This article is part two of a three-part series written in partnership with SOXHUB, recognizing the 15th anniversary of the Sarbanes-Oxley Act.
This year, the Sarbanes-Oxley Act turned fifteen. Since the landmark law passed in 2002, audit testing procedures have reached new heights with the evolution of testing methodologies, incorporating data analytics, developing new interpretations of “best practices,” and continued changes within the regulatory landscape. While this audit evolution has brought a positive impact to the financial integrity of companies, this has also come at a great cost to the organization and its people.
As shown in Protiviti’s “2016 SOX Compliance Survey”:
- SOX audit hours continue to go up
- Co-sourcing relationships are on the rise
- Control counts continue to increase
- External auditors continue to ask for more documentation
To this day, organizations and audit teams are continuously reminded to meet aggressive budgets, identify testing efficiencies across every facet of an audit, and maintain high quality. Meeting such high expectations is difficult for even the most veteran auditor, let alone the new generation of auditors who have joined the profession post-SOX.
How can audit teams strive to improve the efficiency of their SOX programs while staying within budget and accommodating the latest industry regulations and standards? More importantly, how can audit teams free up time and resources in their SOX programs so that they can focus on adding more value to their organizations?
Auditors who can implement any one of the following strategies should yield both improved control coverage and lower costs: reducing the number of key controls, training team members on both technical and soft skills, and leveraging technology to improve the audit workflow.
Strategy 1 - Reduce the count of key controls
Organizations face countless risks on a daily basis. Audit teams often address these risks by applying a brute-force approach and simply creating a new control whenever a new risk is identified. Inadvertently, each new control is often classified as "key" without performing a true risk assessment, which then contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts and “scope creep”.
A control is deemed a non-key control if the potential impact to the financial statements upon its failure is deemed immaterial and if that failure cannot cause the entire process to fail. Conversely, a control is deemed key if it addresses a risk of material misstatement, a high risk, or both a control objective and an assertion. These controls must operate effectively to provide reasonable assurance that the risk of material errors will be prevented or timely detected.
To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk?
It’s not uncommon to find inexperienced auditors testing controls that address low risk assertions without conducting a mature risk assessment of their environment. Simply assessing the risk level of a control at the account level may lead auditors to add unnecessary steps into their audit cycle, eating away at their limited budgets and timelines. By understanding the risks affecting the financial reporting process, audit teams can better prioritize and focus their efforts on key controls. Further, when audit teams fail to perform regular controls rationalization procedures, this can result in significant over-testing because no analysis has been performed to identify redundant controls that mitigate the same risk.
In some cases, audit teams failed to identify a high-risk key control downstream in a process simply because they didn’t understand the process flow end-to-end. Often the auditor is ill-informed or limited on time and will test controls in the same manner as prior years to simply avoid drawing attention to themselves. Such oversight could have been resolved if the team developed and analyzed a quality flowchart and discussed the matter internally amongst themselves.
As prescribed by the PCAOB’s Audit Standard 5 (AS5), a risk-based audit approach dictates that companies and their auditors focus on areas of high risk. As a best practice, audit teams should make an effort to plan and perform a recurring risk assessment and controls rationalization exercise annually. Doing so can help train team members to better understand their organization while identifying opportunities to reduce the scope and focus attention on areas that matter most.
Strategy 2 - Train audit teams
With the new Revenue Recognition and Lease Accounting standards taking effect soon, many audit departments have been bolstering their team's skills with targeted, technical trainings. However, technical training alone may not be sufficient to build balanced audit teams, as the team members themselves may have development needs beyond audit and testing procedures. After all, is it not the goal of every team manager to leverage everyone’s skills and natural talents to maximize their chances for success?
We’ll first look at the need for performing a skills assessment, to determine a baseline between team members. Audit teams must continually review and revise the links between skills, performance, and training programs. To identify the most important skills for team members’ roles and to understand what skills they currently lack, the manager should consider conducting a skills gap analysis. Picking the right metrics is the key to creating real value from training. Often, organizations will assess their current performance against industry benchmarks:
- What is the typical number of testing hours for an organization our size?
- What is the typical count of controls for an organization our size?
- What are the top three training courses being discussed by the Big 4?
However, publicly shared metrics may not be relevant for your specific organization and culture. Each audit team should consider measuring the impact of its training programs through non-traditional metrics, such as:
- The number of meetings (and follow-up meetings) performed with a process owner
- The average number of days to receive a PBC item
- The number of hours each auditor spends on testing a control
These metrics can be useful in determining where audit staff are struggling to build rapport with their process owners, or having difficulty in completing a test due to the inherent complexity of the environment. Inexperienced managers take for granted the effort each auditor must face when working with a busy control owner, and end up spending unnecessary hours calming people’s nerves or rectifying the team members’ mistakes.
Regardless of how technical or complex a process may be to the auditor, professionalism and emotional intelligence are critical areas each auditor can further develop. More attention should be paid to human interactions, improved communication and etiquette, bridging cultural differences and geographies, and building empathy with the audit audience. A best practice for audit teams pursuing better relationships with business units and process owners is training their managers to provide real-time coaching and feedback sessions, and sharing examples of ideal client interactions. Junior auditors need examples and lessons gathered from real-life experiences, not just best practices shared in a training video.
The following is a list of “soft skill” topics each auditor should incorporate into their testing routine. Mastering these topics can lead to better relationships with the business, which can lead to quicker handover of evidence and more meaningful conversations, especially during walkthrough procedures.
- Effective Critical Thinking
- Communication and Negotiation Skills
- Interviewing Techniques
- Leadership Skills
- Relationships and Interpersonal Skills
- Succession Planning
- Understanding and Applying Emotional Intelligence
Strategy 3 - Leverage technology
There are two clear technology components of every audit function: Microsoft Excel and Email.
Microsoft Excel was released in 1987 (Happy 30th Birthday, Excel!). Throughout this time, the lowly spreadsheet has evolved to be more than just a bookkeeping tool. Over time the simple spreadsheet has morphed into a workflow staple, due in part to its ability to link data across different documents and automate basic workflow tasks. Accordingly, modern audit projects require more attributes and details about a control than in years past. Whether it’s documenting the completeness and accuracy of evidence, or validating the integrity of a key report, testing procedures have evolved beyond simple attribute ticking and tying. The modern spreadsheet can handle this robust testing process, but it lacks speed, efficiency, and consistency.
However, to keep up with the ever-growing list of testing requirements, audit teams have accepted MS Excel as the cornerstone of their testing program. And, with the ever-increasing number of spreadsheets floating through the organization, shared network folders or cloud-based collaboration tools have been introduced to help coordinate the information while organizing the staff.
While this approach is manageable for teams of 3 or fewer, once audit teams exceed 3-4 people, version control issues become dramatically more complicated and much more time consuming to resolve. From past experiences as an audit manager, if one member of the team fails to make a timely edit or forgets to make updates across all test sheets, the downstream ripple effect would cost managers hours and hours of cleanup. Unfortunately, this painstaking cleanup process often goes unreported to the client and the budget is sacrificed.
So, why are teams still leveraging the spreadsheet? The answer: familiarity.
Given the complex nature of modern audit programs, audit data points often have a many-to-many relationship when it comes to risk and control mapping. Some examples include: risks that appear across multiple processes or business units, audit issues that impact multiple controls or processes, and COSO principles mapping to many controls.
The solution is to leverage an underlying database as the foundation of the audit program. Audit software constructed upon purpose-built database structures can allow auditors to quickly pull or push information to and from a database, and have those results cascade throughout the entire audit program instantly. This is far more efficient than the spreadsheet-based environment, where a control testing update would require making edits across several standalone spreadsheet files. In addition, for annual audit results to be used year over year, a spreadsheet cannot handle the large volumes of data. No amount of spreadsheet automation can compete with the speed, accuracy, and scalability of a database solution.
The good news is, as the industry has evolved, technological innovators have risen to the occasion. It is up to audit teams to understand their pain points, prioritize their organization’s needs, then carefully research the right solution to meet those needs.
The success of SOX in re-establishing investor confidence and improving internal control over financial reporting speaks to its lasting importance. There are high expectations and rules mandated year over year by regulatory bodies and external auditors. Now, the public and shareholders have come to expect a solid controls environment with every public company.
These high expectations have made quality, in-depth testing no longer an option - it’s a requirement for a company to operate successfully. However, striking that balance between quality testing vs. limited budget and staffing remains a puzzle every organization must solve.
As mentioned earlier, by reducing the total count of controls and focusing only on high-risk, high-impact areas of the business, audit teams can cut down on unnecessary testing procedures and unburden themselves from the monotony of repeating the same process year over year.
Secondly, training should go beyond regulatory and technical audit topics. Each auditor is a liaison to the business, and an ambassador for the compliance function within your organization. Train them, mentor them, and help them become a welcome member of the organization. The return on investment will go well beyond the results of a controls test.
Finally, audit technology has caught up with the demands of the audit world. However, there is an over-saturation of older, over-engineered solutions in the market. Be aware of the technology and its underlying platform. A well-made solution increases the opportunity to minimize unnecessary administrative tasks and can automate repetitive updates which are of little value to the company.
Consider the three strategies outlined, and help your audit teams unburden themselves from unnecessary expectations and focus on delivering the most valuable and cost-effective results to their organization.