Talk about mixed messages. The new presidential administration wants what they consider “costly and unnecessary regulations” wiped out. At the same time we have continued pressure by regulatory agencies to strengthen and improve internal controls over financial reporting (ICFR). Anyone who is involved in SOX compliance has to wonder: Is the almost 15-year-old law part of the discussion in Washington? And what should we all be doing in the meantime?

Our crystal ball isn’t any less cloudy than yours, but here’s some advice. Keep in mind SOX’s goal—to have in place a strong ICFR system that prevents a material misstatement of the financial statements. To what extent this is mandated may be in flux, but the benefits of such a program are foundational. It’s good for your valuation, as well as management, employees, investors and anyone you do business with.
To keep your SOX program doing what you need it to do, know that it needs to evolve. As your business expands, its interests and risks shift, and leaders come and go, your SOX program needs tending to as well. Here are five ways to make sure yours stays up-to-date, no matter what happens on Capitol Hill.

1. Pay attention to your culture.

Culture plays a huge role in ICFR. What are the expectations for ethical behavior in the workplace? Are these embedded in your workplace culture? Is the pressure to deliver results so great that a blind eye is turned to questionable behavior? These are important questions to ask regularly, as the answers may change when leaders come and go, and the company grows more complex.

No matter how strong your design of controls, without a healthy ethical environment, your ICFR program will be fighting an uphill battle. Tone at the top matters. “In most cases of alleged financial fraud, the CEO and CFO are named in the complaint,” according to a March report from the Center for Audit Quality. “[Securities and Exchange] Commission staff noted that the driver of earnings management—the catalyst for most fraud cases—is often top management, such that the focus on the CEO and CFO is not surprising.”

In addition to the tone set by the senior leadership at headquarters, look at the culture of remote offices, both foreign and domestic. Take into account both the local tone at the top as well as customs and practices and any incentives offered to local leadership for achieving performance goals.

2. Revisit your company’s risk profile.

Business risks change. Are you staying current? Identify anticipated changes in business processes, systems and key personnel, and make sure you are addressing any known areas of risks that need attention. Even if your internal environment is stable, assess how your business risks may have changed due to external factors.

3. Adopt a quarterly review process.

Keep the people responsible for key controls engaged all year long. By carrying out quarterly self-assessments, control owners can get a quick read on areas that are changing and controls that no longer serve the organization. These evaluations can also help prevent surprises when it comes time to test the controls.

4. Seek alignment with your external auditors.

Expectations can change, so stay fluid. The regulatory landscape will continue to evolve as new leadership takes shape at the SEC and the Public Company Accounting Oversight Board, and their priorities and interests are passed down to auditors. Understanding changes in your auditors’ expectations and having clear, proactive communication can make all the difference in your ability to retain an effective SOX program.

Some of the more recent areas of focus by your auditors may include IPE (information produced by the entity) and the related scrutiny to ensure that the data is complete and accurate. In considering the completeness and accuracy of information used in the execution of a control, it is important to pay attention to the relevant data elements.

5. Fold in insights from experts who bring another perspective.

When your external auditor asks for additional controls, how can you tell whether it’s a check-the-box request? What’s a reasonable risk-based response? You can use a co-sourcing finance team as a sounding board to help you formulate the appropriate answers. Experts who work with a variety of companies can offer a broader perspective of what is going on in the industry.

And for smaller companies that need to rely on a single employee for subject-matter expertise, outside experts can fill in knowledge with their “second set of eyes,” such as by evaluating the design of controls or reviewing a complex, nonstandard transaction.

Regardless of whether SOX as we know it goes away or is here to stay, savvy companies will want to keep the benefits of strong, right-sized internal controls.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

When SOX was first invented, we all struggled to figure out what companies were supposed to be doing, and what auditors were expecting to see. All this happened while the auditors were trying to follow new audit rules just as their new regulator (the PCAOB) came into existence. We were all stumbling around together.

AS2 came out with principles-based guidance—and was the shortest auditing standard in history. It threw everything into the auditors’ scope regardless of materiality, and created a lot of work for dubious value. And a lot of expense.

Along came AS5 to replace that standard, with an attempt to focus auditors on items that could reasonably give rise to a material misstatement. Use professional judgment was the message. That helped settle things down for a while … until the PCAOB started failing audit firms in the inspection process, citing deficiencies in its reviews of internal control over financial reporting.

The audit firms pushed back, and the PCAOB pushed harder. All the pushback was occurring behind the curtain. Companies were often left in the dark about priorities and expectations. And disagreements over what should be in scope of the audit have persisted.

Interpretations in flux

Over a decade after SOX’s passage, a mismatch in expectations continues. The interpretation of the rules keeps evolving. The new directives aren’t always official but are instead happening piecemeal, audit firm by audit firm, and sometimes even engagement team by engagement team. Companies have often been caught unawares by new changes, not realizing that the bar had been raised.

Most of this direction has stemmed from inspection findings. Audit firms are in the unenviable position of delivering the news to their clients about what the PCAOB inspectors find, and companies understandably cry foul that it’s not helpful to have them change their ways “after the fact.” When it comes to audits, no one likes surprises.

The upsides of SOX

Years of SOX compliance have resulted in positive progress. The way companies design controls is far different today than the early days—and how they evidence the execution of controls has matured as well. We see that companies have integrated SOX into their operations—it is not some “thing” off to the side, separate and apart from ongoing operations. And real, tangible benefits are being derived from it. Financial statements are more reliable. There are more checks and balances in place. We see a better defined “tone at the top”—there’s clear integrity and transparency in how SOX-compliant companies do business.

We’ve also seen companies becoming more mature in their operations and documentation of accounting entries. In the past, we were more likely to see journal entries with no supporting documentation. Or we’d find that reconciliations were performed but nobody reviewed them. Now, the level of documentation produced and retained is more robust, and there is more scrutiny of the underlying data itself.

What do they want?

Still, it’s not always clear whether companies are living up to their auditors’ (and their auditors’ inspectors’) expectations. In 2013, some light shone through when the PCAOB released an audit alert following three years’ worth of serious deficiencies in internal-control audits. The general public finally got to hear what the inspectors were seeing beyond their vague inspection reports. The PCAOB expected to see more proof that the auditors were doing what they are supposed to be doing while reviewing internal controls, and those demands have trickled down to the auditors’ clients.

Here’s one example of how it plays out now: When auditors want to look over management review controls (controls that help management identify errors), they need to understand them and then test to see if they are operating at a precise enough level to detect a material misstatement. The potential snafu here is that management documented their review in accordance with their own needs, not the auditors’. The auditor will want sufficient evidence to prove what management looked at, what was investigated and how it was resolved.

Management does not need a stack of paperwork to perform a meaningful budget-to-actual analysis and be comfortable that there are no material misstatements. But auditors want to know for sure that the analysis was done and thoroughly reviewed or else they are hard-pressed to place reliance on that control. Ten years ago, a simple signature on a page was often sufficient evidence. Not so today.

At times it seems audit requests are coming from a “one size fits all” approach rather than a tailored approach based on specific facts and circumstances. Companies end up feeling a need to pile on the documentation to make future audits easier but on areas that have little connection to the possibility of a material misstatement.

What’s next

How the PCAOB goes about its inspections could change. In May, the PCAOB revealed that it may go about the selection of audits to review differently, shifting from a risk-based focus to taking some audits at random (as it is now, the PCAOB tends to review the riskiest/most complex clients in an audit firm’s portfolio).

That change may not address the issue of mismatched expectations but it will certainly get the conversation going, which isn’t a bad thing. As usual, the devil is still in the details. What matters to the regulator—and the audit firms it inspects—will continue to evolve as precedents get set and the bar gets raised. Some areas, such as cybersecurity risks, could attract more focus.

Here’s the bottom line: The evolution could all be for the better, as long as we can use judgment about what adds value and what is merely checking off boxes.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. She was recently asked by ComplianceWeek for her take on the “new normal for internal controls.” Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

Many people say life speeds up as you get older. Maybe that’s why the year-end crunch seems to keep getting tighter. The end of Q3 is upon us and year end is right around the corner. While the company’s SOX testing may be under control, we have some recommendations for your 2015 internal control checklist that expand beyond SOX, and should help set you up for a year end process that runs as smoothly as possible (yes, it is time to be thinking about these issues):

1. Check in on COSO
By now, most companies have transitioned to the 2013 version of the Committee of Sponsoring Organizations (COSO) internal-controls framework, although there are some holdouts. Before you go any further in this checklist, if your company has not yet made the transition, we recommend that you familiarize yourself with the new framework, map your existing controls and identify any gaps.

The Securities and Exchange Commission has not confirmed a timeline for going after companies that have not migrated to COSO 2013, but lack of COSO compliance can still lead to problems. From an internal control over financial reporting (ICFR) perspective, if one or more of the new framework’s 17 principles are not present and functioning, a major deficiency may exist. This would equate to a material weakness under Section 404 of the Sarbanes-Oxley Act. Not something that management, the board or investors are likely to want.

2. See if you need to expand enterprise risk reviews
The latest COSO framework calls on companies to have an operational risk assessment program, and to identify risks that may derail their ability to reach corporate objectives. Most companies record their significant risks in their 10-Qs and the 10-K, of course, but they may need to rethink or expand the information sources.

The assessment should include input from business units and appropriate levels of management. Has the company also created an upward/downward communication route for identifying, documenting and addressing lower level risks that impact smaller entities and regional operations? If not, now would be a good time to make a change.

3. Put out some fraud feelers
Another COSO requirement is consideration of fraud risk. A proven way to address the issue is to conduct fraud brainstorming sessions with various employee groups. It could provide a whole new perspective. When employees are asked to “think like a fraudster” and brainstorm “how a fraud could perpetrate itself at the company,” they may reveal gaps or risks that had never been contemplated on a companywide scale.

4. Evaluate how management reviews controls
For controls that require management review, particularly for complex processes, it’s important to document the steps taken as part of the review process. Supporting documentation will make any auditor questions that pop up easier to handle and could also make the process easier when next year rolls around, or in the event of a personnel change.

5. Touch base with your auditors
Management must evaluate the adequacy and completeness of the key reports used for preparing financial statements. By now, the company should have the list of key reports handy. If you have not already done so, we recommend meeting immediately with your external auditor to confirm that the list is appropriate, while there is still an opportunity to address gaps prior to fiscal year end.

6. Take a fresh look at related-party and significant or unusual transactions
A new auditing standard could bring this issue to the forefront, even for companies that may think they do not have such transactions. To head off extra questions by auditors, companies should consider: Is the board or audit committee aware of all related-party transactions, including suppliers, vendors and customers? What if employees haven’t disclosed them? Does the company have a documented process to assess related-party transactions and determine when disclosure is required?

Here’s a quick trick that could be revealing: Compare employee addresses to vendor addresses to see if there are any matches. While it may not turn out to be a problem, a match could be a flag that requires further investigation.
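The employee-to-vendor address comparison described above, as an added example that is not part of RoseRyan’s post. It assumes the employee master and vendor master have been exported as lists of records with `employee_id`/`vendor_id` and `address` fields (an assumption; the sample records are constructed). It goes a little beyond a raw string comparison: both sides are normalized (case, punctuation, “Street” vs. “St”, “P.O. Box” vs. “PO Box”) so that formatting differences do not hide a match, and the company’s own addresses are skipped so that an employee who lists the office address is not flagged. Any hit it returns is a lead for follow-up, not a finding on its own.

```python
"""Employee-to-vendor address matching for a related-party / fraud review.

Added example, not RoseRyan's code. Record layouts and the sample data below
are constructed assumptions, not exports from any real system.
"""
import re
from collections import defaultdict

# Common street-suffix and unit-designator variants folded to one token.
# Extend for the address conventions in your own master data.
_ABBREVIATIONS = {
    "STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
    "BOULEVARD": "BLVD", "LANE": "LN", "COURT": "CT", "SUITE": "STE",
    "APARTMENT": "APT", "UNIT": "APT", "NORTH": "N", "SOUTH": "S",
    "EAST": "E", "WEST": "W",
}


def normalize_address(raw):
    """Return a canonical comparison key for an address string.

    Upper-cases, folds 'P.O. Box' / 'P O Box' to 'PO BOX', strips punctuation,
    abbreviates common suffixes and collapses whitespace.
    """
    text = raw.upper()
    text = re.sub(r"\bP\.?\s*O\.?\s*BOX\b", "PO BOX", text)
    text = re.sub(r"[^\w\s]", " ", text)  # commas, periods, '#' etc. -> space
    tokens = [_ABBREVIATIONS.get(tok, tok) for tok in text.split()]
    return " ".join(tokens)


def find_address_matches(employees, vendors, company_addresses=()):
    """Return (employee_id, vendor_id, normalized_address) triples where an
    employee's address equals a vendor's remit-to address.

    Addresses listed in company_addresses (e.g. headquarters) are ignored:
    an employee giving the office address is expected, not a red flag.
    """
    ignore = {normalize_address(a) for a in company_addresses}

    vendors_by_address = defaultdict(list)
    for vendor in vendors:
        key = normalize_address(vendor["address"])
        if key and key not in ignore:
            vendors_by_address[key].append(vendor["vendor_id"])

    matches = []
    for employee in employees:
        key = normalize_address(employee["address"])
        for vendor_id in vendors_by_address.get(key, []):
            matches.append((employee["employee_id"], vendor_id, key))
    return matches


# Constructed sample data (assumed record layout).
EMPLOYEES = [
    {"employee_id": "E100", "address": "42 Maple Street, Apt. 3, Springfield"},
    {"employee_id": "E101", "address": "1 Corporate Way, Suite 200, Springfield"},
    {"employee_id": "E102", "address": "P.O. Box 77, Shelbyville"},
]
VENDORS = [
    {"vendor_id": "V900", "address": "42 MAPLE ST APT 3 SPRINGFIELD"},
    {"vendor_id": "V901", "address": "1 Corporate Way Ste 200, Springfield"},
    {"vendor_id": "V902", "address": "PO Box 77, Shelbyville"},
    {"vendor_id": "V903", "address": "9 Elm Avenue, Springfield"},
]
COMPANY_ADDRESSES = ["1 Corporate Way, Suite 200, Springfield"]


if __name__ == "__main__":
    for employee_id, vendor_id, address in find_address_matches(
        EMPLOYEES, VENDORS, COMPANY_ADDRESSES
    ):
        print(f"REVIEW: employee {employee_id} shares address with vendor "
              f"{vendor_id}: {address}")
```

On the sample data this reports E100/V900 and E102/V902; E101 shares the headquarters address with V901 and is suppressed. Matches are exact after normalization; a fuzzy comparison (for example, ignoring unit numbers) would widen the net at the cost of more false leads, which is a judgment call for the review team.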

Be aware that external auditors need to conduct new procedures to comply with Auditing Standard 18—Related Parties (which became effective for audits occurring on or after December 15, 2014), and they will report their results to the audit committee. The report will include transactions they found that the company had not told them about, as well as deals that were not authorized or approved in accordance with company policies, or that appear to lack a business purpose.

Also make a point to review significant or unusual transactions. Is the company preparing memos or documenting the approval and controls process for significant or unusual transactions? Your external auditor needs to report on this as well.

Ideally, these internal control and compliance areas are already a part of your toward-the-end-of-the-year checklist. If they’re not, you may want to start right now. That clock keeps ticking!

Alisanne Gilmore-Allen is a member of the RoseRyan dream team. She is a Certified Internal Auditor, Certified Fraud Examiner, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.