#38 | Best Practices for SOX Kick-off Meetings
It’s always worthwhile to apply effective best practices to SOX kick-off meetings. A kick-off is not just a meet-and-greet; it’s the opportunity to set expectations and align the project team and the client so that a SOX project can be launched or improved successfully.
We will cover the best practices of holding a kick-off meeting for SOX 404. The agenda items are:
- Communication frequency & channel
- Expected changes in testing procedures
- Update of control changes
- Areas of enhanced focus
- Timeline & deadlines
- Audit Committee involvement
- Source data for testing
- Expectations between client and auditors
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Kick-Off Meetings
I recently got an urgent call from one of our long-time clients. The sign-off date had been delayed at the last minute. Why? It turns out that external auditors were testing transactions in Q4 and they weren’t able to find enough samples in Q4 and had to expand the testing to include the whole year. The client was upset because the auditors were doing additional testing that our client was not used to. The files were stored offsite and had to be retrieved, which delayed the whole audit process.
How can we avoid these last-minute mad dashes to the finish line? Have a thoughtful kick-off meeting at the beginning of each year. Discuss things upfront with your auditors, particularly the IT auditors. That’s where we find a lot of disconnect, because the audit firms have two separate teams and, oftentimes, the finance side is very much aligned but the IT team is not.
Hold kick-off meetings with the SOX team, internal audit team, external auditors and management to proactively discuss the agenda items below.
Communication frequency & channel
The theme here is “communicate, communicate, and communicate”. You have to decide on the frequency and channel of the communication. How often do you meet? In person, email or call in for updates? Weekly? Monthly? Every 2 months? Who should be included?
Expected changes in testing procedures
What are the auditors doing differently this year? Has the timing changed? What do the auditors need and WHY? What was acceptable last year may not be enough this year. How can we plan for it?
Update on control language
It is important that we communicate to the auditors any changes in controls themselves or the control descriptions so that they can change their test procedures. Or maybe it’s the SOX auditors who need to change things.
Areas of enhanced focus
For the external auditors, what are the areas of enhanced focus this year? What new SEC or PCAOB guidance was recently passed that we need to plan for? This is a conversation so that, as the company, we can see if the areas of enhanced focus apply to us. We can help educate the auditors on why they do or do not apply to us.
Timelines & deadlines
Timelines and deadlines are critical. Ensure that we put together the timelines in advance and share them with the auditors. We want everybody to be aligned and working together. Make sure that the auditors reserve staffing to match our timing. This ensures that quarter-end and year-end are not rush jobs with lots of headaches.
Audit Committee involvement
When the audit committee meetings occur is very important. It sometimes dictates when certain tasks are due. We make sure that the right materials are sent to the audit committee the week before the audit committee meeting happens. Ideally, we are coordinating and summarizing information two weeks before the audit committee meeting so that there aren’t any surprises when we send it to the audit committee.
Source data for testing
During these kick-off meetings, it is important to understand the sources of data used by the auditors, including the IT auditors. It could be key reports, spreadsheets or systems. What’s the objective of the tests? Where is data being pulled from?
We had a case of over-testing because of this lack of clarity. The IT auditors requested a report of journal entries posted, same as last year (SALY). What the client sent was a list of all system and manual journal entries posted. The disconnect happened because the company had switched from Oracle to NetSuite. The Oracle report that the auditors used in the previous year had filtered out ‘system generated’ journal entries. This year, the auditors had selected many samples that did not meet their criteria and had to re-select more samples.
Expectations between company and auditors
As with any relationship, setting clear expectations up front can save us a lot of headaches. After we send the PBC (prepared by client) request to the auditors, when can we expect a response? What is the turnaround time? When can management realistically commit to sending the requested information? 2 days? 5 days?
Finally, document the conclusions that we reached in the kick-off meeting and send a summary to everyone who attended. It’s a good reminder of what was discussed in case new team members join the project. It’s also a good CYA (cover your ass).
Summary
To recap, we discussed ways to ensure a SOX audit goes smoothly. Holding a productive kick-off meeting is one of the key ingredients. The agenda for the kick-off includes: