Sarbanes-Oxley (SOX) compliance can be a heavy burden that falls on the shoulders of many stakeholders, departments, processes, and systems. By creating a properly structured SOX 404 program, the right controls and process changes can be far more automated when it comes time to roll up the reports. In this article, we discuss how to implement a SOX 404 program using the Projects, Frameworks, and Reports apps.
This article illustrates how to manage a SOX compliance program using COSO® Internal Control Framework 2013, an integrated framework that enables organizations to effectively and efficiently develop systems of internal control.
However, the same workflow can also be applied to other frameworks that support SOX compliance requirements, such as:
the COBIT® 5 Framework
security frameworks published by the Information Technology Governance Institute (ITGI)
auditing standards developed by the Public Company Accounting Oversight Board (PCAOB)
regulations applying to government or higher-education, including OMB Circular A-123, Uniform Grant Guidance, or GreenBook
What is SOX compliance?
In 2002, the SOX Act legislation ushered in a renewed focus on corporate compliance by requiring that organizations provide quarterly and annual reports certifying the accuracy of their financial statements. The SOX Act was designed to increase transparency in financial reporting and standardize a system of internal checks and balances.
SOX Section 404 requires organizations to have an external audit performed to assess and report on the effectiveness of internal controls.
Where do I implement a SOX 404 program?
You can implement a SOX 404 program using the Projects and Reports apps.
The big picture
Frameworks are used to centrally capture the master relationship between requirements and controls, manage changes in an evolving regulatory and business environment, and build individual projects.
Projects are used to test the design and operational effectiveness of the control, and capture issues. If you created the control in a framework, you can sync changes back up to that framework from a project for use in other projects as well.
Report templates can be copied and modified to easily generate reports based on data from the Diligent One apps, and reports can be broadcast to recipients on a recurring schedule.
Within a framework, you can track assurance and testing results associated with operational risks and controls in multiple projects to develop a dashboard of risk and project outcomes. As you test controls, Projects automatically aggregates testing results from the projects associated with the framework, and calculates assurance in real-time. At any point, you can generate reports to send to the appropriate recipients.
Steps
Ready for a tour?
Let's take a closer look at these features in context.
1. Set up the program
The first step is understanding the best method to set up data in the system so that you can report out appropriately.
You can create frameworks to manage a structured set of information and use frameworks to build multiple projects. You can also customize the terms and labels in the projects according to your organization's standards. Tagging structures can also be set up to map objectives, risks, and controls to relevant contextual data points (assets, owners, entities, etc.) and enable risk and control reporting on those dimensions.
Tip
The Projects app offers several risk and control libraries (project templates) that contain pre-populated content for specific workflows, such as SOX compliance. There are two project templates that align with SOX 404 requirements and are typically used to jumpstart SOX compliance projects and create re-usable templates:
Terminology can vary widely between different types of projects, and also between organizations performing the same types of projects. Organizations can configure different project types so that the terminology used by each team is reflected in the relevant projects.
You are a SOX Audit Manager who owns two projects. You want to ensure that the terminology displayed in both SOX projects aligns with your organization's preferred lexicon.
You navigate to the Sarbanes-Oxley Review project type, and configure the following terms on each tab:
Tab | Field | Term
Project | Term for fieldwork | Process Documentation & Testing
Section | Term for section | Significant Process
Section | Label for sections tab | SOX Processes
Narratives | Label for narratives tab | Narratives and flowcharts
Issues | Term for issue | Deficiency
Issues | Label for issues tab | Deficiencies
Result
The custom terms are applied to the projects you create and associate with the Sarbanes-Oxley Review project type.
Set up projects and frameworks
Frameworks are helpful for reducing manual efforts involved in setting up projects, and can be used to centrally manage information in evolving regulatory and business environments. A common practice for many organizations is to segment SOX 404 requirements by process and sub-process in their projects and frameworks.
To begin the process of centralizing your SOX documentation, you create two projects:
Canada - SOX Review 2018
Brazil - SOX Review 2018
Recently, you recognized that similar risks and controls can apply to both projects. To provide a starting point for building out your projects, you create a project from a project template called Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework). You want to use this template to create a single set of risks and controls that can be used in both projects.
You create a new framework called SOX Process Control Framework. Then, you import the objectives (containing risks and controls) from the project template to the framework. Finally, you import the objectives from the framework into each project.
Result
The objectives, risks, and controls in the framework are linked to the objectives, risks, and controls in the projects.
You can now update the projects as needed, optionally apply those updates back up to the framework, and also ensure that updates made in the framework propagate to the appropriate projects by syncing projects with frameworks.
Model your organizational entity structure
Organizations are composed of different business units, departments, locations, regions, and legal entities, all of which have controls that impact financial statement reporting. You can model your business and legal entity structure in your SOX management process to enable reporting on testing status and issue management to executives.
Your organization is composed of different departments, regions, and locations. You want to be able to report on internal controls from different cross-sections of the business, and allow stakeholders at all levels of the organization to obtain the information they require.
Under Manage Entities, you model your business structure based on the departments, regions, and locations that are applicable to both projects:
Canada - SOX Review 2018
Brazil - SOX Review 2018
Result
You can now tag projects, significant objectives, risks, controls, and deficiencies to the relevant contextual data points and enable risk and control reporting on those dimensions.
2. Document objectives, risks, and controls
Using frameworks as a centralized repository of information, you can work with process and control owners to draft process narratives, capture risk and control attributes in different attestation projects, and request further documentation, as required. Specific user roles can be leveraged to prescribe the right access and the right responsibility to process and control owners.
Plan projects
Every project begins with a planning phase. Planning a project involves preparing and consolidating planning information in a project, including the project background, purpose, scope, and relevant planning files. Planning files can include a variety of different documents, such as scoping information, engagement letters, SOX sampling methodology documentation, and even details about project team structures.
You are responsible for preparing and consolidating all planning documentation related to the Canada - SOX Review 2018 project. You need to capture this information in the project so that it can be referenced at a later date.
First, you navigate to the Planning page, and begin to define the background, purpose, and scope of the project. Then, you add supporting documentation using the Planning Files page.
Result
Planning information is captured:
Background: In 2002, the SOX Act legislation ushered in a renewed focus on corporate compliance by requiring that organizations provide quarterly and annual reports certifying the accuracy of their financial statements. The SOX Act was designed to increase transparency in financial reporting and standardize a system of internal checks and balances. SOX Section 404 requires organizations to have an external audit performed to assess and report on the effectiveness of internal controls.
Purpose / Objective: The organization is invested in adopting SOX in order to apply a best practice model and be compliance-ready when the company goes public.
Scope: This project will evaluate the design and effectiveness of the preventative and detective controls in the organization to mitigate the process-level risks related to SOX 404 compliance. We will include all key business processes within the project scope, specifically:
Entity Level Controls: Control Environment, Risk Assessment, Information and Communication, Monitoring Activities, Control Activities
Financial Close & Reporting
Disclosure Controls & Procedures
Taxation
Revenue & Receivables
Information Technology General Controls
Spreadsheet Controls
Procurement
Treasury
Inventory
Payroll & Human Resources
Property Plant & Equipment
Document narratives
Narratives are a framework for understanding how your organization's internal controls fit into a business process. Many organizations rely on flowcharts as a primary method to visualize and show the detailed workflow within a given area. Any audio or visual content can be attached to support narrative documentation, and you can associate controls for referencing purposes.
One of your responsibilities as a SOX Audit Manager is to document narratives that describe each process. You need to construct a narrative that relates to the Revenue & Receivables process in the Canada - SOX Review 2018 project. In the narrative, you plan to define the process, clearly outline the IT systems that support the billing processes, and attach a summary of the risks and primary controls associated with the process. As you gather more information, you intend to update the narrative accordingly.
You navigate to the Narratives tab in the project, and add a new narrative entitled Revenue Recognition Process Narrative.
You begin defining the narrative as follows:
Process Overview: Revenue recognition is the process of recording revenue, invoices, and accounts receivable for North America (NA).
IT Systems:
System | Process supported
QUO | Billing
EWR | Billing
RIU | Billing
RIU reporting | Revenue reporting and analysis
Xerdox base | Financial reporting
Rac GL | General Ledger
Rac AR | Accounts Receivable
Finally, you attach a Word document containing a summary of risks and primary controls associated with the Revenue & Receivables process.
Result
The first portion of the narrative is drafted, and the Word document is added as a supporting attachment. In many cases, narratives need to be updated on a quarterly basis, or on an interim and roll-forward basis.
To add workflow management and automation around the broadcasting and review of updated flowcharts, narratives, and other process-related documentation, you can:
sign off on your work, and assign a member of your team as the next reviewer of the narrative content
create a hyperlink in your respective SOX 404 project to the aggregate flowchart reports
Define risks and controls
Defining risks and controls results in the production of a risk control matrix (RCM). An RCM is a combination of identified risks and corresponding controls (the measures or courses of action for how the risk will be mitigated).
Tip
Once risks and controls are defined, process owners can set up a schedule in Projects to assure that control activities are being performed consistently.
Your organization has a mature and refined risk assessment process, and evaluates risk across two dimensions (Impact and Likelihood). Impact is scored on a 5-point scale and Likelihood is scored on a 3-point scale.
You need to evaluate the inherent risk score to determine the raw risk the organization faces if no controls or other mitigating factors have been put in place. You also want to assign your primary controls an effectiveness score, so that during testing later on, any failed control will provide a residual risk score.
You capture the following information in the Canada - SOX Review 2018 and Brazil - SOX Review 2018 projects:
Project | Risk | Impact | Likelihood
Canada - SOX Review 2018 | REV-R.01 Untitled Risk: Revenue and cash receipts may not be recorded, recorded in the wrong period, or recorded incorrectly (i.e. wrong amount). | 3 - Medium | 1 - Low
Brazil - SOX Review 2018 | REV-R.01 Untitled Risk: Revenue and cash receipts may not be recorded, recorded in the wrong period, or recorded incorrectly (i.e. wrong amount). | 3 - High | 3 - High
You also assign an effectiveness score (Control Weight) to the associated controls in each project:
REV-03 30%
REV-04 20%
REV-05 50%
Result
The inherent risk assessment is completed. Inherent and residual risk scores are aggregated to the framework for reporting purposes. The residual risk score remains the same as the inherent risk score until control design and effectiveness are evaluated.
Manage requests
You can request documentation from business owners and stakeholders and store relevant discussions in Projects. You can also send recurring reminders to people that are responsible for fulfilling requests, and consolidate multiple requests into a single email.
You need to gather additional information from the Accounting department to better understand the organization's cash inflow as it pertains to sales of merchandise.
You send a request to the Accounting department, asking for a summary of the cash receipts journal for the current accounting period.
Description: Please provide a summary of the cash receipts journal for the current accounting period.
Status: Open
Owner: Accounting
Due Date: 08/03/2018
Result
Accounting receives the request and is able to provide the relevant documentation by attaching a file and posting a comment.
3. Evaluate control design and effectiveness
Many SOX compliance functions look to the business to take on some of the responsibilities of evaluating control design and effectiveness. Simple tasks, such as updating a control walkthrough and documenting control effectiveness test steps, are accessible by the owners themselves. This allows for the assessment of those controls to be truly owned by the business. Evaluating control design and effectiveness allows you to benchmark how well your organization is doing in managing compliance risk and requirements.
Tip
Inspirations, a catalog of risk scenarios and tests collected from Diligent initiatives worldwide, offers a series of analytic testing ideas by process that cover all financial operations. For more information, see Tools & Templates.
Evaluate control design
You can perform a walkthrough to evaluate the design of the control. Control owners can also help to evaluate the design of a control through attestation and/or attachment of evidence, define action plans to implement missing controls to address instances of non-compliance, or explain why a control is not necessary.
Tip
Frontline staff in an organization can use the Mission Control app to manage the controls they have access to, outside of the Projects app. Mission Control is an app that presents control information from Projects in a simplified and centralized view.
Now that you have assessed inherent risk and obtained the requested documentation, you need to perform a walkthrough to evaluate the design of each control.
You capture the following walkthroughs in both the Canada - SOX Review 2018 and Brazil - SOX Review 2018 projects (Walkthrough Results legend: Designed appropriately):
Project | Risk | Control | Control Attributes | Walkthrough Results
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | Description: Cash receipts are reconciled to the bank statement and underlying invoices by the Accountant to ensure accurate, complete and consistent recording in the appropriate accounting period. The Controller reviews the reconciliation and approves the related journal entries. Weight: 30% | Designed appropriately
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | Description: Shipments occurring shortly before or after the end of an accounting period are reviewed by the Controller to ensure complete and consistent recording in the appropriate accounting period, including review of the related invoices. Weight: 20% | Designed appropriately
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | Description: The Controller performs a reconciliation of revenue for the period and compares it to the revenue activity reported by department. Any large variances are reviewed and investigated as required. Weight: 50% | Designed appropriately
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | Description: Cash receipts are reconciled to the bank statement and underlying invoices by the Accountant to ensure accurate, complete and consistent recording in the appropriate accounting period. The Controller reviews the reconciliation and approves the related journal entries. Weight: 30% | Designed appropriately
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | Description: Shipments occurring shortly before or after the end of an accounting period are reviewed by the Controller to ensure complete and consistent recording in the appropriate accounting period, including review of the related invoices. Weight: 20% | Designed appropriately
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | Description: The Controller performs a reconciliation of revenue for the period and compares it to the revenue activity reported by department. Any large variances are reviewed and investigated as required. Weight: 50% | Designed appropriately
Result
The walkthrough for each control is captured in both projects.
Define test plans
Test plans identify how you will test the control. You can define test plans to specify the testing method, the total sample size (split amongst testing rounds), and test steps that need to be performed to test the control.
Before you launch into testing the effectiveness of controls, you need to prepare a test plan that identifies how you will test each control. You want to define the testing method, the total sample size (split amongst testing rounds), and the test steps that need to be performed to test the control.
REV-03: Cash receipts are reconciled to the bank statement and underlying invoices by the Accountant to ensure accurate, complete and consistent recording in the appropriate accounting period. The Controller reviews the reconciliation and approves the related journal entries.
Testing Method: Inspection
Total Sample Size: 25
Test Steps / Test Attributes
Confirm there is an appropriate segregation of duties.
Confirm accounts receivable balances.
Compare details of cash receipts with journal entries and corresponding bank deposit slips.
Trace bank transfers and perform cash cutoff tests to ensure that appropriate transactions are included in financial statements.
Compare cash balances with forecasts and budgets.
Result
The test plan for REV-03 is captured.
Evaluate control effectiveness
Evaluating control effectiveness involves documenting detailed testing results, and specifying whether the control passed or failed. Once you have finished evaluating the effectiveness of the control, you can mark up portions of text and link to evidence, such as policy or procedure manuals, regulations, SLAs/SLSs, and contracts.
Tip
To avoid manual scoring of control effectiveness, you can use Assessment Drivers to automate different control assessments. You can link a metric created in the Results app to a control assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.
Now that you have evaluated control design, and prepared a test plan that defines how you will test each control, you need to evaluate control effectiveness to determine the residual risk, or how much risk remains after controls have been put in place.
You test the operational effectiveness of each control in both the Canada - SOX Review 2018 and Brazil - SOX Review 2018 projects, and capture the following information (testing result legend: Operating effectively / Exception(s) noted):
Project | Risk | Control | Control Attributes | Q1 Testing | Q2 Testing | Q3 Testing | Q4 Testing
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | Description: Cash receipts are reconciled to the bank statement and underlying invoices by the Accountant to ensure accurate, complete and consistent recording in the appropriate accounting period. The Controller reviews the reconciliation and approves the related journal entries. Weight: 30% | Operating effectively | Operating effectively | Operating effectively | Operating effectively
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | Description: Shipments occurring shortly before or after the end of an accounting period are reviewed by the Controller to ensure complete and consistent recording in the appropriate accounting period, including review of the related invoices. Weight: 20% | Operating effectively | Operating effectively | Operating effectively | Operating effectively
Canada - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | Description: The Controller performs a reconciliation of revenue for the period and compares it to the revenue activity reported by department. Any large variances are reviewed and investigated as required. Weight: 50% | Operating effectively | Operating effectively | Operating effectively | Operating effectively
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-03 | Description: Cash receipts are reconciled to the bank statement and underlying invoices by the Accountant to ensure accurate, complete and consistent recording in the appropriate accounting period. The Controller reviews the reconciliation and approves the related journal entries. Weight: 30% | Operating effectively | Operating effectively | Operating effectively | Exception(s) noted
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-04 | Description: Shipments occurring shortly before or after the end of an accounting period are reviewed by the Controller to ensure complete and consistent recording in the appropriate accounting period, including review of the related invoices. Weight: 20% | Operating effectively | Operating effectively | Operating effectively | Operating effectively
Brazil - SOX Review 2018 | REV-R.01: Untitled Risk | REV-05 | Description: The Controller performs a reconciliation of revenue for the period and compares it to the revenue activity reported by department. Any large variances are reviewed and investigated as required. Weight: 50% | Operating effectively | Operating effectively | Operating effectively | Operating effectively
Result
Testing results associated with the control are aggregated to the framework for reporting purposes.
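To make the scoring in Define risks and controls and in this section concrete, here is an added Python example; it is not part of this article or of the Diligent One product. The article does not state Diligent One's scoring formula, so the example assumes inherent risk = Impact x Likelihood and residual risk = inherent x (1 - total Control Weight of the controls that passed every testing round); the project names, the 30/20/50% weights and the Brazil REV-03 Q4 exception are taken from the article.

```python
"""Added worked example: inherent/residual risk scoring for this article's RCM.

ASSUMPTION (the article does not state Diligent One's formula):
  inherent = Impact (5-point scale) x Likelihood (3-point scale)
  residual = inherent x (1 - sum of Control Weights of controls that passed
             every testing round). A risk with no test results keeps its
             inherent score, matching the article's "residual remains the
             same as inherent until control effectiveness is evaluated".
Project names, weights and the Brazil REV-03 Q4 exception come from the article.
"""
from dataclasses import dataclass, field

PASS, EXCEPTION = "Operating effectively", "Exception(s) noted"
ROUNDS = ("Q1", "Q2", "Q3", "Q4")


@dataclass
class Control:
    ref: str
    weight: float                                # Control Weight, 0.0 to 1.0
    results: dict = field(default_factory=dict)  # testing round -> PASS/EXCEPTION

    def effective(self) -> bool:
        """Only a tested control whose every round passed earns its weight."""
        return bool(self.results) and all(r == PASS for r in self.results.values())


@dataclass
class Risk:
    ref: str
    impact: int       # 1-5, the article's Impact scale
    likelihood: int   # 1-3, the article's Likelihood scale
    controls: list

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 3):
            raise ValueError(f"{self.ref}: score outside the article's scales")
        if sum(c.weight for c in self.controls) > 1.0 + 1e-9:
            raise ValueError(f"{self.ref}: control weights exceed 100%")

    def inherent(self) -> int:
        return self.impact * self.likelihood

    def residual(self) -> float:
        mitigated = sum(c.weight for c in self.controls if c.effective())
        return round(self.inherent() * (1 - mitigated), 2)

    def deficiencies(self) -> list:
        """(control, round) pairs for which a Deficiency should be logged."""
        return [(c.ref, rnd) for c in self.controls
                for rnd, res in c.results.items() if res != PASS]


WEIGHTS = {"REV-03": 0.30, "REV-04": 0.20, "REV-05": 0.50}


def controls_with_results(exceptions=()):
    """REV-03/04/05 with every round passing except the listed (ref, round)s."""
    return [Control(ref, w, {r: (EXCEPTION if (ref, r) in exceptions else PASS)
                             for r in ROUNDS})
            for ref, w in WEIGHTS.items()]


def build_projects() -> dict:
    """The article's two projects after Q1-Q4 effectiveness testing."""
    return {
        "Canada - SOX Review 2018": Risk("REV-R.01", 3, 1, controls_with_results()),
        "Brazil - SOX Review 2018": Risk("REV-R.01", 3, 3,
                                         controls_with_results({("REV-03", "Q4")})),
    }


def framework_summary(projects: dict) -> dict:
    """What a framework would aggregate from its linked projects."""
    return {name: {"inherent": r.inherent(), "residual": r.residual(),
                   "deficiencies": r.deficiencies()}
            for name, r in projects.items()}


if __name__ == "__main__":
    for name, row in framework_summary(build_projects()).items():
        print(name, row)
```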
Capture deficiencies and actions
You can capture and assign flagged deficiencies for remediation throughout the compliance review process, and delegate deficiencies to control or issue owners to update the status and related action plans. You can also assign actions to any stakeholder for easy tracking, evidence capture, and resolution.
Since Q4 Testing for Control REV-03 failed in the Brazil - SOX Review 2018 project, you need to note the exception by logging a deficiency. You also want to create a specific follow-up measure that is associated with the identified deficiency, and assign it to the appropriate staff member.
You document the following deficiency and action in the Brazil - SOX Review 2018 project:
Issue
Title/Headline: Inadequate segregation of duties
Description: Segregation, or separation, of accounting duties means dividing the tasks so that different people are handling transaction processing, data recording, financial statement preparation and auditing. Relying on one person to handle all the accounting functions could lead to poor internal controls, accounting fraud and misappropriation of company assets.
Owner: Accounting Manager
Issue Type: Deficiency
Date Identified: Date
Severity: High - Serious audit observation that leads to financial loss
Published: Published
Action
Title: Enforce the segregation of duties and/or implement compensating controls
Owner: Accounting Manager
Description: Ensure that the accounting department is organized in a way that achieves adequate separation of duties. When duties cannot be separated, implement the following compensating controls:
Handle all exception reports at the supervisory level
Implement role-based access control in IT systems
Due Date: Date
Status: Opened
Priority: High
Result
The deficiency and action are captured. At a later date, Audit can review the remediation plan, and document retesting results to determine whether or not the deficiency has been truly remediated.
4. Report on internal controls
Reporting on internal controls is important to the executive branch of the business and often results in critical demand from Controllers, VPs, and even the CFO. At any time during the project cycle, you can generate reports to provide information to executives and the board for regulatory reporting purposes. You can also broadcast custom reports on a scheduled basis to track remediation and lagging indicators.
Tip
A variety of default one-click reports are available to download in the Projects app, and they evolve automatically as the project progresses. For example, the Test Plan report can be downloaded to determine whether a project is supported by a valid sampling methodology, identify heavy manual testing, and create efficiency gain opportunities. For more customized reporting options, organizations can use the Reports app.
You need to provide detailed control testing status information to your PMO. The report should include control testing progress for both projects (Canada - SOX Review 2018 and Brazil - SOX Review 2018), including control attributes, effectiveness evaluations, and control test preparer sign-offs. You also want to provide the opportunity to filter control testing data based on project or effectiveness scoring.
First, you copy the Control Testing Details report template, and modify the report as needed. Then, you save and activate the report. Finally, you broadcast the report via email to the appropriate recipient on a specified schedule.
Result
The report is shared with the specified recipient on a recurring schedule. Broadcasting a report is an effective way to share data with other people on a recurring basis. If you need to target different audiences, you can set up multiple broadcast schedules for a single report.
What's next?
Learn how to automate a SOX 302 certification program
The Projects and Results apps can be used to efficiently conduct self-assessments, deploy 302 certification requests, and ensure fair distribution of responsibility across internal control stakeholders.