What is SOX?
The Sarbanes-Oxley Act of 2002 (SOX or Sarbox) became public law on July 30th, 2002, as a result of the early 2000s financial scandals (Enron, Worldcom, etc). Its purpose is to protect investors through improving the veracity of disclosures from publicly traded companies.
SOX consists of 11 titles, or sections. They range from the creation of the Public Company Accounting Oversight Board (PCAOB) to corporate and criminal fraud accountability. In this post, we’ll focus on Title IV: Enhanced Financial Disclosures. Specifically, we’ll look at Section 404 and how it relates to end user computing (EUC) applications such as spreadsheets.
Sarbanes-Oxley (SOX) Section 404 basics
Section 404 requires firms to provide an internal control over financial reporting (ICFR) report with each annual filing. The report should include:
- Statement of management’s responsibilities in maintaining suitable ICFR control framework and processes
- An ICFR assessment attested by a registered public accounting firm
SOX Section 404 compliance
Aside from establishing management’s statement on ICFR, Section 404 doesn’t go into specifics on the “how.” Instead, we can examine guidance from the Securities and Exchange Commission (SEC) and specifically the PCAOB’s ICFR auditing standards.
Auditors look for any material weaknesses in the company’s ICFR. Even one material weakness means that the controls are ineffective.
Auditors will trace financial statements back through the flow of transactions, looking for any weak points within the financial reporting process. Any implemented controls that address these weaknesses will be identified. Auditors may also perform a walkthrough, following company processes (including IT systems) when looking for sources of misstatement.
While this explanation is far from comprehensive, it illustrates the idea that everything in your financial reporting process is under scrutiny. For most organizations, that also means their spreadsheets and other end user computing (EUC) applications are in scope.
- Management of public companies assesses the effectiveness of ICFR
- Public companies’ auditors attest to and report on management’s assessment
- Any spreadsheet directly or indirectly used in the financial reporting process falls under a company’s SOX compliance program
How SOX Section 404 applies to EUCs like spreadsheets
The role of EUCs in financial reporting
EUCs are flexible, powerful tools that allow end users to create purpose-built applications and models. Common EUC applications include Excel spreadsheets, Access databases, Python scripts, and R scripts. Developing an EUC application doesn’t require IT resources, allowing end users to forecast and analyze data quickly.
These applications play a big role in companies’ financial close and regulatory reporting cycles. For example, they are often used for:
- P&L
- balance sheet
- cash flow
- financial modelling
- budgeting
- forecasting
- account reconciliations
- and more
While tech-forward organizations use dedicated software for these functions, EUCs are still frequently used somewhere in their financial reporting process. In fact, ninety-eight percent of companies consider spreadsheets critical to their financial reporting processes. It’s no wonder Microsoft Excel spreadsheets are ubiquitous in most organizations.
Yet eighty-eight percent of all spreadsheets contain formula or data lineage errors. This reflects the inherent risk of EUCs, which stems from:
- Lack of built-in controls
- Their human-generated nature, which means errors are inevitable
Public companies, or companies aiming to go public, are facing increasingly complex SOX environments. They must manage lawmakers, regulatory pressures, financial and reputational risks, and the company’s valuation. Financial reporting plays into all these factors and any issues can have far-reaching consequences.
Where things can go wrong with your EUCs
Errors and process deficiencies are often the key causes of an EUC-related significant deficiency or material weakness in ICFR.
Human errors can cause:
- Material misstatements
- Misinformed decision-making
- Incorrect investments
Process-related deficiencies often result in:
- Lack of defined EUC management policy
- Failure to effectively apply controls specified within the policy
- Failure to demonstrate year-over-year improvement
The repercussions of these errors and process deficiencies can be costly and damaging.
Errors within a value at risk (VaR) spreadsheet contributed to a $6B+ loss.
SOX 404 compliance for spreadsheets & other EUCs
The first step in addressing SOX 404 compliance for EUCs is to establish a framework or policy. A SOX framework should be segmented into three key parts:
- Identify: Identification of critical EUC files
- Inventory: Build, maintain, and evidence a comprehensive EUC inventory
- Control: Manage EUC risk by applying file-level controls
Additionally, analytics on all three components should roll up into audit and management reporting.
Identifying EUCs
Governance teams must evidence that they have located each EUC application that supports the financial reporting process. Any EUC that directly feeds, supports, or validates a company’s financial reporting process is within scope. While identification by end users can be effective, it is not enough on its own. You must be able to answer the question, “Are you sure you’ve found everything?”
Inventorying EUCs
Build and maintain a central inventory to track the lifecycle of key financial EUCs, e.g., where they are saved and managed. The inventory should associate key data elements against each file to understand and evidence ownership, supported business process, and risk profile.
You should use standard assessment metrics to define the risk profile of each EUC. This, in turn, helps dictate the internal controls that should be applied and who owns those controls. Furthermore, you must annually attest that the inventory is up to date and valid.
EUC Controls
Assess a file’s integrity and data lineage to ensure it’s fit for purpose and free from errors, including logic, data, and calculation errors. Then apply access, version, and change management controls, ensuring the controls are consistently applied to all critical files. If any significant changes are made to a file, ensure they are reviewed and approved.
- Access Control: Track the individuals who open or modify critical files to ensure only authorized users are making changes.
- Version Control: View all historical versions of the file and access these files when necessary.
- Change Management Control: Evidence effective review and approval controls around material change.
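The three-part framework above (Identify, Inventory, Control) can be prototyped with very little code. The following is an added example written for this post, not code from the original article or from any SOX compliance product: it walks a share for candidate EUC files, records each one in an inventory with an owner, supported process and a risk tier, pins the approved version by its SHA-256 content hash, and reports any file whose current content no longer matches the last approved version. The risk weights, the file-extension list, the owner/approver names and the sample files are all constructed assumptions for the demonstration.

```python
"""Minimal EUC inventory and file-level control check (added example, stdlib only)."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path

# Assumed risk criteria for the example; a real policy defines its own metrics.
RISK_WEIGHTS = {"feeds_financial_statements": 3, "complex_formulas": 2, "manual_inputs": 1}
# Assumed list of file types treated as EUC candidates (spreadsheets, Access, scripts).
EUC_EXTENSIONS = (".xlsx", ".xlsm", ".xls", ".accdb", ".py", ".r")


def sha256_file(path):
    """Content hash used as the version identifier of an EUC file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_candidates(root):
    """Identify: walk a share and list every file that could be an in-scope EUC."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in EUC_EXTENSIONS)


@dataclass
class EucRecord:
    """Inventory: one entry per critical file with ownership, process and risk data."""
    path: str
    owner: str
    process: str
    attributes: dict
    versions: list = field(default_factory=list)  # approved versions, newest last

    def risk_score(self):
        return sum(w for k, w in RISK_WEIGHTS.items() if self.attributes.get(k))

    def risk_tier(self):
        s = self.risk_score()
        return "high" if s >= 4 else "medium" if s >= 2 else "low"

    def approved_hash(self):
        return self.versions[-1]["sha256"] if self.versions else None


class EucInventory:
    def __init__(self):
        self.records = {}

    def _record_version(self, rec, approved_by):
        rec.versions.append({"sha256": sha256_file(rec.path), "approved_by": approved_by,
                             "ts": datetime.now(timezone.utc).isoformat()})

    def register(self, path, owner, process, attributes, approved_by):
        rec = EucRecord(str(path), owner, process, attributes)
        self.records[str(path)] = rec
        self._record_version(rec, approved_by)
        return rec

    def approve_change(self, path, approved_by):
        """Change management: a reviewer other than the owner signs off the current content."""
        rec = self.records[str(path)]
        if approved_by == rec.owner:
            raise ValueError("change must be approved by someone other than the file owner")
        self._record_version(rec, approved_by)

    def check_integrity(self):
        """Control check: compare each file's current hash with its last approved version."""
        results = {}
        for path, rec in self.records.items():
            if not os.path.exists(path):
                results[path] = "MISSING"
            elif sha256_file(path) != rec.approved_hash():
                results[path] = "UNAPPROVED_CHANGE"
            else:
                results[path] = "ok"
        return results

    def to_json(self):
        """Evidence for audit: the full inventory with version history and risk tier."""
        return json.dumps([{**asdict(r), "risk_tier": r.risk_tier()}
                           for r in self.records.values()], indent=2)


def run_demo():
    """Constructed scenario: two EUCs on a fake share; one is edited without review."""
    root = Path(tempfile.mkdtemp())
    recon = root / "close" / "bank_recon.xlsx"
    model = root / "fpa" / "forecast_model.py"
    notes = root / "readme.txt"  # not an EUC candidate; should be ignored
    for p in (recon, model, notes):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content for " + p.name.encode())

    found = identify_candidates(root)
    inv = EucInventory()
    inv.register(recon, "alice", "month-end close",
                 {"feeds_financial_statements": True, "manual_inputs": True}, approved_by="bob")
    inv.register(model, "carol", "forecasting", {"complex_formulas": True}, approved_by="dave")

    recon.write_bytes(b"edited without review")  # simulated unapproved change
    before = inv.check_integrity()
    inv.approve_change(recon, approved_by="bob")  # reviewer signs off the new version
    after = inv.check_integrity()
    return {"candidates": [p.name for p in found],
            "tiers": {Path(r.path).name: r.risk_tier() for r in inv.records.values()},
            "before": before[str(recon)], "after": after[str(recon)]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script flags `bank_recon.xlsx` as `UNAPPROVED_CHANGE` after the edit and as `ok` once a reviewer other than the owner approves it, which is the evidence trail an auditor walking through the close process would ask for. Hashing content rather than relying on modification timestamps matters because timestamps are trivially changed; access logging and the approval workflow itself are left to the file share or the SOX software layered on top.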
SOX compliance software
Once a SOX policy is established, you should consider enabling the policy through technology. Dedicated SOX compliance software helps to ensure that end users take responsibility for policy compliance. Good software should not get in the way of leveraging the ease and flexibility of EUC applications.
SOX compliance software should also be scalable across the enterprise. It should have the flexibility to meet the unique requirements of each company’s financial reporting process. For example, an organization with multiple subsidiaries may need a solution that works across different shared drive structures.
Next Steps
Learn how to create or enhance an existing SOX policy with our Best Practice Guide. It provides best practices for establishing or enhancing a SOX policy for spreadsheets and other applications that support financial reporting processes. Additionally, it provides details on how technology can be leveraged to enable and automate your policy.