As the number of in-scope entities in a SOX program grows, so does its complexity. “Mega-SOX” programs — many of which have 10 or more in-scope entities — can create organizational and logistical challenges for internal audit teams, making it more difficult to ensure compliance across the business.
In this episode of AuditTalk, learn how four internal audit leaders — moderator Yulia Gurman (Executive Director of Internal Audit and Corporate Security, Packaging Corporation of America) and panelists Kenneth Garofalo (Director of Internal Audit, Lydall), Luis Padilla (Senior Director, Head of Internal Audit & SOX, Encore Capital Group), and Michelle Wahlen (Vice President of Internal Audit, Post Holdings) — successfully manage their Mega-SOX programs, including:
- Determining what controls are in-scope for SOX compliance when you have 10+ in-scope entities
- Testing approach and strategy when you have 1,000+ in-scope controls.
- The involvement of external audit in determining what processes / controls are in-scope, and ways to increase their reliance strategy
- Using data analytics in the planning and testing phases of a SOX program
Watch the full video or skip ahead to the topic you’d most like to see, and read the highlights below!
How do you determine what controls are in-scope for SOX compliance when you have 10+ in-scope entities?
Luis Padilla: “There are multiple ways of determining what controls are in-scope, especially whenever you’re going through IT controls, business process controls, or entity-level controls. You first have to determine which entities are in scope, and the method you use for one company may not be the right method for another company… A major holding company may define their components as a group of companies. If your company has 100 or 200 companies under its belt and you are that holding company, you may just group them by control environment. We could define a component differently here as a group of companies that share a control environment, general ledger, or network. So, how do you define your entities and your controls in-scope? It’s much more a tailored exercise to your specific type of company.”
Ken Garofalo: “When sizing up a company, you have to consider the quantitative metrics that are relevant for your industry and your type of company. Some examples could be sales, gross margin, operating income, total assets, et cetera. Once you have your company sized up, you can break it into tiers, helping to determine what’s in scope and what’s not. On that quantitative assessment, you can layer in qualitative things such as people capabilities and tenure within your auditable entities, IT systems, control history, and so on. You give more definition through using a tier structure when managing the entities and controls that are going to be within the scope of your SOX testing program.”
Michelle Wahlen: “When you’re looking at the breadth of your company, I know I’ve been in situations where we have a lot of individual entities that are very similar in size and may contribute to that scope percentage in a similar way. The tendency is to always pick the largest one. I would encourage all of us to think a little bit more about not only other risk factors, but also how do we rotate a bit and make it so that we are providing management a little more coverage year to year, instead of taking the easier path of choosing the same companies or entities on a year to year basis.”
How significantly does control scoping change year over year, in your experience?
Luis Padilla: “I would say year over year is a severe understatement. The reality is more like month over month or week over week. As the business adapts, certain processes or systems are decommissioned, certain new systems come online, and you have to be agile these days to bring that system in line. If you’re waiting until next year, you’re not being agile enough for the current environment. You have to be on top of it right now. This is one of the best uses of data analytics for scoping because you can see which accounts are picking up activity and which accounts are decreasing in activity.”
What is the involvement of external audit in determining what processes / controls are in-scope, and what is their reliance strategy?
Michelle Wahlen: “We all know that we need to involve our internal auditors early and often throughout this process. As we are executing acquisitions, even in the middle of a year, we’re talking with our external auditors about what impact that might have on the future, just to start the conversation early — but I do think it’s internal audit’s responsibility to always come with a point of view. Always come with your homework done, having thought through what you believe will work for your company, and what your management is comfortable with. Have a rationale for that. A healthy dialogue is always encouraged.”
Luis Padilla: “Working with external audit is a key success factor for any SOX program. You want to encourage external audit to use the work of internal audit and to take a controls reliance approach. You also want to make that process smooth and easy for the external auditor, the internal auditor, and the business that you’re auditing… Coordinate with the external auditor on sampling methodology, minimum sample requirements, even attributes all the way down to the control level. Does your external auditor need more attributes tested? Can you internally request that information for them? Something that is great in AuditBoard is that you can give your external auditor the ability to add document requests in the platform. Whenever you request information for a control, both internal and external audit requests go out at the same time. Users provide documents into the platform directly — there’s a timestamp, who entered it, who provided it.”
When you have 1,000+ in-scope controls, are you re-performing and inspecting all controls to evaluate design and operating effectiveness? Are there techniques you employ to provide assurance controls are operating as expected?
Ken Garofalo: “I think it’s important to size up every company and develop tiers to help tailor the approach and manage the level of work when you have 1,000+ in-scope controls. By putting the entities into tiers, you can then define your testing approach by tier. For example, for top tier entities you take a full scope and test all the key controls related to that entity. The next tier down, it may be a targeted approach depending on materiality of certain account balances. For the third tier down, you may say we can rely on our entity level controls, account fluctuation analysis, monthly operating reviews, periodic financial statement, balance sheet, reviews that the corporate teams may do — there’s a lot of different ways to slice and dice this, but it’s important that you do that up front because it’s a key way of managing the overall testing effort.”
Michele Wahlen: “I think efficient use of technology is one way to reduce the testing effort when you have a lot of controls in scope. One key is to keep it simple with a consistent methodology across all of your in-scope entities. You can end up with a lot of different internal audit people, geographies, and cultures across the various companies and countries that may be in scope. When you have testing templates available in AuditBoard and utilized the exact same way, when you have consistent risks and consistent controls that are applied across your organization — that not only helps internal audit, but it helps external audit too with thatreliance strategy and with the comfort of knowing that you have an effective control environment.
How are data analytics being used in the planning and testing phases of your SOX program?
Michelle Wahlen: “Anytime you’re able to utilize data — whether it’s only from your consolidation tool or if it’s from your ERP system — to get the data and be able to run the analytics to see coverage quickly and pull out materiality makes that process so much faster.“
Luis Padilla: “If you have an audit software tool, you have data on your own audit function and how those controls are performing. Now that you know how they performed in the prior year, prior two years, prior three years… you can say, “If this control has never failed in the last three years, and this is a lower risk control, do I need to submit this control to the same rigor of testing as a control that failed last year and is a higher risk control?” Probably not… you can use the data that you have available to tailor your testing methodology in coordination with your external auditor, and in coordination with your audit committee.”
Ken Garofalo: “When we talk about using data analytics as part of your testing phase, there are some common data analytics that can probably be used across all companies. One area where I’ve used it before is manual journal entries. Controls over manual journal entries exist across many companies. There’s different data analysis that you can run on manual journal entries or even dollar entries, entries with unusual account combinations, or entries that are booked on weekends or at non-working hour times. There’s a whole series of analytics that you can do that are fairly commonplace and not too difficult to run on a recurring basis once they’re set up.”
Looking for an even deeper dive into managing Mega-SOX programs? Watch the related on-demand webinar. Stay tuned for more AuditTalk videos featuring audit community leaders about industry issues, insights, and experiences!