There are four key steps to keep in mind for a top-down approach to internal controls compliance:
- Reevaluate your organization’s current controls
- Reexamine and refresh your risk assessment strategies
- Compare your control strategies to the external auditor’s report
- Integrate your audits
Reevaluate Current Controls
Controls can directly influence the work and effort by audit firms; reevaluating the current controls and implementing a top-down approach can help cut down the length of your audit process. Less time means less impact on your organization and potentially less money.
The more detailed and precise you are when describing and documenting your entity-level controls, the greater the opportunity to minimize cost and impact.
For many reasons, audit firms have a natural tendency for testing more process-level controls in lieu of testing entity-level controls; either the audit team is unable to assess the entity-level controls, or they don’t understand how the entity-level controls operate at a level of precision necessary to prevent and detect material weaknesses.
This is critical when an organization seeks to reduce the number of process level controls, especially when entity-level controls can provide a needed-level of precision over financial assertions.
Process-level controls operate where most of the company activity occurs—such as a division, plant, or revenue cost center—while entity-level controls happen at higher levels in the organization.
Specifically, process level controls directly relate to a specific business cycle impacting financial reporting while entity-level controls focus on reviews that may cover one or more business units.
Reexamine and Refresh Risk Assessment
Reexamine your company’s risk assessment to reduce the number of control activities necessary to mitigate risks to material misstatements. Identify entity-level controls that address relevant risks operating at an appropriate level of precision.
Document the design factors of your entity-level controls so your external auditor can understand and use them.
Example design factors include:
- Competence of the person performing the control
- Frequency and consistency with which the control is performed
- Level of aggregation and predictability
- Criteria for investigation and follow-up
- Dependency on other controls
Consider completing your risk assessment on an annual basis. You might discover you can eliminate testing of controls over accounts that aren’t material by themselves, or in the aggregate, and cut costs as a result.
External Audit Comparison
Compare your SOX population of control activities to your external auditor’s population.
If the auditor tests more controls than your company, you could help your auditor identify the entity-level controls that prevent and detect material misstatements.
Evaluating your regulatory requirements and consolidating those controls can create opportunities to reduce the impact of audits and improve efficiencies within the organization, while creating greater line of sight to the controls that truly support regulatory needs.
Your company is ultimately responsible for defining controls and generating evidence to support the effective operation of those controls; the key is to ensure controls are precise and evidence demonstrates the precision.
Throughout the process, reference the Securities and Exchange Commission (SEC) guidance to optimize the evidence generated to support your 404(a) assertion. Optimization could reveal opportunities to reduce the cost and impact of SOX.
Organizations are integrating their controls audits by taking advantage of the SOX overlap with the following:
- System and Organization Controls (SOC) 1 testing
- SOC 2 testing
- National Institute of Standards and Technology (NIST) assessments
- Health Insurance Portability and Accountability Act (HIPAA) testing
- Financial Industry Regulatory Authority (FINRA) examinations
- North American Electric Reliability Corporation (NERC) testing
- Customer Identification Program (CIP) testing
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA) regulations