The season for Sarbanes-Oxley audits is now mostly behind us, which means we’re moving into the season of webinars about this year’s SOX audits and lessons we can learn for future years. I attended one such webinar this week and am here to pass along my notes.
The webinar itself was run by audit firm RSM, hosted by Robert Frattasio (partner) and Maggie Berkeley (principal). They led off with a polling question for the audience that seems simple and standard for these affairs, but actually is quite thought-provoking: Did you feel more pressure this year from your auditors?
More than 70 percent of the audience said yes, they felt more pressure this year. Why? The top reasons were that the audit firm itself just wanted more evidence (37 percent), and internal changes at the company that prompted more skepticism from the audit firm (23 percent). A smattering of other reasons trailed behind, but the clear message here is that SOX compliance programs are under more pressure across the board.
Broadly speaking, Frattasio said, auditors continue to focus on “all our old favorites” of SOX controls: management review controls, segregation of duties, IT general controls, estimates, and more. (See Figure 1, below.)
That’s the master list, anyway. A few other specific themes also received lots of attention.
The Big Issue: IT Controls
As Berkeley described it, many of the big issues this year revolved around IT controls. That’s not a surprise; the more companies rely on IT systems for financial processes and reporting, the more important the controls for those systems become.
For example, she said, one tricky subject this year seemed to be “non-configurable” controls — that is, controls built directly into an IT application by the software developer, which cannot subsequently be changed by the company using the application. How would an auditor confirm that those controls truly can’t be changed?
The auditor might try observing the customer using the application, or reviewing the documentation provided by the software vendor. The auditor could also review whatever SOC 2 report you obtain from the vendor to confirm the integrity of the controls, or watch a system administrator try to change the non-configurable control and fail. These days, it’s also quite possible that the auditor might try all of those tactics.
If you work in internal audit or SOX compliance, you really need to know which IT controls you can or can’t alter, and how to prove that statement to the auditor.
Or consider the issue of interdependent IT controls. That’s not uncommon at a large company, but it also means that the SOX compliance team needs to know how those controls interconnect — so that if one fails, you can immediately trace which other controls might also be in jeopardy and swoop in with compensating controls.
One can easily imagine that the auditor will ask how you’re certain of those interdependencies, which suggests that control mapping (to identify and chart out those interdependencies) will be an important capability. Those maps will let you walk the auditor through your logic and explain why you have the compensating controls you do.
Berkeley also threw in a bonus observation about segregation of duties. She recommended mapping out all duties within each role, to identify overlaps and conflicts. (For example, don’t just say, “The ‘controller’ role has all controller duties.” List exactly what those duties are.) Then go further, mapping out all your company’s financial applications and the processes they perform.
If you then overlay the map of duties and map of applications (Berkeley said technology exists to do this; I’m sure RSM would be happy to discuss for a fee), that can bring possible segregation-of-duties violations to light.
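One way to perform that overlay in code, as an added example that is not from the original post and not RSM’s tooling; the roles, duties, applications, user access listings and conflict pairs are all constructed sample data:

```python
# Segregation-of-duties overlay: role->duty map combined with application->process map.
# All data below is constructed sample data, not taken from any real company.

# Duty pairs that one person should not hold together (constructed conflict matrix).
CONFLICT_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"change_vendor_bank_details", "approve_payment"}),
}

# Duties enumerated per role, rather than "the controller role has all controller duties".
ROLE_DUTIES = {
    "controller": {"approve_journal_entry", "approve_payment", "review_reconciliation"},
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_admin": {"change_vendor_bank_details", "enter_invoice"},
    "staff_accountant": {"post_journal_entry"},
}

# Financial applications and the processes (duties) each one actually performs.
APP_PROCESSES = {
    "erp_gl": {"post_journal_entry", "approve_journal_entry"},
    "ap_system": {"create_vendor", "enter_invoice", "approve_payment", "change_vendor_bank_details"},
    "recon_tool": {"review_reconciliation"},
}

# User access listing: which roles each user holds in each application (constructed).
USER_ACCESS = {
    "alice": {"ap_system": {"ap_clerk", "controller"}},
    "bob": {"erp_gl": {"staff_accountant"}, "recon_tool": {"controller"}},
    "carol": {"ap_system": {"ap_admin"}, "erp_gl": {"staff_accountant", "controller"}},
}

def effective_duties(user):
    """Overlay: a duty is effective only if a role grants it AND the application
    in which the user holds that role actually performs that process."""
    duties = set()
    for app, roles in USER_ACCESS[user].items():
        for role in roles:
            duties |= ROLE_DUTIES[role] & APP_PROCESSES[app]
    return duties

def naive_duties(user):
    """Role map alone, ignoring which application the role was granted in."""
    return set().union(*(ROLE_DUTIES[r] for roles in USER_ACCESS[user].values() for r in roles))

def violations(duties):
    return sorted(tuple(sorted(p)) for p in CONFLICT_PAIRS if p <= duties)

def sod_violations(user):
    return violations(effective_duties(user))

def naive_violations(user):
    return violations(naive_duties(user))
```

Comparing `naive_violations` with `sod_violations` for each user shows why the overlay matters: bob’s controller role lives only in the reconciliation tool, so the role map alone flags a journal-entry conflict that the application map rules out.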
Watch for Bank-Related Turbulence
I wasn’t expecting this, but Berkeley and Frattasio chatted a bit about how this spring’s banking instability has affected SOX compliance and 10-Q disclosures in several ways. Silicon Valley Bank’s implosion is a gift that keeps on giving, apparently.
First, you might see an increase in phishing attacks from hackers claiming to be vendors that need to change their bank account details with your accounts payable team, so you may want to give your accounting team a refresher training course in cybersecurity.
Even better, if you’re more ambitious: redesign your accounts payable processes so that if vendors want to update their bank account data, they’ll need to log into a portal and do it themselves. Clearly that raises access control issues you’ll need to address somehow, but assuming you figure those out, it takes the phishing risk off your plate. I’d take that trade any day of the week, since falling for a phishing attack always makes you look like an idiot.
Second, if your company itself needs to change banking relationships because one (or more) of your banks goes the way of SVB, could that be a material change that needs to be disclosed, either in the 10-Q or an 8-K filing?
Obviously that’s a question for the legal department; our point here in SOX land is simply that your team needs to know the question exists. You can’t have people in the treasury or accounting teams changing bank relationships without telling legal that it’s happening, so that the change goes through a disclosure review process. Perhaps have a written policy to that effect.
Your Auditors Are Feeling the Heat
Frattasio noted that we’re now 18 months into the new regime at the Public Company Accounting Oversight Board, after years of inaction in the 2010s. New auditing standards are forthcoming, but they’re also slow-going — which means that for now, all auditors see from the PCAOB is more aggressive enforcement.
“This is not just talk,” Frattasio said. “They have followed up with action, and very clear action at that. What that tells me is that you can expect enhanced focus from your auditors.”
What a coincidence! That’s exactly what respondents said in that polling question at the start of the webinar.