Automating a SOX 302 certification program
Ensuring that signing officers certify for quarterly reporting can be a daunting task. To streamline this process, organizations need to ensure fair distribution of responsibility across internal control stakeholders. In this article, we discuss how to conduct sub-certifications with control owners, and deploy 302 certification requests using the Projects and Results apps.
This article builds on the examples illustrated in Implementing a SOX 404 program.
What is a 302 certification?
Sarbanes-Oxley (SOX) Section 302 requires an organization's CEO and CFO to assert the integrity of the key controls that influence their financial statement reporting on a quarterly basis.
Prior to the officers signing, certification requests are sent to process or control owners in various departments within the organization. This approach helps to assure signing officers that key internal controls over financial reporting are operating effectively across all departments, and provides them with the confidence they require to sign the 302 quarterly certifications.
Where do I automate a 302 certification program?
You can automate a 302 certification program using the Projects and Results apps.
The big picture
- A single Project can contain multiple Certifications.
- Questionnaires can be deployed from Projects. Responses are stored in Tables in Results.
- Triggers automate your organization's remediation processes by executing a set of actions based on record data in Tables.
Steps
Ready for a tour?
Let's take a closer look at these features in the context.
1. Create a certification program
Certification programs allow you to define the groups of people that need to certify, the items they need to certify on, and other contextual information. You can send certification requests to the right people, at the right time, and deliver the assurance CEOs and CFOs need when they sign the 302 quarterly certifications.
Tip
To further automate and streamline the certification process, you can set up the certification program once, and re-use it quarter over quarter. Simply rollforward the project containing the certification program.
Enable certifications
The first step is to enable certifications in a project. Once enabled, you can begin creating a certification program.
See an example
Example
Scenario
As a SOX Director, you need to obtain sub-certifications from all disclosure committee members to support the SOX 302 CEO and CFO certifications.
Process
Help topic Creating certification programs
Within the Canada - SOX Review 2018 project settings, you enable certifications.
Result
You can begin creating a certification program within the project.
Enter certification details
Once you have enabled certifications within the project, you can begin creating a certification program by entering some basic details. You can customize the email subject and message that you intend to send, attach files, and provide any relevant details to the people participating in the certification program.
See an example
Example
Scenario
You are ready to begin creating a certification program. You want to centralize all documentation pertaining to the program, define a program due date, and provide disclosure committee members with the appropriate contextual information.
Process
Help topic Creating certification programs
From the Canada - SOX Review 2018 project dashboard, you click Add Certification. You enter the following key details:
- Name Disclosure committee members sub-certification
- Due date December 14, 2018
- Email subject Action required: SOX sub-certification
- Email message As part of our quarterly and annual reporting process, this questionnaire is circulated at the end of each report period to ensure that all relevant events, contracts, and facts have been reported and that all material information has been considered for inclusion in our regulatory filings. You must respond by December 14, 2018.
You also attach a few supporting files to provide additional context to the disclosure committee members.
Result
You have provided the key details about the certification program, and customized the email subject and message you intend to send to participants. Any additional instructions and files you specified will be included in the questionnaire sent to disclosure committee members.
Create or select a questionnaire
A self-assessment is a best practice approach to evaluating an organization's internal controls and processes, and typically takes the form of a questionnaire. Self-assessment questionnaires can be used to assess the level of SOX Section 302 compliance within an organization, and are an effective approach to identifying areas of risk exposure, as well as highlighting potential opportunities.
Tip
You can copy one of the following template questionnaires from Results as a starting point for building out your own questionnaire:
- Managers Disclosure Certification
- Officers Disclosure Certification
- SOX 302 Certification
See an example
Example
Scenario
As part of your quarterly and annual reporting process, you need to circulate a questionnaire at the end of each report period. You want to ensure that all relevant events, contracts, and facts have been reported, and that all material information has been considered for inclusion in regulatory filings.
Process
Help topic Creating questionnaires
In Results, you copy the Officers Disclosure Certification questionnaire from the Template Questionnaires collection to the Canada - SOX Review 2018 collection, and rename the questionnaire SOX 302 Sub-Certification.
Then, you then adjust the language in the questionnaire, and modify the questions in the questionnaire to align with your organization's requirements. Finally, you return to Projects, and select the questionnaire you just built.
Result
You are now set up to send the questionnaire to gather information from the disclosure committee members.
Specify participants and items
CEOs and CFOs are typically far removed from day-to-day control activities. However, they need to feel confident when certifying as consequences can be severe. Many organizations adopt a sub-certification process, where key employees are asked to sub-certify. This creates an accountability chain within the organization. Within the certification program, you can specify who needs to sub-certify, and what items they need to sub-certify on. You can also define whether participants should respond in a specified order, or at the same time.
See an example
Example
Scenario
You previously created a SOX 302 Sub-Certification questionnaire, and now you plan to send it to the following people:
You want Shalini to respond first, as she is the closest person to the business operations. Then, you want Brad to respond, followed by Tim.
Process
Help topic Creating certification programs
You create a Sequential certification, define the certification group "IT personnel", and add Shalini, Brad, and Tim to the group, in that order. Finally, you specify the controls that each participant must sub-certify on: NS-002, NS-005, NS-006.
Result
You have specified who needs to sub-certify, and in what order they need to provide their responses. You have also defined which controls each person needs to sub-certify on.
Review and finalize
The final step involved in creating a certification program is to verify your setup, and choose to send certification requests later or immediately.
See an example
Example
Scenario
You have finished setting up your certification program. Now, you want to review the information before officially sending out the certification requests to the disclosure committee members.
Process
Help topic Creating certification programs
You review each section to verify that the information is accurate. Upon your review, you notice that you still need to provide some additional contextual information to the disclosure committee members.
As a result, you decide to save the certification program setup, and send the certification requests later.
Result
The certification program is saved. You can return to your setup and send the certification requests at a later time.
2. Deploy 302 certification requests
SOX 302 certifications and financial reporting is very important to the executive branch of the business and often results in critical demand from Controllers, VPs, and even the CFO. You can use questionnaires to deploy multiple 302 certification requests to owners across different departments in the organization, and aggregate responses for further review or escalation.
Certification requests can be sent to anyone, including non-licensed users.
See an example
Example
Scenario
You are ready to send certification requests to the disclosure committee members. You need them to be able to review the controls for which they are responsible, assess the adequacy of controls, and communicate the results to management.
Process
Help topic Creating certification programs
You open your saved certification program and send the certification requests.
Result
Shalini is the first person to receive the questionnaire. She receives a single email that lists the three controls she needs to sub-certify on. Once Shalini submits her first response on any of the controls, Brad begins receiving questionnaires.
Brad receives an email that references the specific control that Shalini recently certified on, and is able to submit his own response. He receives subsequent emails (one per control) after Shalini finishes sub-certifying.
Tim begins receiving the questionnaires once Brad submits his first response. He receives subsequent emails (one per control) after Brad finishes sub-certifying. Once Tim is finished, all certifications are complete.
All of the responses are saved back into the Canada - SOX Review 2018 collection to await further review or escalation.
3. Automate 302 certification workflows
Triggers perform a set of actions whenever specific conditions or thresholds are met, and can be used to automate different aspects of the 302 certification program. You can use triggers to aggregate responses through several levels of certifications, set specific criteria for triggers to run every 302 quarterly period, and define escalation workflows for completed and non-actioned certifications.
Tip
To track outstanding certifications and any lagging indicators, you can visualize data using Storyboards, or create a specific SOX 302 results dashboard in Reports.
See an example
Example
Scenario
For your SOX team to efficiently identify and respond to non-actioned certifications, you need to create an automated response workflow that performs a weekly check on outstanding certification requests.
Any certification requests that remain idle for 10 days must be escalated to critical priority and assigned to the appropriate team member for investigation and remediation.
Process
Help topic Create a trigger
You configure a scheduled trigger that runs every Monday at 9am PST when records remain idle for 10 days.
The trigger takes the following actions when records are not updated:
- assigns the record to a member on the SOX team
- escalates the priority of the record to critical
Result
The trigger notifies the SOX team member and escalates the priority of the record when the conditions are met. The action is automated and the entire process is managed through Results – with no external systems or bottlenecks to contend with.
What's next?
To learn more about how to provide assurance on effectiveness of the control environment by testing the controls, see Demonstrating assurance over internal controls.
