SOX Testing: A Step-by-Step Guide

In the early 2000s, financial fraud at several large and seemingly successful companies, including Enron, Tyco, and WorldCom, shook the economy and undermined public confidence in corporate financial statements. The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, reflected a bipartisan congressional effort to address the root causes of those financial scandals.

The Sarbanes-Oxley Act addressed several themes, including increasing oversight of the accounting profession with the Public Company Accounting Oversight Board (PCAOB), establishing new standards to preserve auditor independence, reconfiguring audit committees, and requiring enhanced financial statement disclosures.

SOX Section 302 (Corporate Responsibility for Financial Reports) and Section 404 (Management Assessment of Internal Controls) require businesses to include an Internal Control Report with their financial reports. This report must state that management has implemented internal controls and has assessed the internal control structure for accuracy and effectiveness.

To make this assertion, the company must engage in SOX testing. SOX testing isn’t just mandatory for publicly traded companies—Section 302 requires both public companies and private companies to maintain internal controls and test these controls at least annually.

If this requirement is new for you, or you simply want to update your internal controls, we’ll guide you through the SOX testing process.

What Is SOX Compliance Testing?

SOX compliance testing is like a health check for a company’s internal controls over financial reporting.

As part of the SOX testing process, the CFO and other finance executives—with the help of the internal audit department and external auditors—assess the company’s internal controls and test them to ensure they’re working as intended.

What Is the Purpose of the SOX Testing Process?

The purpose of SOX testing is twofold: ensuring accuracy in financial data and preventing fraud. While not foolproof, testing internal controls annually helps assure investors and stakeholders that the financial information they receive is trustworthy. This process also helps protect the company and its managers and directors from legal repercussions related to financial misstatements.

The 4 Steps of SOX Testing

Most companies use four stages of SOX testing as part of a SOX compliance audit.

Step 1: Initial Assessment

SOX testing begins with an initial assessment. Here, the company maps out process walkthroughs, documenting the key areas and controls within the company’s financial reporting process.

The company usually documents these walkthroughs with flowcharts, narratives, or both.

During this initial assessment, the compliance team also assembles evidence to show that the control activities that are supposed to happen are actually happening. If the SOX compliance team notes any shortcomings during the initial assessment, it can assemble an action plan to correct the deficiency.

Step 2: Interim Testing

The next step in SOX compliance is interim testing. Around the midpoint of the company’s fiscal year, the SOX compliance team performs SOX controls testing to ensure the shortcomings noted during the initial assessment phase have been addressed, and key controls are operating as expected.

The team may note any changes to roles, technology, or business processes that require redesigning internal controls or updating the related documentation.

Step 3: Year-End Testing

As the company’s fiscal year draws to a close, the SOX compliance team performs a final round of testing. This is an opportunity to retest any controls that weren’t functioning as required during the initial assessment or interim testing phases and ensure that any remediation actions the company took to address those shortcomings were effective.

This is a critical phase because the company reviews the internal controls in the context of the full year’s data.

Step 4: Testing by Independent Auditors

Finally, it’s time to turn SOX compliance testing over to a third party: the independent auditors. An external audit team does its own testing and provides an unbiased review of the internal auditors’ work.

The review of internal controls will look into the following:

  • Access controls – physical and electronic controls, such as secure passwords and multi-factor authentication
  • Cybersecurity – services and hardware to prevent a data breach
  • Change management – records of what was changed on the network, when it was changed, and who made the change
  • Backup procedures – backup systems must be in place to protect sensitive data

External auditors help ensure that every step of the process meets the stringent standards of SOX compliance. If they raise any concerns, the internal auditors must address them immediately and explain any mitigating controls or process modifications the company will implement to protect its financial records and assets.

SOX Testing Recommendations

SOX controls testing can be time-consuming and expensive, but it’s essential to help the company maintain SOX compliance standards and ensure the internal control structure functions as intended.

The following recommendations help ensure your compliance procedures pay off.

Execute a Fraud Risk Analysis

First, conduct a thorough fraud analysis. This involves scrutinizing areas of the organization and its financial reporting procedures for any potential fraud risks.

Consider both internal and external fraud risks.

Examples of internal fraud risks include embezzlement and asset misappropriation. Remember the fraud triangle, which outlines the three conditions that lead to higher instances of internal fraud: motivation, opportunity, and rationalization.

Some examples of external fraud risks include vendor fraud and data breaches. Your IT department can be a valuable resource to help identify external fraud risks and the internal controls in place to help ensure data security.

Your fraud risk assessment can help you formulate a comprehensive risk governance and management plan.

Internal and External Audits

The partnership between internal and external auditors helps identify non-compliance red flags and spot potential areas for improvement before they become a problem.

The internal audit team offers a centralized source of information on the effectiveness of the organization’s control environment. They can also add value to the external audit by participating in meetings with the independent auditors, helping them identify the internal controls related to financial statements, and providing documentation to support SOX control testing. In many cases, their risk management efforts help reduce the cost of an external audit.

Manage Key Controls

Reduce the number of key controls you need to test. Many audit teams mistakenly believe all important controls are key controls. However, key controls are a set of internal controls that, if tested and found to have operating effectiveness, give sufficient assurance that the company has an adequate internal control structure and is SOX compliant.

For example, an organization might have 100 controls over a certain area of financial reporting, with five of those controls performed toward the end of the process. Those five controls confirm that the other 95 controls worked and that there are no remaining reconciliation problems or other errors. If testing those five final controls finds little or nothing requiring correction, those five controls alone might be enough for your key control set.

If you identify every internal control in your workflow as a key control regardless of its actual significance, the number of key controls you need to test becomes unmanageable, and it creates more work for your audit team and the external auditors.

The SOX Act doesn’t mandate that companies use specific controls. Instead, it requires organizations to design and implement their own controls—often using a control framework. Using a SOX compliance checklist can help ensure your company follows best practices and SOX compliance requirements when designing internal controls over financial reporting.

Streamline Your SOX Compliance Audit with FloQast Compliance Management

SOX compliance testing can be a stressful, time-consuming, and expensive process. But it doesn’t have to be. By following these steps and recommendations and leveraging the automation capabilities of SOX compliance software, you can ensure your organization’s financial statements are accurate and reliable, building a foundation of trust with stakeholders.

Schedule a demo of FloQast Compliance Management to discover how streamlining financial controls together with the Close can help your company achieve real-time, audit-ready compliance. Remember, SOX testing isn’t just about compliance or corporate governance; it’s about safeguarding your company’s financial integrity.