SOX Professionals Group

 View Only
Expand all | Collapse all

Walkthroughs and Testing Timelines - External Auditors

  • 1.  Walkthroughs and Testing Timelines - External Auditors

    Posted 04-20-2023 01:57 PM

     Hello,

    Question for the group, when does your external auditors come in to perform SOX testing?  We are a large non-accelerated filer.  Also, does your company experience double walkthroughs - one with your SOX department and then again with the external auditors?



    ------------------------------
    Rena Harris
    SOX Compliance Manager
    Investar Bank
    ------------------------------


  • 2.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 04-21-2023 10:48 AM

    Hi Rena,
    My current company is an accelerated filer, but still under the protection of Emerging Growth Company - so we are not technically SOX until 1/1/2024. Our external auditors review interim work in September/October to do walkthrough discussions for any changes and get a feel for any early issues and then in January/February to do their substantive testing.  Historically we have done double walkthroughs but that is changing. I am doing walkthroughs in May, and documenting a test of one for every control within our Workiva tool. Our external auditors can review and if they need more information we will have focused conversations with business owners - but not a full walkthrough cycle.

    My last company is a large accelerated filer. We had external audit doing walkthroughs in July jointly with internal audit, and initial SOX control testing in August. Then they did substantive testing in January. They relied on very little testing by our IA group.  I hope that is helpful.



    ------------------------------
    Amanda Nino
    VP/Internal Control Manager
    Coastal Community Bank
    ------------------------------



  • 3.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 04-21-2023 11:12 AM

    Thanks Amanda!  This helps.   Currently Internal Audit performs our testing and I am responsible for everything else.  I will continue to work on having our external auditors perform joint walkthroughs.

    My last company is a large accelerated filer and external audit did joint walkthroughs with the SOX team.  I think this way is much more effective and efficient.




    ------------------------------
    Rena Harris
    SOX Compliance Manager
    Investar Bank
    ------------------------------



  • 4.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 02-28-2024 02:59 PM

    Late to the party, but thought I'd share some of the best practices I've implemented. Typically, we like our external auditors (EA) to begin the procedures in May. That would be when they kick off walkthroughs and tests of design (TOD). The walkthroughs are attended by all groups, IA, EA, and SOX. At that point in time, any needed changes to narratives, process flows, etc., would be captured and triaged by the SOX team. OE testing would come right after TOD, typically kicked off during June/July for interim testing, and so on.

    Hope that helps.



    ------------------------------
    Raymond Rengifo
    Director - SOX Compliance
    Tredegar Corporation
    ------------------------------



  • 5.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 05-14-2024 10:13 AM

    I requested this approach from our EA, and it did not happen. My team is doing the walk throughs and TOD now, and recording them. We will share the recordings with EA and IA and the TOD is documented in Workiva, which both groups have access to. IA performs the OE testing at 6/30 for Low risk, 9/30 for Moderate and High, and at 12/31 for High Risk.  Our EA currently performs interim in November and then Roll forward in January. Not ideal timing.. but I will have to push for significant change in 2025.



    ------------------------------
    Amanda Nino
    VP/Internal Control Manager
    Coastal Community Bank
    ------------------------------



  • 6.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 05-14-2024 10:23 AM

    That is interesting. Higher risk areas should be tested earlier in the year to ensure issues are identified early enough so that they can be addressed with sufficient time. Low risk areas could be tested later in the year (although we do have the same timeline for all controls). I suspect the auditors are taking the approach you mentioned because you are not required to be SOX compliant (based on your previous comments above). I'd push for WTs early/mid May with all teams attending so there is no additional burden to process/control owners. At the end of the day, you (the client) have expectations that need to be met by the auditors (as long as they make sense). Get buy in from your CAE.



    ------------------------------
    Raymond Rengifo
    Director - SOX Compliance
    Tredegar Corporation
    ------------------------------



  • 7.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 05-14-2024 10:51 AM

    Funny you should say that.. mid year last year, after my first reply - we were informed by legal counsel that the date was incorrectly calculated and we were a SOX bank as of 1/1/2023... 2023 was a mad scramble and I am still recovering from the amount of work, hours, blood, sweat and tears that went into year end. 

    All controls, key and non key are evaluated during walkthrough, and all controls identified as Key are tested for design and a sample of one is documented as evidence.

    We take the low risk controls out of the mix as quickly as possible -  there are few and its the approach I feel works best. 

    Moderate and High risk controls are tested covering 1/1 - 9/30 giving adequate coverage, allowing a quarter for remediation if needed, as well as some flexibility in our approach to workload distribution. 

    High risk controls are then tested through 12/31, and all controls (including low and moderate) require a management confirmation at YE that the controls have not changed, are operating as intended, and they attest to their effectiveness. 

    I feel this is a true risk based approach, and our auditors, Audit Committee and Management support the approach. 



    ------------------------------
    Amanda Nino
    VP/Internal Control Manager
    Coastal Community Bank
    ------------------------------



  • 8.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 05-15-2024 03:32 PM

    Thanks everyone for the great input.  I am still trying to get out auditors to perform combined walkthroughs.  We just started walkthroughs, but our auditors can't attend again this year.  They will be performing their walkthroughs in late Oct.  It is very frustrating, they are claiming a lack of resources.  However the IT auditors can attend our walkthroughs therefore IT controls get just 1 walkthrough.  



    ------------------------------
    Rena Harris
    SOX Compliance Manager
    Investar Bank
    ------------------------------



  • 9.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 05-16-2024 07:17 AM

    We have approximately 90 SOX walkthroughs.  We have a group within Finance that owns the SOX program and a group within internal audit that performs the walkthroughs and the testing of all controls.  I manage the internal audit group.  We collaborate with our external auditors and the finance sox group to complete all SOX work.  the SOX Audit team performs about 90% of the walkthroughs for both our external auditors and finance/management.  All 3 teams attend the meetings and collaborate on changes to controls and testing attributes.  We have required our external auditors to complete the majority of our SOX walkthroughs  (approving them) by 6/30 each year.  This way any deficiencies can be remediated and tested before filing.  We have  a handful of walkthroughs that don't get completed until 9/30 or 12/31 but that is because they are annual controls performed later in the year.  We had to fight hard to get them to agree to the 6/30 deadline and every year they try to change it, but we tell them that they have to be completed by then. 



    ------------------------------
    CareyParks-Musil
    Assistant General Auditor
    ------------------------------



  • 10.  RE: Walkthroughs and Testing Timelines - External Auditors

    Posted 05-14-2024 10:03 AM

    We do joint walkthroughs with our external auditors. We schedule the meetings and generate data requests, and invite the auditors to ask questions throughout the walkthrough for design. Occasionally they request further data following the walkthrough if any additional files or evidence is needed. The walkthroughs take place mid-May through June for the Business Process side, and June and July for the ITGC side. Testing begins immediately after the walkthrough for that associated area, and our deadline for controls which our external auditors rely upon our testing is generally 9/30, with the rest of interim testing due 10/31. 



    ------------------------------
    Paige Testerman
    Lead Auditor
    Evergy
    ------------------------------