Charlene Garland from Gappify Inc. shares some high-level SOX 404 tips.
Question: What are some trends you are seeing regarding IPE (Information Provided by Entity)?
Answer: One item that I’ve noticed with the clients that I work with is just all around documentation. Control owners need to be diligent about documenting how they get comfortable with the completeness and accuracy of information that is used within their key controls. So it’s two-fold: 1) whoever is preparing the controls needs to maintain evidence of how they got comfortable with the data, so if it is a report, for instance, maybe they take a screenshot of the report parameters, and 2) on the reviewer’s side, they need to document how they are getting comfortable over the information that they are reviewing. The challenge for a lot of companies has been to understand exactly what the requirement is and also to educate the control owners about what type of evidence they need to maintain for audit purposes.
Question: What are some of the SOX evidence trends that you are seeing?
Answer: Related to IPEs, I just mentioned screenshots of the report parameters that would be taken by the preparer of the control. On the reviewer side, they also need to demonstrate how they got comfortable with the data, so what we are seeing is either reviewers re-performing the report exports and providing their own report parameters, making sure control totals and date ranges match the original report that was run by the preparer, or they will put review comments in the Excel file or if there is another way that they track comments. The reviewers will document details of what they looked for, such as making sure the date range was correct and that other report parameters were accurate. So this is a lot of additional documentation that individuals are not necessarily used to, but this is something that has been scrutinized more by auditors. Everyone is trying to get to a point where it just becomes second nature versus this thing that is a big question mark.
Question: One SOX tip for 2018?
Answer: Overarching, based on my experience working with various clients over the years, is really for SOX Directors, managers and leads to communicate regularly with the organization, specifically with the control owners. It’s helpful for those directors, managers or leads to send reminders to control owners to provide updates in key processes and reminders about the type of evidence that will be reviewed during testing. They can also ask questions about documentation or justification around thresholds that are being used, which is another popular SOX topic. Communication about the SOX process and what is expected is helpful for employees to realize how important it is for controls to be properly maintained because employees also have their day job and there is often not a priority put on SOX. Having that constant communication and exposure to the SOX team re-emphasises that this is something that the company takes seriously and is required for public companies. This is something that is important for process owners to put at the top of their priority list. So my tip is just to make sure there is a good communication line and that process owners understand the importance of internal controls. This will hopefully set everyone up for a successful SOX audit.