Complying with the Sarbanes-Oxley Act is always a complex and evolving process. It doesn’t matter whether your company has issued audited financial statements and management’s attestation of internal control effectiveness for many years or only recently embarked on the road to going public. Building and maintaining capabilities to comply with this law is a constant balancing act requiring an understanding of potential new costs, current risks of material misstatements, and awareness of internal changes that could have an impact on the efficacy of your program.
A quick assessment of your SOX compliance program can help you understand its strengths and weaknesses. Here are six ways to better balance the cost of your Sarbanes-Oxley program with the risks of material misstatements in your financial statements:
1. Expect additional costs from PCAOB inspections.
The recently announced 2020 budget for the Public Company Accounting Oversight Board increased year-over-year, and the board reaffirmed its strategic direction. The trickle down effect of what’s uncovered during the inspections of external audit firms and any significant deficiencies identified in those inspections does help the PCAOB meets its goals of greater financial reporting transparency and protection of investors. However, inspections will continue to put upward pressure on the work performed by (and costs companies pay) their audit firms.
2. Start early.
Reduce the chances of errors, audit headaches and avoidable costs by executing a robust planning process toward the beginning of the year (e.g., just after filing the previous 10-K). This is the time to anticipate where additional focus will be needed in the coming year. Notable findings from recent PCAOB inspections revealed common challenges:
- Improper design, documentation and testing of internal controls over financial reporting
- Inadequate understanding of likely misstatement sources
- Incomplete or inaccurate information and data used in estimates
- Inappropriate implementation of accounting for changes in the business and new accounting standards
Revenue recognition, equity, inventory and liability accounting were noted many times across PCAOB reports. For small companies, controls to ensure proper segregation of duties and assessing the competence of financial reporting duties outsourced to a third party were notably reported as deficient.
3. Monitor and assess key staff turnover.
There are a number of considerations any time a person leaves a company, from making sure they exit properly to figuring out how their role will be filled. Departures of staff with key internal control responsibilities add additional risk to this situation. The impact of the change should be assessed quickly to ensure their internal control duties are performed in a timely manner and in a way that addresses the related risk.
4. Remember that segregation of duties is essential.
Trust is not a control, and a having a small team is not an excuse. Proper segregation of duties protects company assets. It’s an essential internal control to protect the accuracy of the financial statements. Application controls, when properly designed and monitored, can help to reduce the workload. However, automation adds other risks that need to be considered—proper access management and system administration. Delegation is another level that can be used to effectively manage cost and risk. Consider the portion of internal control tasks being delegated. Funneling detailed reviews through senior staff or management can address segregation challenges with surprising efficiency.
5. Understand IT risks.
Here’s an area that continues to evolve fast, raising the probability of misstatements if your company becomes a target of a cyberattack. Large banks and companies are no longer the sole targets—hackers have found success in targeting companies and municipalities of all sizes. Popular tactics like spoofing emails and social engineering are hardly new practices, but the sophistication of methods has dramatically increased. We have seen a rise in successful efforts to defraud companies in many forms, including misdirected payments to employees and vendors, demands to wire money now to continue key services, and threats to company data.
Know where the “keys” to the company assets are, and take steps to ensure they remain in control of the company. Have policies and procedures in place, and make sure they’re followed when using the keys to distribute company funds or assets. Keep in mind that this is not only about mistakenly sending out money that will likely never be recovered—ironically, if the lost money is not recorded accurately and possible disclosed, it could indicate a control deficiency and possibly worse.
6. Pay renewed attention to SOC 1 reports.
Financial statement audits are not the only audits undergoing increased scrutiny. The audit of a service provider’s SOC 1 reports are changing as well. We have observed an increase in the number and significance of findings in these reports. The findings include specific controls companies are expecting to rely on, general IT controls regarding access and change management, and sub-servicer control issues. All of these have the potential to reduce or even eliminate companies’ ability to rely on them. It is important to carefully analyze the controls being sought for reliance and have appropriate monitoring and backup plans in place to address unforeseen surprises. Remember, the SOC 1 reports are issued late in the year, leaving little time to remediate if there’s an issue.
What’s Missing in Your Sarbanes-Oxley Program?
While companies face continued upward pressure on the costs to comply with Sarbanes-Oxley, smart planning, sound decisions on what controls to implement, and a coordinated effort throughout the year can help keep SOX compliance costs in check. These can all be addressed when your Sarbanes-Oxley program includes experts who deeply know SOX and how to navigate the complex waters of financial statement risk management and compliance.
Ken Roberts is a RoseRyan consultant who works with companies of all types in our Corporate Governance area. He’s an expert in SOX and internal control testing, and he’s held CFO, controller and internal audit roles. He also has experience with M&A integration work and operational accounting. Ken previously worked at Ernst & Young.