Today, we cover the Top 10 SOX trends in 2016. We want to share what we see working with multiple clients and various Big 6 auditors.  At the end of each year, our team gets together to share lessons learns and see how we can proactively help our clients plan for upcoming year.

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

In this post, we talk about areas of increased focus by the SEC and the PCAOB. The PCAOB regulates audit firms so their guidance impacts what and how the external auditors do things. This in turn impacts our SOX clients.

  1. Cyber Security
  2. Increased Focus on System Controls
  3. Complications during System Implementation
  4. More Report and Spreadsheet Testing
  5. Detailed Entity Level Controls
  6. System Segregation of Duties Analysis
  7. Statement of Cash Flows Controls
  8. More Related Party Disclosure Controls
  9. Management Review Controls
  10. Minimum Documentation Standards

 

1. Cyber Security

Cyber security for SOX 2016
Fig. 1 – SOX cyber security 2016

Cyber security is very sexy right now.  Many people associate cyber security with just IT systems.  That is true but at its core, cyber security is about business risk management. The bad guys now have more electronic tools. Here are some ways that our clients are fighting back:

  1. System access
  2. Governance and risk management programs
  3. Security monitoring incident management programs
  4. Security awareness training
  5. Threat and vulnerability management programs
  6. Patch management process
  7. Vendor risk management system
  8. Data classification program

 

2.   Increased Focus on System Controls & ITGC

SOX system controls
Fig. 2 – SOX Focus on System controls

Because of cyber security issues, the auditors are now looking at system controls and general IT controls even closer than before. They are:

  • Reviewing controls to make sure they have accurate descriptions
  • Testing to make sure it’s operating effectively
  • Checking if controls mitigate risks
  • Performing additional testing

 

3. Complications during System Implementation

SOX Complications during system Implementation
Fig. 3 – SOX Trends in complications during system implementation

For our clients who are putting in new systems, they increased focus on the accuracy and completeness of the data migration.

When you are upgrading a system like Oracle 11i to R12, user profiles are given new functionalities.  Do you have a process in place to make sure that the user profiles are still appropriate in the new system?

 

4. More Report and Spreadsheet Testing

SOX report and spreadsheet testing
Fig. 4 – More SOX report and spreadsheet testing.

Another thing that we’ve seen this past year is more report and spreadsheet testing.  For instance, you are using Oracle, there will be key reports like the AR aging or the trial balance that will be tested.  Some of them are easy to get from the system but others may be harder if the system is customized.

There is more focus on electronic audit evidence or IPE(information produced by an entity).  This means that the auditors are asking how the information was generated.  You have to be able to prove that the source data generated is accurate and complete.

 

5. Detailed Entity Level Controls

2016 SOX Entity Level Controls
Fig. 5 – 2016 SOX Trends in Detailed Entity Level Controls

Remember the COSO 2013 framework? We mapped controls to the 17 points of focus and principles.  Since 2015, we are seeing more requests to expand the level of detail in the control language to ensure the description covers the 17 points. If you haven’t refreshed your COSO mapping or looked at some of the language around entity level controls, you may have to do that in 2016.

 

6. System Segregation of Duties Analysis

System Segregation of Duties Analysis
Fig. 6 – SOX 2016 System Segregation of Duties Analysis

Auditors are talking about segregation of duties analysis for systems.  It is important to complete the segregation of duties analysis early in the year so that you can identify the gaps early. This will give you enough time to fix things and avoid a mad scramble at the end of the year.

Many of our clients have proper segregation of duties and have done the analysis. Unfortunately, they forget to write a summary once they are done. In those cases, when the auditor comes back we not be ready.  So, write a short memo on the analysis and add your conclusion.

 

7. Statement of Cash Flows

SOX 2016 statement of cash flows
Fig. 7 – trends in SOX 2016 statement of cash flows

In 2015, our clients saw auditors asking about controls around the statement of cash flows.  Expect this to be part of the normal process in 2016.  If you haven’t made the change yet, consider doing it this year. Because it is not typically system generated, you have to ensure you have the proper controls over how the statement of cash flows is prepared.

There are three areas of questioning by the auditors:

  • Information
  • People
  • Timing

 

8. More Related Party Disclosures

2016 SOX Related Party Disclosure controls
Fig. 8 – 2016 SOX More Related Party Disclosure Controls

Another hot and heavy issue in 2015 that we see continuing in 2016 is related party disclosures. You want to make sure you have controls around related parties, transactions, and appropriate disclosures.  The new PCAOB standard also requires more audit procedures from the auditors.  We know that as soon as the auditors have additional procedures, it impacts us.

 

9. Management Review Controls

SOX 2016 management review controls
Fig. 9 – Trend in SOX Management Review Controls 2016

This has been around for 2 or 3 years now.  It’s the enhanced level of details in narratives to include more criteria for the MRCs or management review controls.  Auditors are making sure you have specific dollar thresholds for reviews and asking “what’s your review criteria”? Our clients are also classifying management review controls as high, medium, or low based on the complexity of review and the amount of judgment involved.

 

10. Minimum Documentation Standards

SOX 2016 Minimum Documentation Standards
Fig. 10 – Trends in SOX 2016 Minimum Documentation Standards

Back in 2004, control owners had to sign off and date everything they reviewed. Over time it got a more lax.  Now I see the trend is back and you have to sign off and add the date.  It’s no longer acceptable to write just “Approved”.  You have to document that you have looked at the assumptions or asked the questions to ensure everything has been addressed. And you have to keep evidence of the follow up questions too.

Summary

To recap, here are the top 10 trends that our SOX clients are focused on in 2016:

  1. Cyber Security
  2. Increased Focus on System Controls
  3. Complications during System Implementation
  4. More Report and Spreadsheet Testing
  5. Detailed Entity Level Controls
  6. System Segregation of Duties Analysis
  7. Statement of Cash Flows Controls
  8. More Related Party Disclosure Controls
  9. Management Review Controls
  10. Minimum Documentation Standards

 
watch video in youtube

 

If you found this post helpful and
want to receive the next segment
sign up for blog