
#36 | Part 1 – Tick Tock Setting the SOX Clock

We will be learning how to build an annual project timeline for SOX 404 compliance. In this session, we dive into a lot of details on how we build a project timeline and the rationale behind it. We answer questions like:

  1. What does the annual SOX timeline look like?
  2. What key activities & processes to include in the timeline?
  3. When should we do the risk assessment?
  4. When should we do the COSO 2013 framework mapping?
  5. When should we do reports & spreadsheets testing?
  6. Should we include Audit Committee meetings?
  7. Should we include external auditors?

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

What does the annual SOX timeline look like?

[Image: SOX 404 Project Timeline] Fig. 1 – SOX 404 Annual timeline

Here is an annual SOX 404 project timeline assuming the year-end is December 31.  If your year-end is different, you can shift the months to meet your circumstances.

We have a column on the left listing the major activities that we have to do for SOX. The top row is listing of the months and weeks within the month.

[Image: SOX 404 month listing]

We started with February 2016 and extended it to February 2017. The reason we start SOX planning around February or March is that January is one of the busiest times for accounting teams. You are closing out the previous year, wrapping up the financial statement audit, wrapping up the SOX audit, preparing 10-Ks, preparing press releases, and preparing for board meetings, so you don’t have time. By the time all of that is done, most companies start planning in March.

[Image: SOX 404 processes timeline] Fig. 3 – Processes column timeline

What key activities & processes to include in the timeline?

Let’s go down the list of activities that we need to do. We have the basic risk assessment and planning, COSO 2013 framework mapping, equity process, order-to-cash, financial close and reporting, fixed assets, HR payroll, IT general controls, entity level controls, procure-to-pay, tax, treasury. What’s missing on here is an inventory cycle.

If your company has inventory, you would need an inventory process. If your company has large construction projects (maybe you’re in the construction industry), you will need construction management or construction project financing because those are key processes.

Let’s walk through the logic of how we laid out certain activities to happen during certain months. Here is a colorful legend of activities.

[Image: SOX 404 Project Timeline legend] Fig. 4 – SOX 404 Annual timeline legend

This looks like a fruity-tootie type of colored Gantt chart because we have color coded it to see when the activities are happening. Dark blue is the documentation, green is walkthrough, etc.

When should we do the risk assessment?

We kick off all SOX 404 projects with risk assessment and planning, which is why it is the first item. In previous training sessions, we discussed starting with a top-down approach. So you want to do the materiality and risk assessment first so that you can plan out which processes and which controls to focus on instead of overdoing the work.

The risk assessment usually takes about a week or two. The activity itself doesn’t take a whole two weeks. You want to reach out and talk to your management team. If you’re the controller preparing this or you’re the SOX director preparing this, you want to talk with the controller and CFO to make sure that the risks that you’ve assigned make sense.

When should we do the COSO 2013 framework mapping?

The next part is the COSO 2013 framework mapping. If you are already a public company, you’ve done your COSO 2013 mapping because it was required to be adopted in 2013 or 2014. But if your company is new to SOX compliance or getting ready for an IPO, this is an activity that you’ll need to do.

[Image: SOX 404 COSO framework mapping] Fig. 5 – COSO 2013 framework mapping

Now, why do I have the COSO mapping all the way out in June?

The reason is efficiency. If we map controls to the COSO 2013 framework in February or March, before the processes and controls are final, we risk having to redo the work if the processes change. Doing the COSO mapping in June lets us step back and take a holistic view of where all the controls fall across the 17 principles. In June, you may find some gaps, and there’s still time to implement controls to close them before year-end testing.

When should we do reports & spreadsheets testing?

We included report and spreadsheet testing in the timeline so that we remember to schedule it. There is more of an emphasis now on testing reports so we plan for this before it becomes a rush job for IT.

Should we include Audit Committee meetings?

Notice in our timeline that we built in a placeholder for the audit committee meetings. The reason is that audit committee meetings typically happen 4 times a year. About a week before each audit committee meeting, management will need the results of our testing and progress. So it’s good planning to build the audit committee meetings into the timeline so we know when one is coming up and can send our slides before the deadline.

Should we include external auditors?

The short answer is yes, include the external auditors. We put it on our timeline to remind ourselves to talk with them about the risk assessment, our documentation and our testing results.

To recap, today we covered building the SOX project timeline and the rationale for:
