What is a SOX key report or information used in a control (IUC)?

SOX key reports are the backbone of financial reporting

Reports organize and summarize the data within a company based on specified criteria. A report can be a simple list of transactions, or a complex compilation of inputs from various systems and sources.

Management relies on these reports when making decisions, communicating with the public, and financial reporting. External auditors also rely on these reports when assessing a company for Sarbanes-Oxley (SOX) compliance.

SOX key reports are the backbone of internal controls

When addressing SOX compliance, the data or information or reports you use to perform your internal controls are your “key” reports.

An important step in preparing for SOX compliance is to take an inventory of the reports you rely on for managing your financial reporting tasks.

Why are SOX key reports tested?

Why are SOX key reports tested?

• Report testing has received a lot of focus by external auditors and the PCAOB
• Report testing has received a lot of focus by external auditors and the PCAOB
• This means that your external auditors will closely scrutinize the procedures your company uses to validate the accuracy and completeness of the reports you rely on for your internal controls and compliance with SOX
• Management must be able to demonstrate that it understands where the data comes from for reports and that it is reliable
• Management must also document how it gains that reliance; this is the documentation your external auditors will review

Accurate data is essential

Management uses system-generated reports to make judgements for booking journal entries or recording financial transactions, and this impacts the financial statements

Complete data is essential

• As a public company you are not only offering stock, but also the confidence that the information you provide is reliable, whether reviewed internally or by external auditors
• When your company reaches Accelerated Filer status it will need to comply with SOX 404B, which means external auditors will test your internal controls
• It also means that your company will need to document how it verifies that the key reports used for financial reporting are accurate and complete

External auditors will be inspecting

• External auditors will be inspecting
• If you are being audited, perhaps by one of the “Big Four” (Deloitte, EY, PWC, or KPMG), or “Big Six” (including BDO and Grant Thornton), a team of SOX and audit experts will review your key reports testing
• If your external auditors find that your controls are supported by inaccurate or incomplete data, that’s a deficiency (or material weakness, if the risk is high enough)

When are SOX key reports tested?

Annually, at most

• Many SOX compliance activities are performed only once a year
• Certain key reports are tested only every few years on a rotating basis
• Many auditing firms require a long and intricate form for SOX key reports testing

Who should test a SOX key report?

• Since this is an activity that is not done regularly, it’s hard for a company to hire someone in house who is experienced at this kind of work
• Not having an expert test your key reports can be an inefficient use of resources
• Co-sourcing with a third-party can be a great way to avoid errors or deficiencies (or even worse, material weaknesses)