Find out how a properly structured SOX self-assessment program, the right controls, and automation can help ease the burden of ICFR.
Effective internal controls over financial reporting (ICFR)
Sarbanes-Oxley (SOX) compliance is a heavy burden that falls on the shoulders of countless stakeholders and involves multiple departments, processes, and systems. But there’s a way to ensure a fair distribution of responsibility across internal control requirements.
When you create a properly structured SOX self-assessment program using automation, reporting becomes faster and easier, assigning and following up on tasks is simplified, and you can maintain a clear audit trail. Perhaps now’s the time to self-assess your self-assessment program and take control of your controls?
SOX jokes aside, here are a few tips to help capture your internal control activities and communicate changes more effectively across your organization.
Automating narratives and flowcharts
A SOX narrative illustrates how your controls fit into the greater business process and provides an understanding of whether or not your controls are worth keeping, or if new ones are required.
In many organizations, the narrative appears in the form of a flowchart or a Word document. But problems arise when it comes to keeping those flowcharts updated or maintaining version control over numerous Word documents. And if the documents aren’t maintained, your internal controls may well be failing, and you won’t know it until it is too late.
That’s why it’s important to constantly scrutinize your narrative and ask: How is the process working? Are my controls effective? Do I need more? Are there ones I can do away with?
Sounds daunting, right? But if you manage this process in a platform like ACL, the automation does most of the heavy-lifting for you. Start by first selecting and mapping the overall control framework that you want to observe. A common method is to segment SOX 404 requirements by process and sub-process, then involve the process owner, and work together to create a good quality and updated narrative at the process-level.
Many of these reports and flowcharts need to be updated quarterly—or on an interim and roll-forward basis—so automating the process will save you the headache of dealing with version control and capturing updated sign-offs.
In ACL GRC, you simply create a hyperlink in your SOX 404 GRC project to the aggregate flowchart reports. This will automate the broadcasting, updates, and full narrative documentation across that workflow.
Now your organization can communicate and review updated flowcharts, narratives, and other process-related documentation, and you get those flowcharts flowing faster and add more time back in your day!
Assign controls and follow-up tasks
Many SOX compliance functions look to the business to take on some of the responsibilities around the design and testing of key controls. But how do you involve them?
In ACL GRC, unique user roles can be leveraged to prescribe specific access and responsibility to a control owner. So simple tasks like updating a control walkthrough, responding to request list items, or documenting control effectiveness test steps can be completed by the owners themselves.
Now the assessment of the controls is owned by the business, and you didn’t even have to chase them down for the updates.
Another perk of ACL GRC is that business owners can be tagged during the testing stages for the control in question. That means the compliance or audit owner gets good oversight of the testing phases and can easily relate them to the relevant entities, deficiencies, and mitigation efforts that are in play.
Finally, within the ACL GRC SOX 404 system template, all of these control and testing updates are ready to be saved into your library at the click of a button—and can be reused as needed.
SOX 302 certifications and financial reporting are very important to the executive branch of the business and often result in critical demands from controllers, VPs, and even the CFO. To further complicate things, 302 roll-up reporting may need to run concurrently across several business lines or subsidiaries.
Using the ACL GRC Results module, we can dedicate collections of 302 certifications and deploy certification requests via a GRC questionnaire. What better way to have simple questions answered (as well as capture signatures) than in a simple electronic survey?
Using this method, owners can respond ad hoc to these questionnaires through a dedicated email and web form. Once they finish clicking through and attesting to the control(s), all of the results are saved back into the respective collection and await further review or escalation. By using a trigger, we can aggregate all responses and roll them up through potentially several levels of certification. Triggers can be set on specific criteria and scheduled to run every 302 quarterly period.
All along the path, we can see changes, comments, and attachments, resulting in a clear audit trail. A more advanced technique would be to create a specific SOX 302 Results storyboard that can aggregate multiple visualizations into a single commentary for management and executives.
Hopefully these techniques help our second and third line functions find efficiencies and relieve some unnecessary SOX headaches. As for the financial reporting teams, go knock their SOX off!
In this 26-page guide, we’ll look at how you can use technology to create a sustainable ICFR framework that will reduce the financial and resource burden of ICFR, while providing greater assurance over the reliability of financial statements.