
5 Questions From the Mailbag: How to Manage SOX Deficiencies Across the Three Lines
Tackling top concerns of the deficiency management process.
The process for managing SOX deficiencies can often feel inefficient or overengineered.
There’s the utopian ideal — and then there’s reality. In the utopian solution:
- First-line control owners and their managers are accountable for remediation activities for any issues or observations they need to address related to their SOX controls. This includes obtaining and assigning resources to implement remediation plans, communicating remediation status and closure, and training team members on what needs to happen going forward.
- A second-line SOX function:
  - Provides first-line control owners with guidance and coaching on developing a remediation action plan, making sure the proposed plan addresses the risks as perceived by the SOX team.
  - Acts as an accountability partner to ensure remediation is being done in a timely manner and control owners have taken full responsibility to remediate the deficiency.
- A third-line Internal Audit team provides independent assurance validating that the deficiency has been remediated as agreed to in management’s action plan.
- Action plans, dates, status reports, handoffs, and signoffs are tracked and documented in a single source of truth that provides all parties with ongoing visibility and transparency on remediation plans and progress.
But as we all know, for most SOX teams, life ain’t that simple.
For example, maybe they don’t have a second line. Maybe the SOX deficiency remediation process isn’t mature, happening 100% manually. Maybe the process happens across disjointed technologies that can’t share information.
Whatever the case, SOX deficiency remediation in the real world is often more complicated.
Recently, there’s been a lot of chatter in the Internal Audit Collective about SOX deficiencies and the practices teams use to close out deficiencies without any hiccups.
With such a great conversation happening, the Collective hosted a roundtable discussion with 15 SOX and Internal Audit leaders discussing the SOX deficiency remediation process, including roles, responsibilities, best practices, and why the process is so important.
To change things up, this week’s newsletter shares highlights from both the roundtable discussion and our ongoing forum conversations. And we’re gonna do this mailbag-style, asking/answering five key questions to help you manage your SOX deficiency process more effectively.
Question 1: How should I think about the SOX deficiency process if my company doesn’t have a second-line SOX function?
When the second line is missing, first-line control owners may push responsibility for remediating the SOX deficiency onto the third line — which means that Internal Audit could be perceived as doing management’s work. Leading practices for responding include:
- Drawing clear lines separating SOX deficiency remediation roles. First-line management owns the controls and the responsibility to remediate any control deficiencies, and third-line Internal Audit owns the control remediation framework, i.e., the process followed to achieve remediation. While roundtable participants acknowledge that the process remains collaborative, they constantly reiterate that management is responsible for selecting the action plan, agreeing on a timeline, and working toward remediation; the third line is responsible for making sure the first line hits those milestones.
- Establishing a 1.5 line. One Internal Audit leader shared that his team has a 1.5-line controls team that helps management triage any deficiencies and serves as an accountability partner. Anyone can identify and open the issue, but the 1.5 line works with management to input the information into AuditBoard, come up with and document a remediation plan, and then mark it as “pending remediation.” When the 1.5 line reports that it is “remediated,” the third line picks it up to perform retesting.
Question 2: What are some ways to keep issue owners on track for timely issue remediation?
First-line control owners may promise remediation by a certain date — and then quietly put it on the back burner.
When organizations don’t have second-line accountability partners in place, remediation often stays on the back burner, and the third line ultimately finds out it hasn’t occurred. Of course, even with a second-line team, SOX deficiency remediation efforts often lag.
Many teams are finding ways to use their audit management system (AMS) to act as a virtual accountability partner. For example, some teams:
- Create clean, reportable, purpose-specific date fields. Customize your AMS with fields that track the dates that are most important for your team. For example, one leader shared that his team had Workiva create date fields tracking the date of failure, the date remediation was requested, and the date management expects the remediated control to be available for testing. The team can use those dates, plus information about the type of remediation (e.g., how simple or complex), to gain visibility on and extrapolate the earliest possible date of remediation and the likely retesting timeline. Another leader shared that her custom AuditBoard fields are target remediation date, action plan date (i.e., when management’s action plan has been completed), and target closure date (i.e., when retesting is complete).
- Use the AMS to create a list view of open or upcoming issues. One leader’s team uses AuditBoard’s comment field to provide status report information (e.g., testing progress), and then uses the list view function to quickly see what’s been completed to date. While they can’t see that information in their dashboard view, the list view displays it — and they can also directly type into the comments field in the list view. The list view is also filterable, enabling individual team members to see the three or four issues that pertain to them.
Question 3: What happens if I have one or more significant deficiencies or material weaknesses to remediate?
The process of working with control owners should be similar, but there are new players you’ll need to work with — your External Auditors.
Because material weaknesses that still exist at year end must be disclosed in the organization’s 10-K, you’ll need to work with your External Auditor to demonstrate that these deficiencies have been remediated on time and as expected.
Recently on the forum, Collective member and Internal Audit Executive Jeff Wright shared his five-step process to successfully work with External Auditors to close out material weaknesses. He received a ton of positive feedback on his approach, so (with his permission) I’m sharing a genericized version here, along with some italicized notes providing background:
- Establish joint meetings with management and the External Auditor to lay out the revised remediation plans and gain consensus on scope, control objectives, and needed deliverables. Ensure that management provides the required periodic updates directly to the audit committee.
- The External Auditor’s local office reviews/approves the remediation documents, sending them to their National Office to sign off on final clearance.
- Internal Audit lays out draft memos outlining management’s scope, approach, process design, and Internal Audit’s supporting walkthroughs, test of design (TDE), and test of operating effectiveness (TOE) for the new process. *(In this team’s case, the External Auditor was receptive to this approach and actually provided feedback/guidance on TDE/TOE evidence.)*
- Internal Audit tracks the updated controls, remediation, and supporting testing to have the memo approved by year end. *(The team’s goal had been to test the new controls in Q2 and Q3 and have the External Auditor test them in Q4 so they would be remediated prior to year end. However, the External Auditor needed Q4 in their sample, so that plan did not fly.)*
- The material weakness undergoes year-end testing by the External Auditor to finalize testing results and memos.
Many leaders chimed in echoing this guidance. The consensus was that successfully resolving material weaknesses with the External Auditor requires Internal Audit to proactively drive the process and communications and help ensure management accountability.
Question 4: Is there anything else I should be doing to help remediate any of these issues?
Well, this isn’t the right question to ask.
I’d recommend reframing this question: What can I be doing to prevent these issues from occurring, so that nothing NEEDS timely remediation?
Here are three things to consider to prevent such issues from occurring in the future:
- Tone from the top. Do you have appropriate support from the Audit Committee (AC) Chair, CEO, and CFO? Are they setting the appropriate tone at the top to ensure that control owners understand (1) management’s and the audit committee’s expectations of what’s required of them and (2) that there’s low tolerance for control deficiencies?
- SME positioning. Are control owners aware of who they can reach out to in order to ask questions and seek advice about strengthening controls? Does the SOX team (whether they’re second or third line) have a process to provide training that highlights that they’re there to provide advice, not just to “test controls”?
- Better Controls Management. Can you leverage your AMS to not just store documentation for “tested” controls, but to enable control owners to store ALL of their controls documentation? That way, the SOX and Internal Audit teams can pre-review control work and identify/address potential control issues before management or external audit testing occurs.
Question 5: Why should I care about the issue management process anyway? This is an administrative process at best.
Au contraire mon frere.
Some of the best Internal Audit and SOX teams are leaning into the issue management process as a precursor to help them drive connected risk approaches in their organizations.
Why start with the issue management process? Because, as a SOX and Internal Audit leader:
- You already have an issue management process in place. Adding more issues to an existing process will create efficiencies for the enterprise, as opposed to every second-line function having their own issue resolution process. Plus, if you’re in Internal Audit, you are already deemed “independent” from the business, making it an ideal process for you to manage.
- You already have wide-ranging risk and controls subject matter expertise. You can provide guidance on how to improve any type of control, not just financial reporting controls.
- You can offer better risk feedback and advice. With your awareness of the full range of enterprise issues and risk remediation plans, you’ll be better-suited to evaluate trends and root causes to help business leaders connect the dots on why issues occur. Plus, by evaluating issues in the aggregate, you’ll have a better appreciation of their impact on the achievement of organizational objectives and how key risks are being managed.
The Big Takeaway: Insist on a System and Have a Process
As one Internal Audit leader summed up during the roundtable, every organization’s SOX deficiency remediation process will vary based on its available resources, inputs, and technologies; maturity; industry; risk profile; and other variables.
The common thread running through any remediation process, however, is that you need some sort of system or framework that all three lines agree on and adhere to.
He said, “Issue management comes down to organizational clarity. How realistic is it that you’re going to be able to optimize any of this without systematization? You’ve got to stick up for yourself and acknowledge that it’s ridiculous to try to do all of this without a system. You’ve got to go to bat for your team and say, ‘This is what we need to function as an organization,’ and clarify roles and responsibilities. You can move forward from there.”
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed community to gain perspectives, share templates, expand your network, and keep a pulse on what’s happening in Internal Audit and SOX compliance.