We have approximately 90 SOX walkthroughs. We have a group within Finance that owns the SOX program and a group within internal audit that performs the walkthroughs and the testing of all controls. I manage the internal audit group. We collaborate with our external auditors and the finance SOX group to complete all SOX work. The SOX Audit team performs about 90% of the walkthroughs for both our external auditors and finance/management. All 3 teams attend the meetings and collaborate on changes to controls and testing attributes. We have required our external auditors to complete the majority of our SOX walkthroughs (approving them) by 6/30 each year. This way any deficiencies can be remediated and tested before filing. We have a handful of walkthroughs that don't get completed until 9/30 or 12/31 but that is because they are annual controls performed later in the year. We had to fight hard to get them to agree to the 6/30 deadline and every year they try to change it, but we tell them that they have to be completed by then.
Original Message:
Sent: 05-15-2024 03:32 PM
From: Rena Harris
Subject: Walkthroughs and Testing Timelines - External Auditors
Thanks everyone for the great input. I am still trying to get our auditors to perform combined walkthroughs. We just started walkthroughs, but our auditors can't attend again this year. They will be performing their walkthroughs in late Oct. It is very frustrating; they are claiming a lack of resources. However, the IT auditors can attend our walkthroughs, therefore IT controls get just 1 walkthrough.
------------------------------
Rena Harris
SOX Compliance Manager
Investar Bank
Original Message:
Sent: 05-14-2024 10:50 AM
From: Amanda Nino
Subject: Walkthroughs and Testing Timelines - External Auditors
Funny you should say that.. mid year last year, after my first reply - we were informed by legal counsel that the date was incorrectly calculated and we were a SOX bank as of 1/1/2023... 2023 was a mad scramble and I am still recovering from the amount of work, hours, blood, sweat and tears that went into year end.
All controls, key and non key are evaluated during walkthrough, and all controls identified as Key are tested for design and a sample of one is documented as evidence.
We take the low risk controls out of the mix as quickly as possible - there are few and it's the approach I feel works best.
Moderate and High risk controls are tested covering 1/1 - 9/30 giving adequate coverage, allowing a quarter for remediation if needed, as well as some flexibility in our approach to workload distribution.
High risk controls are then tested through 12/31, and all controls (including low and moderate) require a management confirmation at YE that the controls have not changed, are operating as intended, and they attest to their effectiveness.
I feel this is a true risk based approach, and our auditors, Audit Committee and Management support the approach.
------------------------------
Amanda Nino
VP/Internal Control Manager
Coastal Community Bank
Original Message:
Sent: 05-14-2024 10:23 AM
From: Raymond Rengifo
Subject: Walkthroughs and Testing Timelines - External Auditors
That is interesting. Higher risk areas should be tested earlier in the year to ensure issues are identified early enough so that they can be addressed with sufficient time. Low risk areas could be tested later in the year (although we do have the same timeline for all controls). I suspect the auditors are taking the approach you mentioned because you are not required to be SOX compliant (based on your previous comments above). I'd push for WTs early/mid May with all teams attending so there is no additional burden to process/control owners. At the end of the day, you (the client) have expectations that need to be met by the auditors (as long as they make sense). Get buy in from your CAE.
------------------------------
Raymond Rengifo
Director - SOX Compliance
Tredegar Corporation
Original Message:
Sent: 05-14-2024 10:12 AM
From: Amanda Nino
Subject: Walkthroughs and Testing Timelines - External Auditors
I requested this approach from our EA, and it did not happen. My team is doing the walkthroughs and TOD now, and recording them. We will share the recordings with EA and IA and the TOD is documented in Workiva, which both groups have access to. IA performs the OE testing at 6/30 for Low risk, 9/30 for Moderate and High, and at 12/31 for High Risk. Our EA currently performs interim in November and then Roll forward in January. Not ideal timing.. but I will have to push for significant change in 2025.
------------------------------
Amanda Nino
VP/Internal Control Manager
Coastal Community Bank
Original Message:
Sent: 02-28-2024 02:59 PM
From: Raymond Rengifo
Subject: Walkthroughs and Testing Timelines - External Auditors
Late to the party, but thought I'd share some of the best practices I've implemented. Typically, we like our external auditors (EA) to begin the procedures in May. That would be when they kick off walkthroughs and tests of design (TOD). The walkthroughs are attended by all groups, IA, EA, and SOX. At that point in time, any needed changes to narratives, process flows, etc., would be captured and triaged by the SOX team. OE testing would come right after TOD, typically kicked off during June/July for interim testing, and so on.
Hope that helps.
------------------------------
Raymond Rengifo
Director - SOX Compliance
Tredegar Corporation
Original Message:
Sent: 04-20-2023 01:56 PM
From: Rena Harris
Subject: Walkthroughs and Testing Timelines - External Auditors
Hello,
Question for the group: when do your external auditors come in to perform SOX testing? We are a large non-accelerated filer. Also, does your company experience double walkthroughs - one with your SOX department and then again with the external auditors?
------------------------------
Rena Harris
SOX Compliance Manager
Investar Bank
------------------------------