ZenGRC

Simply Powerful GRC

SOX

How the COSO Framework Helps You Comply with SOX

· ·

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control-Integrated Framework. COSO is an organization that aims to improve organizational performance and corporate governance through effective internal control, enterprise risk management, and fraud deterrence.

COSO is a joint initiative of five private-sector organizations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

To implement the COSO internal control framework, you need to assess the new framework’s five components, i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities, as well as its 17 principles against your current internal control system, and make any necessary adjustments.

Auditors evaluating your internal control over financial reporting (ICFR) will judge it against the COSO standard. When even one of the 17 principles doesn’t function properly, a “major deficiency” exists, which is a “material weakness” under the Sarbanes-Oxley Act (SOX) Section 404.

Sarbanes-Oxley Act

That means if you don’t enforce the principles of the COSO framework, you could be violating the requirements of the federal Sarbanes-Oxley Act. The United States Congress passed the Sarbanes-Oxley Act (SOX) in 2002 to help protect investors and the public from fraudulent financial reporting by corporations. 

The Sarbanes-Oxley Act of 2002 aims to ensure that companies with public shareholders accurately represent their financial state so that their investors can better understand the risks. As such, the Sarbanes-Oxley Act mandates greater auditor independence, enhanced corporate governance, documentation of internal controls, and improved financial disclosures. 

To comply with the Sarbanes-Oxley Act, you must have the correct internal controls in place to ensure your financial data is accurate. All your financial and business transaction records and data, including electronic records and messages, are subject to audit. In addition, the networks and devices you use to transmit and store pertinent documents must also comply with the Sarbanes-Oxley Act.

The Sarbanes-Oxley Act applies to:

  • Every publicly held American company,
  • Any international company that has registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC),
  • Any accounting firm or other third party that provides financial services to either a publicly held American company or an international company that has registered equity or debt securities with the SEC.

Private companies can also adopt SOX-related guidelines to decrease liability costs, guarantee capital, and engender public goodwill. In addition, if a private company anticipates that it will be acquired by a public company, adopting SOX regulations can be critical. That’s because lending institutions and investors may be more apt to support a company if they perceive that the organization employs strong governance practices.

Prepare for SOX Compliance

The first thing your IT manager should do to prepare your company for SOX compliance is to understand the sections of the Sarbanes-Oxley Act that have specific implications for data management, reporting, and security. 

Section 302

This section relates to your financial reporting. The Sarbanes-Oxley Act requires that your CEO and CFO certify that all your financial records are complete and accurate. That means they’re required to confirm that they accept personal responsibility for all internal controls and that they have reviewed these internal controls in the previous 90 days. These internal controls include your information security infrastructure so you can ensure that you’re enforcing high-security standards.

Section 404

This section provides additional requirements for monitoring and maintaining the internal controls that pertain to your accounting and financials. Section 404 mandates that you have an outside firm conduct an audit of these internal controls every year. The independent auditor determines how effective your internal controls are and reports the findings to the SEC.

A SOX compliance audit measures how well your company manages its internal controls. While the Sarbanes-Oxley Act doesn’t mention information security specifically, internal control is considered as any type of protocol that deals with the infrastructure handling your financial data. 

Penalties for SOX non-compliance

Formal penalties for SOX non-compliance can include fines, removal from listings on public stock exchanges, and the invalidation of the insurance policies of your directors and officers. Under the Sarbanes-Oxley Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of up to $5 million and up to 20 years in prison.

COSO Framework

Although the COSO framework can benefit any company, it’s particularly relevant for public companies that are subject to Section 404 of the Sarbanes-Oxley Act. Most of the public companies that have to comply with Section 404 of the Sarbanes Oxley Act have used COSO’s framework to implement internal controls and evaluate their effectiveness.

The COSO framework is built around these five interconnected components:

  1. Control environment: The set of standards, processes, and structures that provide the foundation to enable your company to carry internal control across your organization.
  2. Risk assessment: The process for identifying and assessing risks associated with achieving your organization’s objectives.
  3. Control activities: These actions help ensure that your company carries out the instructions issued by management to mitigate risks. These directives can include reconciliations, verifications, authorizations and approvals, segregation of duties, and business performance reviews.
  4. Information and communication: This is the flow of information that’s required to support your internal control function. This includes upstream and downstream communication within your organizations and with external parties, such as suppliers, customers, shareholders, and regulators.
  5. Monitoring: The ongoing evaluation of the performance of your internal control system over time.

Your internal control system is considered effective only if all five of these components and the relevant principles are “present” and “functioning.” That means your organization has to design and implement a system that incorporates these components and principles. 

In addition, your organization also must ensure that these components and principles operate together in an integrated way and “continue to exist in the conduct of the system of internal control to achieve specific objectives,” according to the COSO framework.

The principles of the COSO framework recognize that investors and other stakeholders demand greater transparency and accountability. Therefore, the framework includes: 

  • Details about the need to consider potential fraud when you assess your risks,
  • Information about the impact of information technology on your business processes and reporting, and 
  • Details about non-financial and internal reporting as well as financial reporting.

The COSO framework allows your directors and leadership to exercise judgment in designing, implementing, and adhering to the internal controls that are appropriate for the company and its operating environment.

COSO also provides 87 “points of focus” across the 17 principles to help you design, implement, and monitor internal controls. The points of focus are specific things you need to consider when you evaluate whether the controls over a COSO principle are present and functioning. For example, there are four supporting points of focus for the principle “The organization demonstrates commitment to integrity and ethical values.” The four points of focus are:

  • Sets the tone at the top,
  • Establishes standards of conduct, 
  • Evaluates adherence to standards of conduct,
  • Addresses deviations in a timely manner.

Bottom Line

Making the transition to the COSO framework can take time, so it makes sense to start the process as soon as you can. Begin by becoming familiar with the 17 principles and other guidelines, including the 87 points of focus. Then, assess the state of your internal control system and create a plan to correct any weaknesses. 

SOX compliance means more than just passing an audit, as your company can benefit in other ways by implementing the relevant data governance procedures.

For example, SOX compliance initiatives can help you improve internal control over your financial reporting and also drive continuous improvement.

And along with helping you reduce the risk of fines and other penalties, you can use SOX as a framework for:

  • Auditing existing IT infrastructure, identifying inefficiencies, redundancies, and extra controls,
  • Streamlining reporting and auditing processes, increasing productivity, and reducing costs, and 
  • Managing security risks more effectively and responding more rapidly if there’s a security breach.

Even though the COSO framework wasn’t specifically created for the Sarbanes-Oxley Act, the guidelines of the COSO framework satisfy SOX requirements. Consequently, many auditors use COSO to audit for SOX compliance. 

Essentially, COSO helps you protect your data, especially your financial information, from tampering and unauthorized changes of any kind.

SOX Management Review Controls

· ·

The Sarbanes-Oxley Act of 2002 (SOX) designates management review controls (MRCs) as one of the required internal controls. MRCs are the reviews of key financial information conducted by a company’s management to assess its reasonableness and accuracy. They are a key aspect of a public company’s internal control over financial reporting (ICFR).

Examples of these SOX management reviews include:

  • Review of reconciliations
  • Review of journal entries
  • Trigger events
  • The work supporting an estimate
  • Budget to actual variances

Management review controls are more complex than other controls since they require the examination of combined results as opposed to individual transactions. They involve comparisons of recorded amounts with associated projections based on knowledge and experience related to the business.

This is the case because conclusions during the review are often based on historical documents and reporting that provide the necessary context to the reviewer. Being more than a simple yes or no confirmation means this type of internal control is more subjective and less clear cut. Consequently, a simple signoff by management after a review is no longer sufficient documentation to satisfy an internal audit or one performed by an external auditor.

In fact, due to the risk involved, the Public Company Accounting Oversight Board (PCAOB) requires detailed documentation of each MRC. Such documentation enables auditors to understand what historical information was evaluated, and what was discussed or considered to arrive at an approval.

The level of detail required by auditors and PCAOB inspectors has become a point of contention by companies. Of course, companies want to avoid a material misstatement, especially in financial statements submitted to the Securities and Exchange Commission. But how much documentation is enough?

An Example Situation

Let’s look at bank account reconciliation performed by an accounting clerk as an example. They see the account balance on the general ledger and the balance on the bank statement are different because there’s activity that happens between month-end and when the bank statement arrives. The clerk must reconcile the difference between the two.

The review portion of the control is when the corporate controller reviews that bank reconciliation and approves it. It used to be enough for the controller to simply initial or sign off on it as reconciled. Now, since the management review control evolved, a simple signature isn’t sufficient. Documentation for this MRC must dive into the details of the review process and how the controller decided to approve it.

The documentation is supposed to guide a third party, an auditor, through the same process as the controller to reach the same conclusion. The challenge is trying to document the detailed activities that lead to the conclusion that everything is okay. Or if it’s not okay, documenting the rejection process as well as the resolution process. It’s somewhat like analyzing what a person’s approval and signature actually mean.

A More Complex Situation

A tax provision is another example, adding a bit more complexity. The books are closed and everything is complete. Then the tax team goes in to do a provision for income taxes. They figure out how much the state, local and federal tax estimates should be. They discuss their confidence in the estimates and all the things they’ve done to resolve it. Then there’s a meeting to review and sign off on it, where the VP of Taxes approves the final journal entry to book the provision for taxes.

In the past, that journal entry with the VP’s signature was sufficient documentation of the review. But today, MRCs require meeting minutes. These minutes must include the topics discussed, any potential conflicts or disagreements as well as how they were resolved and how they arrived at the approval conclusion.

The Dilemma

Financial accountants don’t particularly like auditors reviewing the details of their thought processes around something like a tax provision because there is judgment involved. It’s the disclosure of their entire thought process and how they arrived at the acceptable tax numbers.

Typically, the data is confidential and they must expose the reasoning behind considering option A versus option B. Auditors might not agree with their decision. That’s the dilemma with MRCs-they often involve judgment calls. Providing the auditors with the details of the thought process and the activity so they reach the same conclusion of approval or rejection: that’s the real challenge.

Presenting these details allows auditors almost to be a fly on the wall, sitting and watching over someone’s shoulder so they understand what transpired during the meeting to draw their final conclusions.

Plus, auditing isn’t even part of the MRCs. This documentation is prepared so the auditors have some frame of reference to understand how approval decisions are made. This is why accounting and management don’t like it. They believe that these meetings are confidential, where judgments are discussed that auditors may not agree with.

The last thing they want is to have auditors in those meetings. Of course, a lot of this depends on the audit firm too. Some of them push to sit in on one of these meetings, in person, to actually witness the process. Because, although there are meeting minutes, probably with enough information, they may not include every single detail. And when an auditor sits in, the openness in the meeting is often dialed back.

It’s a Balancing Act

So, providing all these details to auditors around how these judgments are made creates a lot of conflict and anxiety. The anxiety of how much to document to satisfy the auditors so they can see a detailed process exists, that a signature isn’t simply being put on the dotted line. This, as opposed to being completely transparent, which may not be in the best interest of the company. It’s a real balancing act!

Why Documentation of MRCs is Required

Of course, the reason detailed documentation of MRCs is required is because of situations where there is actually no process in place. For example, imagine a corporate controller signing off on people’s permissions to access the entire accounting system so they can do their jobs.

The problem is they have access to do everything, including processes they don’t need to do their job. This makes it easy for them to create delusion and fraud if desired. When an auditor asks the controller about signing off on all these approvals, it becomes evident they haven’t been reviewing the need for employees to have all this access-the controller feels it’s too much information to review.

In this case, the controller’s signature is more like a rubber stamp that could be used by anyone. This is an example where there is no control activity, just the appearance of one.

So, what if an incident occurs in this case? The controller would say they approved it and followed the letter of the law. But, they didn’t follow the spirit of the law. That creates risk for an auditor who’s given an opinion that everything is fine and then says that the control activity is working appropriately.

When something bad happens, like somebody committing fraud or stealing millions of dollars from the company, this control failed. That reflects badly on the auditors, as well as the company, and creates audit risk, because investors expect the audit opinion to be valid. There’s conflict and anxiety here from both sides, and you can see why.

Automation Helps

Anytime you’re dealing with financial information, building a system to reconcile and approve things certainly reduces the burden of documentation. Systematizing the process allows you to automatically document all actions taken, making it easier for an auditor to retrace the steps taken and confirm the control works.

However, there will always be judgment involved in MRCs because of the nature of the information and processes being approved. Automation helps ensure the accuracy of financial information used to formulate these judgments while saving time for everyone involved.

SOX Compliance and Private Companies

· ·

The Sarbanes-Oxley Act is a U.S. federal law; all public companies doing in business in the United States must comply with the regulation. SOX compliance activities include identification and testing of internal controls over the financial reporting process and submitting specific financial certifications within quarterly and annual reports to the SEC.

The majority of the Sarbanes-Oxley Act requirements only apply to public companies doing business within the United States. However, some portions of the SOX regulation apply directly to private companies, including the penalties for destroying, falsifying or altering records and documents, and the penalties for retaliation against whistleblowers.

Privately held companies considering or preparing for their initial public offering (IPO), or looking for ways to increase their competitive advantage may benefit from implementing a SOX compliance program. A strong internal control environment can improve efficiency during due diligence processes should an acquisition by a public company be on the horizon. Additionally, the company would be better prepared for initial public offering activities if internal control frameworks and risk assessment activities have already been implemented by the company.  

Regardless of acquisition or IPO activities, some private companies have decided to implement compliance programs which cover applicable SOX requirements in order to enhance corporate governance, establish or improve internal controls and strengthen their financial reporting processes.

An Automated Approach To SOX Testing

· ·

The Sarbanes-Oxley Act of 2002 implements regulations on publicly traded companies. In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) after a series of public scandals by large corporations such as Enron Corporation, Tyco International PLC, and WorldCom that led to a stock market plummet only a few months before the 2002 elections. The legislation intended to quell public fears of corporate misconduct and to require greater accountability by management and Boards of Directors for financial reporting. However, Sarbanes-Oxley turned into a larger and more complex piece of legislation than initially planned due to the integration technology in creating financial statements.

What is SOX Compliance Testing?

Sarbanes-Oxley compliance requirements fall into several different areas. Within the discussions of corporate responsibility and governance, some information security issues exist. Despite feeling overwhelmed by SOX compliance, organizations using automation can focus best on what pertains to them. Thus, SOX testing should center on those areas most important to your organization.

What is the PCAOB?

SOX established the Public Company Accounting Oversight Board (PCAOB) and imposed restrictions on public accounting firm auditors including independence standards. Since SOX views IT controls as the foundation for financial reporting controls, the auditing standards incorporate IT assessments as part of the regulatory requirement.

The PCAOB standards, however, offer little to help individual IT practitioners. The audit requirements specifically note the importance of using a risk-based, individualized approach to establishing controls. Therefore, unlike ISO 29001 or PCI DSS, SOX controls remain primarily individualized.

What benefits does COSO provide?

In the Committee of Sponsoring Organizations of the Treadway Commission (COSO) established the COSO framework to address areas of compliance such as information security controls, control environment, risk assessment control activities, information and communication and monitoring. In 2017, COSO updated its enterprise risk management (ERM) framework to address changes in the risk environment. The COSO update intended to helps align performance strategies to risk modeling. Since COSO and its framework act as the lynchpin for any SOX compliance program, reviewing the COSO Framework’s suggestions provide insight into compliance steps.

How do organizations establish internal controls?

The first step to appropriate SOX scoping involves performing a risk assessment focused on the organization’s ITGC. To appropriately assess risk, organizations must start by determining the purpose of the assessment. Each control should be evaluated based on confidentiality, integrity, and/or availability then defined with the risk criteria/parameters.

Establishing an internal control means reviewing an organization’s landscape. Not all areas need to be SOX compliant, thus focusing on areas of highest risk ease the burden of creating a program. Organizations, therefore, must find those areas within their IT landscape with the most significant threat and develop individualized controls to mitigate the risk involved.

How organizations engage in meaningful control objectives

Control owners must incorporate control awareness to understand not only how the controls work but why they matter and where they fit into the big picture. Thus, auditors want executives to recognize that the SOX assessment matters to the organization’s financial success otherwise the internal controls lose value.
Documentation, therefore, becomes essential. The executive suite must be able to articulate their decisions for acceptance, transference, mitigation, or denial of risk. They cannot explain their reasons for control choice if they do not understand its impact on their financial and reputation risk.

Why SOX compliance testing matters

Identifying risks and establishing controls under Section 404 only begins the long process of compliance. Effectiveness requires gathering evidence that controls work. Although the material misstatements may concern CEOs, CISOs and ISOs worry more about control failures.

Control failures that risk misstatements in financial reports should be those tested most strenuously. These controls, therefore, require more testing and more documentation. For example, access control failures make organizations vulnerable to misstatements in financial reports. Thus, they need more testing.
Continuously reviewing access controls becomes more overwhelming as organizations scale. A manageable review for 100 employees becomes more burdensome at 1000 employees. Therefore, automated role-based access controls provide companies a semblance of assurance that individuals will have the least amount of access needed to do their jobs. However, a single access control may not mitigate risk for sensitive data. Therefore, incorporating additional data access controls such as multifactor authentication may be necessary. While the SEC does not require automation, removing manual processes also acts as a control alleviating human error.

These controls and control testing require documentation that internal stakeholders must share across the organization.

How automating SOX testing documentation streamlines audits

Audits require a constant flow of information and documentation between internal and external stakeholders. ZenGRC’s SaaS platform provides organizations with multiple tools to enable efficient SOX audit tracking.

Internally, the ZenGRC platform allows organizations to map controls across frameworks to maintain consistency. For example, HIPAA compliance and SOX compliance both require user-access controls. However, while SOX controls focus on financial reporting, HIPAA focuses on privacy. Therefore, when a HIPAA compliant organization needs to become SOX compliant, the company needs to evaluate any control gaps. ZenGRC’s ability to map controls across multiple frameworks, regulations, and standards provides insight for organizations who want to implement additional compliance requirements.

Meanwhile, external auditors require proof that an organization has tested controls while compiling documentation in an easy-to-access single location. ZenGRC provides a single source of truth enabling streamlined audit information gathering. Rather than reaching out to multiple stakeholders who access information based on their roles, organizations using ZenGRC’s role-based authorization platform allows workforce members access to information they need to do their jobs. These authorizations enable compliance managers access to the IT department’s documentation but limit their ability to make changes. Not only does this maintain the data’s integrity, but it eases cross-departmental communication and saves time.
Finally, the ZenGRC risk heat maps provide easy-to-digest risk analyses that allow the Board of Directors to meet their oversight requirements. When the Board of Directors can articulate their decisions, they can prove to auditors and regulators that they have met their due diligence requirements.

Automating SOX control testing means more than automating the controls, it means automating the documentation that proves the controls work.

For more information about how ZenGRC enables agile compliance, schedule a demo.