SOX Testing: A Step by Step Guide
What Is SOX Testing?
SOX testing is the process whereby a company’s management evaluates the internal controls exercised over financial reporting. The Sarbanes-Oxley Act of 2002 (SOX) mandates that a company establishes internal controls and tests those controls to ensure they are operational and effective.
SOX is a US federal law that covers all public companies conducting business in the US and some private companies. It is meant to have a positive effect on the reliability and accuracy of financial statements. It also aims to protect investors from fraud in accounting practices. In this way, more responsibility is placed on corporate governance.
SOX compliance testing relates mainly to Section 404: Management Assessment of Internal Controls and Section 302: Corporate Responsibility for Financial Reports. All yearly financial reports must have an Internal Control Report, which outlines that management is accountable for the “adequate” structure of internal control. The effectiveness of this control structure must also be assessed by management.
Any faults or flaws in these controls have to be reported. Registered auditors from outside the organization must acknowledge the accuracy of the assertion made by the company’s management, namely that the internal accounting controls are active, effective, and operational.
What’s the SOX Testing Process?
Here are four stages of SOX testing used by most companies undergoing SOX compliance processes.
1. Initial Assessment
The team begins by carrying out process walkthroughs. The walkthroughs are typically documented as a flowchart, narrative, or both. Following this, the SOX team puts together evidence to show that the control activities did take place.
The documentation is used to assess control design and to test the operating effectiveness of the controls. Any shortcomings are noted, and action plans are initiated so corrections can be made.
2. Interim Testing
At approximately mid-year, the SOX team carries out an additional round of testing to ensure the shortcomings were addressed and that the SOX controls continue to operate as needed. In this round, the team evaluates whether any additional changes took place that could require redesigning any of the controls or updating documentation.
3. Year-End Testing
Close to the end of the year, the final internal round of SOX controls testing occurs. The SOX team also takes this opportunity to retest any controls that displayed shortcomings earlier in the year. In addition, they must establish that the remediation steps were effective. Year-end and interim testing are mainly focused on measuring operating effectiveness.
4. Testing by Independent Auditors
The last stage of the SOX testing process is carried out by a third party. The external auditors are brought in to further validate the effectiveness of the SOX controls. Organizations hire an external audit company so that independent auditors can evaluate the controls.
The external auditors abide by objective SOX testing requirements and perform independent testing. Any concerns they raise must be dealt with by the SOX team and management speedily, with explanations of mitigating controls and process modifications.
Best Practices for SOX Testing
Use Fewer Key Controls
The number of key controls can increase and become unmanageable over time. This results from audit teams creating new controls to address each emerging risk and often classifying them as key controls regardless of their actual significance. Thus, it is important to distinguish between key and non-key controls, keeping the number of key controls low.
Controls should only be classified as key if their failure would result in a material impact—if they address higher risks or risks of material misstatements. In order to identify and prioritize key controls, audit teams need to understand the potential risks involved in the financial reporting process. They should perform control rationalization procedures regularly to identify which controls are redundant.
According to Auditing Standard No. 5 (AS5) of the Public Company Accounting Oversight Board (PCAOB), audits should focus on high-risk areas. To identify priority areas and reduce the scope of the audit, audit teams should conduct risk assessments and control rationalization procedures on an annual basis.
Establish Efficient Teams
It is important to understand the skills and weaknesses of team members in order to ensure a team is efficient. Interpersonal issues and a lack of rapport between auditors and process owners can also impact efficiency.
Assessing the capabilities of a team depends on having appropriate metrics. You can refer to industry benchmarks to determine the appropriate number of hours an organization of your size should put into testing or the number of controls you should use.
Other metrics you can use to assess your organizational processes include the number of meetings with process owners, the time it takes to receive PBC (prepared-by-client) items, and how long it takes to test a control.
Managers can help teams by coaching them and providing feedback sessions. Staff should be trained in soft skills such as critical thinking, communication and negotiation, interpersonal and leadership skills, and emotional intelligence.
Use Audit Tools
SOX testing can be made easier by leveraging the right audit technologies. Auditors often use Microsoft Excel, but other database tools may be more effective. Audit projects today often require a larger number of details about controls, and a spreadsheet doesn’t offer the necessary speed and efficiency.
Spreadsheets can become unmanageable for larger teams, with version control presenting a major challenge. The downstream impact of a simple error can cost hours of cleanup, which can also affect the budget.
Databases serve as a better foundation for an audit program, even compared to automated spreadsheets. Auditors can leverage purpose-built databases to view information instantly. The tools available to audit teams are constantly evolving, so it is important to understand the specific audit needs of an organization to select the right solution.
Automated SOX Testing with Pathlock
Preparing for a SOX audit can be a stressful, expensive, and time-consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution to proving compliance with your internal controls for SOX. Continuous control monitoring can ensure that you are always tracking your compliance, so there are no major surprises when the audit season comes around.
In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. By connecting directly to your business applications, Pathlock can automatically monitor activity in these applications to surface any violations to controls and pinpoint and quantify the financial impact of any risks. Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.
Financial Impact Prioritization
Pathlock automatically prioritizes your most critical violations by quantifying access risk: each violation is tied to the real dollar amount of the out-of-policy transactions behind it.
Pathlock’s catalog of more than 500 rules can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.
Real-time Access Mitigation
Pathlock allows users to quickly investigate and respond to potentially risky transactions by reviewing access, de-provisioning users, or forcing 2FA, or by letting Pathlock respond automatically in real time by terminating suspicious sessions and blocking transactions.
Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.
Lateral SOD Correlation
All entitlements and roles are correlated across a user’s behavior, consolidating activities and showing cross-application SODs between financially relevant applications.
Continuous Control Monitoring
Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.