Guide to Internal Controls for SOX Compliance

SOX aims to protect investors in public companies by increasing corporate accountability and transparency. It imposes requirements for effective internal control over financial reporting and adequate disclosure controls to inform investors of other material issues that might affect shareholders’ decisions about buying the stock.

SOX also establishes penalties for corporate executives and boards of directors that mismanage or manipulate a company’s financial reporting to mislead investors.

Under SOX Section 404(a), which applies to all publicly traded companies, management must assess the effectiveness of its internal controls over financial reporting (ICFR) using a top-down risk assessment, which sets the scope of such testing. An external auditor can use that evaluation to provide formal opinions on its internal controls.

Under SOX Section 404(b), large publicly traded companies must also undergo an external audit of their ICFR. Both senior management and the external auditor are responsible for making their assessment using a top-down approach.

The most important SOX compliance requirements are in sections 302, 404, 409, 802, and 906 of the law. Compliance in these areas can also provide significant support for data protection programs.

Corporate Responsibility for Financial Reporting

The chief executive officer (CEO) and chief financial officer (CFO) are directly accountable for the accuracy of all financial filings submitted to the Securities and Exchange Commission (SEC), according to Section 302.

The executives are also accountable for creating and maintaining SOX internal control over financial reporting, which must be validated within 90 days of the report’s release.

Management’s Evaluation of Internal Controls

Section 404 is the most complicated, contentious, and expensive part of all SOX compliance requirements. It requires that all public companies must include a statement from management in the company’s annual report about the effectiveness of ICFR – including the possibility that management believes ICFR isn’t fully effective. This is Section 404(a).

Section 404(b) requires large public companies to undergo an annual audit from an independent registered auditor. That auditor must offer an opinion on the effectiveness of the company’s ICFR – again, including the possibility that the auditor believes ICFR isn’t fully effective; in which case, the auditor should identify any material weaknesses in ICFR that the auditor has identified.

Real-Time Issue Disclosure

Under Section 409, companies are required to disclose, in near real-time, any material change in financial condition or operations. This is to protect the interests of investors and the public. The organization will be exposed to penalties if it knowingly or recklessly delays disclosing pertinent information.

Criminal Penalties for Document Tampering

Altering, destroying, mutilating, hiding, or falsifying financial data, papers, or tangible objects to obstruct, impede, or influence authorized investigations is punishable by up to 20 years in jail under Section 802.

This section also establishes penalties of up to 10 years for an accountant, auditor, or someone who knows and deliberately fails to keep all audit or review papers for five years.

Responsibility for Financial Reports

According to Section 906, the criminal punishment for certifying a false or fraudulent financial report can range from $5 million in fines to 20 years in jail.

SOX requires annual audits and dissemination of those audits to shareholders. Companies hire independent auditors to perform SOX audits, separate from other audits to avoid conflicts of interest.

The primary objective of the SOX compliance audit is to verify that the company’s financial statements are free of material misstatement. Auditors compare past financial statements with those of the current year and determine if everything is in order.

Auditors may also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards.

• Risk assessment. This part of the audit process should help the auditor identify risks and potential impacts; it should not produce a list of compliance procedures.
• Materiality analysis. This step determines which items are material to the balance sheet and profit and loss account. Auditors usually calculate a portion of the financial statement accounts to assess materiality.
• SOX controls. In the materiality analysis stage, the auditor identifies and documents SOX controls that can prevent and detect the improper recording of transactions. This stage involves identifying the procedures to calculate account balances correctly.
• Fraud risk assessment. The auditor considers the potential for fraudulent activity to assure early detection and prevention of fraud.
• Documentation. The description and documentation of rules should include details on the operation of key management, such as frequency, testing, and associated risks.
• Testing of controls. Testing of SOX controls involves verifying the effectiveness of the test methods, assuring that the appropriate process owner operates the control, and checking whether the control successfully protects against material misstatements.
• SOX deficiency assessment. An effective SOX program should reduce the time spent on manual activities. Automated controls will reduce the potential for deficiencies.
• Report. The final stage of SOX control testing is for the auditor to prepare a report on the controls and submit it to the audit committee.

SOX compliance testing is how a company’s management or the auditor assesses ICFR as mandated by SOX.

Compliance testing is usually split into phases. The first part is a design testing phase, where a “walk-through” of a transaction process is performed from start to finish. For example, consider the purchase order process. Segregation of duties and potentials for fraud would be examined, from purchase requisition to receipt of goods to payment of the supplier’s invoice.

You would then trace all of this information back into the accounting records. These activities validate that your documentation of the controls and the processes match with what you observed while testing one transaction.

The second, more extensive phase (sometimes broken into multiple steps) is operational effectiveness testing. During this phase, a large sample or the entire population of transactions is tested to see if the control works the same way every time. Here, you’re validating that the controls consistently function as designed.

Internal compliance teams typically test controls three times throughout the calendar year. The last one is a year-end test to assure compliance requirements are being met.

In addition, a company is required to maintain documentation supporting management’s assessment of the company’s internal controls over financial data.

Operational effectiveness testing is a large portion of Section 404. Management performs an internal audit, completing SOX testing for all essential controls to confirm those controls function as designed. Management then concludes that there are no deficiencies, issues, or errors; or documents any such shortcomings that management does find.

Management can then affirmatively state it performed its SOX compliance testing and concludes that its internal SOX reporting controls over data security are in place and working.

Internal controls are used to detect and prevent risks in the organization’s processes that might prevent the company from achieving its objectives. For example, SOX regulatory requirements for public companies include establishing internal controls for operations that affect financial reporting.

SOX 404 controls are guidelines that can help a company’s financial reporting processes avoid and detect errors. These controls should be applied and verified at all stages of the company’s financial reporting processes. In addition, internal auditors should conduct periodic compliance audits to verify that adequate controls are in place and functioning correctly.

This standard does not provide a list of specific controls. Instead, it requires organizations to define their processes and internal controls in whatever way allows the company to meet SOX compliance objectives. These may include, for example, access control, change management, segregation of duties, cybersecurity solutions, and backup systems.

A company’s compliance with SOX assures investors that the company’s financial statements are reliable; that inspires both investor confidence and market certainty.

These advantages represent macro-level improvements for the overall market. But what are the implications of SOX at the level of an individual company? Here are some benefits of SOX compliance.

Risk Classification

Not all risks are equal. SOX compliance gives companies a starting point for asset and risk analysis. Understanding the risks means being able to target controls more effectively.

The best way to define the scope and extent of SOX testing is to conduct a risk assessment focused on the risks associated with Sarbanes-Oxley compliance.

Strengthening the Control Structure

Another benefit of SOX compliance is improved awareness of internal controls and how these controls fit together into a larger structure. When auditors and management focus on internal controls as part of a SOX review, the business quickly realizes how critical control activities are to its financial success.

The additional scrutiny that occurs through a SOX assessment prompts participants to work even harder to assure that activities important to financial reporting are correctly executed.

Better Audits

Although “better audits” is vague, many parts of the audit process can benefit from SOX compliance. More effective and efficient operations lead to better audit results. With better internal audit results, the external audit process becomes more efficient.

Streamlining external audit reduces overall audit costs by reducing the cost of employee time responding to external audit findings and corrective actions. In addition, creating a better collection of audit evidence minimizes the workload for the people supporting auditors.

Better Operational Performance

When organizations implement internal controls early, SOX compliance motivates the organization to assess its risk annually. As a result, organizations can put best practices in place from the beginning, and keep operational performance strong from a much earlier point in the company’s life.

Team Collaboration

SOX compliance requires deep, frequent collaboration among internal stakeholders. Internal auditors and those overseeing SOX assessments must collaborate cross-functionally with those who own or contribute to financial and information controls, such as finance, operations, and human resources. SOX requirements incentivize the creation of stronger working relationships across teams.

If you’re struggling with your SOX compliance efforts, ZenGRC is the solution!

Reciprocity’s ZenGRC can help companies struggling with SOX compliance efforts by providing them with expert help. The software streamlines and organizes the entire compliance process and automates repetitive elements to save time and resources.

It is a single source of truth that assures your organization is always audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

Schedule a demo today to learn more about how ZenGRC can keep your company SOX compliant.