This article is part two of a three-part series written in partnership with SOXHUB, recognizing the 15th anniversary of the Sarbanes-Oxley Act.
This year, the Sarbanes-Oxley Act turned fifteen. Since the landmark law passed in 2002, audit testing procedures have reached new heights with the evolution of testing methodologies, incorporating data analytics, and continued changes within the regulatory landscape. All the while, the cost of compliance continues to rise.
As shown in Protiviti’s 2016 SOX Compliance Survey:
SOX audit hours continue to go up
Co-sourcing relationships are on the rise
Control counts continue to increase
External auditors continue to ask for more documentation
As a result, audit teams are being asked to do more with less. The question then becomes, how? And, importantly, how can audit teams free up time and resources in their SOX programs so that they can focus on adding more value to their organizations?
Here are a few strategies to try: reduce the number of key controls, invest time in team training, and try new technology to improve the audit workflow. These strategies can help both improve control coverage and lower costs.
Key controls have a way of growing unyielding over time. Audit teams often address emerging risks by simply creating a new control whenever a new risk is identified. New controls are often classified as "key" regardless of their true impact, which adds to the ever-increasing count of controls.
By understanding the differences between key and non-key controls, internal audit teams can combat this form of “scope creep.”
A control is deemed a non-key control if the potential impact to the financial statements upon its failure is deemed immaterial and if that failure cannot cause the entire process to fail. Conversely, a control is deemed key if it addresses a risk of material misstatement, a high risk, or both a control objective and an assertion. These controls must operate effectively to provide reasonable assurance that the risk of material errors will be prevented or timely detected.
To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk?
Assessing the risk level of a control at the account level may lead auditors to add unnecessary steps into their audit cycle, eating away at their limited budgets and timelines. By understanding the risks affecting the financial reporting process, audit teams can prioritize true key controls. Audit teams should perform regular control rationalization procedures to identify redundant controls that mitigate the same risk.
Learning process flow from end to end can help identify high-risk key controls downstream in the process. Auditors should ask teams to develop and analyze a quality flowchart and discuss the matter internally to aid auditors in identifying redundancies.
A risk-based audit approach focuses on areas of high-risk according to the PCAOB’s Audit Standard 5 (AS5). As a best practice, audit teams should plan and perform recurring risk assessment and controls rationalization exercises annually. Doing so can help team members identify opportunities to reduce the scope and focus attention on areas that matter most.
An efficient team leverages its members’ skills and natural talents to maximize their chances for success. Therefore, a great place to start is with skills assessment to understand the strengths and weaknesses of the existing team.
Picking the right metrics is the key to this process. Current industry benchmarks can be your guide:
Number of testing hours for an organization our size
Typical count of controls for an organization our size
Top three training courses being discussed by the Big 4
Also, consider smaller-scale metrics that apply to your organization’s process.
Number of meetings (and follow-up meetings) performed with a process owner
Average number of days to receive a PBC item
Number of hours each auditor spends on testing a control
These metrics can be useful in determining where audit staff are struggling to build rapport with their process owners, or having difficulty in completing a test due to the inherent complexity of the environment.
These metrics can also identify interpersonal problem areas. Professionalism and emotional intelligence are critical tools for auditors. Auditing can happen more efficiently when more care is paid to human interactions, etiquette, bridging cultural differences, and building empathy with the audit audience.
Managers can provide real-time coaching, feedback sessions, and examples of ideal client interactions. Examples and lessons gathered from real-life experiences are often more powerful learning tools than best practices shared in a training video.
The following “soft skill” list can be a guide to identifying team members who excel at the interpersonal parts of auditing. Training in these topics can lead to better relationships with the business, which can lead to quicker handover of evidence and more meaningful conversations, especially during walkthrough procedures.
Effective Critical Thinking
Communication and Negotiation Skills
Relationships and Interpersonal Skills
Understanding and Applying Emotional Intelligence
There are two technologies virtually every auditor uses: Microsoft Excel and Email. Consider moving from excel to a proper database tool.
Sing Microsoft Excel was released in 1987, the lowly spreadsheet has evolved to be a workflow staple. Its popularity is due in part to its ability to link data across different documents and automate basic workflow tasks.
However, modern audit projects require more attributes and details about a control than in years past. Whether it’s documenting the completeness and accuracy of evidence, or validating the integrity of a key report, testing procedures have evolved beyond simple attribute ticking and tying. The modern spreadsheet can handle this robust testing process but lacks speed, efficiency, and consistency.
While spreadsheets are manageable for teams of 3 or less, once audit teams exceed 3-4 people, version control becomes a major issue. If one member of the team fails to make a timely edit or forgets to make updates across all test sheets, the downstream effect can cost managers hours and hours of cleanup. This painstaking cleanup process rarely gets billed and can be disastrous to a budget.
The solution is to use a database as the foundation of the audit program. Purpose-built database structures can allow auditors to quickly pull or push information and see results cascade throughout the entire audit program instantly. Database tools are far more efficient than spreadsheets-based environments where a control testing update requires edits across several files. No amount of spreadsheet automation can compete with the speed, accuracy, and scalability of a database solution.
The good news is, as the industry has evolved, so have the tools available. Audit teams must understand their pain points, prioritize their organization’s needs, then find the right solution to meet those needs.
SOX remains important in re-establishing investor confidence and improving internal control over financial reporting. The public and shareholders have come to expect a solid controls environment with every public company. These high expectations have made quality, in-depth testing absolutely necessary. However, striking that balance between quality testing and a reasonable budget remains a puzzle every organization must solve.
Consider the three strategies above (reducing key key controls, building better teams, and using specialty technology) to help your audit teams unburden themselves from unnecessary expectations and focus on delivering valuable results to their organization.
Peter Yi is the Senior Manager of Product Solutions at SOXHUB, which offers a full suite of audit management solutions for SOX management, ERM, operational audit and workflow management. With over 13 years of Sarbanes-Oxley 404, internal audit and project management experience, Peter helps organizations identify efficiencies and manage complex audit programs.