Implementing a SOX 404 program
Sarbanes-Oxley (SOX) compliance can be a heavy burden that falls on the shoulders of many stakeholders, departments, processes, and systems. By creating a properly structured SOX 404 program, the right controls and process changes can be far more automated when it comes time to roll up the reports. In this article, we discuss how to implement a SOX 404 program using the Projects, Frameworks, and Reports apps.
This article illustrates how to manage a SOX compliance program using COSO® Internal Control Framework 2013, an integrated framework that enables organizations to effectively and efficiently develop systems of internal control.
However, the same workflow can also be applied to other frameworks that support SOX compliance requirements, such as:
- the COBIT® 5 Framework
- security frameworks published by the Information Technology Governance Institute (ITGI)
- auditing standards developed by the Public Company Accounting Oversight Board (PCAOB)
- regulations applying to government or higher education, including OMB Circular A-123, Uniform Grant Guidance, or the Green Book
What is SOX compliance?
In 2002, the SOX Act legislation ushered in a renewed focus on corporate compliance by requiring that organizations provide quarterly and annual reports certifying the accuracy of their financial statements. The SOX Act was designed to increase transparency in financial reporting and standardize a system of internal checks and balances.
SOX Section 404 requires organizations to have an external audit performed to assess and report on the effectiveness of internal controls.
Where do I implement a SOX 404 program?
You can implement a SOX 404 program using the Projects and Reports apps.
The big picture
- Frameworks are used to centrally capture the master relationship between requirements and controls, manage changes in an evolving regulatory and business environment, and build individual projects.
- Projects are used to test the design and operational effectiveness of the control, and capture issues. If you created the control in a framework, you can sync changes back up to that framework from a project for use in other projects as well.
- Report templates can be copied and modified to easily generate reports based on data from the Diligent One apps, and reports can be broadcast to recipients on a recurring schedule.
Within a framework, you can track assurance and testing results associated with operational risks and controls in multiple projects to develop a dashboard of risk and project outcomes. As you test controls, Projects automatically aggregates testing results from the projects associated with the framework, and calculates assurance in real-time. At any point, you can generate reports to send to the appropriate recipients.
Steps
Ready for a tour?
Let's take a closer look at these features in context.
1. Set up the program
The first step is understanding the best method to set up data in the system so that you can report out appropriately.
You can create frameworks to manage a structured set of information and use frameworks to build multiple projects. You can also customize the terms and labels in the projects according to your organization's standards. Tagging structures can also be set up to map objectives, risks, and controls to relevant contextual data points (assets, owners, entities, etc.) and enable risk and control reporting on those dimensions.
Tip
The Projects app offers several risk and control libraries (project templates) that contain pre-populated content for specific workflows, such as SOX compliance. There are two project templates that align with SOX 404 requirements and are typically used to jumpstart SOX compliance projects and create re-usable templates:
- Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework)
- IT General Controls Review (SOX Content)
Configure project terminology
Terminology can vary widely between different types of projects, and also between organizations performing the same types of projects. Organizations can configure different project types so that the terminology used by each team is reflected in the relevant projects.
Example
Scenario
You are a SOX Audit Manager that owns two projects. You want to ensure that the terminology displayed in both SOX projects aligns with your organization's preferred lexicon.
Process
Help topic: Customizing terms, fields, and notifications
You navigate to the Sarbanes-Oxley Review project type, and configure the following terms on each tab:
Tab | Field | Term
---|---|---
Project | Term for fieldwork | Process Documentation & Testing
Section | Term for section | Significant Process
Section | Label for sections tab | SOX Processes
Narratives | Label for narratives tab | Narratives and flowcharts
Issues | Term for issue | Deficiency
Issues | Label for issues tab | Deficiencies
Result
The custom terms will be applied to the projects you create and associate with the Sarbanes-Oxley Review project type.
Set up projects and frameworks
Frameworks are helpful for reducing manual efforts involved in setting up projects, and can be used to centrally manage information in evolving regulatory and business environments. A common practice for many organizations is to segment SOX 404 requirements by process and sub-process in their projects and frameworks.
Example
Scenario
To begin the process of centralizing your SOX documentation, you create two projects:
- Canada - SOX Review 2018
- Brazil - SOX Review 2018
Recently, you recognized that similar risks and controls can apply to both projects. To provide a starting point for building out your projects, you create a project from a project template called Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework). You want to use this template to create a single set of risks and controls that can be used in both projects.
Process
You create a new framework called SOX Process Control Framework. Then, you import the objectives (containing risks and controls) from the project template to the framework. Finally, you import the objectives from the framework into each project.
Result
The objectives, risks, and controls in the framework are linked to the objectives, risks, and controls in the projects.
You can now update the projects as needed, optionally apply those updates back up to the framework, and also ensure that updates made in the framework propagate to the appropriate projects by syncing projects with frameworks.
Model your organizational entity structure
Organizations are made up of different business units, departments, locations, regions, and legal entities, all of which have controls that impact financial statement reporting. You can model your business and legal entity structure in your SOX management process to enable reporting on testing status and issue management to executives.
Example
Scenario
Your organization is made up of different departments, regions, and locations. You want to be able to report on internal controls from different cross-sections of the business, and allow stakeholders at all levels of the organization to obtain the information they require.
Process
Help topic: Setting up entity tagging
Under Manage Entities, you model your business structure based on the departments, regions, and locations that are applicable to both projects:
- Canada - SOX Review 2018
- Brazil - SOX Review 2018
Result
You can now tag projects, significant objectives, risks, controls, and deficiencies to the relevant contextual data points and enable risk and control reporting on those dimensions.
2. Document objectives, risks, and controls
Using frameworks as a centralized repository of information, you can work with process and control owners to draft process narratives, capture risk and control attributes in different attestation projects, and request further documentation, as required. Specific user roles can be leveraged to prescribe the right access and the right responsibility to process and control owners.
Plan projects
Every project begins with a planning phase. Planning a project involves preparing and consolidating planning information in a project, including the project background, purpose, scope, and relevant planning files. Planning files can include a variety of different documents, such as scoping information, engagement letters, SOX sampling methodology documentation, and even details about project team structures.
Example
Scenario
You are responsible for preparing and consolidating all planning documentation related to the Canada - SOX Review 2018 project. You need to capture this information in the project so that it can be referenced at a later date.
Process
Help topic: Planning projects
First, you navigate to the Planning page, and begin to define the background, purpose, and scope of the project. Then, you add supporting documentation using the Planning Files page.
Result
Planning information is captured:
- Background In 2002, the SOX Act legislation ushered in a renewed focus on corporate compliance by requiring that organizations provide quarterly and annual reports certifying the accuracy of their financial statements. The SOX Act was designed to increase transparency in financial reporting and standardize a system of internal checks and balances. SOX Section 404 requires organizations to have an external audit performed to assess and report on the effectiveness of internal controls.
- Purpose / Objective The organization is invested in adopting SOX in order to apply a best practice model and be compliance-ready when the company goes public.
- Scope This project will evaluate the design and effectiveness of the preventative and detective controls in the organization to mitigate the process-level risks related to SOX 404 compliance. We will include all key business processes within the project scope, specifically:
- Entity Level Controls: Control Environment, Risk Assessment, Information and Communication, Monitoring Activities, Control Activities
- Financial Close & Reporting
- Disclosure Controls & Procedures
- Taxation
- Revenue & Receivables
- Information Technology General Controls
- Spreadsheet Controls
- Procurement
- Treasury
- Inventory
- Payroll & Human Resources
- Property Plant & Equipment
Document narratives
Narratives are a framework for understanding how your organization's internal controls fit into a business process. Many organizations rely on flowcharts as a primary method to visualize and show the detailed workflow within a given area. Any audio or visual content can be attached to support narrative documentation, and you can associate controls for referencing purposes.
Example
Scenario
One of your responsibilities as a SOX Audit Manager is to document narratives that describe each process. You need to construct a narrative that relates to the Revenue & Receivables process in the Canada - SOX Review 2018 project. In the narrative, you plan to define the process, clearly outline the IT systems that support the billing processes, and attach a summary of the risks and primary controls associated with the process. As you gather more information, you intend to update the narrative, accordingly.
Process
Help topic: Defining narratives
You navigate to the Narratives tab in the project, and add a new narrative entitled Revenue Recognition Process Narrative.
You begin defining the narrative as follows:
Process Overview Revenue recognition is the process of recording revenue, invoices, and accounts receivable for North America (NA).
IT Systems
System | Process supported
---|---
QUO | Billing
EWR | Billing
RIU | Billing
RIU reporting | Revenue reporting and analysis
Xerdox base | Financial reporting
Rac GL | General Ledger
Rac AR | Accounts Receivable
Finally, you attach a Word document containing a summary of risks and primary controls associated with the Revenue & Receivables process.
Result
The first portion of the narrative is drafted, and the Word document is added as a supporting attachment. In many cases, narratives need to be updated on a quarterly, or interim and roll-forward basis.
To add workflow management and automation around the broadcasting and review of updated flowcharts, narratives, and other process-related documentation, you can:
- sign-off on your work, and assign a member on your team as the next reviewer of the narrative content
- create a hyperlink in your respective SOX 404 project to the aggregate flowchart reports
Define risks and controls
Defining risks and controls results in the production of a risk control matrix (RCM). An RCM is a combination of identified risks and corresponding controls (the measures or courses of action for how the risk will be mitigated).
Tip
Once risks and controls are defined, process owners can set up a schedule in Projects to assure that control activities are being performed consistently.
Example
Scenario
Your organization has a mature and refined risk assessment process, and evaluates risk across two dimensions (Impact and Likelihood). Impact is scored on a 5-point scale and Likelihood is scored on a 3-point scale.
You need to evaluate the inherent risk score to determine the raw risk the organization faces if no controls or other mitigating factors have been put in place. You also want to assign each primary control an effectiveness score, so that when a control fails during testing later on, the residual risk score reflects that failure.
Process
You capture the following information in the Canada - SOX Review 2018 and Brazil - SOX Review 2018 projects:
Project | Risk | Impact | Likelihood
---|---|---|---
Canada - SOX Review 2018 | REV-R.01 Untitled Risk: Revenue and cash receipts may not be recorded, recorded in the wrong period, or recorded incorrectly (i.e., wrong amount). | 3 - Medium | 1 - Low
Brazil - SOX Review 2018 | REV-R.01 Untitled Risk | 3 - High | 3 - High
You also assign an effectiveness score (Control Weight) to the associated controls in each project:
- REV-03 30%
- REV-04 20%
- REV-05 50%
Result
The inherent risk assessment is completed. Inherent and residual risk scores are aggregated to the framework for reporting purposes. The residual risk score remains the same as the inherent risk score until control design and effectiveness are evaluated.
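The scoring described in this scenario can be modelled in a few lines. The following Python is an added illustration, not Diligent One's own scoring logic: it assumes inherent risk is Impact multiplied by Likelihood, that control weights must total 100%, and that residual risk is the inherent score reduced by the summed weight of controls that passed testing (so residual equals inherent until any control has a test result, as stated above). The Canada and Brazil scores and the REV-03/04/05 weights are the ones on this page; the pass results for REV-04 and REV-05 in Brazil are a constructed outcome, while the REV-03 failure is the one described later in this article.

```python
"""Inherent and residual risk scoring for a risk control matrix (RCM).

Added illustration; not Diligent One's scoring logic. Assumed model:
  inherent = impact * likelihood            (5-point x 3-point scales)
  residual = inherent * (1 - credit), where credit is the summed weight of
             controls that passed testing; until any control has been
             tested, residual == inherent.
Control weights must total 100%.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    ref: str
    weight: float                  # share of the risk this control mitigates (0..1)
    passed: Optional[bool] = None  # None = not yet tested


@dataclass
class RiskAssessment:
    project: str
    risk_ref: str
    impact: int       # 1..5
    likelihood: int   # 1..3
    controls: List[Control] = field(default_factory=list)

    def validate(self) -> None:
        """Reject scores outside the scales and control weights that do not total 100%."""
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.project}: impact {self.impact} outside 1..5")
        if not 1 <= self.likelihood <= 3:
            raise ValueError(f"{self.project}: likelihood {self.likelihood} outside 1..3")
        total = sum(c.weight for c in self.controls)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.project}: control weights total {total:.0%}, expected 100%")

    def inherent(self) -> int:
        return self.impact * self.likelihood

    def residual(self) -> float:
        """Residual stays at inherent until at least one control has a test result."""
        if all(c.passed is None for c in self.controls):
            return float(self.inherent())
        credit = sum(c.weight for c in self.controls if c.passed)
        return round(self.inherent() * (1 - credit), 2)


def framework_rollup(assessments: List[RiskAssessment]) -> Dict[str, Dict[str, float]]:
    """Aggregate per-project scores up to the framework, keyed by risk reference."""
    rollup: Dict[str, Dict[str, float]] = {}
    for a in assessments:
        a.validate()
        entry = rollup.setdefault(
            a.risk_ref,
            {"projects": 0, "inherent_total": 0, "residual_total": 0.0, "residual_max": 0.0},
        )
        entry["projects"] += 1
        entry["inherent_total"] += a.inherent()
        entry["residual_total"] += a.residual()
        entry["residual_max"] = max(entry["residual_max"], a.residual())
    return rollup


def build_controls(results: Dict[str, Optional[bool]]) -> List[Control]:
    """Control weights from the article: REV-03 30%, REV-04 20%, REV-05 50%."""
    weights = {"REV-03": 0.30, "REV-04": 0.20, "REV-05": 0.50}
    return [Control(ref, w, results.get(ref)) for ref, w in weights.items()]


RISK = "REV-R.01"
# Canada: inherent risk assessed (Impact 3, Likelihood 1), controls not yet tested.
CANADA = RiskAssessment("Canada - SOX Review 2018", RISK, impact=3, likelihood=1,
                        controls=build_controls({}))
# Brazil: Impact 3, Likelihood 3; REV-03 failed in Q4 testing (from the article),
# REV-04 and REV-05 passed (constructed outcome).
BRAZIL = RiskAssessment("Brazil - SOX Review 2018", RISK, impact=3, likelihood=3,
                        controls=build_controls({"REV-03": False, "REV-04": True, "REV-05": True}))

if __name__ == "__main__":
    for a in (CANADA, BRAZIL):
        print(f"{a.project}: inherent={a.inherent()} residual={a.residual()}")
    print(framework_rollup([CANADA, BRAZIL]))
```

The weight check in `validate()` is the part worth keeping in any real implementation: if the weights of the controls mapped to a risk do not total 100%, a passing set of controls either over- or under-credits the residual score and the framework dashboard quietly misreports assurance.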
Manage requests
You can request documentation from business owners and stakeholders and store relevant discussions in Projects. You can also send recurring reminders to people that are responsible for fulfilling requests, and consolidate multiple requests into a single email.
Example
Scenario
You need to gather additional information from the Accounting department to better understand the organization's cash inflow as it pertains to sales of merchandise.
Process
Help topic: Adding requests
You send a request to the Accounting department, asking for a summary of the cash receipts journal for the current accounting period.
- Description Please provide a summary of the cash receipts journal for the current accounting period.
- Status Open
- Owner Accounting
- Due Date 08/03/2018
Result
Accounting receives the request and is able to provide the relevant documentation by attaching a file and posting a comment.
3. Evaluate control design and effectiveness
Many SOX compliance functions look to the business to take on some of the responsibilities of evaluating control design and effectiveness. Simple tasks, such as updating a control walkthrough and documenting control effectiveness test steps, are accessible by the owners themselves. This allows for the assessment of those controls to be truly owned by the business. Evaluating control design and effectiveness allows you to benchmark how well your organization is doing in managing compliance risk and requirements.
Tip
Inspirations, a catalog of risk scenarios and tests collected from Diligent initiatives worldwide, offers a series of analytic testing ideas by process that cover all financial operations. For more information, see Tools & Templates.
Evaluate control design
You can perform a walkthrough to evaluate the design of the control. Control owners can also help to evaluate the design of a control through attestation and / or attachment of evidence, define action plans to implement missing controls to address instances of non-compliance, or explain why a control is not necessary.
Tip
Frontline staff in an organization can use the Mission Control app to manage the controls they have access to, outside of the Projects app. Mission Control is an app that presents control information from Projects in a simplified and centralized view.
Example
Scenario
Now that you have assessed inherent risk and obtained the requested documentation, you need to perform a walkthrough to evaluate the design of each control.
Process
Help topic: Executing procedures and testing controls
You capture the following walkthroughs in both the Canada - SOX Review 2018 and Brazil - SOX Review 2018 projects:
Legend: Designed appropriately
Project | Risk | Control | Control Attributes | Walkthrough Results
---|---|---|---|---
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | | Designed appropriately
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | | Designed appropriately
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | | Designed appropriately
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | | Designed appropriately
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | | Designed appropriately
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | | Designed appropriately
Result
The walkthrough for each control is captured in both projects.
Define test plans
Test plans identify how you will test the control. You can define test plans to specify the testing method, the total sample size (split amongst testing rounds), and test steps that need to be performed to test the control.
Example
Scenario
Before you launch into testing the effectiveness of controls, you need to prepare a test plan that identifies how you will test each control. You want to define the testing method, the total sample size (split amongst testing rounds), and the test steps that need to be performed to test the control.
Process
Help topic: Executing procedures and testing controls
You document the test plan for REV-03 as follows:
- REV-03 Cash receipts are reconciled to the bank statement and underlying invoices by the Accountant to ensure accurate, complete and consistent recording in the appropriate accounting period. The Controller reviews the reconciliation and approves the related journal entries.
- Testing Method Inspection
- Total Sample Size 25
- Test Steps / Test Attributes
- Confirm there is an appropriate segregation of duties.
- Confirm accounts receivable balances.
- Compare details of cash receipts with journal entries and corresponding bank deposit slips.
- Trace bank transfers and perform cash cutoff tests to ensure that appropriate transactions are included in financial statements.
- Compare cash balances with forecasts and budgets.
Result
The test plan for REV-03 is captured.
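Test steps 3 and 4 of this plan (compare cash receipts with journal entries and bank deposit slips; perform cash cutoff tests) are the kind of analytic test that can be scripted rather than performed by hand on each sample. The Python below is an added illustration written for this article, not a Diligent One feature or the organization's own procedure. The three data sets are constructed sample records, and the `posted_period` field on a journal entry is an assumed attribute used to express the cutoff test.

```python
"""Analytic tests for control REV-03: cash receipts reconciled to the ledger and bank.

Added illustration of test steps 3 and 4 of the plan; not Diligent One functionality.
Receipts, journal entries and deposits below are constructed sample records.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Receipt:            # line in the cash receipts journal
    ref: str
    amount: Decimal
    received: date


@dataclass(frozen=True)
class JournalEntry:       # general ledger posting for the receipt
    ref: str
    amount: Decimal
    txn_date: date        # date the cash was actually received
    posted_period: str    # accounting period the entry was booked in (assumed field), e.g. "2018-Q1"


@dataclass(frozen=True)
class Deposit:            # bank deposit slip / statement line
    ref: str
    amount: Decimal
    deposited: date


def quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def three_way_match(receipts: List[Receipt], journal: List[JournalEntry],
                    deposits: List[Deposit]) -> Dict[str, List[str]]:
    """Step 3: compare each cash receipt with its journal entry and bank deposit slip."""
    by_je = {e.ref: e for e in journal}
    by_dep = {d.ref: d for d in deposits}
    findings: Dict[str, List[str]] = {
        "matched": [], "amount_mismatch": [], "missing_in_journal": [], "missing_in_bank": [],
    }
    for r in receipts:
        je, dep = by_je.get(r.ref), by_dep.get(r.ref)
        if je is None:
            findings["missing_in_journal"].append(r.ref)   # received but never recorded
        if dep is None:
            findings["missing_in_bank"].append(r.ref)      # recorded but never banked
        if je is None or dep is None:
            continue
        if je.amount != r.amount or dep.amount != r.amount:
            findings["amount_mismatch"].append(r.ref)      # recorded at the wrong amount
        else:
            findings["matched"].append(r.ref)
    # Deposits on the bank statement with no corresponding receipt at all.
    findings["unrecorded_deposits"] = sorted(set(by_dep) - {r.ref for r in receipts})
    return findings


def cutoff_exceptions(journal: List[JournalEntry], period: str) -> List[str]:
    """Step 4: entries booked in `period` whose cash was received in a different period."""
    return sorted(e.ref for e in journal
                  if e.posted_period == period and quarter(e.txn_date) != period)


# Constructed sample: four receipts, three ledger postings, four bank lines.
RECEIPTS = [
    Receipt("CR-1001", Decimal("1200.00"), date(2018, 3, 28)),
    Receipt("CR-1002", Decimal("850.50"), date(2018, 3, 29)),
    Receipt("CR-1003", Decimal("400.00"), date(2018, 3, 30)),
    Receipt("CR-1004", Decimal("300.00"), date(2018, 4, 2)),   # received in Q2
]
JOURNAL = [
    JournalEntry("CR-1001", Decimal("1200.00"), date(2018, 3, 28), "2018-Q1"),
    JournalEntry("CR-1002", Decimal("805.50"), date(2018, 3, 29), "2018-Q1"),   # transposed digits
    JournalEntry("CR-1004", Decimal("300.00"), date(2018, 4, 2), "2018-Q1"),    # booked in the wrong period
]
DEPOSITS = [
    Deposit("CR-1001", Decimal("1200.00"), date(2018, 3, 29)),
    Deposit("CR-1002", Decimal("850.50"), date(2018, 3, 30)),
    Deposit("CR-1003", Decimal("400.00"), date(2018, 3, 30)),
    Deposit("DEP-0099", Decimal("150.00"), date(2018, 3, 31)),  # no receipt recorded
]


def run_rev03_tests(period: str = "2018-Q1") -> Dict[str, object]:
    """Run both analytic tests over the sample data and return the exceptions for the workpaper."""
    return {
        "reconciliation": three_way_match(RECEIPTS, JOURNAL, DEPOSITS),
        "cutoff": cutoff_exceptions(JOURNAL, period),
    }


if __name__ == "__main__":
    for name, result in run_rev03_tests().items():
        print(name, result)
```

Every exception category maps back to the risk statement for REV-R.01 (not recorded, recorded in the wrong period, recorded at the wrong amount), which is what makes the output usable as evidence against the control rather than just a data quality report.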
Evaluate control effectiveness
Evaluating control effectiveness involves documenting detailed testing results, and specifying whether the control passed or failed. Once you have finished evaluating the effectiveness of the control, you can mark up portions of text and link to evidence, such as policy or procedure manuals, regulations, SLAs/SLSs, and contracts.
Tip
To avoid manual scoring of control effectiveness, you can use Assessment Drivers to automate different control assessments. You can link a metric created in the Results app to a control assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.
Example
Scenario
Now that you have evaluated control design, and prepared a test plan that defines how you will test each control, you need to evaluate control effectiveness to determine the residual risk, or how much risk remains after controls have been put in place.
Process
You test the operational effectiveness of each control in both the Canada - SOX Review 2018 and Brazil - SOX Review 2018 projects, and capture the following information:
Legend: Operating effectively; Exception(s) noted
Project | Risk | Control | Control Attributes | Q1 Testing | Q2 Testing | Q3 Testing | Q4 Testing
---|---|---|---|---|---|---|---
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | | | | |
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | | | | |
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | | | | |
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | | | | |
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | | | | |
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | | | | |
Result
Testing results associated with the control are aggregated to the framework for reporting purposes.
Capture deficiencies and actions
You can capture and assign flagged deficiencies for remediation throughout the compliance review process, and delegate deficiencies to control or issue owners to update the status and related action plans. You can also assign actions to any stakeholder for easy tracking, evidence capture, and resolution.
Example
Scenario
Since Q4 Testing for Control REV-03 failed in the Brazil - SOX Review 2018 project, you need to note the exception by logging a deficiency. You also want to create a specific follow-up measure that is associated with the identified deficiency, and assign it to the appropriate staff member.
Process
You document the following deficiency and action in the Brazil - SOX Review 2018 project:
Issue
- Title/Headline Inadequate segregation of duties
- Description Segregation, or separation, of accounting duties means dividing the tasks so that different people are handling transaction processing, data recording, financial statement preparation and auditing. Relying on one person to handle all the accounting functions could lead to poor internal controls, accounting fraud and misappropriation of company assets.
- Owner Accounting Manager
- Issue Type Deficiency
- Date Identified Date
- Severity High - Serious audit observation that leads to financial loss
- Published Published
Action
- Title Enforce the segregation of duties and / or implement compensating controls
- Owner Accounting Manager
- Description Ensure that the accounting department is organized in a way that achieves adequate separation of duties. When duties cannot be separated, implement the following compensating controls:
- Handle all exception reports at the supervisory level
- Implement role-based access control in IT systems
- Due Date Date
- Status Opened
- Priority High
Result
The deficiency and action are captured. At a later date, Audit can review the remediation plan and document retesting results to determine whether the deficiency has truly been remediated.
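The deficiency above names four duties that should sit with different people, and the action's second compensating control is role-based access control. Retesting such a deficiency is much easier when the check runs over the actual role model rather than a questionnaire. The Python below is an added illustration for this article, not Diligent One functionality or the organization's own tooling: roles, user assignments and the compensating-control register are constructed sample data, and the rule that every pair of the four duties conflicts follows directly from the deficiency description.

```python
"""Segregation-of-duties (SoD) check over role-based access assignments.

Added illustration for the deficiency and action described above; not Diligent One
functionality. Roles, users and compensating controls are constructed sample data.
The four duties are the ones named in the deficiency description.
"""
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

DUTIES = ("transaction_processing", "data_recording", "statement_preparation", "auditing")
# The deficiency requires different people for each duty, so every pair conflicts.
CONFLICTING_PAIRS: Set[Tuple[str, str]] = {tuple(sorted(p)) for p in combinations(DUTIES, 2)}

# Constructed RBAC model: the duties each role confers in the accounting systems.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"transaction_processing"},
    "gl_accountant": {"data_recording"},
    "financial_reporting": {"statement_preparation"},
    "internal_audit": {"auditing"},
    "finance_superuser": {"transaction_processing", "data_recording", "statement_preparation"},
}
# Constructed user-to-role assignments.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"gl_accountant", "financial_reporting"},
    "carol": {"internal_audit"},
    "dave": {"finance_superuser"},
    "erin": {"ap_clerk", "internal_audit"},
}
# Documented compensating controls where duties could not be separated (constructed).
COMPENSATING_CONTROLS: Dict[str, str] = {
    "bob": "Controller reviews the GL exception report at the supervisory level each week",
}


def conflicts_in(duties: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting duty pairs present within a single duty set."""
    return sorted(p for p in CONFLICTING_PAIRS if p[0] in duties and p[1] in duties)


def toxic_roles(role_duties: Dict[str, Set[str]] = ROLE_DUTIES) -> List[str]:
    """Roles whose own duty set violates SoD; no assignment of such a role can be compliant."""
    return sorted(role for role, duties in role_duties.items() if conflicts_in(duties))


def user_conflicts(assignments: Dict[str, Set[str]] = ASSIGNMENTS,
                   role_duties: Dict[str, Set[str]] = ROLE_DUTIES) -> Dict[str, List[Tuple[str, str]]]:
    """A user's effective duties are the union over all their roles; report conflicting pairs."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        effective: Set[str] = set().union(*(role_duties[r] for r in roles))
        pairs = conflicts_in(effective)
        if pairs:
            result[user] = pairs
    return result


def sod_findings(assignments: Dict[str, Set[str]] = ASSIGNMENTS,
                 role_duties: Dict[str, Set[str]] = ROLE_DUTIES,
                 compensating: Dict[str, str] = COMPENSATING_CONTROLS) -> List[Dict[str, object]]:
    """One finding per conflicted user: 'mitigated' if a compensating control is on file, else 'open'."""
    findings: List[Dict[str, object]] = []
    for user, pairs in sorted(user_conflicts(assignments, role_duties).items()):
        control: Optional[str] = compensating.get(user)
        findings.append({
            "user": user,
            "conflicts": pairs,
            "status": "mitigated" if control else "open",
            "compensating_control": control,
        })
    return findings


if __name__ == "__main__":
    print("roles that are toxic by design:", toxic_roles())
    for f in sod_findings():
        print(f"{f['user']}: {f['status']} {f['conflicts']} {f['compensating_control'] or ''}")
```

Two outputs matter for retesting. `toxic_roles()` catches the case where the role model itself bundles conflicting duties, which no amount of reassigning users will fix; `sod_findings()` separates conflicts that are covered by a documented compensating control from those that are still open, which is the distinction the remediation review above has to make.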
4. Report on internal controls
Reporting on internal controls is important to the executive branch of the business and often results in critical demand from Controllers, VPs, and even the CFO. At any time during the project cycle, you can generate reports to provide information to executives and the board for regulatory reporting purposes. You can also broadcast custom reports on a scheduled basis to track remediation and lagging indicators.
Tip
There is a variety of default one-click reports available to download in the Projects app that evolve automatically as the project progresses. For example, the Test Plan report can be downloaded to determine whether a project is supported by valid sampling methodology, identify heavy manual testing, and create efficiency gain opportunities. For more customized reporting options, organizations can use the Reports app.
Example
Scenario
You need to provide detailed control testing status information to your PMO. The report should include control testing progress for both projects (Canada - SOX Review 2018 and Brazil - SOX Review 2018), including control attributes, effectiveness evaluations, and control test preparer sign-offs. You also want to provide the opportunity to filter control testing data based on project or effectiveness scoring.
Process
First, you copy the Control Testing Details report template, and modify the report as needed. Then, you save and activate the report. Finally, you broadcast the report via email to the appropriate recipient on a specified schedule.
Result
The report is shared with the specified recipient on a recurring schedule. Broadcasting a report is an effective way to share data with other people on a recurring basis. If you need to target different audiences, you can set up multiple broadcast schedules for a single report.
What's next?
Learn how to automate a SOX 302 certification program
The Projects and Results apps can be used to efficiently conduct self-assessments, deploy 302 certification requests, and ensure fair distribution of responsibility across internal control stakeholders.
To find out more, see Automating a SOX 302 certification program.