Modernizing SOX Compliance
Companies can follow these tips to create more effective Sarbanes-Oxley (SOX) self-assessment and monitoring procedures that help management correct issues and weaknesses before auditors arrive.
Use Automated Dashboards
Dashboards, team sites summarizing performance, real-time financial reporting, and team document sharing have created an explosion of information that previously would have required manual analysis, reconciliations, meetings, and human follow-ups. Consider whether your SOX program is still relying on manual work while the users in your organization are running the business with these more automated views.
Consider Leveraging Automated Alerts
Companies are using software to create automated alerts when an error is identified or a step in a process is missed, and artificial intelligence engines are being used to perform analysis and identify variances. Companies that are automating their processes should consider whether they can rely on such technology as an essential SOX control.
Use Self-Monitoring Programs
Some processes are either so complex or so important to get right that companies have been doing their own sampling (or “testing”) of their processes before a formal SOX assessment. In the past, the approaches used for these programs and the required evidence may have differed from auditors’ SOX requirements.
Those differences meant that these programs were not relied upon for SOX purposes. Scope differences were also a reason this work was not used. However, a small adjustment in the scope or type of procedures can often result in one effort providing both the monitoring and the SOX control evidence.
Start from Scratch Again
A great way to understand how management runs the business is not to look first at the previously documented controls but to start over. Ask key personnel how they know that their process is working. For example, asking the accounts payable department how they ensure that the accounts payable file is complete (without referring first to old SOX documentation) can identify key elements or processes excluded from SOX documentation.
Consider Replacing SOX-Only Processes
Other manual testing processes that are only required for SOX may continue to be enforced but provide no other value for the company. Further, excessive manual documentation may be retained for a SOX assessment that isn’t useful for business operations. Perhaps some of these procedures can be replaced with evidence that is already produced for other business purposes instead of a “SOX-only” procedure.
Invest Time to Save Time
It takes an investment of time to look for existing monitoring processes and automated sources of control evidence. However, once even a few of these are identified, the time saved by not requiring side documentation efforts for SOX can be significant. The improved linkage between the basis for management’s SOX program and the underlying processes that management is directing will further strengthen management’s awareness of its control health on a timelier basis.