Thinking outside the SOX: Why it is important to document your review
June 21, 2019
When I talk to my clients, one question keeps coming back: “Why are my auditors always asking me for evidence of my review?”
Before I try to respond to this (very good) question, let’s take a step back. Review controls are very common in any SOX programme: a control operator prepares a document and another control operator reviews it. Review controls are important because they are almost always part of control activities covering significant risks, business processes and/or judgmental areas. Typical examples include the goodwill impairment assessment or a business combination analysis. If something goes wrong with the controls, the impact on the entity’s financial reporting is likely to be significant.
My clients sometimes think that it is solely an auditor issue. This is not the case, as the SEC has highlighted. SEC rules for companies’ SOX programmes are aligned to the PCAOB requirements for auditors:
- It is up to management to design and operate the review controls effectively; and
- It is up to the auditors to test these controls appropriately.
After this (rather long) introduction, what are the SOX programme quick wins on review controls that you could implement?
- Involve your auditors early in the process. Misunderstanding and lack of clarity are not our friends. You should have a discussion in plain English (so says a Frenchman) with your auditors to explain how you perform your review and what evidence is available. You will gain a common understanding of what is there and what potential gaps exist. I use this method with several of my clients and it is very efficient. My advice is to start this discussion early in the SOX programme certification cycle.
- Give yourself credit for all the good work you are doing. When you perform your review, you ask questions, you identify errors, you ask for follow-up items. These provide evidence that your review is performed appropriately. You should take some time to document and prove that you are doing all this good work. It will also help your CEO and CFO to be confident they can sign their SOX certification.
- There are several types of evidence that you can provide. We all know that a sign-off is not enough to prove that an effective review took place. But there are plenty of examples of what good looks like, including:
  - Intermediate versions of the documents you reviewed;
  - Minutes of meetings;
  - Emails asking questions or providing explanations; or
  - Proof that you identified errors in your review.
- Aim for the right and precise evidence rather than providing a lot of random documentation. As I explained before, the idea is to have the right control activities at the right place and to demonstrate that you performed a set of control activities that are precise enough to cover the risks you identified. Remember we want SOX programmes to be efficient. Sometimes less is more.
I am convinced that review controls are here to stay. Management and auditors have different and independent roles to play on this topic but, ultimately, the aim is to continue to provide all stakeholders with confidence that financial statements are presented in accordance with the financial reporting framework.