SOX Professionals Group

  • 1.  SOX Finding Reporting Questions

    Posted 10-30-2023 12:45 PM

    Hi all, 

    I'm looking for a few insights into how you all report your SOX findings to management/board of directors/audit committee.

    Currently, if a control breaks down, we're reporting it to our SOX Committee (management) and Audit Committee, even if the breakdown didn't have financial impact.

    For instance, a user was granted access to a SOX system without a provisioning ticket.  The access was warranted by his/her role, but the control requires a provisioning ticket.

    There's no actual impact in this finding, but the control broke down.  I hate taking these types of findings to executive management, but given that the control that mitigates the risk didn't operate, we feel that it's a deficiency.  Are you taking a similar approach, or would you classify this type of finding as a "near miss" or an operational issue that isn't a SOX deficiency?

    Thanks!



    ------------------------------
    Darren McCombs
    SOX Compliance Manager
    First Busey Corporation
    ------------------------------


  • 2.  RE: SOX Finding Reporting Questions

    Posted 10-30-2023 02:03 PM

    In your example, I recommend first concluding whether it was a SOX control deficiency or not. It sounds like there was a breakdown in the access provisioning control process. Depending on root cause and your population/sample size, there may be the ability to rationalize it as an isolated exception and not a control deficiency (in consultation with your auditors). If you do conclude a deficiency, the next step is the impact assessment where you then determine if there was financial impact. When reporting to the Audit Committee, the amount of detail in discussion and supporting materials could be weighted based on the risk/impact of each deficiency. For example, summary numbers for low risk/impact deficiencies and detailed discussion (issue, impact, remediation) on higher risk/impact deficiencies.



    ------------------------------
    Nick Tobkin
    Director of Cybersecurity
    Target
    ------------------------------



  • 3.  RE: SOX Finding Reporting Questions

    Posted 10-30-2023 02:16 PM
    Edited by Darren McCombs 10-30-2023 04:20 PM

    Thanks for the response.  To your point, in the example above, we expanded the sample to deem the issue isolated.

    Other examples would be (we're a bank) in regard to loan approvals.  The control is automated system routing for proper approval. The routing is based on manual inputs, which are often wrong; however, the loans are manually routed to the right person 95% of the time.  There is often no actual financial reporting impact because even though the automated control fails, the loans receive proper approval under policy due to informal processes.  So, we report SOX findings because the control isn't reliable. 

    I think in most cases my brain leans toward the thinking that the control is the mitigant to the risk of material misstatement, so if it breaks down, even though the uncovered finding didn't impact financial reporting directly, the control has a gap in operating effectiveness. One of our external auditors said this week that they wouldn't report a SOX deficiency because the breakdown that we found didn't impact financial reporting... so I'm just trying to reconcile that. There are many times that I don't want to take a small finding to management, but I also don't want to underreport where work needs to be done to better cover the risk, if that makes sense.



    ------------------------------
    Darren McCombs
    SOX Compliance Manager
    First Busey Corporation
    ------------------------------



  • 4.  RE: SOX Finding Reporting Questions

    Posted 10-31-2023 11:31 AM

    We are a bank as well; I try my best to summarize the deficiencies to the Audit Committee. I provide our SOX Committee with all of the details. I provide the Audit Committee with a very high-level summary of the "exceptions", issues we deemed not a control deficiency.



    ------------------------------
    Rena Harris
    SOX Compliance Manager
    Investar Bank
    ------------------------------



  • 5.  RE: SOX Finding Reporting Questions

    Posted 02-28-2024 02:39 PM
    Edited by Raymond Rengifo 02-28-2024 02:41 PM

    A little late to the party, but wanted to provide my thoughts given my experience with Audit Committee needs. While the access for the user was appropriate, it was a breakdown of the control over a SOX system, which means that this is a SOX issue. 

    As far as communicating to the audit committee, I'd say take the approach of providing an executive summary (1-pager) slide which goes through progress, whether there are critical open items/issues, and the areas impacted. I usually include the details in the appendix. They don't care as to whether we failed a GITC; they care whether it has impact that needs to be disclosed in the 10-K Item 9A (typically material weaknesses).

    Hope that helps.



    ------------------------------
    Raymond Rengifo
    Director - SOX Compliance
    Tredegar Corporation
    ------------------------------