Internal controls pre-test
All public companies require a signed auditors' opinion about the level of their SOX processes and controls and whether or not material defects have been found. Some let the auditors do the work themselves and provide the opinion. I have used in the past an outside consultancy firm to come in and pre-test all of our processes, so that when the auditors come, I can rest assured that no material deficiency will be found and also to be able to expect any findings. This extra step has of course a cost (monetary as well as time-consuming exercises for the finance team). I would like to understand what other companies have been doing and if people think this is a worthwhile exercise.
As Patrick mentioned, you can go for a Global Internal Control department, to ensure the quality of the responses and to ensure, through testing of the different controls, that they are in place and functioning properly (monitoring).
Alternatively, this testing task could be handled by your internal audit department, on selected high risk processes and/or controls, which would certainly decrease the bill by reducing specialized consultants.
Depending on your Internal Control level of maturity and your system (ERP) standardization, you may opt for starting to upgrade as many controls as possible to have them system-based, and just performing selected testing on the exceptions daily/weekly identified by the system reports created for that reason.
You can form an internal team for overall quality check of your finished marketed products along with benchmarks. As a process, collect benchmarks and your products from different parts of the market. The internal quality check team will check for product and packaging defects in both benchmark samples and your product. Comparing the data statistically will be enough to provide a way of reducing defects in your products against the benchmark.
Thanks for the question Joel! You can try the "middle way": implement an internal SOX department, which enjoys a high independence. If it is a local company, SOX would directly report to CFO, if it is a local entity, SOX could report to local CFO and to global SOX Officer. Such a setup is similar to the Compliance department. The tasks of this internal group would not only be limited to the regular testing, but furthermore they can support other functions in keeping up the quality of their processes and guidelines. This would also include pre-testing and, as experts, explaining to the other functions how the controls work and what they want to measure. If other departments get a better understanding about SOX controls, quality will rise.
In my opinion, it is certainly worth the cost and exercise (I would suggest researching ahead to find a qualified, reputable firm to engage). This can provide an additional layer of comfort that the SOX processes and controls are safe and sound prior to the auditors coming in for their audit work. As mentioned, there is a cost associated with this, but I think it is worth the extra cost to save some potential liabilities and extra costs that might occur later on.
Hi Joel, I consider that no one else than the management of the company can identify better the key risks and consequently the key controls. I would engage a consultant to assist on the method and the framework for defining the key controls and I would invest in a tool to support the process mapping and act as a document depository. A temptation that needs to be avoided is to go overboard with defining many controls as “key”. Avoiding that and introducing automation as much as possible will reduce the burden of the testing.
In terms of structuring the testing process I have seen different models such as:
A. Internal Audit (or external consultant) performs the test: Internal audit performs the SOX testing on controls defined as key by the control owners.
Pros: Independence, efficiency due to auditing expertise
Cons: Cost, seen by the organization as another audit, perception that the controls are owned by internal audit and not by the functions.
B. Finance owns the test: Finance owns the testing and ensures this is performed by internal resources independent of the control owner. In this scenario you can have finance organizing ad hoc testing teams that are testing controls, ensuring that the tester is independent from the control owner. The testing teams can get resources from other functions too but are led by a finance expert. In multinational companies you can have different countries exchanging testing teams to reinforce independence.
Pros: Cost, finance as the controls gatekeeper owns the testing, opportunity to identify improvements, development of employees in this process, cross functional awareness
Cons: Burden for finance, independence, resources needed
C. Combination of the above by having an Internal Controls function that organizes the testing using finance and others as resources and reports to Finance leadership.
Hi Joel, looks like you got the answers you need above. Just to throw in my two cents, it boils down to budget and resources. This is totally a worthwhile exercise. The key things would be to nail down what your key controls are and have your resources focus in on those, whether internal or external. And potentially work with your auditors for some level of reliance on your work. If you can do that you can save some auditor dollars to use for your 'pre-testing'.