From Zero to SOX Implementation: Sarbanes-Oxley Compliance


The process of building a sustainable, comprehensive internal control environment sufficient to comply with the Sarbanes-Oxley Act of 2002 (SOX) requires a significant investment of organizational resources. We have created the Zero to SOX implementation process to assist organizations in this endeavor.

A Five-Year Window for SOX Internal Control Audit Requirements

On March 12, 2020, the SEC issued a ruling – Amendments to the Accelerated Filer and Large Accelerated Filer Definitions. The effect of the changes was to reduce the burden and compliance costs for certain smaller registrants. Under the new rules, certain low-revenue registrants are no longer required to have their assessment of the effectiveness of internal control over financial reporting (ICFR) attested and reported on by their independent auditors. The figure below from the U.S. Securities and Exchange Commission shows a detail of thresholds between Small Reporting Companies (SRCs) and Non-SRC organizations.

While the burden may have been lifted for smaller organizations, the requirement of a comprehensive internal control environment remains. An emerging growth company’s annual report still must contain an internal control report which:

  • states management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
  • contains an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal control structure and procedures for financial reporting.

During the five years following an IPO, a Small Reporting Company should take a risk-focused approach to SOX compliance by specifically identifying, implementing and monitoring those internal controls that enable management to achieve these regulatory requirements with confidence.

ZERO to SOX – A Five Year Timeline

Year One Pre-SOX

Activities in the first post-IPO year are focused upon the identification of HIGH Risk processes and the implementation of the documentation and monitoring activities necessary to support management’s annual reporting requirements under Section 404.

Years Two and Three Pre-SOX

Activities in the second and third post-IPO years are focused upon evaluating and understanding the company’s internal control priorities in light of the company’s growth and evolution. Monitoring activities necessary to support management’s annual reporting requirements under Section 404 continue.

Year Four Pre-SOX

Activities in the fourth post-IPO year add the additional objective of documentation and assessment of the MODERATE and LOW risk processes.

Evaluating and understanding the company’s internal control priorities in light of the company’s growth and evolution continues along with monitoring activities necessary to support management’s annual reporting requirements under Section 404.

Year Five SOX

Activities in the fifth post-IPO year are focused upon the monitoring activities necessary to support management’s annual reporting requirements under Section 404 and those necessary to support the integrated audit work of the company’s external auditors.

Our SOX Services Help Set Your Company Up for Long-term Compliance

The Zero to SOX process, designed with clearly defined goals and executed by experienced team members, will lay the foundation to meet your company’s regulatory compliance requirements and to practice effective corporate governance now and into the future.

For more information on our SOX Services, contact our team.