Reduce Risk and Drive Enhanced Decision-Making: Importance of Key Reports in SOX 404 Assessments

As part of the SOX 404 ICFR assessments, management is required to demonstrate adequate analysis of the information used in the execution of key controls through appropriate validation procedures.

An EG Point of View 

Data and report accuracy & completeness has never been more critical. 

Data, its use and its reliability, are critical to good decision-making in managing business performance. Increasingly heavy reliance on complex technology infrastructures and systems has brought a corresponding focus on the accuracy and reliability of the underlying data used in business operations and in the execution of the key internal control activities that depend on that data. To that end, system-generated data in the form of reports has become a regulatory focus in both financial statement audits and internal control over financial reporting (ICFR) assessments, since inaccurate or incomplete data could lead to material misstatements. In fact, one of the biggest areas of concern noted in the Public Company Accounting Oversight Board (PCAOB) inspections of external audit firms has been inadequate validation of the information (data) used in the operation of controls. Not surprisingly, this is also precisely where we are seeing a surge in work effort to address the issue. 


What are the different types of reports?  

Reports are ubiquitous tools used to drive critical business decisions and to report on the financial and operational health of the business. From trial balances, transaction listings, and variance reports to queries run against systems like Oracle or SAP, reports must be complete and accurate not only to support key business decisions but also to ensure controls are executed with the right data, avoiding the risk of potential misstatement. Key reports can be categorized into three main types:  

  1. Standard (canned) reports: Pre-designed (out-of-the-box) by the system vendor; the source code cannot be modified by end users or their IT departments.
  2. Custom reports: Tailored by the company's IT team or developed by the application's power users to pull data based on specific business needs (e.g. particular data elements or records).
  3. Query-based reports: Built by business end users, either by selecting criteria such as period or G/L account activity or by writing queries in a language like SQL, to pull specific data.


What are management’s responsibilities over information used in key reports for ICFR purposes? 

As part of the SOX 404 ICFR assessments, management is required to demonstrate adequate analysis of the information used in the execution of key controls through appropriate validation procedures. This analysis will allow management to address key risks surrounding data input, extraction, and manipulation to ensure reliability of information to drive successful business outcomes. Key focus points are: 

  1. Identification and validation: Management is responsible for developing and maintaining an inventory of all key reports used in the execution of key controls and/or used to provide population requests to auditors, and for baselining those reports for completeness and accuracy to verify their reliability.  
  2. Modifications: It is essential to identify and evaluate any report modifications arising from changed business requirements or vendor-driven changes. Modifications may require additional baselining or testing to confirm the report remains both accurate and complete, and each change must follow a well-designed change management process that maintains an audit trail.  
  3. IT general controls: The source IT systems from which the reports are run must be subject to effective ITGCs such as logical access security, privileged access management, and change management; these controls help maintain the integrity and reliability of the reports.
  4. Documentation and evidence: Thorough documentation and evidence of the procedures performed during report generation and validation are critical for demonstrating compliance and for supporting the reliability of the reports.

Our Point of View: 

As usual in the business of risk management and mitigation, an ounce of prevention is worth a pound of cure. In this instance, "prevention" means training people to understand their data. It is vital that companies focus on good data hygiene policies (e.g. data governance) and devote adequate resources to communication and training so that process and control owners follow best practices for maintaining data integrity. Training should also cover how to address the various risks associated with key reports. This will not only mitigate risk and protect the integrity of the company's financial position and disclosures for a successful ICFR audit, but also guard against rising external audit fees and potential fines or sanctions from regulators such as the SEC. It can also help manage operational inefficiencies and detect potential fraud early. Finally, it gives executives and the Board more confidence in the financials and metrics, enables better forecasting, and builds stronger investor trust. 


Case In Point 

Reports Inventory & Baselining: 

A large healthcare client had material weaknesses in its control environment driven by the lack of adequate controls over the key reports used in SOX controls. To address these issues, we partnered with the company's Internal Audit team and performed a complete inventory of the reports used in SOX controls, including their source systems. The team then completed validation procedures to assess the accuracy and completeness of those reports as a baselining exercise. This exercise gave the company assurance that no reports were missing and gave owners full visibility of every report in use and the data within it.  


Ongoing Validation of report modifications: 

A global provider of data, insights, and analytics addressed its data-related risks by requiring that all baselined key reports be subject to appropriate IT general controls and that every modification be validated by the control owners. This ensured that all report modifications went through the appropriate IT change management procedures. The company documented the change management process for these reports and trained both IT and the business process owners to perform timely validation before a change went into production. 


Top 7 Takeaways for management:

This reliance on data is only going to increase, especially with the growth of AI and other data-driven tools and technologies. Companies that take proactive, preemptive measures to safeguard data integrity and the related controls will not only have stronger reporting for decision support but will also have a more effective and efficient audit. We recommend:   

  1. Complete a full inventory of the key reports used in SOX controls, and keep the inventory current as reports are added or changed. 
  2. For each report, identify the source system, its business use, the key fields relied on by control owners, and the key control activities it supports. 
  3. Confirm that these source systems are subject to IT general controls (ITGCs). 
  4. Baseline these reports for accuracy and completeness and record the date of the baseline.
  5. Ensure these key reports are also subject to appropriate ITGCs for future report modifications.  
  6. Maintain documentation and evidence to support management's due diligence and the auditors' review. 
  7. Engage an expert advisory firm with experience in both IT and the business to support you in this initiative. 

Are you looking for support with your SOX 404 assessments? We're here to help. Learn more about how we can support your goals and contact us here. 
