It is hard to believe that the Sarbanes Oxley Act of 2002 is 20 years old this year. SOX processes have matured, and many organizations have been able to streamline SOX testing. It is not unusual to find an organization which is testing hundreds of SOX controls. SOX is considered a large expense by many organizations with no relief in sight. A key driver of the expense is the numbers and types of key controls.
How Many Key Controls Are Enough?
The answer is, “It Depends.” The 2021 State of the SOX/Internal Controls Market Survey conducted by the SOX and Internal Controls Professional Group, says the average number of key controls for companies with a) $700 million in revenue was 242, and b) $5 billion or more was 536. The overall reported average was 300 controls. Yet, I have worked with companies with over $5 billion in revenue who have less than 125 key SOX controls.
The study goes on to assert that the number of key controls is driven by revenue and, if you do not have the number of controls similar to what was reported in their study, you must have gaps in you key controls. I disagree with both of those assertions. So, if revenue is not driving the number of key controls, what are the key drivers?
The report does state that control rationalization has the largest impact on decreasing the number of key controls. I consider this insight to be one of the best pearls of wisdom from the survey.
When SOX started in 2002, many organizations used a bottom-up approach documenting all processes in detail and testing everything. They wanted to make sure they were doing enough to meet the vague SOX guidance. When they arrived at a point where they were testing hundreds of controls and their testing was blessed by their Public Accounting firm, they said wonderful, we will let well enough alone. As mergers happened or new systems/processes were added, more controls were added. This approach has resulted in large SOX expenses for companies with no end in sight.
Organizations who have fewer controls started with or moved to a top-down risk-based approach. This starts with looking at the organization’s control environment beginning with the entity level controls and tone at the top. When you have solid entity level controls and an ethical tone at the top, the overall risk becomes lower for the organization.
The next step in a risk-based approach is to assess the impact that processes within the organization have on the financial statements. Only processes that may result in a material misstatement of the financial statements is within the SOX scope. For example, if you are a retail operation and shrinkage is considered a large risk for the organization, should you include the processes and controls to reduce shrinkage within the scope of SOX? The answer is no, unless they are a control, such as whistleblower requirements, which are a SOX requirement. One may argue that if shrinkage is not controlled, the company may go bankrupt. That may be true, but as long as the financial statements are reporting the true financial state of the organization, they comply with section 404 of SOX. The key for an efficient risk-based approach is to not lose sight of the fact that the only risk you are looking at is the risk of a material misstatement.
Once you have identified the processes that could result in a material misstatement, you must identify the key controls within the process. The following are some items to consider when selecting key controls.
- If you have strong entity level controls and have assurance of adequate qualified staffing, one can rely upon the oversight controls. Generally, oversight controls are less frequent, occurring monthly or quarterly. These types of controls are preferred since they are generally less expensive to test.
- If there are strong information technology controls, one can rely upon automated controls which usually only need to be tested once.
- Look for processes that can be normalized. That is, if different types of invoices or locations use slightly different processes for approval and recording, work with the process owners to create one control that is the same but may be performed by multiple people. This then becomes one control with only one test sample.
These are just some of the ways to perform control rationalization. If you are interested in learning how control rationalization can benefit your organization, contact Elaine Nissley, Principle in charge of the Internal Audit & Management Consulting segment at McKonly & Asbury.