If your company has a December 31 fiscal year-end, you’re likely in the throes of completing SOX year-end testing and documentation. But before you call it done, and the team moves on to other things, take time to conduct a post-mortem: What went well? What didn’t? And how can you make it better?
Now is the time to determine how you can improve your SOX process, including the enhancement and testing of internal controls over financial reporting (ICFR), so it will be more efficient and more effective next year. And the current team is in the best position to note the FY2020 pain points—and improvements you’d like to incorporate.
Here’s a post-mortem checklist to help you ask the right questions.
The External Auditor
When heading into the year-end crunch, there’s nothing worse than having to scramble to address surprises from your external auditor. So this is a great place to begin your post-mortem.
- How’s the partnership?
- What worked or didn’t work for FY2020?
- If you were hit with year-end surprises, how could they be avoided in the future?
- Are you getting good value for the services received?
- What could be done to improve the relationship?
Impacts of COVID-19
As we advised early on, the pandemic had an extreme impact on the global business environment, as well as companies’ risk profile and considerations for risk management, compliance and internal controls. How did this COVID-19 and shelter-in-place policies affect your business?
- Was your company’s revenue impacted? If so, how did this affect materiality and the control environment?
- Did you change any in-scope locations?
- Were processes executed differently or not at all?
- What control changes were identified?
- Any gaps in control execution?
- Did you identify any new segregation of duties issues?
The process to capture and retain evidence of effective control operation may represent a challenge if there’s no central repository for business and IT documentation.
- Are you using a system to contain documentation and SOX testing results?
- Is all support electronic scanned?
- Have you implemented service level agreements around delivery of timely and appropriate evidence or PBC requests (items prepared by the company)?
- What might you recommend to improve the testing and evidence gathering process?
2021 Internal Controls Planning
There’s always room for continuous improvement. Consider the opportunities below and where you can further optimize your program.
- Are process owners engaged to update narratives, flowcharts and risk control matrices (RCMs) or are updates performed by a separate team?
- Does it seem your company has too many SOX controls? Or not enough?
- Are the high-risk areas adequately covered? Is there a plan to reduce the efforts dedicated to low/no risk activities?
- Is there an opportunity to rationalize or “right-size” the control set?
- How can we approach SOX in a more Agile way?
SOX/Internal Controls Service Partnership?
Working with the right partner can make all the difference in making the SOX reporting process as painless and efficient as possible, as our biopharma client discovered when we helped them overcome past deficiencies and get to healthy SOX compliance in just one year.
- How is your company’s SOX service provider partnership going?
- Was work completed on schedule and within budget, or was there scope or budget creep?
- Did you receive regular status reports with helpful and insightful advice?
- Are you ready for a change or refresh?
- Is there an opportunity to optimize the internal control set?
- Is there an area of risk or concern that a partner might help you address?
Finally, if you need help with your FY2020 post-mortem or with planning for a more efficient, effective ICFR process next year, our Internal Audit and Compliance team is here to help. We’ll not only assess your program and provide recommendations for enhancing the control environment, but also reduce pressure on your team by advocating for you and challenging unrealistic or extraordinary requests.
Ready for a new SOX partner for FY2021? If so, let’s talk.