At ZR Consultants we have been responsible for implementing SOX programmes for a number of international blue-chip clients at competitive prices. With widespread discussions around the topic of UK SOX potentially becoming a reality, as well as the number of US acquisitions in the UK increasing, we thought it would be worthwhile sharing the lessons we have learnt over nearly two decades of delivering SOX programmes:
Do Not Leave it Too Late
SOX is a time-sensitive deliverable which requires various activities to be carried out at specific times during the financial year. This includes scoping, design effectiveness review and testing, operational effectiveness testing and, most importantly, remediation of any issues identified during testing. Having a robust plan with clear milestones in place is critical to the success of any SOX programme. When US SOX first came out, a number of clients left it too late and were suddenly faced with significant deficiencies at year-end.
Do Not Underestimate the Impact on Your Business
The impact on your staff can be significant; suddenly they will find themselves having to work in new ways and ensure evidence is adequately retained when operating their controls. They will also need to be able to answer numerous questions from auditors. At ZR Consultants we work closely with the business in its entirety to ensure this transitional period is as painless as possible. We have delivered numerous initiatives to address the cultural challenges that SOX presents.
Remediate Any Issues as Quickly as Possible
You have until the end of your financial year to remediate any issues identified. However, this does not mean that you ought to leave matters to the last month of the year, as any remediation must be allowed time to mature and then be re-tested. You also need to ensure that you have enough samples to evidence that the control, once fixed, is now operating effectively. For example, if you have a December 2020 year-end and a monthly control fails, then the latest it can be remediated is the end of October, as it will need to have operated at least twice (the November and December samples) before it can be re-tested to prove it is now working.
Clearly Define Roles and Responsibilities
The roles of all your staff involved in SOX will change dynamically. As a result, it is crucial that roles are clearly defined. Our SOX experts generally assign the roles of process owner, control owner and control operator. We also provide training and issue regular communications to remind colleagues what each role entails. Finally, prior to the commencement of each major cycle of SOX, we issue a further communication explaining the exact requirements, milestones and deadlines.
Identify an Independent Programme Sponsor
It is important that the programme sponsor holds an adequately senior position in the organisation (e.g. CEO, CRO etc.) and is independent of the processes being tested. A common concern we have come across is that most organisations believe SOX should be owned by the finance team. Historically, however, we have found that the majority of issues identified are owned by the finance function, which creates a potential conflict of interest. This manifests particularly in awkward conversations when informing the Head of Finance (who is also your programme sponsor) that the controls in his or her area are failing.
Define Your Materiality
This is crucial in order to identify the processes and businesses that need to be in scope for SOX. It is critical that materiality is agreed with your external auditors from the start. Also clearly define (preferably in a fully documented SOX methodology) how you plan to rate any issues you identify. For example, an issue involving a £2,000 error is not going to have a significant impact on your financial statements and therefore will not warrant the same level of escalation and priority as a material one. At ZR Consultants we generally put issues in buckets of low, medium and high, as well as creating an additional bucket for process improvements. Each bucket defines the level of governance, priority and scrutiny required.
Ensure Robust Action Plans
When issues are identified, ensure you enforce the need for robust action plans that are regularly tracked and reported on. The number of times we have been presented “woolly” plans is unbelievable and it is our job to ensure we push back on them immediately. Plans should clearly state WHAT we plan to do, WHEN we plan to do it by, and WHO will be responsible for what. Plans must also be challenged to ensure that they are in fact completely fixing the issue identified.
Implement a Governance Structure
It is important that you implement a clear structure which delineates how you plan to monitor progress. We also recommend setting up a forum attended by empowered decision makers, where issues and risks can be escalated. Our SOX experts have consistently chaired various steering committees (Steercos) and ensured that packs are targeted and to the point. This enables stakeholders to rapidly see where the programme is in relation to its milestones and to identify where it needs their support.
Avoid an Excessive Number of Key SOX Controls
Another common mistake we have seen is that businesses are led to believe that every control they can identify needs to be a SOX control. SOX is all about preventing a “material misstatement to the financial statements.” Therefore, it is essential to identify the right SOX controls, i.e. those that are able to prevent or detect such a material misstatement. We have previously taken over large-scale SOX projects where we have reduced the number of SOX controls from over 600 to 400 and, in one case, from over 300 controls to 60 controls. Such reductions have been implemented with the agreement and approval of external auditors and senior management. From our experience, the cost per SOX control can be anything from £1,500 to £5,000+.
Let Your Internal Audit (IA) Department do the Job They Were Brought in to do
Another common theme we have encountered is where businesses decide to use their internal audit departments to deliver SOX. Whilst there are a number of synergies between SOX and IA, there are an equal number of differences. SOX is inherently about material misstatement and therefore the approach and requisite processes can differ vastly from the traditional audit approaches of IA departments. SOX also involves project management, IT testing and remediation. As such, it can become highly challenging and technical, thereby requiring support from a solid SOX partner. Additionally, if the IA team is focusing on SOX (which is very demanding) there will be an inefficient trade-off against internal audit hours.
The above is by no means an exhaustive list. We have successfully helped many organisations overcome many challenges over the years, including IPE (information produced by the entity), ITACs (IT application controls), ITGCs (IT general controls), scoping in the right IT systems, management reviews, SOD (segregation of duties) and many more.
If you have any further questions or simply wish to chat with us about your needs, then please feel welcome to contact us.
Contact our Director, Zeshan Raja, directly on:
UK Mobile: 07968 443 471