The Sarbanes-Oxley Act of 2002 added new requirements for public companies doing business in the United States to ensure the accuracy and integrity of financial information.  Since the implementation of Sarbanes-Oxley (SOX), many other countries passed similar reforms, with each company determining the optimal structure for meeting compliance requirements.  With Shared Services often being the major processing hub for a company’s financial transactions, it is not a surprise that it often takes on an important role when it comes to Sarbanes-Oxley compliance.

A Peeriosity member representing a $15B+ global food processing company was considering options for centralizing Sarbanes-Oxley testing in Shared Services and wanted to know how the activity was managed at other companies.  Within 24 hours, member companies responded to his iPolling^TM questions, with many providing additional comments to explain their responses.  The member was then able to follow up directly with each company, as needed, to further discuss approaches.

According to the iPolling results, approximately one in five companies have SOX testing being managed by Shared Services.  Other public companies are fairly evenly split between each process area being responsible for testing in their area and having a separate internal controls team (often Internal Audit) that is outside of Shared Services with overall responsibility for testing. 

When reviewing the many poll response comments (a summary is below) it becomes clear that, even when Shared Services doesn’t have overall responsibility, because much of the activity is within Shared Services, the organization plays an important role in ensuring compliance with Sarbanes-Oxley requirements.  And, with self-assessment techniques being a very common approach, Shared Services often plays a critical compliance role for much of the activity in scope for review, even when another area has overall responsibility.

Regarding the question of SOX testing frequency, 40% perform testing annually and 29% perform testing twice a year, with 23% testing quarterly and only 8% testing on a monthly basis.

As mentioned above, additional comments included with poll responses help to clarify the approaches at member companies.  Here are some of the comments:

·         Internal Audit performs Sarbanes-Oxley testing.

·         To create proportional ownership, people in each process area are responsible for self-testing.

·         Internal Audit Department handles.

·         We have an independent team within Shared Services that performs self-testing throughout the year for any processes already handed over. Individuals in the process areas cover activities that are not handled by Shared Services. Corporate Internal Audit and audit firm perform independent testing once a year from October to November.

·         Sarbanes-Oxley controls are tiered into multiple levels. Certain tiers are tested in certain quarters by the process owners and documented in the self-assessment application. We have a Financial Controls team that is our Sarbanes-Oxley team, which is part of an Audit Services & Controls (not Shared Services) team that owns the testing process, the self-assessment application, and reporting responsibilities.

·         All Sarbanes-Oxley-related testing is performed by Internal Audit to maximize our external auditor’s reliance on our work. All in-scope areas are tested annually, with the more financially material testing being done in Q4 to minimize roll-forward testing.

·         We have a mixed approach — individuals in the various process areas throughout the company are responsible for testing for Sarbanes-Oxley compliance annually (and a large percentage of this is within our Shared Services operations because we are responsible for most of the Sarbanes-Oxley-relevant processes.) But we also have an Internal Controls team (outside of Shared Services) that audits the testing. Within our Shared Services groups, we usually have Sarbanes-Oxley-focused internal audits about every other year.

·         We use a small team for Sarbanes-Oxley testing that is comprised of Shared Services individuals, Corporate individuals, and 3rd party for certain controls.

·         We have a Sarbanes-Oxley team, so testing is mainly done by them. The frequency is typically one interim testing period and one final testing period in a calendar year.

How is Sarbanes-Oxley testing managed at your company?  What is the testing frequency and what role does Shared Services play to ensure compliance?

Who are your peers and how are you collaborating with them?

 “iPolling^TM” is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from participating or accessing content. Members have full visibility of all respondents and their comments. Using Peeriosity’s integrated email system, Peer Mail^TM, members can easily communicate at any time with others who participate in iPolling.