SOX compliance testing validates changes made to code and verifies adherence to internal controls. All publically traded companies operating in the United States must adhere to SOX corporate governance compliance. Management work with internal auditors to create policies and controls. Testers are responsible for testing code changes to ensure accuracy.
Reasons for SOX Compliance
In the late 1990s and early 2000s, the United States uncovered and then prosecuted several prominent businesses that had deceitfully falsified financial records and/or performed insider trading. Their deception ultimately cost the citizens billions of dollars, with many also losing their jobs and retirement funds. The overall intention of SOX testing is to protect stakeholders and other investors from corporate fraud.
The Sarbanes-Oxley Act
There were several business scandals, but the most infamous concerned the Enron Corporation, a Houston-based energy company. The corruption seen in the Enron scandal was so severe that the SOX Act came into being. Its purpose is to prevent all points of failure witnessed at Enron from being repeated. Politicians Paul Sarbanes and Michael G. Oxley sponsored the bill now known as the Sarbanes-Oxley (SOX) Act that would hold top business management responsible for the financial information they report. The consequences for reporting inaccuracies would penalize management instead of stakeholders and be harsher than previous punishments.
The SOX Act applies only to business in the United States, but other countries recognized that they also needed similar laws. J-SOX and C-SOX are the Japanese and Canadian equivalents, respectively. Australia has initiated the Corporate Law Economic Reform Program Act (CLERP 9), and a United Kingdom version, UK SOx, is anticipated to roll out towards the end of 2023.
How does SOX Compliance Testing differ from other Testing Types?
The Software Development Life Cycle is still relevant for SOX-scoped testing. However, there are certain concepts that the tester must comprehend to provide the best quality, specifically controls, audits, and assessments.
Controls
Accounting controls are put into place to ensure the validity and accuracy of financial statements. There are four major types of controls.
- IT Security – This control refers to the security of the systems and their data. For example, cyber-security teams work hard at preventing hacks and breaches, and IT teams create permission types so only specific roles can view sensitive data.
- Access – This refers to the digital and physical access of data. Controls in place could be as simple as locking your workstation or using the principle of least privilege.
- Change Management – Controls that manage change typically involve onboarding, offboarding, or changes in employee positions. It can also involve new equipment or software.
- Data Backup and Retention – This control focuses on having proper data backups, ensuring the backups are as secure as the current data, and data retention. Some companies have requirements for data retention that extend for years. The archived data also needs to remain safe.
Audits
Audits can have negative connotations, but they only examine a company’s financial statement and the controls put in place to ensure their accuracy. Audits can be internal or external.
- Internal – Internal audits are performed by employees within the organization to act as a management tool, to improve processes and controls. The internal audit should find and remediate any issues before the formal external audit.
- External – Outside accounting firms perform external audits to review financial statements and controls. These audits verify the accuracy of financial statements for the benefit of the stakeholders.
Assessments
Assessments are essentially a walkthrough, typically done by management or Subject Matter Experts (SME) of all the current controls and policies. If the company is new to SOX compliance, those involved will need to dig very deep into its processes, looking for ways to improve. However, if the company already has controls in place, it may want to look for points of failure in the existing processes. Assessments differ from audits because they aim to identify where a company stands in its compliance journey, which enables the implementation of relevant improvements.
Collaboration
Communication is crucial in SOX compliance testing. Testers will need to collaborate with several people to ensure test completion.
- Management – Managers must decide if a change is considered SOX-scoped. Sometimes this is obvious within a policy, but other times it will need clarification.
- Developers – Testers are accustomed to communicating with developers, which is no different from SOX compliance testing.
- Business Analysts – A business analyst should be able to explain any requested change, the reason for the request, and the data source.
- Stakeholders – Stakeholders are the authority for SOX-scoped changes. Most often, they have put in the change request, so they should be the ones to clarify if any disputes arise.
How to Test for Compliance
Assuming the tester understands the policies and internal controls the company has initiated, then there are steps to follow for SOX compliance testing. The first step in SOX compliance is test planning. It’s essential to understand what’s being tested, the changes made, and the source of the data. Because of this, test planning and requirement analysis usually happen simultaneously.
For example, say you are testing a report that shows how much your company paid for utilities during the previous month. There was a request for change because someone wanted the report to include a new column for repairs. As the tester, you need to know what constitutes a ‘repair.’ You also need to see the data source, which could be data from a specific database table or the sum of multiple tables. The important part is to test the change and ensure the accuracy of the results.
Once you have the requirements, the second step is writing and executing test cases. A way of doing this is to write a query to find the data. Next, take a screenshot of the report with the data before the change is implemented, and then take another screenshot of the report and data after the change has been implemented. The process can sometimes be more complex, especially at a company’s year-end. For example, if a report is changed because the data needs to come from a different table, then the tester needs to know if that change will affect other reports. Collaborating with developers, DBAs, and business analysts may be necessary for verifying the data.
The most important part of SOX compliance testing is accuracy and documentation. You will need documentation for acceptance testing and as a test artifact. Typically, the stakeholder will be a coworker who ‘owns’ a report. This person may not know how to query a database, which is why screenshots of your work are essential. You may need to explain the testing steps to the stakeholder so they understand enough to sign off or reject a change.
Generally, a yearly audit is performed. However, some controls only require testing annually. This is also a convenient time to tidy up processes and documentation. Auditors will routinely provide feedback during the audit, so be sure to follow their suggestions.
SOX Compliance How to Test for Compliance Tools
Solar Winds: Solar Winds has products designed to provide customizable reports that create records of SOX compliance. In addition, there are options for access and security controls, audit trails, and detecting breaches, and it is a fundamental security tool. Pricing is not available online, but it does allow a free trial.
Onspring: Onspring is a compliance management solution that relates your controls to standards, regulations, and laws. It has a friendly, customizable dashboard for the individual user, with plenty of subscription options. There are many available integrations with programs like Jira, DocuSign, and Workday, but they do not provide pricing details online.
Workiva: Workiva is a financial reporting platform that allows users to collaborate and work from the same information. The reporting tool provides a built-in audit trail and automation tools, making compliance easier. Partnering with companies like KPMG and Bakertilly, Workiva provides excellent resources. Its website does not provide pricing.
Tips for SOX Compliance Testing
- Make sure to document as much as possible. Documentation is required for many tests, but it also helps you recall information and reasons for your actions. This is useful if an auditor has questions about your tests months after you have completed them.
- Try to keep your controls simple. You may not have the authority for this, but keeping your controls simple will save you time and make testing easier.
- Be aware of scope creep and put a stop to it. Scope creep doesn’t benefit anyone. It will make development and testing take longer, which often means missed deadlines, which irritates customers.
- Maintain your persistence. If a report is off by a cent, it can seem like no big deal to look the other way, but when you are testing as part of SOX compliance, every cent must be accounted for. Sometimes this can be tedious and take a lot of time, but the accuracy of the reports is imperative.
- Be aware of when your company’s fiscal year ends. They may have policies about taking vacations or mandatory overtime during this time.
Conclusion
SOX compliance testing can be tedious work and seem intimidating. But, in reality, it is rewarding knowing that you are providing security for your company, your coworkers, and stakeholders by assuring financial data is secure and accurate.