SOX

There are many costs related to compliance with regulatory bodies. Clearly Sarbanes-Oxley is one of the greatest drains on compliance resources most public companies encounter.

Many sections of SOX are now considered basic best practices, such as the rules regarding Board of Directors and Audit Committee independence or loans to executives. In addition, many companies have found the process of documenting the internal control environment very eye opening – many processes and polices that were believed to be working efficiently didn’t exist at all.

Our experiences at Milo Belle have also shown that a number of companies are undergoing a scaled back SOX project for strategic purposes. Sometimes that is due to the company eyeing an IPO, other times it is because the company wants to position itself as a viable acquisition target. Regardless of the reason, it allows us to pick only the sections and principles of the act which will most benefit the company, and pay little attention to the rest.

We believe our risk-based approach, combined with our dedicated group of SOX consultants, significantly lowers the burden of SOX on companies. Every project undergoes a control rationalization process in order to reduce the total number of control activities that will be documented and tested.

In addition, our professionals are either internal audit or SOX consultants – that is what they do. Unlike many firms, we do not pull people in to projects when tax season is over or when they have some free time between audits.

Milo Belle’s Six Phased Approach To Compliance

The six phases of the Milo Belle Master Project are Scoping and Planning, Assessing Project Design, Analyzing Controls, Testing, Remediation and Monitoring.

Phase I Project Definition
Scoping and planning begins with people. The company appoints a project sponsor and steering committee. The sponsor assigns a project director and project manager. The team defines roles, responsibilities and reporting relationships and establishes the Project Management Office (PMO).

The first task of the SOX PMO is to identify PMO resource requirements and process owners within your company. SOX and internal control training strategy is developed and delivered to fieldwork staff and process owners.
The PMO designs processes to address project quality assurance, project data management, control deficiency ranking and resolution and team communication management.

The PMO ensures there is a clear understanding of key business timelines and the expectations of the external auditor.

Phase II Scope & Planning
In Phase II, the project team assesses materiality and performs an overall risk assessment. An extract of prior year-end financial data is the basis for a materiality calculation and definition. Materiality aids in determining the level of documentation and testing. In addition to a qualitative measure, quantitative measures are used to gauge the project financial scope. The risk assessment consists of several focused interviews with key members of management to identify the main areas of risk throughout the organization.

Based on the results of materiality calculation and the risk assessment, the project’s scope and approach, which includes a detailed project plan, is determined and presented to the appropriate committees.

Phase III Identify & Document
The team interviews process owners, flow-charts processes, and writes supporting narratives. The documenter populates the Control Objective Matrix (COM) with the related sub-processes and control descriptions.

The COM is the primary work paper that documents the risk assessment process. At the end of this phase, the COM maps processes to their related controls.

The project manager firms up the work plan and the financial statement scoping is ready for presentation to the Steering Committee. If necessary, the project manager incorporates the Statements on Auditing Standards Number 70 (SAS 70) requirements in to the plan to ensure resulting project documentation satisfies those requirements.

After controls are mapped in the COMs, a review of each control in context facilitates classification of each control as either primary or secondary.
The team collects evidence to populate the COM and to prepare for an assessment of the effectiveness of the primary controls.

Phase IV Testing
Once the documentation of COM’s completed (as well as other formats, as defined in the scope and approach), test scripts are written for the appropriate control activities. The test script serves as a guide to assist in validating the control activity as it was described and documented.

The fieldwork staff, with the assistance of process specialists, executes the approved test plans. Test results are analyzed and control gaps and deficiencies are identified for remediation. The tester documents deficiencies in a tracking document, the “Gap Tracker.”

Phase V Gap Tracker
Once potential deficiencies are identified, they are entered into Milo Belle’s proprietary remediation tracking system – the Gap Tracker. As the process owners are notified of deficiencies, they are tasked with identifying and implementing remediation plans. Based upon the remediation plan schedule, re-testing is scheduled and, if necessary, process documentation and test plans are adjusted to reflect the new process. Each deficiency is tracked in the GAP Tracker until re-testing verifies controls are operational.

Phase VI Monitoring
Compliance and control effectiveness are continuously monitored after initial assessment. This enables management to assert and certify, as required by SOX Section 302, that they are responsible for establishing, maintaining and regularly evaluating the effectiveness of internal controls.