SOX Compliance Audit: everything you need to know


SOX Compliance Audit: everything you need to know in 2023

Some organizations are new to Sarbanes-Oxley (SOX) Act requirements, while others are seasoned professionals. No matter your GRC strategy or the maturity of your SOX program, it can likely be made more efficient and less painful. Read on to learn more about SOX compliance requirements and what you can do to improve your next SOX compliance audit.

Compliance requirements

SOX aims to enhance corporate governance by strengthening internal checks and balances and corporate accountability. Section 404, in particular, requires companies to establish and maintain an adequate internal control structure over financial reporting and to assess its effectiveness every year.

SOX is a long and complex piece of legislation, but there are four essential requirements:

  • Section 302 mandates that corporate officers, typically the CFO or CEO, certify that the company's financial statements comply with SEC requirements. Officers who sign off on financial statements they know to be false are subject to criminal penalties and prison.

  • Section 401 requires that financial statements be accurate and prepared in accordance with GAAP accounting standards, and that periodic reports disclose material off-balance-sheet transactions so they are held to the same standard.

  • Section 404 (the source of the "SOX 404 controls") requires management to establish internal controls and procedures over financial reporting, assess their effectiveness annually, and report on that assessment; for larger filers, the external auditor must also attest to it.

  • Section 802 includes three rules that affect recordkeeping:

    • It penalizes the destruction, alteration, or falsification of records.

    • It defines the retention period for records.

    • It specifies which records companies must store, including electronic communications.

Demonstrating SOX compliance

SOX compliance generally refers to the annual audit where companies are obligated to submit financial reports and prove the accuracy and security of their financial data. SOX compliance focuses on the following areas:

1. Financial Reporting

Companies must provide routine financial reports that have been audited by independent auditors. SOX also bars audit firms from providing certain non-audit services, such as consulting, to the companies they audit, so the auditor's independence is not compromised.

All financial statements from public companies must comply with GAAP (Generally Accepted Accounting Principles). Financial statements must equitably represent the company's financial circumstances. The CFO or CEO must certify that "to the best of their knowledge, there are no untrue or misleading statements or omissions in the reports."

2. Internal Controls

Section 404 (SOX audit controls) requires organizations to implement internal controls that ensure accurate financial reporting. These controls, sometimes called 404 controls, are the rules and checks that prevent or detect errors in a company's financial reporting process, so the organization can rely on the numbers it reports.

SOX does not provide a list of specific controls. Instead, companies must define their controls to meet the regulator's goals. Types of SOX controls include:

3. Data security policies

SOX requires companies to create and uphold a data security policy that protects the storage and use of financial data. SOX requires organizations to enforce this policy consistently and to communicate it with employees.

4. Real-time issuer disclosures

"Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand and supported by trend and qualitative information and graphic presentations as appropriate." In summary, the company must tell shareholders and stakeholders promptly when an event significantly changes its financial condition or operations.

5. Criminal penalties

SOX makes the signing executives, usually the CEO or CFO, personally and individually responsible for their attestations. The penalty for filing a false or misleading report can be a fine of up to $5 million and 20 years of jail time. 

6. Internal audit priorities

Internal audit and controls testing is typically the largest, most complex, and most time-consuming part of compliance, because the controls in scope extend to every IT asset where financial data resides: servers, workstations, software, and any other device or system that stores or processes it.

Automated SOX and internal controls for a stress-free audit

Your ERP is usually the most critical system under scrutiny in a SOX audit because most of your key controls operate in it, and a majority of those key controls are IT general controls (ITGCs) such as access management and change management.

Testing ITGCs in your ERP by hand is tedious, and manual processes that depend on employees or auditors collecting evidence do not scale. Reducing them significantly lowers SOX compliance costs: an automated control runs the same way every time, which makes it a repeatable, reliable, and predictable framework in the long run.

Among the other benefits of automating your SOX and SOX IT controls are the following:

Continuous Controls Monitoring

Automated controls allow for Continuous Controls Monitoring (CCM). Supplier master data entered in your ERP at onboarding must still be correct when it is time to pay invoices. Because the time between onboarding and payment can be lengthy, there is ample opportunity for internal and external bad actors to alter that data in between. CCM checks the data continuously rather than only at onboarding, so changes are caught before they affect a payment.

Increased Efficiency

When a finance team is responsible for processing thousands of invoices, it can be a significant challenge to ensure that all the data in the invoices are correct. This process can consume many resources, including time and staff hours. Automated controls can shave hundreds of hours of manual checks, freeing your team to focus on other priorities.

Reduced fraud risk

Increasingly, organizations are concerned about insider threats. One malicious employee with elevated privileges can manipulate data in your ERP and perpetrate fraud against your organization. Such fraud can take years to detect because the insider knows which manual controls are in place, understands how to circumvent them, and is adept at covering their tracks. Automated controls reduce this risk by limiting who can change sensitive data and by flagging changes and transactions that a human reviewer would rarely notice in time.
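The two preceding sections describe CCM of supplier data and the insider who both changes data and benefits from it. The following is an added example, not code from the original page or from any vendor product, of what such an automated control looks like over an ERP change log. All records, user names, vendor IDs, field names and the 30-day review window are constructed assumptions; a real implementation would read the ERP's own audit tables.

```python
"""
Continuous controls monitoring over a constructed ERP vendor-master change log
and a payment run. Two automated checks that replace a manual review:
  1. RECENT_BANK_CHANGE: a vendor's bank details changed shortly before a
     payment to that vendor (vendor-master drift between onboarding and payment).
  2. SOD_VIOLATION: the user who changed the bank details also approved the
     payment (segregation-of-duties breach, the classic insider fraud pattern).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class VendorChange:
    vendor_id: str
    field: str
    old: str
    new: str
    changed_by: str
    changed_on: date


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    amount: float
    bank_account: str
    approved_by: str
    paid_on: date


# Constructed sample data; these are not real ERP records.
VENDOR_CHANGES = [
    VendorChange("V100", "bank_account", "DE00-ONBOARD", "DE11-NEW", "alice", date(2023, 3, 1)),
    VendorChange("V200", "bank_account", "FR00-ONBOARD", "FR22-NEW", "bob", date(2023, 1, 5)),
    VendorChange("V300", "address", "1 Main St", "2 High St", "carol", date(2023, 3, 10)),
]
PAYMENTS = [
    # Bank details changed 7 days earlier by the same person who approves the payment.
    Payment("P1", "V100", 48000.0, "DE11-NEW", "alice", date(2023, 3, 8)),
    # Bank details changed 63 days earlier by someone other than the approver.
    Payment("P2", "V200", 1500.0, "FR22-NEW", "dave", date(2023, 3, 9)),
    # Only a non-financial field changed; nothing to flag.
    Payment("P3", "V300", 900.0, "GB00-ONBOARD", "erin", date(2023, 3, 12)),
]

# Fields whose change should trigger a second look before money moves (assumption).
BANK_FIELDS = {"bank_account"}
# A bank change within this window before payment is treated as "recent" (assumption).
RECENT_CHANGE_WINDOW = timedelta(days=30)


def bank_changes_for(vendor_id, changes):
    """All changes to bank-related fields for one vendor."""
    return [c for c in changes if c.vendor_id == vendor_id and c.field in BANK_FIELDS]


def check_payment(payment, changes, window=RECENT_CHANGE_WINDOW):
    """Return a list of (rule, detail) findings for one payment; empty means clean."""
    findings = []
    for change in bank_changes_for(payment.vendor_id, changes):
        if change.changed_on > payment.paid_on:
            continue  # a change made after the payment cannot have influenced it
        age = payment.paid_on - change.changed_on
        if age <= window:
            findings.append(("RECENT_BANK_CHANGE",
                             f"{change.vendor_id} bank account changed {age.days} days "
                             f"before {payment.payment_id} ({change.old} -> {change.new})"))
        if change.changed_by == payment.approved_by:
            findings.append(("SOD_VIOLATION",
                             f"{change.changed_by} changed {change.vendor_id} bank details "
                             f"and approved {payment.payment_id}"))
    return findings


def run_monitor(payments, changes, window=RECENT_CHANGE_WINDOW):
    """Map payment_id -> findings, including only payments with at least one finding."""
    results = {}
    for payment in payments:
        findings = check_payment(payment, changes, window)
        if findings:
            results[payment.payment_id] = findings
    return results


if __name__ == "__main__":
    for payment_id, findings in run_monitor(PAYMENTS, VENDOR_CHANGES).items():
        for rule, detail in findings:
            print(f"{payment_id}: {rule}: {detail}")
```

Run as a script, the monitor flags only P1, once for the recent bank change and once for the segregation-of-duties breach; P2 is clean because the change is older than the window and was made by a different user. In production the same two functions would run on a schedule against the ERP's change-document tables, and each finding would block the payment run or open a review ticket, which is the "continuous" in CCM.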

Improved security posture

Automated controls improve an organization's overall security posture. For instance, you can automate reminders to control owners to test or execute a specific control and alert compliance officers when that work has not been completed on time. The test results can feed standard reports or risk dashboards so you can quickly see, and report on, your compliance status.

Increased cost-efficiency

The upfront costs of implementing automated controls may be higher than manual controls. However, over time automated controls are more cost-effective. Once an organization embraces automated controls, it can meet CCM and compliance obligations more efficiently. Automated controls also require fewer staff hours, saving you money.

Regulatory compliance

Because an automated control runs the same way every time and records its own result, it produces the repeatable, predictable evidence trail an auditor needs without someone gathering it by hand, which is what keeps the cost of compliance down over time.

When evaluating automated control solutions, look for one that gives the entire organization a single, fully integrated platform for assessing and managing identified risks and mitigating them through effective internal control and audit programs.

SOX compliance can feel like a chore, but businesses see tangible benefits from adopting SOX standards. Companies that have implemented SOX controls report improvements in financial reporting, cybersecurity, and access control. Complying with SOX is a value-adding part of an organization's overall governance program.


Recommended Resources

Everything you need to know about ITGC SOX

During your annual SOX audit, your ITGCs are examined to support the accuracy of your financial reporting. If your ITGCs are insufficient and are cited in the financial audit, that can lead to disclosures to investors. You also risk losing business if weak ITGCs make prospective customers concerned about security risks. Both the disclosures and the underlying security weaknesses lead to costly remediation.


Solving the high costs of SOX compliance

The Sarbanes-Oxley Act has been in place for more than 20 years, and during that time, compliance costs have continued to increase. While there have been years where gains have been made to curb compliance costs, on the whole, they have steadily increased, and the last two years are no exception. 


IT Application Controls and the benefits of automation

Application controls are the checks built into an application that keep the data it processes complete, accurate, and protected. Applications play a vital role in the operations of organizations, but they also expose organizations to the risk of a breach.