Case Study: Digital Marketplace SOX Program and Material Weakness Remediation

Situation 

A large, private U.S.-based multinational digital marketplace and ticketing/events company faced significant challenges in remediating audit findings related to its internal control environment. The company had received multiple material weaknesses in its annual audit, prompting the need to identify the root causes of these control failures, establish new controls, and ensure the adoption and sustainability of these controls to pass future audits.

The control issues permeated various business processes, including entity-level controls, and extended across financial and revenue cycles. IT General Control (ITGC) deficiencies were identified in multiple applications, including the company’s proprietary digital marketplace, which was crucial for revenue tracking and recognition.

Additionally, the company needed to chart a course toward compliance with the Sarbanes-Oxley Act of 2002 (SOX). As a young, fast-growing, private company, management had not previously prioritized creating a mature control environment. The company also embarked on implementing a new ERP system as part of its journey toward financial maturity.

Solutions 

Given the broad scope of work, Altum divided the project into multiple workstreams to efficiently address the client’s needs.

• Material Weakness Remediation:
  • Altum collaborated with management to address four specific material weaknesses during the current fiscal year. The first step involved a risk assessment of financial statement line items based on complexity and materiality. Together with management, Altum classified risks and ranked accounts, entities, and line items by materiality thresholds and de minimis.
  • In-depth walkthroughs were conducted to fully understand the existing processes and controls. Following this, controls were rationalized, strengthened, and tested for both design and operational effectiveness. The results and supporting evidence were packaged for review by external audit teams to provide an opinion on the remediation efforts for the targeted weaknesses.

• SOX Program Development and Training:
  • As the company prepared for SOX compliance, Altum emphasized the importance of focusing on the people. A tailored SOX introduction and training program was developed to help employees understand how SOX would benefit the organization, impact individuals and business units, and support long-term success. These training sessions laid a strong foundation for SOX compliance by setting clear expectations for stakeholders and management.
  • To ensure ongoing governance, Altum assisted the company in establishing a SOX Steering Committee. This committee met regularly to discuss progress, resolve issues, and keep stakeholders informed. It was responsible for overseeing all SOX compliance efforts, creating a structured governance framework, and ensuring accountability.

• Risk Assessment and Controls Gap Analysis:
  • Altum conducted a comprehensive risk assessment and controls gap analysis to identify areas where material financial misstatements were most likely to occur. This process also identified key areas of risk across business processes and IT systems. A detailed risk and control matrix was developed, documenting risks, owners, control activities, and test steps for all in-scope processes and IT systems. This matrix enabled targeted scrutiny of controls and helped pinpoint areas that required remediation.

• AuditBoard Implementation for Centralized Control Management:
  • Altum led the implementation of AuditBoard to centralize all process flows, narratives, and risk and control matrices (RCMs). This platform enabled the client to store supporting documentation and manage the testing process efficiently, creating a well-governed internal controls environment.

• Collaboration and Communication:
  • To ensure the project’s success, strong collaboration between internal and external control teams was essential. Altum developed a comprehensive communication plan with regular touchpoints to ensure alignment and maintain a collaborative atmosphere throughout the pre-SOX compliance efforts.

Results 

Through close collaboration with key client stakeholders, management, Internal Audit, and the company’s audit firm, Altum successfully helped remediate multiple material weaknesses, develop tailored risk and control matrices, validate controls with business units, IT/application owners, and control owners, and operationalize an instance of AuditBoard to manage control testing and remediation efforts.

The engagement resulted in the company’s successful transition towards SOX readiness and established a control environment that would withstand future audits. Additionally, it laid the groundwork for the client’s external auditors to move from a wholly substantive audit approach to a more controls-reliant audit, reducing complexity and effort in future audit cycles.