What is SOX and How to Be Compliant

In this blog post, we will break down what SOX is and how your business can be compliant. We’ll also provide some resources to help you get started.

What is SOX?

Since being signed into law in 2002, SOX has become one of the most significant reforms to U.S. securities legislation. With the goal of increasing transparency and creating a more formalized system of internal checks and balances, SOX essentially measures how well a company designs, operates and maintains its internal controls. Broad in scope and crucial to success, SOX affects financial governance and accountability, data storage and transmission, as well as information technology. The goal: to safeguard investors against inaccurate or unreliable corporate disclosures.

Enforcement and Penalties for Noncompliance

Strictly enforced and far-reaching, SOX has affected global markets on a far larger scale than expected. In an interdependent world, it has proven critical to understand, implement and maintain the proper controls and compliance rules set forth by SOX. SOX noncompliance penalties range in severity and can include fines and delisting from public stock exchanges.

SOX Implementation Steps and Tips for Success

To avoid noncompliance issues, it is extremely important to have a well-thought-out strategy. All SOX implementations and ongoing maintenance will follow these general steps:

1. Design

Perform a SOX-based risk assessment and determine the scope of business units and processes to be included. Based on an understanding of transactional processes and financial misstatement risk, determine what key controls are required and design them to effectively mitigate significant risks. Considering risk on a periodic basis is critical, as a company’s risk profile can change dramatically throughout the year, especially in a high-tech or equally dynamic industry.

Tip: The controls (and thus their design) should be reviewed periodically as circumstances change (e.g. an acquisition, a new product launch, new markets, growth or downturn), but at least annually.

2. Document

Key controls require sufficient documentation so that the process can be properly performed and replicated. Anyone performing control activities should be clear on how to consistently perform and document them, and internal and external auditors should be able to easily test controls for compliance.

Tip: The keyword for documentation is “sufficient.” Over-documentation, especially in the first year, is a serious resource consumer. Reaching the right documentation balance requires experience and perspective, so be sure to consult with your internal audit function and external auditors to stay on track.

3. Testing

All key controls must be periodically tested with appropriate samples to gather evidence and support a conclusion about the effectiveness of management’s controls. The nature and extent of testing should be discussed early in the process to ensure management and external auditors are in agreement. Having this agreement will enable the external auditor to place greater reliance on management’s testing.

Tip: Year after year, testing will consume a large portion of your SOX budget. Spend the necessary time and effort to ensure you have the most efficient and effective test resources available. A highly efficient test program will include experienced testers executing well-developed test plans, utilizing appropriate technology and proven procedures.

4. Evaluate & Report

Results of testing will be compiled and evaluated to determine whether there are deficiencies and, if so, their severity. There are three levels of deficiencies: deficiencies, significant deficiencies and material weaknesses. There is a lot written about the technical definition of each, but the practical concerns with each are as follows:

Deficiency – a control did not operate as “advertised,” but the resulting impact is not significant. Correct the problem and learn from it. Report the issue to management and share with external auditors.

Significant deficiency – a control did not operate effectively and the impact was close to material, but not quite. This must be reported to management, external auditors and the audit committee.

Material weakness – one or more controls failed and the result was, or could have been, a material misstatement to the financials. This level requires full public disclosure in the financial statements.

Tip: Developing a highly effective test program can help you find issues early, which will help you correct problems before they escalate beyond the level of a simple deficiency.

Take the Next Step to Improve Your Company’s SOX Compliance

SOX compliance may seem daunting, but it doesn’t have to be. By following our tips and partnering with a qualified consultant, you can make sure your company is on track for compliance. Have questions about SOX or need more information? Contact us – we’re here to help!