4 Steps to a successful SOX Audit you may not have considered

"Users have the opportunity to bypass the controls within the application to upload data not just into the application itself but into the fabric of Financial reporting"

The Sarbanes Oxley Act was passed in 2002, and while nothing new, continues to create headaches for organizations that are required to comply, even after all these years!

Reports Complete and Accurate?

The SOX Audit.

A successful SOX Audit results in a clear sign off that Financial Reporting to investors, shareholders and the markets can be trusted. Going back to 2007, just five years after its passing the effects were felt:

During 2006 there were 1,786 financial restatements, compared to just 452 during 2001 -one year before SOX's passing. See this Compliance Week article.

In some respects that number might seem to be a problem, but the reality is that SOX showed early on that this regulation would enforce better business. SOX Compliance is perhaps a result of being able to report to the markets, and that having SOX Control is a form of check mark for creating trust with stakeholders.

Here at Seecuring we have assisted both publicly traded organizations and those that are private, for those that are private the driver is the need to raise investment or future plans to go public. In many cases, private organizations have realized the benefits of following SoX Compliance to create the same level of trust as their public counterparts. Great governance is a great way to build bridges as organizations grow.

The following are areas that we have identified as becoming more of a challenge for customers beyond the standard requirements for SoX Audits and SoX Compliance as a whole:

1. Validating changes to vendor delivered reports and output.

In order to create financial reporting output many organizations rely on the delivered reports from the vendor's ERP application. Quite often the specification of these reports are aligned with the type of Financial Reporting needed for Publicly Traded companies to provide. This makes reporting easy, as you have delivered, pre-canned reports that many other customers are using.

However, what happens when a vendor changes one or more of these reports in an update? How do you know what the impact will be on your reporting if the vendor has changed the output?

A key consideration during your application's upgrade (a frequent process for Cloud applications) is to review and test changes to the vendor's reporting methods, particularly anything that is delivered - have they changed? what is the impact? The risk we are trying to avoid is that the reports being relied have changed and may have an impact on how reporting is presented. The last thing you need are errors and misstatements based on a simple change.

2. Application configurations in control analysis.

When reviewing internal controls and particular areas such as Segregation of Duties the vast majority of audits focus on the transactions. Can a User Enter and Approve a Transaction?
But what about users that can configure transactions and then run them? It sounds obvious but most are not looking at these types of controls. The reason is down to the fact that configurations are not reported on as part of Financial Reporting, the transactions themselves are. Should a user be able to configure Journal Entry process and then run them, what happens if they configure a transaction to error or for personal gain, then reset it once fraud has been committed? Configurations within the Applications in scope for audit should be segregated and effectively controlled. We also recommend that auditing be switched on for these low volume high risk processes

3. Delivered configurations for Finance and Accounting analysis.

In all the applications we have tested, customers used some or all of the delivered security and configurations from the vendor. This makes sense from a need to get implemented quickly or the reliance on the idea that the vendor has an understanding of how business processes should work. The flipside to this is that vendors are not qualified/vetted compliance/audit professionals. The reality is that many of these configurations are over provisioned, users granted access to these Roles are given more than what should be granted. Accounts Receivable roles be given the opportunity to create and maintain transaction along with approve them. You may be surprised at the simplicity of a risk like this being incorporated, but it happens and is happening in the most prominent applications on the market.

4. Data upload as a weakness.

ERP Applications provide a controlled environment for entering and maintaining financial transactions, backed up by functionality such as workflow approval. The process flows by themselves represent an opportunity to establish the ways in which Financial data is handled and approved.
Data upload has been the process of choice for getting from on-premises applications into Cloud applications. The ability to upload data from your legacy systems to the new one is a great way to shorten the process of cutting over from to another.
For your efforts related to SoX Compliance data upload presents something of a challenge. The reason is that many new applications that are cloud based offer the ability to upload data without approval or any kind of staging. Journals for example can be uploaded into many applications without approval! Users have the opportunity to bypass the controls within the application to upload data not just into the application itself but into the fabric of Financial reporting and potentially alter the outcome of organization performance.

Don't just take our word for it

The PCAOB and various audit organizations are starting to shift their focus to incorporate some of the developments mentioned in this article. Regardless of whether your organization starts to accomodate some of these points, you may not have a choice down the road...

Effective Controls

If you are utilizing the delivered Security and Configuration within your Applications, there is a good chance you have Segregation of Duty violations. Seecuring will assist you with establishing and reporting on the issues you have through to helping remediate the issues (which usually represents the biggest and most time consuming aspect of implementing internal controls). Specifically, Seecuring delivers:

We have been working with ERP/HCM Applications since the early 2000's, and work with leading CPA's, Audit staff and Application specialists to deliver a complete solution.

Before you invest in expensive Software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues - we help Organizations achieve their goals for Internal Controls.

To discuss your requirements, you can schedule a call with us:

Contact Us


Understanding Role Delegations in Oracle ERP/HCM Cloud

Continue Reading...

Fraud and Data Loss - one and the same?

Securing the Financial Close