Don’t Miss This Critical Last Step in Your SOX Process

Now is the optimal time to discuss how you might improve your company’s SOX process, including the enhancement and testing of internal controls over financial reporting (ICFR), so it will be more efficient and more effective next year. And the current team is in the best position to note the FY2021 pain points—and improvements you’d like to incorporate for next year.

Here’s a post-mortem checklist to help you ask the right questions.

The External Auditor

When heading into the year-end crunch, there’s nothing worse than having to scramble to address surprises from your external auditor. So this is a great place to begin your post-mortem.

• How’s the partnership?
• What worked or didn’t work for FY2021?
• If you were hit with year-end surprises, how could they be avoided in the future?
• Are you getting good value for the services received?
• What could be done to improve the relationship?

Ongoing Impacts of COVID-19

As we advised early on, the pandemic had an extreme impact on the global business environment, as well as companies’ risk profile and considerations for risk management, compliance and internal controls. How do the ongoing pandemic challenges, including variants such as Omicron, affect your business?

• Was your company’s revenue or supply chain adversely impacted? If so, how did this affect materiality and the control environment?
• If so, how did this impact revenue, materiality, forecasts and the overall control environment? Has your company endeavored to qualify new vendors to bolster supplies of component parts?
• How was the company’s IT environment impacted? Have new applications been implemented?
• Did you change any in-scope locations?
• Were processes executed differently or not at all?
• What other control changes were identified?
• Any gaps in control execution? Holding off on physical inventory count may have been ok for one year. Now, companies and auditors are rethinking the longer-term strategies to ensure that fixed assets and inventory counts are accurate.
• Did you identify any new segregation of duties issues?

Testing Evidence

The process to capture and retain evidence of effective control operation may represent a challenge if there’s no central repository for business and IT documentation.

• Are you using a system to contain documentation and SOX testing results?
• Is all support electronically scanned?
• Have you implemented service level agreements around delivery of timely and appropriate evidence or PBC requests (items prepared by the company)?
• What might you recommend to improve the testing and evidence gathering process?

2022 Internal Controls Planning

There is always room for continuous improvement. Consider the opportunities below and where you might further optimize your company’s program.

• Are you expecting any acquisitions or new system implementation that should be considered as you move into the next fiscal year?
• Are there expected changes in the market cap that would trigger 404b compliance?
• Are process owners engaged to update narratives, flowcharts and risk control matrices (RCMs), or are updates performed by a separate team?
• Do process and control owners embrace a culture of ownership and accountability?
• Does it seem your company has too many SOX controls? Or not enough?
• Are the high-risk areas adequately covered? Is there a plan to reduce the efforts dedicated to low/no risk activities?
• Is there an opportunity to rationalize or “right-size” the control set?
• How can we approach SOX in a more Agile way?

SOX and Internal Controls Service Partnership

Working with the right partner can make all the difference in making the SOX reporting process as painless and efficient as possible. For example, our biopharma client got to healthy SOX compliance in just one year. And we helped a newly public SOX client remediate all of their material weaknesses from the prior year.

• How is your company’s SOX service provider partnership going?
• Is there an opportunity to enhance your company’s alignment with the external auditors and reduce the impact on control owners?
• Was work completed on schedule and within budget, or was there scope or budget creep?
• Did you receive regular status reports with helpful and insightful advice?
• Are you ready for a change or refresh?
• Is there an opportunity to optimize the internal control set?
• Is there an area of risk or concern that a partner might help you address?

Finally, if you need help with your FY2021 post-mortem or with planning for a more efficient, effective ICFR process next year, our Internal Audit and Compliance team is here to help. We’ll not only assess your program and provide recommendations for enhancing the control environment, but also reduce pressure on your team by advocating for you and challenging unrealistic or extraordinary requests.

---

This article was originally published in February 2021 and has been updated.