Sarbanes-Oxley: Creating a Successful Compliance Program

Emilie Gawronski – Risk Management

The Sarbanes-Oxley Act of 2002 (SOX) has created a challenging process for many companies, especially during the first year of compliance. The Act imposes a new set of standards, establishes corporate responsibility, and requires executive management to certify whether or not the company’s internal controls are functioning. Without a good roadmap outlining the necessary steps, businesses may find themselves getting lost and taking unnecessary detours along the way.

Steps of Sarbanes-Oxley Compliance

This article lays out a foundation for a straight forward, effective, and efficient five-step process that will help your company achieve a successful first year of SOX compliance.

Steps of SOX Compliance
  • Starting the project.
  • Risk assessment and scoping.
  • Documenting internal controls.
  • Compliance testing.
  • Evaluating and reporting.


Step One: Starting the Project

As with any large-scale project within an organization, effective oversight of the SOX compliance project is critical. First and foremost, senior management must establish the appropriate tone, demonstrate commitment to the project, and emphasize the importance of internal controls. The company should identify a project owner—such as a compliance officer—to manage the project. This person will monitor the project on a day-to-day basis and, with management’s help, will ensure that all company personnel fulfill their responsibilities.

The company must also consider what sort of tools will be used during the project. One option is to track and perform compliance testing using Microsoft Excel and Word files. These programs are generally available to most organizations, but were not designed specifically for this use and will require the compliance officer to invest valuable time maintaining the files. To increase efficiency, you may want to use a workflow tool that is designed to manage compliance efforts. Costs for these applications can range from nothing (when packaged with a service provider) to hundreds of thousands of dollars. But the increased efficiency of using this type of system to track and test controls generally outweighs the associated costs.

Step Two: Risk Assessment and Scoping

Laying out a project plan ahead of time ensures that the overall process will run smoothly. Your project plan will consist of the following elements: risk assessment, evaluating the scope of the project, creating a testing timeline, and coordinating compliance testing among internal team members and external auditors.

A focused risk assessment is the first step in a strong compliance effort. In 2007, the Public Company Accounting Oversight Board issued Accounting Standard 5 (AS5) for auditors. This guidance emphasized the importance of the risk-based approach, which allows auditors to focus on only those controls that address identified financial risks. After determining materiality (typically based on revenues, income or net assets) it is important to identify the complex areas of the company’s business that are subject to material risk and to reduce (or even eliminate) efforts on the routine, immaterial, or low-risk areas. If the organization has multiple locations, consider transactions at each location and determine which should be within the scope of the project.

Internal Risk Assessment Factors
  • Identify significant accounts and disclosures by considering quantitative and qualitative factors such as materiality, complexity, volume of activity, and fraud risk.
  • Identify significant business processes and map accounts and disclosures to those processes.
  • Identify relevant financial statement assertions for each significant account and disclosure.

The next step is determining the scope of the project, which involves evaluating the nature, timing, and extent of testing that will be needed. Sample sizes should be determined and scheduled over the upcoming testing timeline. Identify testing resources and consider their independence and objectivity to maximize possible auditor reliance on your test work. Auditors may want to rely on test results but have strict independence requirements that they must adhere to. Also, consider any service organizations that are currently used to determine if a SAS70 Type II report over the service provider’s internal controls will be required.

The company’s external auditors will play a large role in the overall project. The compliance officer and other senior financial executives—for example, the Controller, Vice President of Finance, or CFO—should participate in an open dialogue with the external auditors from the very beginning of the project, and should keep those communication lines open. It’s helpful for the company to understand the process from the auditor’s perspective.

Step Three: Documenting Internal Controls

Next, the company should further identify risks at the individual business process level. The goal is to identify only those risks that could materially impact the financial statements and ensure that each risk is mitigated by a control. Documenting a company’s internal controls often leads companies to discover gaps in the control environment; in other words, you may find that certain risks are not currently being mitigated by a formalized control or process. These gaps will need to be addressed by designing controls using the company’s existing processes.

The company should document the internal controls that it uses for its financial, information technology general computer, and company-wide entity processes. Note that certain controls are more effective than others; for example, detective and automated controls are typically very powerful and can cover more risks than individual transactional-level controls. You may want to contract a SOX specialist for advice on which controls would be most effective for your company in order to minimize the burden of implementing unnecessary controls and maximize efficiency.

Step Four: Compliance Testing

Each documented control must be evaluated to determine whether it is operating effectively. Organizations can utilize the SEC Interpretive Guide for Management as a guideline (see Testing can include inquiry, observation, examination, or re-performance procedures to gain comfort over whether controls are functioning properly. When making your testing schedule, allow sufficient time to perform remediation procedures should any exceptions arise. After any problem areas have been addressed, retest the failed controls to determine if they are effective.

Step Five: Evaluation Process

On an annual basis, management must evaluate all exceptions and categorize them into one of three categories: control deficiencies, significant deficiencies, or material weaknesses. Significant deficiencies are required to be reported to the Board of Directors and material weaknesses must be disclosed in the annual 10K. Top material weaknesses include: a lack of segregation of duties, lax accounting and disclosure controls surrounding complex or unusual transactions (often including the tax controls), incompetency or inappropriate training of accounting personnel, and inadequate financial close procedures.

Best Practices and Pitfalls

A well-run compliance project can alleviate stress, minimize cost, and create efficiencies. Following is a list of the top five best practices and pitfalls relating to SOX compliance:

Top 5 Best Practices

  • Perform a focused risk assessment to highlight only those areas that could result in a material weakness.
  • Create effective analytical controls—such as a strong budget vs. actual review—and integrate the controls into the company’s regular close procedures.
  • Implement automated controls to effectively minimize manual transaction-level controls.
  • Encourage open communication between management and the company’s external auditors.
  • Streamline the testing process: Utilize a single sample of transactions to test multiple controls at once, use electronic document storage to allow for auditor retesting and ongoing tracking, and coordinate testing with auditors to facilitate efficiencies.

Top 5 Pitfalls

  • Executive leadership sets a poor example by failing to communicate or to establish the appropriate tone.
  • A company does not appoint a compliance officer (or otherwise delegate responsibility) to ensure that the project is managed on a day-to-day basis.
  • The SOX compliance process is started too late to allow for remediation and retesting, resulting in exceptions for evaluation at year end.
  • Complex or new transactions (acquisitions or new contracts, for example) occur during the year without new risks and controls identified, resulting in exceptions at year-end.
  • No one individual is clearly responsible for a company’s business processes.