internal controls are appropriately identified. Ideally this activity is performed on an annual basis to strengthen the company’s control environment. Control rationalization is an integral part of establishing an optimized SOX compliance program.
The main focus of control rationalization should be a risk assessment of the control environment. The goal of the assessment is to determine that all financial statement risks are mitigated by a control activity. The result will be the elimination of any redundant controls (i.e., controls that cover the same risk) or the identification of a risk that may not be mitigated.
Organizations should take the following approach when performing control rationalization:
Apply a top-down risk assessment:
- Perform a risk assessment to develop an understanding of financial reporting risks, including quantitative and qualitative factors. The company should focus on the WCGWs (what could go wrong) within each financial reporting process.
Rationalize existing controls and redesign test plans:
- Map existing controls to the risk assessment performed in the first step. For risks that address multiple controls, evaluate which control is the strongest in detecting or preventing a material misstatement. Then classify the remaining controls as non-key in your control framework.
Leverage automated controls and enable technology:
- As processes are automated, the company should leverage automated controls and remove as many manual controls as possible from its control environment. For example, implementing a workflow for purchase orders (PO) and invoices that automatically routes to the appropriate approver based on the company’s delegation of authority policy. Another example would be implementation of an employee expense workflow, which allows employees to enter expenses into an application and route to their manager for approval.
Standardize and centralize processes:
- Control processes around journal entries and account reconciliations should be standardized across the company, to the extent possible. Templates and review processes should be streamlined for consistency and efficiency. Further, a standardized process could allow for a single control to address all journal entries and account reconciliations rather than requiring separate controls.
- Consider interfacing key modules (accounts payable, inventory, etc.) with the general ledger system to automate recording between the sub-ledger and general ledger. This interface can help create a more effective financial close process.
While it is easy to get into the routine of performing the same testing as last year, these steps will help enhance the SOX compliance program. Organizations that complete an effective control rationalization project can be confident that their SOX program gains efficiency while increasing overall cost effectiveness.
For more information on this topic, or to learn how Baker Tilly SOX specialists can help, contact our team.