Sarbanes-Oxley (SOX) was enacted in 2002 and, at the time, companies and their auditors were not entirely clear about the requirements. As you would expect, companies generally tended to be conservative in their application of the SOX requirements, resulting in the identification of a potentially excessive number of risks and controls, some of which were not directly financially relevant and/or material to the company’s financial statements.
Since the inception of SOX, Holtzman Partners has been helping public companies with evaluation and testing procedures to support management’s assessment in Item 9A on their Form 10-K. In 2004, one of our first SOX projects involved assisting Cisco Systems (in San Jose, California) with the development of its SOX process and, during that project, we helped develop a streamlined, risk-based approach to identification of risks and controls. We then rolled out this approach to the Austin market and, even after all of the revised SOX guidance published since 2004, this approach is still the basis for our SOX services today.
Using our SOX approach as a basis and considering all current requirements of the Public Company Accounting Oversight Board (PCAOB), we have performed “SOX Optimization Reviews” for a number of companies. The overall purpose of these reviews is to ensure that the controls identified and tested for SOX are those that management believes are appropriate based on the risks associated with the company’s financial statements issued in public filings with the SEC. These reviews may be performed in conjunction with the implementation of a new ERP or other financial system.
Key aspects of a successful optimization project:
- management support for the project – to ensure that participants in the process are fully engaged and understand its importance to the organization
- top-down risk assessment – to focus SOX efforts on areas of highest risk to the company’s financial statements
- materiality considerations – to understand which accounts and processes are significant to the SOX effort (including supporting the conclusions reached in the risk assessment)
- process owner involvement and ownership – to identify and fully comprehend the risks associated with each process and the controls that they deem to be “key” to ensuring that those risks are addressed
- involvement of the company’s auditors – to help ensure that the conclusions reached by management are consistent with the auditor’s conclusions
Our role in the SOX Optimization Process is to serve as a facilitator in challenging the process descriptions and identification of controls (including those deemed to be key). This facilitation may include some or all of the following:
- engaging with the process owners to fully understand the processes (including the risks and controls) that they believe are essential
- benchmarking key controls against expected controls from Holtzman templates for each process
- updating the process descriptions so that they are properly descriptive but succinct enough that they focus on areas of importance
- working with the company’s auditors to understand what they believe are the areas of highest risk and their requirements to allow for full reliance on the company’s SOX procedures
- developing plans to test the key controls identified in a manner that maximizes the overlap between tests (including population selections)
The results from each Optimization Review may vary depending on a number of factors. In general, we believe that companies have developed a more comprehensive and fully vetted SOX evaluation process focusing on areas of highest financial statement risk. Further, process owners more fully understand their risks and their role in ensuring the financial statements are properly stated. Also, we have generally noticed that the number of controls (and testing) required for SOX compliance has been reduced, resulting in lower annual (recurring) SOX compliance costs.
If you believe that your company could benefit from a SOX Optimization Review, we’re happy to discuss our SOX Optimization process with you and share insights that we’ve gained from projects completed to date.