SOX Reset 2014
RISK BULLETIN |
In recent years, a laundry list of guidelines – COSO 2013, COBIT 5, PCAOB Alert No. 11 and new AICPA SOC reporting guidelines – was issued that deals with an increased emphasis on internal controls over financial reporting. As a set, this series of releases highlights the need for a newly re-focused evaluation of internal controls to maintain efficient ongoing compliance.
"The Sarbanes-Oxley [SOX] Act authorizes the PCAOB to inspect registered firms for the purpose of assessing compliance with certain laws, rules, and professional standards… [and] the PCAOB regularly inspects those firms that issue audit reports opining on the financial statements of issuers."1 Their recent release of "Alert No. 11: Considerations for Audits of Internal Control over Financial Reporting," show their heightened focus on accounting firms' audit techniques for SOX 404 attestations. As a result, audit firms are challenging their own approach in these areas.
By virtue of their recent Alert, the guidelines are calling for:
- Greater testing of system-generated data and reports that support downstream controls
- More thorough documentation mapping of "all relevant assertions of the significant accounts and disclosures"1 to the controls identified
- More substantive testing to evidence the auditor's understanding of reviews performed over a control's effectiveness, including evidence as to a reviewer's competence
- Increasing the level of control design testing and documentation to more thoroughly evidence the auditor's level of comfort that controls are designed to adequately address their stated objectives
Firms will also be looking at this year's update by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") to its original Internal Control – Integrated Framework first introduced in 1992. This new COSO iteration addresses changes to a company's control environment since its original release over two decades ago. Examples include:
- The ways in which they manage corporate governance
- The effects of technology and globalization on the many facets of compliance
- The speed at which investors expect decisions to be made
- And the interconnectedness of risks across the enterprise
COSO 2013 has specifically documented expectations of a company's control environment (i.e., principles – similar to control objectives put forth by the AICPA in their guidelines for Service Organization Control (SOC) reporting). While these principles may not drastically impact the audit techniques used at the process control level, they will have a larger influence for areas that were often tested, for SOX purposes, through lower level audit techniques (e.g., inquiry and observation). Areas such as entity-level controls, fraud mitigation, and, to a lesser extent, IT general controls will probably see the greatest changes in the degree of controls tested and the techniques employed in that testing. As a result, audit firms have been adjusting their approach to testing for SOX compliance within their publicly traded clients.
Beyond PCAOB inspections and the new COSO standard, other items impacting SOX assertions include:
- Introduction of Control Objectives for Information and Related Technology framework version 5 ("COBIT 5") to update IT governance requirements and unify COBIT with other major IT-related frameworks.
- AICPA Service Organization Control ("SOC") Reports is gaining wider acceptance and getting more focus by the AICPA peer reviewers calling for a greater integration of process risk and control considerations. This focus is coupled with stronger evidence that the external auditors have fully understood and considered each SOC report's control objectives and testing procedures when designing their own testing regimen.
The work for some companies may be further complicated due to the separation between what the company documents as their controls for SOX purposes and what may be occurring day-to-day. This separation reflects such items as:
- Process changes that occur in the normal course of business but are not being reflected in the SOX documentation in a timely manner
- Companies' efforts to rationalize originally excessive SOX control sets, which over time resulted in a growing chasm between risks and remaining controls
- Other organizational priorities reducing the emphasis on SOX testing in general by several key stakeholders (i.e., audit committees, management, internal audit and the financial statement auditors).
Given these matters, we expect to see a major refresh of SOX in the coming year. Risk-aware companies can start the assessment process now, in case this renewed focus, particularly at the entity-level controls, results in the need to remediate some of these controls.
So what does this all mean? In our view, successful compliance is becoming more and more of an enterprise-wide demand. Risks should no longer be segregated into separate, unconnected silos – financial reporting risk, reputational risk, operational risk. Rather, the risks should be viewed holistically, as interconnected parts of corporate risk that should be viewed together.
Additionally, as technology integrates into business processes, so IT controls should also be integrated into companies' internal control framework. That integration would reflect the holistic view of addressing risks.
Spurred by the most recent PCAOB inspections, COSO and COBIT revisions, and the rising significance of SOC reporting within the context of the internal control framework, organizations will need to commit a new diligence to the unification of controls.
The combination of the new COSO standard and other influences will result in more stringent control testing (i.e., control-based testing vs. observation and inquiries) in many areas. For example:
- Increased testing may be needed on controls for which sample sizes or documentation requirements, for example, had previously been reduced
- A heighten focus on entity-level and fraud mitigation controls may cause audit firms to require significantly more detailed control documentation and testing regimens in order to establish reliance
- Further efforts may be needed within business processes to connect both automated and IT-assisted manual controls to business risks and their supporting manual controls
- Audit firms may adjust their methodology to require greater re-performance of testing samples
The full impact of this trend toward unified compliance is not yet known. Still, a more enterprise-wide focus toward strategic governance should emerge. All framework updates and revisions have shown the need for more substantive consideration of the inner workings of internal controls, rather than a focus on the result of the control's performance. While this might seem like a step backward to many and it may carry undesired costs, what we expect as a reset of SOX in 2014 may help tighten gaps between the original intent of the SOX control governance legislation and today's audit environment. The result will be a greater correlation between risk governance and changes in today's business environment.