This past year, perhaps like no other, has likely brought tremendous changes to your company, and those changes will bring up new considerations in your Sarbanes-Oxley risk assessment. Shifts in strategic plans, impacts from the COVID-19 pandemic, and new ways of working by your finance team (completely paperless, fully remote) could require some updates in your SOX compliance program.
The process of assessing risk for SOX compliance turns up new considerations every year, such as an increased area of focus by your external auditors because of common themes in Public Company Accounting Oversight Board inspections, or big swings in your company’s market capitalization. Here, we provide a starting point for the considerations that may be on the table this year. This list of areas to consider and questions to ask is based on years of SOX experience and our SOX experts’ 2020 work with clients.
Prepping for SOX Risk Assessments
SPAC plans: Is your company one of the many currently looking into a special purpose acquisition company (SPAC)? What is the timing of the SPAC-IPO trajectory? Unlike newly public companies that take the traditional IPO route, SPACs do not get the one-year grace period for SOX compliance. Have you started your risk assessment to begin the design of your control environment?
Impact from market cap changes: Are you prepared if your market capitalization unexpectedly increases and requires you to change your assessment of your control environment under 404(b)? In 2020 we saw a number of companies whose market cap unexpectedly increased on their measurement date of June 30. If the company had previously been exempt from the SOX requirement for external audit attestation on internal controls over financial reporting, you may find that’s gone this year. It’s time to review the improvements you’ve made in your control environment and optimize your designed controls.
What if you see a decrease in market cap? Is this decrease expected to last, or is this just a temporary market fluctuation? If you believe this exemption from 404(b) will extend for a few years, maybe modifications can be made to your SOX compliance program: Can you reduce your sampling in testing? Can you perform self-assessments in place of testing? There are many options available to continue to be compliant. But be cautious here: if this is a short-term change, your best option may be to not make any changes to your 404 program.
SOC 1 reports: Increased reliance on SaaS software has increased companies’ reliance on their service providers’ SOC 1 reports. SOC 1 report reviews need to account for the fact that many of these service providers have changed their auditors for their SOC 1 reports, and those auditors have discovered deficiencies. To mitigate these risks for 2020, you may have put temporary controls in place, performed alternate procedures, or you may have unremediated control deficiencies. Companies should identify their own controls that can address the risks identified within a SOC 1 report.
Proper documentation: Auditors continue to focus on documentation of management review controls. Increased details regarding the evidence being reviewed and any judgments made by the reviewer need to be included in the documentation and testing of the control.
Emails saying “approved” can no longer stand in, on their own, as sufficient evidence. If an email approval is the only option of obtaining approval, the approver needs to include the details of what they are actually reviewing and approving.
Accounting estimates: We’ve also seen a focus on accounting estimates and increased documentation required in the performance of the control. What is being used in the determination of the estimate? What were the input assumptions? Was there a sensitivity analysis performed? Any reports used for the estimate must be retained and provided for testing.
All-remote workforce: How companies secure and protect their information became more of a challenge when so many people started working remotely last year. Think about the effect a sprawling workforce (working on their own devices and with increased potential for exposing information to outside parties) has had on the company’s cybersecurity risk.
Also, if recent changes include relying less on paper and transitioning from processing checks to ACH payments, increased controls may be needed in your payment systems. New ways of communicating and getting work done could require a deeper look into segregation of duties and user access reviews in the finance function.
Compliance: Meeting Sarbanes-Oxley Act Requirements
A fresh perspective from experts with steep SOX audit knowledge could be what your company needs after a year of tremendous change. Our SOX experts will make sure your internal controls are addressing your company’s current risks, apprise you of auditors’ areas of focus, and keep the entire SOX program running smoothly.
RoseRyan consultant Tracy Thames excels at SOX, corporate compliance, enterprise risk management, internal audit and project management. She was previously director of internal audit at Informatica and Guidewire, and she’s a Big 4 alum (EY).