Posts

As we head into the home stretch for this year’s SOX programs, we thought it would be helpful to highlight some key areas of focus by auditors that deserve particular attention this year. No year is ever the same: From dealing with pandemic-related risks to implementing new accounting standards, companies always have new considerations when it comes to complying with SOX. Based on my SOX crystal ball, here’s what I expect will be key areas of focus in SOX assessments.

How Is Your SOX Compliance in These Key Areas?

Not surprisingly, auditors’ areas of focus tend to align with the areas that the Public Company Accounting Oversight Board has been prioritizing during its inspections. Here’s what the PCAOB says about that:

“While inspections vary by firm, we may focus on auditor’s risk assessment processes, financial reporting, and audit areas affected by economic trends or pressures, audit areas that present challenges and significant risk, new accounting standards, and areas of recurring audit deficiencies.”

What does this thinking mean for SOX compliance in 2021? Well, let’s start with areas of recurring audit deficiencies—we’ve seen internal controls over financial reporting on that list for many years, and no matter how much effort companies put into making improvements, it still isn’t enough in the PCAOB’s view. With all this mind, here some aspects of ICFR that merit your attention this SOX season:

Risk assessment process: Spend the time to prepare a thorough risk assessment and include robust documentation. Have you identified all the areas for potential material misstatements? Do you have controls to mitigate your significant risks? Are all your financial statement assertions covered?

Many companies have addressed the risks in their control set associated with the sudden shift to remote work made because of COVID shelter-in-place orders, but the pandemic continues to present risks to the business. We continue to see supply chain shortages crop up as well as other new impacts of our pandemic life. Be sure you have addressed key changes to your business in your risk assessment.

If you’ve recently adopted new accounting standards, such as ASC 606 (Revenue) or ASC 842 (Leases), or refined your workflow and processes in these areas, make sure you’ve updated your design of controls to reflect the new risks and process flows as part of your sox compliance program.

Management review controls: This has been on the PCAOB list for quite some time—so expect to see further scrutiny here. Look to stated precision levels utilized in the management review process and what the reviewer does when something falls outside those threshold levels, or what happens when the process doesn’t follow the “normal” process. Your auditors will likely expect to see documentation showing that you’ve done these steps for each review.

Completeness and accuracy of IPE: From a SOX perspective, IPE, or “information produced by the entity,” means documenting how control operators satisfy themselves that the data used in the execution of the control is complete and accurate. It sounds simple enough, and yet this is an area that gives most people trouble. We see the whole range of reactions in our client base—from control owners who say, “I get this report from our IT team—it’s their job to make sure it’s complete and accurate” to “It’s a canned report from a leading cloud company—of course it’s complete and accurate.” The reality is, the responsibility for completeness and accuracy is shared between the application owner and the application user.

Let’s break this down even further:

For canned reports—standard reports that you run from a third-party application—you’ll need to demonstrate the report was generated using the appropriate parameters, that the calculations performed in the report are accurate, and that the vendor has effective access and change management controls in place.

  • Parameters: Verify that the parameters used to generate the report are correct, and indicate that you have reviewed them. You can do that by tick mark, a highlight, whatever works for you. But you really do need to look at the parameters—we’ve seen companies run Q1 reports with the dates of January 1 to March 30. The after-the-fact argument of “there was no activity on March 31” isn’t going to fly—the only way to prove that is to run the report using the right date. We’ve also seen stock reports run without a complete population (e.g., it’s missing one of the stock plans).
  • Accuracy of calculations: Verification of calculations performed can be accomplished a few ways—it could be the vendor actually does this verification and includes it in the SOC 1 report. If that’s the case, you can rely on that. Most of the time, a SOC 1 report doesn’t cover this, so you’ll need to do your own verification. Generally a “test of one” will suffice—but be sure you do a “test of one” on all the use cases, not just one. (Here’s a simple example: You can manually recalculate monthly depreciation expense for a single asset and compare your calculation to the report output—if it matches, you’re good. But also include a test for a fully depreciated asset, for an asset added during the month and for an asset retired during the month.)

Digging Deeper into SOC 1 Reports

Effective assessment of a SOC 1 report could be a blog topic in and of itself—so we’ll just hit some highlights:

Make sure the SOC 1 report covers the period you are relying on and it has a bridge letter to get you to the end of your fiscal year. Many vendors will issue a SOC 1 report covering the period through September or October, and then issuing a bridge letter saying there were no changes through December 31. For a calendar year-end company, that should work. If your fiscal year-end is different, you’ll need to do additional work here.

You should also evaluate if the design of controls listed in the report covers the key risks you need covered, and whether any testing exceptions were noted. If there are missing controls, you’ll need to do something more on your end (such as verification of calculations). If there are testing exceptions, then evaluate the impact to your organization—it could be the exception is in an area you are not relying on, or you might have compensating controls in place to mitigate the risk.

The SOC 1 report will also list out any sub-service organizations the vendor relies on, and whether the report includes controls from the sub-service organization. Often they are excluded, so you will need to obtain and review those SOC 1 reports separately. Finally, look at the list of User Control Considerations—controls that the vendor expects you to have in place, typically around access, and evaluate whether your controls address those areas.

You’ll need to go through a similar process for information used in control execution that is developed in-house and for calculations in Excel workbooks, such as tax provisions, data from a data warehouse that was extracted from other systems, custom reports, queries and scripts, etc.

Always Be on Top of SOX Trends

SOX compliance is always evolving. The SOX experts at RoseRyan can help your company master the latest key areas of focus and ensure that your company not only meets compliance requirements but does so in an efficient way that can be carried over to future years. To learn more about how we can create a tailored SOX program for your company and our SOX philosophy, see our latest video , and contact us to help you with your SOX program.

Pat Voll is a vice president at RoseRyan, where she guides and develops new solutions for our strategic advisory practice, which includes corporate governance, strategic projects and operational accounting. She also manages multiple client relationships and oversees strategic initiatives for the firm. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

Is there room for improvement in your IT and business processes? Are your internal controls effective? Are you effectively meeting your compliance obligations? These are some of the top-of-mind questions for an internal audit function designed to mainly focus on the risk management, corporate governance, and internal control processes at the company, but there is so much more that can be gleaned from this valuable resource—if your internal audit function is set up a certain way. Here is how to improve and enhance the internal audit process and function at your company.

How Can I Improve the Internal Audit Function?

 

  1. Reset your view of the internal audit function. Whether your internal audit function is fully outsourced, completely in-house or “co-sourced,” this area of the company can be a tremendous resource. Today’s internal auditors have greatly expanded their responsibilities to fill in the types of knowledge gaps that prevent companies from understanding not only significant current risks but emerging risks and opportunities that deserve attention. When they have a deep understanding of the business, the internal audit team can offer a fresh, unique perspective and specialized expertise to help business leaders think through important issues and key risks, while gaining a more complete picture of how they should move forward. 
  1. Transform your internal audit function to be a strategic business asset. To get to this point, your company could benefit from an outside expert perspective, to undertake an internal audit assessment, look at your internal audit procedures, and bring the internal audit function to the next level. The idea is to get the business to focus on the risks that matter along with the strategic opportunities that it could be missing otherwise. 
  1. Open up collaborations between the internal audit team and business leaders to uncover emerging risks and opportunities. Here’s where a properly developed, modern internal audit function can really shine. Internal audit experts bring their accounting and corporate governance backgrounds, along with their curiosity and understanding of the business, to ask the kinds of questions of business leaders that few, if anyone, are asking. Different organizations within the business rarely have time to compare notes with each other. As a result, one organization may not be aware of a potential risk that could critically affect them. By understanding everyone’s top concerns and risks, through meaningful conversations, the internal audit team can bring to the surface important issues as they help decision-makers prioritize some of the most pressing problems. 
  1. Leverage internal audit insights for a positive influence on business growth. Internal auditors are not only looking out for risks and problems. They’re also on the lookout for opportunities, and they can help you think them through with scenario planning. As they conduct their SWOT (strengths, weaknesses, opportunities and threats) analysis, they take a forward-looking approach and will alert the company to potential ways of building on its strengths and seeking new opportunities (e.g., a new product line). 
  1. Lean on seasoned pros to help transform your internal audit process and function and mentor your team. It’s rare that an internal audit function would grow organically within a company; the audit planning process development can require a specific skill set and knowledge. Experts who have led internal audit teams and have served as internal auditors can get the ball rolling, by introducing objective critical thinking; deep, actionable insights; along with mentoring of new members of the team. They can shift the focus of the internal audit function or establish it from the ground up, moving away from the traditional compliance-only focus to influence strategy and lead change. In this way, the company will gain a true partner for strategic initiatives, including M&A support, new system implementations, new product introductions and process improvements.

Ready for a More Proactive Internal Audit Team?

If your in-house resources do not have the skills to keep up with emerging risks, it’s probably time for a change. It’s true that internal audit needs to cover compliance and risk management—but the function can be set up to be broader, more effective, more proactive, and more strategic minded.

The internal audit and corporate governance experts at RoseRyan can help your company set the foundation for an internal audit function that will not only prepare your company for the audit of internal controls and audit the efficiency of your internal control system, but also take on much more—to make your company more aware of new emerging risks to the business strategy and how to address them. Find out more about the RoseRyan Internal Audit Solution, and let us know how we can help.

 

Without a doubt one of the most major milestones in a company’s growth journey is going public. That ringing of the opening bell (either literally or figuratively) for your IPO leads to another milestone the company will soon have to hit: becoming SOX compliant.

While the Sarbanes-Oxley Act of 2002 features many provisions designed to prevent financial fraud and enhance corporate governance, Section 404 in particular becomes a pressing concern soon after an initial public offering. This is when management will weigh in on the effectiveness of the company’s internal controls over financial reporting and, eventually, the company’s external auditors will offer an opinion as well.

Challenges in Establishing an Effective SOX Compliance Program

Here are a just a few of the challenges companies face when setting up an effective SOX compliance program:

A shift in some practices. Any change can be tough. The team may have been doing something a certain way for a long time and haven’t yet realized the practice could have a detrimental effect on the financial operations or the veracity of the financial information. New systems may need to be put in place that could take some time to learn. A cultural shift will need to occur if the “tone at the top” (namely the CEO and CFO) isn’t encouraging the best behavior throughout the company.

For the most part, professionals know what the ethical, right thing to do is—however, when systems are put in place to formalize that, it can require some adjustments. SOX experts who are practical in nature and flexible to the companies they work with know this already and come up with solutions that work for the company (its size, industry, complexity).

Disparate ways of working. Cultural differences among geographically dispersed offices can affect the company’s overall need to comply with SOX. Remote offices may follow customs and practices that don’t yet align with where the company needs to shift.

Ever-evolving risks. Here’s where SOX compliance is rarely if ever the same year to year. The top risks affecting the company are frequently changing as are emerging risks that the company may need to address. External experts are often invaluable in this regard as they work with multiple companies and see everything—they can seamlessly incorporate best practices they’ve picked up in the field and adjust them to your company.

Benefits of a SOX Compliance Program

In addition to meeting corporate governance compliance requirements, a SOX program offers multiple benefits, including the ones listed below.

Minimizes the risk of a material misstatement of the financial statement and fraud risk. With the right systems and processes in place, your company can prevent (or better detect) incidents of fraud and prevent errors from occurring that could affect the reliability of your financial reporting. All of the work that goes into SOX compliance contributes to this goal—SOX’s main purpose. It also contributes to protecting the company’s and top management’s reputation.

Introduces efficiencies. With a SOX program tailored for your company that integrates with your workflow, ongoing pain points will be eased and simplifying of controls will be achieved.

Gains trust in the marketplace. Whether your company has always instilled a sense of financial integrity or only now is shoring up its internal controls, potential stakeholders will know they can rely on the information you are sharing with them—and that can have a positive effect on your valuation.

Tips for Creating, Maintaining an Effective SOX Compliance Program

You may be wondering, how do I set up or improve a SOX compliance program? This post highlighted many of the challenges along with the benefits of taking on SOX compliance. SOX experts can help from the very beginning, even before your company is ready to go IPO and also be there when it’s time to bring in your external auditors to meet your SOX 404(b) requirements.

By working closely with SOX experts who have helped a wide range of companies, in various stages of SOX compliance, you can establish a workable, practical SOX compliance program that can be effectively maintained year over year. We’ve helped companies design, document and execute controls, often during a time crunch.

For an assessment of your program or the start of a SOX 404 compliance program, reach out to our corporate governance pros today.

Sarbanes-Oxley compliance has come an incredibly long way since the corporate governance law was passed nearly two decades ago. That doesn’t mean startups are in a hurry to become SOX compliant. Still, for a high-growth startup that may one day go public, its SOX-like compliance efforts can give assurance to management and investors that the company’s financial reporting can be relied upon.

What makes SOX compliance more clearly beneficial, compared to the early days of the anti-fraud law, is the significant financial operational efficiencies that open up when companies assess and tighten up their internal controls over financial reporting. With the help of financial integrity experts, they can realize such efficiencies as they start understanding and documenting their internal controls.

As your early stage startup contemplates the future, including potential exit strategies, what would you need to do to become SOX compliant?

SOX Compliance for Startups

Tip 1. Firm up your financial foundation. Your emerging growth company’s venture into the public markets might seem far away. Strategic opportunities can unexpectedly arise, however, in the form of a SPAC (special purpose acquisition company) merger, accelerating your company’s need to be IPO ready or SOX ready. Despite whatever strategic plan is in the works, the financial foundation of your startup should be sound so that you have the level of financial information and analysis needed to confidently move the company in the right direction.

Have investments in technology kept up with the size and complexity of the company and where it’s headed? Are your accounting processes practical and leading to timely, credible financial reports that are auditable? Do you have access to the kind of strategic financial expertise required to help you move the startup forward?

Tip 2. Keep current on your key risks. As your startup quickly moves ahead, your risk management efforts need to be adjusted. Risks change as the markets change, as new employees are brought in, as the economy shifts, and as customer demographics evolve. A large part of SOX compliance involves understanding the current major risks facing the company, so risk management for IPO-headed startups is also important.

Tip 3. Seek expertise early and often. Whether your company needs a version of “SOX lite” right now, an idea of whether it’s headed in a smart direction in its growth journey, or simply some expert advice, you need the right expertise to help you. Amid fast growth and your assessment of your high growth startup compliance, you’ll likely find that you need more insights than you can find in-house.

You’ll need to connect with experts who will adjust their guidance to where your startup is right now and then will be there with relevant solutions as those needs change. Seek out a finance and accounting consulting firm that understands emerging growth companies like yours as well as the version of the company you hope it will become.

Do the consulting firm’s experts have experience in your industry, with companies like yours? And if they don’t, how can they meet your needs? Look for a consulting firm that tailors its solutions to their clients rather than trying to bend a company toward its solutions.

Tip 4. Be prepared to act like a public company. Does your team have the skills and resources to meet the ongoing financial reporting demands and SOX requirements of a newly public company? The deadlines are not flexible once your company goes public, and the scrutiny is higher. Pre-IPO companies can ease into meeting the higher expectations by truly understanding what it takes to act like a public company, including SOX 404 compliance and all that entails.

Some of the main internal controls that a public company is expected to adopt are simply best practices that every company should be doing, such as segregation of duties. Undertaking good habits as early as possible can minimize the risk of a material misstatement of the financial statements.

Tip 5. Communicate with your external auditors. Here’s a tip that not everyone intuitively realizes is a possibility: You can proactively check in with your external auditors to understand their expectations.

SOX experts can help you keep these communication lines open, while retaining independence between your startup and the auditors. This way you can understand what auditors want to know and minimize any back and forth that would require your attention. After all, you have so many other responsibilities besides SOX compliance for startups.

How Does Sarbanes-Oxley Affect My Startup?

You may be wondering, “How do I implement SOX in my high-growth startup?” The short answer is startups do not have to be SOX compliant until they are public. Depending on your current growth plans, however, you could find that your startup should work toward becoming SOX ready. To set the wheels in motion, reach out to SOX and financial integrity experts who can help guide your company through what you can and should do now, based on your current growth plans.

It’s that time of year again. Remember last year, after the auditors came and went, when you promised yourself next year would go a lot smoother? Well, here we are, with an opportunity to set up all of your department’s information as organized and as clean as possible so that you can keep any bumps between your team and the audit team to a minimum. To help with this process, I have put together a list, primarily for accounting managers, to prepare for the year-end audit.

Be sure you are on the same page as the auditors: Every quarter, you have provided documentation per the audit request list (also known as PBC, or Prepared by Client). Check with the auditors that they will be using the data that you’re taking the time to put together for them. Oftentimes, those of us who are tasked with working with auditors find out only after we have provided a schedule with multiple tabs of information that they will not be using those tabs. They may instead rely on other data points they have collected over the year or they are just not fully aware of the additional information. Communication here will prevent everyone from wasting time.

Take a look back at the past year: In the preparation of year-end, review the information that was provided to the audit team on a quarterly basis as well as any comments the auditors or your internal SOX team made afterward. Keep in mind quarterly reviews do not necessarily find all issues or errors. They are more likely to crop up during the year-end, when the audit team really digs into the details.

Check your work: When creating the year-end schedules, look at the logic of the worksheet, the formulas used in each calculation, and verify the totals match the financials. Hint: if using Excel, select the “formulas” tab and select the “show formulas” option. This will change the worksheet from showing the resulting number to the formula used in each cell. Look for any changes made since the last quarter’s review in methodology, calculations, method of gathering the data (because of a different report or an updated system), or presentation on the schedule. Then, if you are the person creating the audit schedules, have someone else take a look who is familiar with the process. That person will probably find little things that you didn’t see simply because you are too familiar with the information.

Address any mistake in the schedule ahead of time: If a discrepancy is found during the internal review process, create a new year-to-date schedule by quarter with the changes identified, documented, and quantified. Discuss your findings with management so they can determine if the changes are material and how best to communicate them with the audit team.

Be organized: Make an audit binder or a folder on your secured internal site with the schedules and any information that would help someone else prepare them. Keep track of when you submit your schedules to the audit team and what version you give them. If there are any questions, you will both need to be looking at the same schedule.

Don’t forget about the effect on the first-quarter review: Lastly, when creating your first-quarter review schedules, verify they contain any updates from the year-end review – both yours and the audit team’s. In other words, don’t automatically pull the previous first quarter schedules to use.

These tips will hopefully make your audit process much smoother than last year. For more information about this topic, check out our intelligence report Audit time? Don’t sweat it.

Monica Zorn is a member of the RoseRyan dream team. She specializes in controllership issues, reconciliations and audit prep, and SOX.

Enterprise risk management (ERM) tends to be thought of as something only big companies need (or can afford). But it’s not just a megacorp thing—it can protect assets; rescue your company from unforeseen catastrophes, like a supplier going out of business or an epic PR crisis; guard against weak links in your supply chain; and more. Done right, an ERM program can also make decision making smarter, more strategic and more sharply focused on key success factors.

And it doesn’t have to be a major undertaking. Our new report, ERM: Not Just for the Big Guys, shows how midsize businesses can benefit from ERM and how to implement a program cost effectively with a plan that’s right-sized for your company.

How can you get the right fit? The report covers this checklist:

  • Give the CFO the lead
  • Get support from the top
  • Take a step-by-step approach
  • Provide the right tools and frameworks
  • Integrate ERM into decision making
  • Identify key performance indicators

The thought of yet another program when you’re already running lean may make you want to run the other way. You’re not alone: in a recent CFO magazine survey, participants said a commitment of time and resources was the single biggest impediment to implementing ERM.

Think about what you could gain—and what you might lose if unseen risks arise and you don’t have a plan. ERM: Not Just for the Big Guys shows how you can get started sensibly, one step at a time.

Other RoseRyan intelligence reports are available on topics such as M&A due diligence, acing your IPO filing, debt financing and revenue recognition.

I recently read an article discussing how approximately $1.2 billion in cash went missing from the coffers of MF Global Holdings, simply “vaporizing” in the wake of the company’ s collapse, according to The Wall Street Journal. It seems astonishing that they didn’t have the internal controls  in place that would have prevented this from happening: the CEO and CFO certified that the company’s internal controls were effective less than 90 days before the company went bankrupt.

The following controls—which are always part of our standard reviews—could have prevented this massive loss.

Segregation of duties (SOD): Traditional internal control systems rely on assigning certain responsibilities to different individuals or segregating incompatible functions. The general premise of SOD is to keep an employee or group of employees from being in a position to perpetrate and conceal errors or fraud in the course of their duties by preventing one person from having both access to assets and the responsibility for maintaining the accountability of those assets. The principal duties to be segregated are custody of assets, authorization or approval of transactions affecting those assets, and recording or reporting related transactions.

Monitoring controls: Monitoring can refer to evaluations of internal controls, either ongoing or separate. These evaluations enable management to determine whether the components of internal control continue to function over time, identifying deficiencies and communicating them in a timely manner to the people responsible for taking corrective action and to management and the board.

Fraud controls: The risk of fraud can increase significantly when three factors—pressures/incentives, opportunity and rationalization, commonly referred to as the “fraud triangle”—are all present. Of the three, opportunity can most effectively be managed to address fraud risks by designing and implementing a control environment that prevents, detects and deters most fraudulent behavior, whether it’s conducted by employees, vendors, consultants or senior management.

Simply put, if these three controls had been in place, the money would not have disappeared. Therefore, the internal controls never existed.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently released for comment a draft 2012 Internal Control—Integrated Framework. The 2012 framework, expected to be released later this year, addresses changes in the globalization of markets, operations, and business models; rapidly changing technology; increasingly complex regulatory requirements; and growing expectations for governance oversight that have evolved since the original was implemented in 1992.

The revised framework retains the original five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) but incorporates additional principles and attributes intended to provide clarity in the design and development of internal controls, and that can support the assessment of the effectiveness of internal controls.

The new draft provides what I believe is improved guidance and clarity for completing a comprehensive risk assessment in a number of areas:

  • Most significant is the clarification that the risk assessment process includes risk identification, risk analysis (for example, the probability of occurrence and potential impact), and risk response (such as how the risk should be managed, with acceptance, avoidance, reduction and sharing).
  • Identifying risks is clearly linked to the achievement of an entity’s objectives.
  • Risk is considered within the overall entity and within its subunits (HR, legal, purchasing, etc.).
  • Risk tolerances are incorporated into the assessment of acceptable risk levels.
  • The new framework emphasizes the need for management to understand significant changes in internal and external factors that may impact the overall system of internal controls (external factors may include economic changes that impact financing or availability of capital; internal factors may include significant changes in management responsibilities or disruptions in information systems processing that can adversely impact operations).
  • The new framework considers not only fraud risks related to financial reporting or safeguarding of assets, but also risks related to corruption and specific attributes in identifying and evaluating such risks.

Don’t wait—update now
Even though the 2012 Internal Control—Integrated Framework is still in draft form, I believe there is much that management can leverage in updating their risk assessment processes in the new year. The new framework provides a much more robust process that covers risk assessment against stated business objectives; risks associated with fraud and corruption and safeguarding assets; and risk appetite as an integral part of control activities. It adds value by ensuring that you’re focusing on the right internal controls so your company meets objectives and sustains and improves performance.

This means now is the time to take a fresh perspective and evaluate current processes, rather than waiting until the new framework is released. Making sure your activities are in alignment with the new framework now will put you ahead of the game.

To read the draft 2012 Framework and provide comments, go to the COSO website.

Congratulations to Lucy Lee for her recent election to XBRL US’s Domain Steering Committee. The committee’s primary goal is to oversee the development of taxonomies that meet the business reporting needs of key U.S. markets.

“This committee is at the forefront of driving and shaping XBRL standards, so this is a unique opportunity to gain insight into taxonomy development,” says Lucy. “I’m excited to share the latest developments with our clients and my colleagues. Likewise, I look forward to contributing to the committee by providing it with meaningful input from RoseRyan’s work in the field.”

Lucy, who spearheaded the development of RoseRyan’s XBRL practice, will serve two consecutive one-year terms representing the analyst community. Her committee colleagues include representatives from Big 4 firms and leading software and service providers. Responsibilities of the committee include reviewing and establishing the business requirements for the XBRL specification, participating in the development of global taxonomy architecture best practices and participating in the development of taxonomy development and approval processes.

The new rev rec guidelines have made for some labor-intensive process changes in some of the client companies that we work for.

It took me back in time to the initiation of Sarbanes-Oxley (SOX) compliance and how it made stress levels skyrocket. Fears of the additional headcount that would be needed just to get the job done, what would happen if they didn’t comply, how they would disclose deficiencies and what affect that would have on the company, confusion about how to write a narrative or test plan and what’s a key vs. nonkey control.

Now, years later, working in the corporate governance line of business, I see an entirely different story. SOX has become so much a part of the fabric of the process within a company, that when a company is considering a process change, we actually hear “How will that affect the SOX testing?”

I think we would all agree that fear of the unknown is always greater than the fear of the known. As we work to make SOX controls part of our everyday life and the process becomes repeatable, the fear evaporates. The controls identified in the narrative have become part of the day-to-day process, employees are educated on controls and many companies have found that outsourcing SOX testing to companies like RoseRyan has been the right decision for their business.

This same approach will work for implementing the new rev rec guidance. Getting outside expert advice or implementation help, using some of the software tools that already exist (rather than re-creating the wheel) and looking for the simplest approach in implementation (not to mention taking a deep breath on a frequent basis), will all make the changes easier. And before you know it, you’ll be through the worst of it and it will feel like it was always a part of your process.

This just reaffirms how adaptable we all are. And isn’t it wonderful how time changes everything?