Designing a controlled environment is a balancing act. We design controls to mitigate risks while knowing the limitations of the control owners and of the tools and environment they have to work with. In the SOX world, we balance residual risk against the impact and likelihood of a control deficiency. If a deficiency is severe enough to be classified as a "significant deficiency," it must be reported to the audit committee and the external auditors; if it rises to a "material weakness," management must also disclose it publicly in its report on internal control over financial reporting. That disclosure affects stock price, reputation, regulatory scrutiny over operations, and the workload for auditors.
Control owners have been caught up in the "great resignation," and their positions remain open longer while companies cut costs to stay profitable during a period of inflation. Now more than ever, the balancing act is challenging. The good news is that there are proactive steps you can take to reduce the number of control deficiencies at your organization.
1. Understand Tone at the Top
The first strategy is to understand your organization's tone at the top regarding risks and controls. Some leaders treat controls as a necessary evil (extra work) or an afterthought. Others set the bar impossibly high, creating a culture of fear in which people hide problems rather than surface them. Changing the tone at the top, and with it the control culture, can have the single biggest impact on the number and severity of control deficiencies in your organization. To start changing the culture, make a concerted effort to ensure your control owners understand the impact of their responsibilities, the "why" behind each control, and not just the steps they are asked to perform.
2. Review Control Design Precision
Designing controls is not something you can do once and walk away from. The level of risk and the precision of each control must be reviewed on a regular cadence, and again whenever a process changes or a new risk emerges, to confirm that the risk is still mitigated in line with the organization's risk appetite. For example, as the threat of cyber attacks increases, a manual periodic access review may need to be replaced with a more robust, automated identity management control to mitigate the risk with the precision the organization requires. Note that an automated control does not remove the need for evidence; it shifts the evidence from the reviewer's sign-off to the system's configuration and the change management over it, so those IT general controls must be in scope as well. We should also consider whether mitigating controls are needed, especially while controls are changing and new control owners are getting up to speed.
3. Assess Current Control Performance
We spend so much time on control documentation for a good reason: we must be clear on how a control process works. Control owners change, and that turnover leads to performance slipping and control steps falling through the cracks. Up-to-date training programs and documentation are crucial so that new control owners can learn to operate a control correctly before the first time it is tested. We should also assess our manual controls for automation opportunities. Using bots or scripts to automate routine control activities (data extraction, reconciliations, reminder and escalation workflows) takes the burden and the potential for operator error off the control owners; the trade-off is that the automation's configuration and its change history then become the evidence the auditor will ask for, so they must be documented and controlled like any other system.
4. Implement Modern Connected Risk Technology
Managing your SOX function requires a modern technology solution. Working in siloed spreadsheets and documents leaves too many chances for information to become stale, and it leaves no reliable record of who changed what and when. Effectively maintaining process and control documentation, survey results, risk assessments, testing documentation, and evidence collection means implementing connected risk technology that the right stakeholders can access. When that is in place, tone at the top, control design review, and control operation become part of the organizational culture, engaging stakeholders throughout the business and preventing control deficiencies.
Improve Visibility to Reduce Deficiencies
The four strategies above move the SOX function away from manual project management and toward continuous monitoring and mitigation of risk. Once the pieces are in place, we can focus on the insights from real-time status reports and dashboards. For example, if a quarterly key control has an issue, we learn about it sooner and have all the information needed to address the deficiency as quickly as possible. Strong SOX management software adds visibility into the process and helps you deal with deficiencies as they arise. Using connected risk management technology to monitor organizational risk and SOX compliance in a user-friendly, fully integrated solution puts your organization on a solid path to preventing control deficiencies.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.