Navigating GRC and Audit

Baselining Controls for More Efficient SOX Compliance

AuditNet® is excited to kick off this new column, “Navigating GRC and Audit.” Chris Fox of CA will be sharing his thoughts on GRC best practices and shedding light on the role auditors will play as GRC continues to rise in importance in the enterprise. Chris has many years of international experience in the systems and processes areas and has assisted in writing books on Sarbanes-Oxley and Basel II. He is also a member of the task force that developed OCEG’s GRC Capability Model (Redbook II) and is one of the expert contributors to CobiT 4.1.

In the current economic environment, every sector of business is being asked to maintain its present performance and even to do more with fewer resources and a smaller budget. This is particularly true of programs like Sarbanes-Oxley compliance. If the baseline of controls for your SOX program has been stable over the last two years, it is reasonable for executive management to challenge the program team to identify some cost savings this year (think Lean!). Your team can treat this as a positive initiative: a review of your systems for greater efficiency.

To address this challenge, the team should assess the compliance environment it has successfully developed over the last few years and consider how it can be leveraged. Here’s what I’ve seen as typical for a large number of organizations:

  • Key controls have been identified at the COSO control activity level, and the current plan for coming years is to continue testing these key controls as presently documented
  • A baseline of these controls has been developed, and recent history indicates that the system is stable and all of the controls are operating satisfactorily
  • No significant changes to the controls are expected in the coming year
  • Internal audit has moved away from direct SOX testing; however, the current key controls are still tested as part of the regular audit cycle.

So, given the above situation, how can we expect to reduce the cost of this program? One of the most obvious approaches is to look for opportunities to reduce testing without losing effectiveness.

To do this, we should look first at our areas of strength and build on them. In the above example, that strength is a proven baseline of controls. If the baseline gives us a strong foundation, we can build upon it.

Let’s look at a scenario of existing controls in a hypothetical accounts payable process for a business with, say, 10 branches. Currently, the reconciliation of accounts payable at each branch is a key control, and the supervisory review of that reconciliation is the monitoring control. In this scenario, no control issues have been identified during SOX testing, and the internal audit group tests the detailed reconciliation during its periodic branch audits.

We note that, as part of preparing the month-end reporting package for head office, the branch [1] signs off that the reconciliations have been prepared, [2] produces performance indicators, including the ageing of reconciling items both by dollar value and by number of items, and [3] explains any negative performance trends.

We also note that [4] head office reviews the management package and [5] reviews the results and the explanations of variances with the management of each branch. When the consolidated accounts are prepared, [6] variance analyses are prepared and explanations for fluctuations are obtained. Finally, [7] the internal audit group performs its periodic audits of the branches.

With 10 branches, you can see that the number of tests being performed across all seven levels of control is significant.

In many companies, the reconciliation (actions 1, 2 and 3 above) would be the key control, the various reviews (4 and 5) would be monitoring controls, and the consolidated variance analysis (6) would be the key monitoring control.

This is the point where we can leverage the baseline we worked so hard to achieve! A more efficient approach is to rely on [a] the baseline and [b] internal audit’s confirmation that the baseline controls remain effective, and on that basis move the key controls higher up the control hierarchy.

Depending on the history of the implemented controls, such as the work performed by internal audit in assessing and advising on the branch management package (processes and tools), a new control composition could be either:

  • the branch management package becomes the key control, with the head office review as the monitoring control; or
  • the head office review becomes the key control, with the monthly review of the financial statements and consolidated management reports as the key monitoring control.

In either case, once you multiply by the 10 branches, there is a dramatic reduction in SOX testing cost, and much of the remaining work can be performed at head office rather than through branch visits. If the change is documented in the context described above, a stable baseline with internal audit verifying that it remains stable, the company can make a strong case to its external auditors that the relocated key control still sits at the control activity level. That case rests on the higher-level control being precise enough to detect the errors the branch reconciliation would have caught, so document the variance thresholds that trigger follow-up and retain evidence that the reviewers actually pursue them.

So, the assertion of the above example is that your compliance and internal audit teams can leverage all the hard work they have done over the last few years to establish a stable and accurate control baseline, and begin to deliver significant bottom-line benefits to the business by reducing SOX testing activity. This incremental (and leaner) approach can be very powerful, since it maintains a stable baseline while continuously improving the testing process.

The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®