What is SOX and How to Be Compliant


In this blog post, we will explain what SOX is and how your business can be compliant. We’ll also provide some resources to help you get started.

What is SOX?

Since it was signed into law in 2002, the Sarbanes-Oxley Act (SOX) has become one of the most significant reforms to U.S. securities legislation. To increase transparency and create a more formal system of internal checks and balances, SOX requires a company to establish, assess and report on its internal controls over financial reporting.

Broad in scope, SOX affects financial governance and accountability, data storage and transmission, and information technology. For IT, this generally means the general controls (user access, change management and operations) over the systems that feed financial reporting. The goal is to safeguard investors against inaccurate or unreliable corporate disclosures.

Enforcement and Penalties for Noncompliance

Strictly enforced and far-reaching, SOX has affected markets well beyond the U.S. companies it directly covers. In an interdependent world, it has proven critical to understand, implement, and maintain the controls and compliance requirements set forth by SOX. Penalties for noncompliance range in severity: they can include fines, delisting from public stock exchanges, and criminal liability for executives who knowingly certify inaccurate financial reports.

SOX Implementation Steps and Tips for Success

To avoid noncompliance issues, it is important to have a well-thought-out strategy. All SOX implementations, and the ongoing maintenance that follows, go through these general steps:

1. Design

Perform a SOX-based risk assessment and determine the scope of business units, processes and supporting systems to be included. Based on an understanding of transactional processes and the risk of financial misstatement, determine which key controls are required and design them to mitigate the significant risks effectively. Revisiting risk periodically is critical, as a company's risk profile can change dramatically throughout the year, especially in a high-tech or similarly dynamic industry.

Tip: The controls (and thus their design) should be reviewed whenever circumstances change (e.g., an acquisition, a new product launch, new markets, growth, or a downturn), and at least annually.

2. Document

Key controls require sufficient documentation so that the process can be performed consistently and repeated. Anyone performing control activities should be clear on how to perform and document them, and internal and external auditors should be able to test the controls easily.

Tip: The key word for documentation is "sufficient." Over-documentation, especially in the first year, is a serious drain on resources. Finding the right balance requires experience and perspective, so consult your internal audit function and external auditors to stay on track.

3. Testing

All key controls must be tested periodically, using appropriate samples, to gather evidence and support a conclusion about the operating effectiveness of management's controls. The nature and extent of testing should be agreed with the external auditors early in the process. That agreement lets the external auditors place greater reliance on management's testing, which reduces duplicated effort.

Tip: Year after year, testing will consume much of your SOX budget. Spend the time and effort to secure the most efficient and effective test resources available. A highly efficient test program combines experienced testers, well-developed test plans, appropriate technology and proven procedures.

4. Evaluate & Report

Testing results are compiled and evaluated to determine whether there are control deficiencies and, if so, how severe they are. There are three levels of severity: deficiency, significant deficiency, and material weakness. Much has been written about the technical definitions; the practical concerns with each are as follows:

Deficiency – a control did not operate as "advertised," but the resulting impact is insignificant. Correct the problem and learn from it. Report the issue to management and share it with the external auditors.

Significant deficiency – a control did not operate effectively and the potential impact was close to material, but not quite. This must be reported to management, the external auditors, and the audit committee.

Material weakness – one or more controls failed and the result was, or could reasonably have been, a material misstatement of the financial statements. At this level management must conclude that internal control over financial reporting is not effective and disclose the weakness publicly in its report.

Tip: A highly effective test program helps you find issues early, so that problems can be corrected before they escalate beyond a simple deficiency.

Take the Next Step to Improve Your Company’s SOX Compliance

SOX compliance may seem daunting, but it doesn't have to be. By following these steps and partnering with a qualified consultant, you can keep your company on track for compliance. Have questions about SOX or need more information? Contact us – we're here to help!