Keeping Risk Assessments at the Heart of SOX Readiness

By Matt Kelly posted 10 days ago

Internal audit teams at companies preparing to go public face a tricky balancing act in their journey toward Sarbanes-Oxley readiness. Namely, how do you keep sight of the risk assessment forest through the documentation trees? 

That is, documenting your internal controls is always going to be an important part of SOX readiness — but it’s not necessarily the most important part. The most important part is the risk assessment that management should undertake, to understand what its most material risks are. 

And yet, far too often, internal audit teams get bogged down in the minutiae of cross-walking frameworks and documenting controls at the expense of taking the time to do a good risk assessment. They’re able to execute bureaucratically, pushing forward on controls testing and documentation to satisfy the demands of a framework; but if that work isn’t aligned to a collaborative, effective risk assessment — one that has structure, and is accepted by others across your enterprise — then you can’t be sure whether those activities are properly designed to reduce the risks your company actually has. 

That’s the bad habit of SOX readiness that internal audit leaders need to avoid. 

A Risk Assessment Requires People

A successful risk assessment identifies the transactions or disclosures most likely to lead to a material misstatement. That, in turn, helps executives to define control processes that would best reduce those risks; and to design controls that reflect how business operations really work. That’s how you get operating teams to embrace the controls rather than circumvent them so employees can do their “real” jobs.

All of that takes people working together. Specifically, the chief audit executive must work with the board, senior management, and leaders of the First and Second Line operating teams; and everyone must agree that this work is worthwhile.

For example, perhaps it starts with the chief audit executive stressing to senior management that a good risk assessment does more than prepare the enterprise for SOX compliance. It can also help to reduce the risk of fraud, boost cybersecurity, improve employee training, and ease compliance burdens on a host of other regulatory requirements. Plus, at a practical level, a good risk assessment helps you keep your focus on the most significant or material risks your organization has. That results in better decision-making, reduced errors, and less time spent on remedial work (which means more time available for finance and other teams to devote to key business objectives). 

Once senior executives understand that a good risk assessment helps to build a more risk-resilient enterprise overall, they’re more likely to give you the support you need to win over leaders in the First and Second lines of defense. An assist should come from the board, too. For example, the audit committee should ask to see the formal risk assessment — one that involved the entire C-suite. (If the audit committee isn’t doing that, shame on them.) 

None of this is to say that doing the actual risk assessment, and debating materiality and controls design with other business leaders, will be easy. Most companies going public won’t be subject to the internal control audits required by SOX Section 404(b), so there will be plenty of people arguing that the company doesn’t need all the internal controls you recommend right away. 

Perhaps. But even without 404(b) requirements, management will still need to make assertions about its financial reporting under Section 404(a). If management asserts that everything is great without a thoughtful, comprehensive risk assessment, and then later experiences a misstatement or fraud or some other material meltdown, you might as well hang a “Please sue us” sign on the front door. A good risk assessment helps no matter what.

The bottom line is that too often, businesses want to compartmentalize the work of the SOX compliance team — but that just leaves compliance teams busy doing control documentation and tests. For a SOX compliance program that’s effective, you need a strong control environment. The cornerstone of a strong control environment is a risk assessment that has company-wide participation and support. 

Getting a Risk Assessment Done

Even with an engaged and supportive management team, the actual doing of a risk assessment is not easy. Even a relatively small enterprise might be juggling multiple business units, complicated accounting policies, and numerous IT systems. 

To identify the material risks in that operating environment and then build effective controls, internal audit teams will need tools to coordinate their work and provide transparency every step of the way. For example, you’re likely to need… 

  • An ability to generate risk questionnaires quickly; but also to tailor those questionnaires for specific business units or operating teams. 

  • A central repository for those answers so you’ll always have the fabled “single source of truth” about the data you receive.

  • Effective communication tools to coordinate and track conversations across time zones or geographic regions.

  • A mapping capability, to match existing controls you already have (say, from an ISO standard you’ve implemented) to other frameworks you’re using for internal control over financial reporting (typically the COSO internal control framework).

And these days, you might also want to try artificial intelligence tools. For example, AI could provide quick summaries of the answers to your risk assessment questionnaires or of conversations you have in virtual team meetings. It could synthesize the findings of previous audit reports to help you understand risks that haven’t been mitigated yet. 

All of that is to say there is a lot of minutiae in controls documentation and testing. You can lose sight of the risk assessment forest through the documentation trees. That will not do any favors for your company, your internal audit team, or even your career. 

So one half of SOX readiness is the “people challenge.” That includes engaging everyone in a formal risk assessment, and getting your own team thinking about whether the risks identified and controls suggested make sense. SOX compliance isn’t just about going through a checklist; it’s about bringing curiosity to the challenge of making your organization’s operations more resilient to risk.

The other half of SOX readiness, however, is the “capabilities challenge” of internal audit having the right tools and processes to guide the enterprise through that risk assessment. 

A savvy internal audit leader will lean into both challenges, and make the case that a formal risk assessment is the heart of the project — one that can’t be short-cut, but also one that will pay off immensely over the long run of life as a public company.

About Matt Kelly

Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.

Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.

Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.
