From our experiences, we have seen our customers seek efficiency in the following areas:

• Documenting assessment programs (templates)
• Testing and rating their controls and documenting procedures
• Documenting internal audit observations and communicating them to the SOX team
• Management ‘reassessing’ risks on their Assessable Units

Efficiency can be attained in the above areas by streamlining your processes.

The question is  – How do you gain that efficiency?

First and foremost, Reduce Overlap

Though not a new concept, overlap remains both a management and a cultural issue for many companies. It is in the management’s best interest to identify the overlaps in documentation of testing procedures, where the execution happens and reduce these as much as possible. The cultural silo’d approach was based on a legacy requirement with SOX and Audit execution and is slowly being recognized as an inefficient operational function. Flexibility is still key however, due to notable exceptions such as code of conduct rules and the like.

For the SOX-folks: Learn to engage your Auditors and brainstorm options.

It is alright that the control objectives and procedures are not spelled out exactly how they would like it. That can be refined. Audit terminology always requires clarifications and it is of best interest for the SOX team to clarify objectives upfront, validate them and not to make assumptions. Allow for this type of collaboration to document the test procedures and brainstorm on effective execution. Reusing steps and procedures from templates will help with speedy documentation.

Secondly, Share results

If Audit is helping you with SOX test procedures, perhaps they should also conduct the tests. They understand the test procedures and have a good understanding of the SOX control objectives. In many cases  the SOX coordinator’s primary focus is centered on the final rating of the controls and observations raised by the Audit team. The diagram below best describes how you can leverage Auditors testing your controls and using those results to complete your assessments.

The third step is to automate data availability for planning

Once audits are completed, it is important that the impact of residual risks are reflected in the ranking of the assessable unit. Access to this information during the actual ’scoring’ process is key to improving and reducing errors in the planning process.

BPS as a solution helps in creating the efficiencies mentioned above by providing the following capabilities:

• Reduces overlap in documentation by using Assessment Templates that are shared across the SOX and the Audit teams. The SOX team can use this feature to run SOX Assessments and the Audit team can use this as one of their Audit Programs.
• Publishing test results and observations to other interested parties is another BPS functionality that is key in reducing resource overhead. The SOX team can review the test results, coordinate collecting management responses and participate in the observation remediation workflow. BPS’s workflow and integrated risk management solution helps with the observations being assigned and acted upon by different teams on different audits and assessments.
• Scoring based on automatically available data for non-remediated observations and associated risks is a feature that Audit planners use in BPS during their periodic planning.

We are looking forward to your comments on this post and how you have recently improved your Audit and SOX processes within your company.