Five common pitfalls for new SOX filers (and how to avoid them)

How to avoid: This is the SOX compliance version of the “measure twice, cut once” idiom. Every ounce of effort you put in on the front-end to assess and scrutinize your organizational systems, processes and risks, from top to bottom, will likely save you a pound of trouble down the road. 

• Conduct a thorough, organization-wide risk assessment. 
• Perform a comprehensive financial statement risk assessment to identify your risks of material misstatements to the financial statements and map key control objectives and activities to address those risks. 
• Seek and obtain risk insights from a broad spectrum of stakeholders and ensure all perspectives are given proper consideration. 
• Confirm significant financial reporting elements, relevant assertions and control objectives. 
• Ensure an understanding of transaction flows from initiation, authorization, processing and recording/reporting, and confirm source risks of material misstatements within the transaction flows. 
• Identify significant Information Technology (IT) applications and systems that facilitate the transaction flows (including back-end IT systems that many end users do not interact with) and the relevant controls within those IT applications and systems. 

Quite simply, if you don’t know which risks you face, you can’t establish the proper controls to address and mitigate those risks. 

*For more detailed information about these steps — and a sample timeline — explore our SOX readiness roadmap on pages 4-5 of the brochure linked below. 

How to avoid: A good rule of thumb, when it comes to establishing your organization’s set of internal controls over financial reporting (ICFR), is to pursue quality over quantity (not that you must choose one over the other). But just because you have ample control sets across your organization does not mean those controls are well-designed and well-targeted to mitigate your risks of material misstatements to the financial statements. As you establish an appropriate internal controls framework for your SOX compliance initiatives, and as you begin to assign specific control owners, it is crucial to ensure the controls you are implementing are, in fact, addressing the risks you identified in the previous step by conducting in-depth, end-to-end process walkthroughs and control design workshops to fully understand and define the key activities intended to be executed by the control owner for each key control. 

And lastly, be sure to document your current processes and controls in ample detail to ensure consistency in operation and to minimize atrophy over time. This can be accomplished by utilizing risk and control matrices, process narratives and process flowcharts. When you are complying with SOX requirements, documentation is critical. 

How to avoid: Tying into pitfall #1 above, it is imperative that clear communication and education extends throughout your entire organization — especially to your control owners. Establish training programs for control owners to educate them on the importance of internal controls, the specifics of their roles and responsibilities and the organization-wide expectations to support the internal control environment through the proper execution of internal controls. Explain the criticality of thorough documentation and document retention and include education around change management and version control of key reports. 

Providing continuous education around key trends to incorporate into the internal controls framework and further supporting an ongoing understanding of what could go wrong in each process will help identify risks to the financial statements and promote a robust internal controls environment throughout the organization.  

How to avoid: Assuming your risk assessment, control framework and documentation processes are firmly in place, the worst thing you could do is … nothing. Especially early on, it is best to view your control environment — and its subsequent documentation — as evolving. This is not a “once complete, always complete” effort. Instead, you should constantly utilize your documentation to test, review and evaluate the effectiveness of your control framework to support continuous monitoring and evaluation of your control environment. 

Through constant and ongoing evaluation, you can identify potential new risks or control gaps, design and implement more effective controls, verify the efficacy of your current control framework and more. You can better design, review, approve and implement final solutions for control deficiencies. You can validate that the controls within the established framework are designed and operating as intended. You can identify opportunities for efficiency in your control environment. You can communicate documented progress and key results to control owners, managers, executive leadership, external auditors and beyond.