Simplifying Compliance: Effective Strategies for SOX Success

As publicly traded companies work to optimize their Sarbanes-Oxley (SOX) compliance, increasing the efficiency and effectiveness of those efforts requires management to better understand organizational risks, align management and the audit committee, train process owners, increase automation, and centralize the monitoring of risk exposures and control performance.

Conduct a Risk Assessment

The optimization process starts with an effective risk assessment that helps the company understand its exposures and map the various controls that help it mitigate those risks. The types and number of needed controls will depend on a specific company and its risks.

It’s also important to avoid imposing more controls than the company needs to mitigate risks effectively because each control bears costs for design, documentation, testing, evaluation, and reporting. Understanding the company’s risks, and ensuring you have the correct number of controls, is key to effectiveness and efficiency. This can be further enhanced through a control rationalization, with a deeper review of key risks and the alignment of mitigating control activities.

Management and the Audit Committee

Management and the audit committee play important roles in SOX compliance by setting the appropriate “tone at the top”: actively asking about and understanding the company’s key risks, and allocating resources to the implementation and evaluation of the appropriate controls. By demonstrating that they believe in and understand risk management and compliance, they set a tone that the rest of the company will generally follow.

Maximize External Auditor Reliance

A valuable way to increase efficiency and potentially reduce the cost of a SOX review is making it as easy as possible for external auditors to rely on the company’s testing and documentation. Under SOX, external auditors are required to sign off on the company’s internal controls, give an opinion about the effectiveness of those controls, and identify any deficiencies.

To make these determinations, the auditors will either rely on the company’s control testing and documentation, or will have to perform that testing themselves. While a company won’t be able to reach a point where the auditors rely exclusively on the company’s testing, expanding the percentage of company-tested controls increases efficiency. It does this by reducing the volume (and cost) of auditor testing, as well as avoiding controls being tested twice by the company as well as by the auditors.

Increase Process Owner Training

Another important step in optimizing SOX compliance is providing training for financial reporting process owners—the managers with oversight responsibilities for specific processes. In addition to setting the tone at the top with messaging from a SOX sponsor (e.g., the CFO), managers need to understand the nature of transactional flows and data involved with significant processes—and be enabled to identify gaps in the performance or documentation of those steps. They should also understand the risks that could affect material accounts.

As part of this training, process owners need to understand the value of testing and documentation outside of preparing for an audit. These steps need to be part of ongoing, year-round risk management activities.

Expand Automation

While the role of automation in financial reporting is early and evolving in many organizations, the advantages of streamlining the financial processes that underlie the controls being evaluated will pay dividends in SOX compliance. A large portion of the SOX effort and control performance consists of steps that are repeated through the fiscal year and across fiscal years. Where tasks are repeated and involve systems or applications, there are opportunities to automate.

For instance, the vast majority of the information needed for SOX compliance is produced during the accounting period close. Critical activities that occur during closes include journal entries, analyses, reconciliations, approvals, and more—all of which need to be documented and are subject to auditor review.

Tools such as BlackLine increase process accuracy and SOX compliance by importing data from feeds and matching transactions to reconcile accounts automatically, posting journal entries, and coordinating task completion and approval using real-time dashboards. This reduces reliance on manual tools and the risk of data existing in disparate spreadsheets.

To the extent various activities can be automated, the company and its auditor benefit. Manual processes, documentation, and testing are more expensive and typically have higher rates of deficiencies. Where companies have more automation, auditors see fewer deficiencies and smoother, more efficient testing that is conducted with less work and a lower resulting cost.

Create a Project Management Office

Companies can increase the efficiency and effectiveness of their SOX compliance efforts by creating a project management office to coordinate their compliance efforts. Depending on the size and scope of the company, that oversight could come from one person, a team, or someone using a combination of internal and outsourced resources.

Regardless of how the role is structured, it’s important for the team member to have an appropriate level of knowledge and experience to coordinate the company’s SOX compliance efforts year-round, to ensure controls are performing as designed and that emerging issues are addressed as quickly as possible.

If your company needs assistance with implementing effective SOX internal controls, reach out to our team of audit professionals who can support you throughout the process.

Boosting SOX Audit Frequency for Better Results

Increasing the frequency of SOX audits is a strategic move that helps companies enhance the robustness of their internal controls, improve financial reporting accuracy, and ensure ongoing compliance with regulatory requirements.

Companies typically conduct interim and year-end SOX testing as part of their audit plan, but relying solely on interim and year-end testing may result in limited visibility, delayed issue identification, increased risk exposure, complacency, inadequate response to change, and regulatory scrutiny.

To mitigate these diverse risks, organizations should complement periodic testing with continuous monitoring and auditing practices to ensure ongoing compliance, enhance control effectiveness, and address emerging risks and issues promptly.

Rationale for Boosting SOX Audit Frequency

Increasing the frequency of SOX audits can provide several benefits:

Enhanced Risk Management

Frequent audits allow for the early detection of compliance issues and internal control weaknesses. By identifying problems as they arise, companies can implement corrective actions promptly and reduce the risk of financial misstatements and regulatory penalties.

Operational Efficiency

Increased audit frequency can streamline operations by embedding compliance into daily business processes. This integration fosters a culture of continuous improvement, where compliance becomes a routine part of the organizational workflow rather than a periodic checkpoint.

Executing Elevated SOX Audit Frequency

To fully realize the benefits of more frequent SOX audits, organizations must implement a structured approach that incorporates technology, risk assessment, collaboration, and continuous education.

Here are some essential strategies for increasing the frequency of SOX audits effectively:

Leverage Technology

Utilize automation and advanced data analytics to facilitate continuous auditing. These tools can monitor transactions and controls in real-time, providing immediate insights and reducing the burden of manual audit tasks.

Develop a Risk-Based Approach

Focus on high-risk areas that have the greatest potential impact on financial reporting. By prioritizing these areas, companies can allocate resources more effectively and ensure critical risks are identified and addressed promptly.

Enhance Collaboration

Foster collaboration between internal audit, compliance, and financial reporting teams. Regular communication and information sharing can help identify and address issues more efficiently, ensuring that all stakeholders are aligned on the organization’s compliance objectives.

Continuous Training and Education

Invest in ongoing training for audit and compliance personnel. Keeping staff updated on the latest regulatory changes, auditing techniques, and technological advancements is essential for maintaining an effective continuous auditing program.

Strengthening Your SOX Compliance Program

Increasing the frequency of SOX auditing offers numerous benefits, from timely issue detection to enhanced operational efficiency. By adopting a more frequent audit schedule, leveraging technology, and focusing on high-risk areas, organizations can strengthen their compliance posture and build a robust framework for financial integrity.

As the business environment continues to evolve, embracing continuous and frequent SOX auditing will be key to staying ahead of the curve and ensuring long-term success. Contact us to explore ways to enhance your internal control program and reduce year-end SOX audit pressures.

Optimizing SOX Compliance: Best Practices for Success

It’s been 21 years since the passing of the Sarbanes-Oxley (SOX) Act, one of the most impactful pieces of federal legislation shouldered by publicly traded companies. Developed in response to several corporate financial scandals and losses in investor confidence, SOX has since mandated that management teams provide assurances around the reliability and accuracy of financial reporting. However, over time, processes, systems, and risk profiles have changed.

SOX program implementation assures that controls are properly designed and effective. As industries, technologies, and financial risks evolve, the added challenge is to ensure internal controls are both effective and efficient. Do you have the right controls in place today? Are your controls serving the company well while satisfying compliance requirements?

In this webinar, we explore the strategies, tools, and techniques that can help you optimize your compliance efforts, manage risk more effectively, and successfully navigate the complexities of SOX compliance.


Navigating SOX Compliance – Implementation and Challenges

As a company goes public and falls under SOX mandates, the regulatory requirements may seem complex and overwhelming. Join our upcoming webinar to gain a better understanding and learn the key details of Sarbanes-Oxley Act (SOX) implementation, including what your organization can expect and your potential challenges.

Topics we’ll cover:

  • High-level requirements for SOX compliance
  • Common client challenges
  • Strategies for making the process easier

Developing an Effective Internal Audit Function

Understanding your objectives, identifying organizational risk, enlisting executive support, and evaluating internal controls are among the keys to developing an effective internal audit function.

Internal audit provides the company, on an ongoing basis, with insights into its performance, policies, and procedures that can help it manage operational, compliance, and financial risks. Common objectives for an internal audit include:

  • Identifying and mitigating organizational risk
  • Enhancing financial processes and regulatory compliance
  • Testing the design and operation of internal controls and correcting any deficiencies

Create the Blueprint for Your Internal Audit Program

The first step in developing an effective internal audit function is developing a framework that defines management’s needs and expectations. This will vary depending on the company’s industry but will typically include examining the various categories of risk the organization faces, as well as any specific compliance requirements.

This step should be followed by conversations with leaders in different business units — finance, planning, operations, the audit committee, and others — as the first stages of a broader risk assessment. This will involve asking questions about the organization’s risks and whether the implications of a given risk are material.

You can’t eliminate risk completely, but instead, you want to develop a cross-functional view of the appropriate thresholds, so you’re devoting time and resources most effectively during the internal audit.

Deciding Who Will Lead the Audit

It’s also important for the organization to designate an executive sponsor of the internal audit function to highlight unequivocally the organization’s commitment to compliance and ethical behavior. Everyone participating in or supporting the audit needs to understand the organization will accept any findings and address shortcomings discovered during the audit process. If people believe the audit will not result in action, the process can become an unproductive exercise that wastes time and money.

Define Scope

Together, these steps will help the company define the scope of the internal audit and optimize management’s risk tolerance, as well as the thresholds for testing during the audit. For example, reviewing the approval of $49 transactions may not be an appropriate use of internal audit’s time.

This discussion also will help you design the objectives and attributes of the tests you will perform during the audit process. This may include, for example:

  • Interviewing process owners about their role.
  • Observing processes and procedures to understand whether they are performing as designed.
  • Reviewing documentation for completeness and accuracy.
  • Reconciling accounts to make sure transactions and amounts match.

Find the Best Time to Conduct the Internal Audit Procedures

The next step is scheduling time with management, process owners, and other key participants to align the audit process with the organization’s calendar to avoid intrusions during busy seasons or other important periods. You probably can’t eliminate the perception that the audit is interrupting routine work, but working to accommodate peak periods will improve cooperation and the effectiveness of the audit overall.

With this plan in place, you can launch an internal audit process knowing that it’s backed by a carefully designed, well-reasoned plan that’s aligned with the company’s financial, operational, and compliance risk management objectives.

We Can Help You with Your Auditing Needs

Whether you’re looking to establish, enhance, or outsource your internal audit function, we provide ‘right-sized’ audit support to assist you. For more information about optimizing the value of your SOX investment, reach out to our team.

How SOX Internal Controls Help Companies Manage Risk

Creating internal controls over financial reporting (ICFR) is mandated under the Sarbanes-Oxley Act (SOX). SOX internal controls provide important insights into the accuracy and presentation of a company’s financial position while serving as a valuable risk management tool.

The Purpose of SOX and Who is Required to Follow the Standards

Section 404 of the Sarbanes-Oxley Act requires publicly traded companies to establish, assess, and report on the design and operational effectiveness of their internal controls over financial reporting.

The objective of SOX is to protect investors by improving the accuracy and reliability of an organization’s financial position and disclosures. Accuracy and reliability are vital to protect investors and other stakeholders from the risk of loss due to reporting errors or fraud. Errors and fraud may occur if a company does not have adequate policies and procedures over how financial data is recorded, processed, generated, and reported.

Although mandatory for companies publicly traded in the United States, SOX requirements are often followed by private companies that plan to become public (or to be acquired) in the near future, as well as private companies interested in demonstrating strong governance practices to external stakeholders.

Developing Effective SOX Internal Controls

It’s important for companies to distinguish their SOX internal controls from other control procedures, including those designed to improve operational efficiency. These controls typically fall outside the scope of an ICFR review under SOX Section 404. The focus of SOX internal controls is on the risk of financial misstatement.

Identifying and Assessing Risk

In order to properly manage the risk of financial misstatement, management teams need to adequately identify the risks faced by the organization. This is accomplished through a review of the company’s financial statements and significant transactional flows, while considering the people, processes, and systems involved in each. As management and auditors come to understand the company’s processes, the financial misstatement risks can be defined.

With an understanding of risk, management will perform procedures to identify and assess the risks of material misstatement to the financial statements, whether due to fraud or error. Risks defined as being more significant will be the drivers for where SOX internal control activities are required.

Managing Risk

When management and their external auditors have a common understanding of the company’s processes and financial misstatement risks, the next step is to use an agreed-upon system or framework to define control objectives and organize control activities. Together with its external auditors, management will design a risk-based approach to its internal controls, SOX compliance, and the scope of its financial statement audit.

COSO Framework

The best approach for developing an organization’s SOX compliance program is the COSO Framework. The COSO Framework provides organizations with principles-based guidance for designing and implementing effective internal controls. While the COSO Framework is generally accepted, there are other control frameworks a company may adopt. However, the COSO framework provides components, principles, and points of focus that are commonly accepted by auditors.

The COSO framework is built around interconnected components that include:

  • Control environment: Standards and processes for the company’s internal controls.
  • Risk assessment: How the company identifies organizational risk.
  • Control activities: Risk mitigation tactics including reconciliations, approvals and segregation of duties.
  • Information and communication: How the organization communicates objectives and responsibilities for internal controls.
  • Monitoring: Understanding how your internal controls are performing over time.

Top-down Approach

Beyond the COSO Framework, external auditors will likely use the top-down approach recommended by the Public Company Accounting Oversight Board (PCAOB) to select controls for testing. This approach starts at the financial statement level and the auditor’s understanding of the organization’s overall ICFR risks.

The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and relevant assertions, before selecting controls for testing that address the more significant risks of financial misstatement.

This will typically be achieved by reviewing samples of transactions to verify amounts are being recorded accurately. If, for example, the auditor’s testing provides reasonable assurance that revenue transactions are reported reliably, the company can assume its controls are performing as designed and, in turn, the risk is low that its financial statements are materially inaccurate.

These procedures help companies and auditors provide investors with assurance that the company’s financial statements have been reviewed, the reported amounts are correct, and the statement provides an accurate report on the company’s financial performance and balance sheet at the close of the reporting period.

Need Help Establishing Your Internal Controls?

If your company needs assistance with implementing effective SOX internal controls, reach out to our team of audit professionals who can support you throughout the process.

The ABCs of Risk Management

You’ve heard the words in business circles — COSO, ERM, SOX, and COBIT. It looks like alphabet soup. But what do they mean? If you think these all relate to risk management, you are on the right track. The difference lies in their primary focus/objective and their methodology. Before we dig deeper into the different frameworks, let’s first define what risk management is.

What Is Risk Management?

Risk management is the process of identifying, assessing and controlling financial, legal, strategic, and security risks to an organization’s financial reporting, capital, and earnings. Risks originate from many sources, including financial reporting errors, fraud, legal, statutory, strategic management errors, cyber threats, and/or natural disasters.

A successful risk management program will enable management teams to consider a broad range of risks an organization faces. Risk management also considers the relationship between risks – and the cascading impact they could have on an organization’s strategic goals.

To reduce risk, management teams need to effectively implement internal controls to minimize, monitor, and control the impact of threats.

Risk Management Frameworks

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

If you are curious about the unusual name, here is the explanation. The COSO internal control framework was introduced in 1992 and then overhauled to a more modern, comprehensive version in 2013. The framework was sponsored and funded by five accounting and auditing associations:

  • The American Accounting Association (AAA)
  • The American Institute of Certified Public Accountants (AICPA)
  • The Financial Executives International (FEI)
  • The Institute of Internal Auditors (IIA)
  • The Institute of Management Accountants (IMA)

The commission was led by James Treadway, the former SEC commissioner.

COSO is recognized as the leading framework for designing, implementing, and assessing the effectiveness of internal controls. Its objective was to provide reasonable assurance regarding achieving organizational objectives in the following categories: operational effectiveness and efficiency, financial reporting reliability, compliance with applicable laws and regulations, and asset safeguarding.

SOX (Sarbanes-Oxley Act)

SOX is legislation passed by the U.S. Congress in 2002, sponsored in Congress by Senator Sarbanes and Representative Oxley. One of the features of this law was the addition of a requirement for management to certify, and the independent auditor to attest to, the effectiveness of a company’s internal control system. The goal was to protect shareholders and the public from fraudulent financial reporting practices. Among the COSO objectives, SOX’s focus was on the financial reporting objective.

ERM (Enterprise Risk Management)

The ERM framework, issued in 2004, added a focus on the strategic objective (i.e., high-level goals that support the organization’s mission) to COSO’s operational, financial, and compliance objectives.

ERM expanded on COSO’s risk management focus to seize opportunities for achieving organizational objectives such as enhancing profits. ERM considers both positive risks (i.e., business opportunities) and negative risks (i.e., business threats).

COBIT

COBIT is the IT equivalent of COSO. It is a framework created by ISACA (Information Systems Audit and Control Association) for information technology management and governance. It aims to link business risks, control requirements, and the technical infrastructure. It is used for the governance of both IT implementations and ongoing operations.

While there are many frameworks to choose from, it is important to find the right one for your company and ensure compliance. Our Internal Audit team has extensive knowledge of risk management frameworks and can work with you to select the best option for your business and guide you through compliance. Reach out to speak to our team and get started.

What is SOX and How to Be Compliant

In this blog post, we will explain what SOX is and how your business can be compliant. We’ll also provide some resources to help you get started.

What is SOX?

Since being signed into law in 2002, the Sarbanes-Oxley Act (SOX) has become one of the most historically significant reforms to U.S. securities legislation. To increase transparency and create a more formalized system of internal checks and balances, SOX essentially measures how well a company manages its internal controls.

Broad ranged and crucial to success, SOX affects financial governance and accountability, data storage and transmission, and information technology. The goal is to safeguard investors against inaccurate or unreliable corporate disclosures.

Enforcement and Penalties for Noncompliance

Strictly enforced and far-sweeping, SOX has affected global markets far more than expected. In an interdependent world, it has proven critical to understand, implement, and maintain the proper controls and compliance rules set forth by SOX. SOX noncompliance penalties range in severity and can result in fines and removal from public stock exchanges.

SOX Implementation Steps and Tips for Success

To avoid noncompliance issues, it is extremely important to have a well-thought-out strategy. All SOX implementations and ongoing maintenance will follow these general steps:

1. Design

Perform a SOX-based risk assessment and determine the scope of business units and processes to be included. Based on an understanding of transactional processes and financial misstatement risk, determine what key controls are required and design them to mitigate significant risks effectively. Considering risk periodically is critical, as a company’s risk profile can change dramatically throughout the year, especially in a high-tech or equally dynamic industry.

Tip: The controls (and thus their design) should be reviewed periodically as circumstances change (e.g., acquisition, new product launch, new markets, growth, or downturn), but at least annually.

2. Document

Key controls require sufficient documentation so that the process can be properly performed and replicated. Anyone performing control activities should be clear on how to perform and document them consistently, and internal and external auditors should be able to test controls for compliance easily.

Tip: The keyword for documentation is “sufficient.” Over-documentation, especially in the first year, is a serious resource consumer. Reaching the right documentation balance requires experience and perspective, so be sure to consult with your internal audit and external auditors to stay on track.

3. Testing

All key controls must be periodically tested with the appropriate samples to gather evidence and support a conclusion about the effectiveness of management’s controls. The nature and extent of testing should be discussed early in the process, to ensure management and external auditors agree. Having this agreement will enable external auditors to place greater reliance on management’s testing.

Tip: Year after year, testing will consume much of your SOX budget. Spend time and effort to ensure you have the most efficient and effective test resources available. A highly efficient test program will include experienced testers executing well-developed test plans, utilizing appropriate technology and proven procedures.

4. Evaluate & Report

Testing results will be compiled and evaluated to determine if there are deficiencies and, if so, their severity. There are three levels of deficiencies: deficiencies, significant deficiencies, and material weaknesses. There is a lot written about the technical definition of each, but the practical concerns with each are as follows:

Deficiency – a control did not operate as “advertised,” but the resulting impact is insignificant. Correct the problem and learn from it. Report the issue to management and share it with external auditors.

Significant deficiency – a control did not operate effectively and the impact was close to material, but not quite. This must be reported to management, external auditors, and the audit committee.

Material weakness – one or more controls failed and the result was, or could have been, a material misstatement to the financials. This level requires full public disclosure in the financial statements.

Tip: Developing a highly effective test program can help you find issues early, which will help you correct problems before they escalate beyond a simple deficiency.

Take the Next Step to Improve Your Company’s SOX Compliance

SOX compliance may seem daunting, but it doesn’t have to be. By following our tips and partnering with a qualified consultant, you can ensure your company is on track for compliance. Have questions about SOX or need more information? Contact us – we’re here to help!

First Year SOX Compliance Checklist and Guide

Our First Year SOX Compliance Checklist and Guide, developed by SOX professionals, provides real-world insights into the best approach newly public companies can take to meet their critical compliance obligations, including guidance on:

  • Identifying and assembling the right team
  • Collaborating with external auditors
  • Assessing financial statement risk
  • Documenting processes
  • Listing controls
  • Conducting operating effectiveness testing
  • Rationalizing controls and reducing costs

You’ll also learn the indirect benefits of effective SOX compliance, including reducing fraud risks, streamlining processes, improving management, board, and auditor communications, and more.

Getting Ready for Your IPO: Advice for Pre-IPO Companies

Along with providing an infusion of capital to a growing company, going public brings strict financial reporting and compliance requirements that must be in place well before the offering.

To meet investor expectations for a timely closing and regulatory requirements to provide accurate disclosures, pre-IPO companies need to have the right people, processes, and technology in place to meet their needs as a public company.

Evaluate Finance’s Pre-IPO Team to Ensure They Are Ready

An important early step is assessing the skills and capabilities of the organization’s finance team. Management needs to be sure the team can meet the complex reporting and compliance needs of a public company, such as developing adequate internal controls and preparing accurate financial reports on a timely basis.

Financial planning and analysis skills are also critical since investors expect accurate forecasts about key metrics such as the company’s revenue, business outlook, net income, and operating cash flow. Being able to develop and share accurate forecasts is valuable in informing investors and avoiding potential surprises.

Hone Reporting Processes

Perhaps the most obvious difference between public and private companies is the requirement to report financial and operating results quarterly. The finance team must close the books and report the company’s results quickly and accurately. It will need to develop and follow an efficient, repeatable process.

At least a year before the offering, it’s important to schedule quarterly rehearsals of the reporting process as if the company were public. Practice the multiple steps in closing the books, preparing an earnings release, and holding a mock investor call. This ensures the company’s finance team and management are familiar with the process when they must disclose actual earnings after the offering.

Know How and What You Will Show to Investors

Another important part of the reporting process is establishing metrics to help management explain the company’s results to investors. Along with determining the most appropriate metrics, management should be ready to explain why they chose a specific metric and why it’s helping in understanding the company’s performance.

Similarly, the company will need to establish and document its internal controls, as well as the reasons behind the controls it creates.

Implement Financial Management Tools

Another critical step in preparing for an IPO is upgrading the company’s financial tools to support these new reporting requirements and regulatory disclosures. Spreadsheets, for example, may have been sufficient in the early stages of the company, but they won’t allow the finance team and management to develop reports quickly. They will likely require manual workarounds (such as copying data between applications and reformatting documents) that take time, can introduce errors, and delay the close process.

It’s more effective and efficient to implement a scalable financial management solution such as Sage Intacct that enables companies to automate the reporting process and general ledger entries, and to help the finance team close the books and prepare quarterly reports more rapidly and accurately.

Effective financial management will also provide management with daily visibility into the company’s revenue and treasury activities, and will offer data analysis and reporting tools to speed the closing process, offer insights into the company’s performance and trends, and support more strategic decision-making.

Does Your Pre-IPO Company Have What It Takes to Go Public?

Overall, pre-IPO companies must act as if they are public before the initial public offering. Creating and honing the company’s processes and technology tools will help it be better able to operate as a public company and be ready and able to meet strict disclosure requirements and satisfy investor expectations.

For more information on preparing for IPO with Sage Intacct, reach out to our team for a consultation and demo.

Why It Pays for Smaller Companies to Adopt Internal Controls Like Larger, Publicly Traded Companies

Private or smaller publicly traded companies that proactively employ internal controls over financial reporting benefit from the following:

  • lower capital costs
  • higher company valuations
  • increased interest by investors
  • fewer roadblocks to transfer of ownership (if private)
  • increased stock price (if traded publicly)

Formalizing or enhancing internal controls, like those expected of larger public companies, results in more reliable financial reporting and increases the credibility of management’s operations for bankers, investors, regulators, and other stakeholders.

Providing reliable financial information enables the company to produce financial statements with greater integrity and transparency. Internally, management can also make more effective decisions about the organization’s strategy, critical to maintaining a competitive advantage and potentially preparing for a public offering or a strategic transaction.

Process, Risk, and Control

Understanding and documenting the company’s transactional flows leads to a clearer understanding of financial risk. This, in turn, enables management to focus on control design. Effective controls help management recognize and focus on the highest-risk areas, optimizing its financial reporting, operations, and compliance.

Through this analysis, management can better identify, streamline, and potentially automate processes that divert staff attention from critical activities. One additional benefit: by centralizing process and controls documentation, management can reduce audit-related expenses.

That said, obtaining and reporting the right financial information depends partly on how well management identifies and mitigates financial statement risks. This may seem complex and challenging. However, it becomes manageable with the right messaging, methodology, and discipline across the organization — regardless of the company’s size, complexity, or structure.

Consider Getting Outside Help When Setting Up Your Internal Controls

For private companies that often lack a dedicated compliance resource, we recommend enlisting the help of experienced SOX advisors who will work with you to outline a roadmap, mitigate disruptions, and bring expertise to streamline the process and train staff.

For questions or more information related to an internal audit, controls optimization, or SOX compliance, contact our team.

3 Tips for Boosting the Value of Your SOX 404(a) Compliance

Beyond regulatory requirements, developing an effective internal controls framework is valuable in helping your company manage risk.

Identifying and mitigating the company’s financial and operational risks under the Sarbanes-Oxley Act (SOX) Section 404 requirements can also be a prudent investment in improving efficiency by aligning management’s priorities with the organization’s internal processes and operations.

3 Tips for Getting the Most Out of SOX Compliance

1. Understand Your Obligations (SOX 404a vs 404b)

One of the keys to successful SOX compliance is understanding whether your company falls under the reporting requirements of Section 404(a) or Section 404(b). While management must certify the effectiveness of its internal controls in either case, Section 404(b) adds the requirement (based on the company’s capitalization and revenue) for your external auditor to attest to that effectiveness.

In practice, we often see companies that are not required to file under Section (b) scale back their compliance efforts by trimming assessments to the bare bones and eliminating internal testing — yet continuing to issue certifications.

This may seem like a cost-savings move, but the company may run into significant deficiencies and material weaknesses that are discovered during the year-end external audit. This, in turn, leads to additional remediation steps that must be implemented quickly. More importantly, these deficiencies can reduce confidence in the quality of the company’s financial reporting and internal controls from auditors, the board, and potentially investors.

Taking the time to develop an effective compliance framework and culture helps your company manage risk more effectively while also satisfying your regulatory obligations.

2. Focused Attention

It’s critical for your company’s management to identify the most important risks to the quality and accuracy of your financial statements, and to focus attention and resources on the areas that represent the most important risk.

The COSO Enterprise Risk Management – Integrated Framework offers a good starting point for developing an effective internal controls system. The framework offers 17 principles embedded within five components covering your control environment, risk assessment, control activities, and other key aspects.

To learn more, you can view a recording of our webinar, Navigating SOX 404a Compliance.

Similarly, it’s helpful to understand that, over time, the company’s risk profile is going to evolve in response to market conditions as well as organizational changes. Part of an effective risk assessment strategy is understanding those changes, the potential impacts on the company, and the processes and controls that must be adjusted as a result.

3. Build a Compliance Culture

Optimizing the value of your SOX investment, like your compliance effort, also depends on management setting an effective tone highlighting the importance of risk management and ethical behavior.

Management needs to stress the importance of compliance and risk management company-wide, and to back up those statements with internal training and quarterly check-ins to ensure management identifies and controls its most important financial statement risks.

Department leaders also need to understand that compliance isn’t a once-and-done or periodic activity, but rather an ongoing process of identifying risk, establishing effective controls, testing those controls, and making necessary corrections.

An effective compliance culture will improve risk management and cost savings by helping the company minimize last-minute surprises with its audit committee and auditors.

In addition, management can focus on the most direct risk to its financials, create appropriate controls, and produce the high-quality financial data the organization needs for external and internal reporting.

Getting Help With SOX 404a Compliance

Whether you’re looking to establish, enhance, or outsource your internal audit function, we provide ‘right-sized’ audit support to assist you. For more information about optimizing the value of your SOX investment, reach out to our team.

From Zero to SOX Implementation: Sarbanes-Oxley Compliance

The process of building a sustainable, comprehensive internal control environment sufficient to comply with the Sarbanes-Oxley Act of 2002 (SOX) requires a significant investment of organizational resources. We have created the Zero to SOX implementation process to assist organizations in this endeavor.

A Five-Year Window for SOX Internal Control Audit Requirements

On March 12, 2020, the SEC issued a ruling – Amendments to the Accelerated Filer and Large Accelerated Filer Definitions. The effect of the changes was to reduce the burden and compliance costs for certain smaller registrants. Under the new rules, certain low-revenue registrants are no longer required to have their assessment of the effectiveness of internal control over financial reporting (ICFR) attested and reported on by their independent auditors. The figure below from the U.S. Securities and Exchange Commission shows the thresholds that separate Small Reporting Companies (SRCs) from Non-SRC organizations.

While the burden may have been lifted for smaller organizations, the requirement of a comprehensive internal control environment remains. An emerging growth company’s annual report still must contain an internal control report which:

  • states management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
  • contains an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal control structure and procedures for financial reporting.

During the five years following an IPO, a Small Reporting Company should take a risk-focused approach to SOX compliance by specifically identifying, implementing and monitoring those internal controls that enable management to achieve these regulatory requirements with confidence.

ZERO to SOX – A Five-Year Timeline

Year One Pre-SOX

Activities in the first post-IPO year are focused upon the identification of HIGH Risk processes and the implementation of the documentation and monitoring activities necessary to support management’s annual reporting requirements under Section 404.

Years Two and Three Pre-SOX

Activities in the second and third post-IPO years are focused upon evaluating and understanding the company’s internal control priorities in light of the company’s growth and evolution. Monitoring activities necessary to support management’s annual reporting requirements under Section 404 continue.

Year Four Pre-SOX

Activities in the fourth post-IPO year add the additional objective of documentation and assessment of the MODERATE and LOW risk processes.

Evaluating and understanding the company’s internal control priorities in light of the company’s growth and evolution continues along with monitoring activities necessary to support management’s annual reporting requirements under Section 404.

Year Five SOX

Activities in the fifth post-IPO year continue the monitoring activities necessary to support management’s annual reporting requirements under Section 404 and add those necessary to support the integrated audit work of the company’s external auditors.

Our SOX Services Help Set Your Company Up for Long-term Compliance

The Zero to SOX process, designed with clearly defined goals and executed by experienced team members, will lay the foundation to meet your company’s regulatory compliance requirements as well as practice effective corporate governance now and into the future.

For more information on our SOX Services, contact our team.

Are You at Risk? 7 Common SOX 404 Compliance Challenges to Avoid

Several SOX challenges can affect a company’s ability to maintain an effective controls framework, or potentially hinder its ability to demonstrate that its ICFR efforts serve their intended purpose.

Common SOX Challenges

1. A lack of executive or board support for the organization’s SOX program.

Management’s commitment to effective controls and financial reporting is a key component to a SOX effort receiving the required time and attention.

2. Failing to take a true risk-based approach.

It’s essential to understand the company’s risks and to design controls to mitigate those risks, rather than treating SOX as a check-the-box compliance exercise.

3. Over-engineering process documentation.

Concise documentation that helps staff members and external auditors understand the thinking underlying a process is more effective than trying to capture every potential contingency and nuance (which can divert attention from more important activities).

4. Confusing operational controls with financial reporting controls.

Along with ensuring the data is accurate, you need to verify that the process used to generate that data is operating effectively.

5. Infrequent and superficial coordination with external auditors.

Management and external auditors should both understand the company’s risks so they can better evaluate the design and effectiveness of the controls intended to mitigate those risks. Nobody should be surprised during the audit process.

6. Having control owners believe control ownership is separate from day-to-day activities.

This is typically a culture issue: team members responsible for controls may not integrate risk awareness and the performance of controls into their typical day-to-day activities.

7. Underutilizing IT and application automation and configurations.

Control activities performed manually on a repetitive basis come with a greater cost and an increased risk of error compared with automated controls.

Understanding the requirements of SOX 404(a) and 404(b) and communicating frequently with external auditors about the design and performance of your controls are cornerstones of effective risk management and SOX compliance. Knowing these SOX challenges can help a company with its compliance journey.

For questions or more information about SOX compliance, visit our SOX services page or contact our team.

It’s Important to Monitor your SEC Filing Status

As public companies grow, they may move from one filing status or issuer category to another. Recent and proposed changes to the Securities and Exchange Commission (SEC) rules for some categories could affect your company’s financial reporting and audit procedures.

Categories of public companies

Under existing rules, public companies fall into different SEC filing status categories, based on their public “float” (the amount of shares available to the public for trading):

  • Smaller reporting companies (SRCs) are nonaccelerated filers that meet certain other requirements, including annual revenues under $50 million if their public float is zero.
  • Nonaccelerated filers have a public float of less than $75 million and aren’t otherwise required to accelerate their filing deadlines.
  • Accelerated filers have a public float between $75 million and $700 million and meet other requirements.
  • Large accelerated filers have a public float of more than $700 million and meet certain other requirements.

Emerging growth company

What is an emerging growth company (EGC)? Generally, an EGC is a new public company that has gross revenues under $1 billion in its most recent fiscal year and meets certain other requirements. EGCs enjoy a variety of benefits during their first five years of existence, including scaled-back disclosures and exemption from the auditor attestation of a company’s internal control over financial reporting as required by Section 404(b) of the Sarbanes-Oxley Act.

A company that ceases to be an EGC must begin complying with Sec. 404(b), except for nonaccelerated filers, which are exempt from that requirement unless they become accelerated or large accelerated filers. (Congress currently is considering legislation that would extend the exemption for certain companies, however.)

Changes to public float thresholds

On June 28, 2018, the SEC voted unanimously to issue the final rule in Release No. 33-10513, Amendments to Smaller Reporting Company Definition. The rule increases the public float threshold for SRCs to $100 million and nonaccelerated filers to $250 million.

To complicate matters, the SEC did not make conforming changes to the definition of an accelerated filer. Rather, it eliminated the automatic exclusion of SRCs in the definitions of accelerated and large accelerated filers. As a result, a registrant could be both an SRC and an accelerated filer. As an accelerated filer, a company would still be required to comply with Sec. 404(b).

The new SEC rule will be effective 60 days after publication in the Federal Register, which normally occurs a few weeks after a rule is posted on the SEC’s website. The SEC said 966 additional companies will be eligible for smaller company status in the first year of the new threshold.

Annual assessment of your SEC filing status

Changes in filing status affect the form, content and timing of financial reports, as well as the extent of external audit procedures. So, it’s a good idea to re-evaluate your company’s status well before the end of each fiscal year. We can help you evaluate your filing status based on the SEC’s evolving guidelines. If a change is anticipated, we can help you prepare for new filing, disclosure and audit requirements. Contact us for more information on SEC filing status.

© 2023

Optimize the Value of Your SOX 404a Compliance Efforts

Click here to download a copy of the slide deck used during the presentation.

Taking an active approach to Section 404a enables more accurate financials, reduces compliance costs, and improves risk management and internal controls.

Learn how to embrace 404a’s value and the opportunity it offers as our experts share insights about:

  • Aspects of the framework to focus on for the highest impact (in the shortest time)
  • How (and why) to create a risk-based, process-focused compliance culture
  • Reducing future costs and compliance challenges
  • Keeping staff up-to-date on SOX processes
  • Presenting accurate financials with confidence

Let’s talk about your project.

Whether you need to unravel a complex challenge, launch a new initiative, or want to take your business to the next level, we’re here. Share your vision and we can help you achieve it.