Many people say life speeds up as you get older. Maybe that’s why the year-end crunch seems to keep getting tighter. The end of Q3 is upon us and year end is right around the corner. While the company’s SOX testing may be under control, we have some recommendations for your 2015 internal control checklist that expand beyond SOX, and should help set you up for a year end process that runs as smoothly as possible (yes, it is time to be thinking about these issues):

1. Check in on COSO
By now, most companies have transitioned to the 2013 version of the Committee of Sponsoring Organizations (COSO) internal-controls framework, although there are some holdouts. Before you go any further in this checklist, if your company has not yet made the transition, we recommend that you familiarize yourself with the new framework, map your existing controls and identify any gaps.

The Securities and Exchange Commission has not confirmed a timeline for going after companies that have not migrated to COSO 2013, but lack of COSO compliance can still lead to problems. From an internal control over financial reporting (ICFR) perspective, if one or more of the new framework’s 17 principles are not present and functioning, a major deficiency may exist. This would equate to a material weakness under Section 404 of the Sarbanes-Oxley Act. Not something that management, the board or investors are likely to want.

2. See if you need to expand enterprise risk reviews
The latest COSO framework calls on companies to have an operational risk assessment program, and to identify risks that may derail their ability to reach corporate objectives. Most companies record their significant risks in their 10-Qs and the 10-K, of course, but they may need to rethink or expand the information sources.

The assessment should include input from business units and appropriate levels of management. Has the company also created an upward/downward communication route for identifying, documenting and addressing lower level risks that impact smaller entities and regional operations? If not, now would be a good time to make a change.

3. Put out some fraud feelers
Another COSO requirement is consideration of fraud risk. A proven way to address the issue is to conduct fraud brainstorming sessions with various employee groups. It could provide a whole new perspective. When employees are asked to “think like a fraudster” and brainstorm “how a fraud could perpetrate itself at the company,” they may reveal gaps or risks that had never been contemplated on a companywide scale.

4. Evaluate how management reviews controls
For controls that require management review, particularly for complex processes, it’s important to document the steps taken as part of the review process. Supporting documentation will make any auditor questions that pop up easier to handle and could also make the process easier when next year rolls around, or in the event of a personnel change.

5. Touch base with your auditors
Management must evaluate the adequacy and completeness of the key reports used for preparing financial statements. By now, the company should have the list of key reports handy. If you have not already done so, we recommend meeting immediately with your external auditor to confirm that the list is appropriate, while there is still an opportunity to address gaps prior to fiscal year end.

6. Take a fresh look at related-party and significant or unusual transactions
A new auditing standard could bring this issue to the forefront, even for companies that may think they do not have such transactions. To head off extra questions by auditors, companies should consider: Is the board or audit committee aware of all related-party transactions, including suppliers, vendors and customers? What if employees haven’t disclosed them? Does the company have a documented process to assess related-party transactions and determine when disclosure is required?

Here’s a quick trick that could be revealing: Compare employee addresses to vendor addresses to see if there are any matches. While it may not turn out to be a problem, a match could be a flag that requires further investigation.
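As an added illustration of the employee-versus-vendor address comparison described above (example code written for this page, not from the post; the employee and vendor records are constructed), this normalizes common spelling differences before comparing, so "Suite 4" and "ste 4" are treated as the same address:

```python
import re

# Constructed sample master data (not from the post). In practice these come
# from the HR system and the accounts-payable vendor master.
EMPLOYEES = [
    {"id": "E100", "name": "Dana Reyes", "address": "1200 Harbor Blvd., Suite 4, San Jose, CA 95112"},
    {"id": "E101", "name": "Lee Park", "address": "88 Oak Street, Fremont, CA 94536"},
    {"id": "E102", "name": "Sam Ortiz", "address": "45 Pine Ave, Apt 7B, Oakland CA 94607"},
]
VENDORS = [
    {"id": "V500", "name": "Harbor Consulting LLC", "address": "1200 harbor boulevard ste 4 san jose ca 95112"},
    {"id": "V501", "name": "Acme Supply", "address": "900 Industrial Rd, Hayward, CA 94544"},
    {"id": "V502", "name": "Pine Ave Services", "address": "45 Pine Avenue #7B, Oakland, CA 94607"},
]

# Common street and unit designators folded to one canonical token each.
_ABBREV = {
    "street": "st", "avenue": "ave", "boulevard": "blvd", "road": "rd", "drive": "dr",
    "suite": "unit", "ste": "unit", "apartment": "unit", "apt": "unit",
}


def normalize_address(addr: str) -> str:
    """Canonicalise an address so trivially different spellings compare equal."""
    s = addr.lower()
    s = re.sub(r"#\s*", "unit ", s)   # "#7B" -> "unit 7b"
    s = re.sub(r"[.,]", " ", s)       # punctuation carries no meaning here
    tokens = [_ABBREV.get(t, t) for t in s.split()]
    return " ".join(tokens)


def find_address_matches(employees, vendors):
    """Return employee/vendor pairs whose normalised addresses are identical.

    A hit is a lead for follow-up (possible undisclosed related party), not proof.
    """
    by_addr = {}
    for v in vendors:
        by_addr.setdefault(normalize_address(v["address"]), []).append(v)
    hits = []
    for e in employees:
        key = normalize_address(e["address"])
        for v in by_addr.get(key, []):
            hits.append({"employee_id": e["id"], "vendor_id": v["id"], "address": key})
    return hits


if __name__ == "__main__":
    for h in find_address_matches(EMPLOYEES, VENDORS):
        print(f"{h['employee_id']} shares an address with vendor {h['vendor_id']}: {h['address']}")
```

Near-matches (same street number and ZIP but different unit, or a P.O. box used by both) are not caught by an exact key, so a looser second pass is worth adding once the exact pass is in place.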

Be aware that external auditors need to conduct new procedures to comply with Auditing Standard 18—Related Parties (which became effective for audits occurring on or after December 15, 2014), and they will report their results to the audit committee. The report will include transactions they found that the company had not told them about, as well as deals that were not authorized or approved in accordance with company policies, or that appear to lack a business purpose.

Also make a point to review significant or unusual transactions. Is the company preparing memos or documenting the approval and controls process for significant or unusual transactions? Your external auditor needs to report on this as well.

Ideally, these internal control and compliance areas are already a part of your toward-the-end-of-the-year checklist. If they’re not, you may want to start right now. That clock keeps ticking!

Alisanne Gilmore-Allen is a member of the RoseRyan dream team. She is a Certified Internal Auditor, Certified Fraud Examiner, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.

The JOBS Act granted some relief from the burdens of SOX for emerging growth companies, and while any relief was most welcome, the changes brought on some confusion. And it hasn’t abated even three years later. There’s so much for newly public companies to do as they gear up for their intro on the markets and so much they have to do afterward to be in compliance with the new overseer in their life (the SEC). Working in the middle of an active IPO market, we often get questions about what a newly public company actually needs to take care of to be in compliance with SOX under the JOBS Act.

I’ll get to that in just a moment. First, here’s a quick refresher. The JOBS Act granted a temporary exemption (generally five years, depending on certain factors) from SOX 404(b)—the requirement for external audit attestation on internal controls over financial reporting for so-called emerging growth companies (i.e., practically any Silicon Valley company that’s on the go-public track). There is no exemption from SOX 404(a)—management’s report on internal controls over financial reporting. For any new public company, regardless of size, management is responsible for designing effective internal controls over financial reporting, for testing the effectiveness of those controls, and reporting their take on them beginning with the company’s second 10-K.

There’s a good intent behind all this: Whether you are exempt from audit attestation or not, you still need to report accurate financials. Internal controls over financial reporting should prevent material misstatements in your financials. A restatement of financials would be disruptive to your business, demoralizing to your team and very expensive. Where compliance becomes a hairy endeavor is in the details. It’s not something you want to put off until the 11th hour before that second 10-K is due. And you don’t want to be blasé about the whole matter just because the auditors won’t be looking at this area until the five-year mark goes by.

After working with companies for years on their internal controls, we have some practical advice that’s useful for both newly public and soon-to-be public companies:

Expect a culture shift. The typical entrepreneurial mindset that pits “nimble, innovative and responsive” as the polar opposite of “discipline and documentation” should change. The attitude that helped create your success needs to evolve to a more disciplined state for this next phase of your organizational development. This, more than anything, can be the biggest challenge of SOX compliance. Approach it as a “check the box, bureaucratic nightmare” and that is what you likely will end up with when you’re done. View and treat SOX as a value-add contribution to the success of your business and you may be surprised by the value you get.

Map out your SOX timeline before you go public. The second 10-K sounds so far away, but it will sneak up on you. Ideally, you’ll have your first round of testing finished in the first or second quarter of the year prior to your second 10-K—that gives you time to remediate and retest before the end of the year. Work backwards from there, keeping in mind other business priorities, such as new system implementations, audit timelines, vacation schedules and other deadlines. Your SOX timeline needs to build in the design, testing and reporting aspects—and you need to manage all that while the business evolves and your first rounds of SEC reporting deadlines create their own challenges.

Design your controls. Take advantage of the processes you already have in place, and identify your existing controls (you might be surprised at how much you already have in place). You’ll need to map to the COSO framework, identify where you already have strong controls and where you need to shore up others. You can develop a “gap list” of controls that need to be implemented and prioritize them so you can work on them over time. Your IT controls and entity level controls need to be addressed as well. The twist for SOX compliance is that not only do you have to have controls, you have to be able to demonstrate that you perform the controls. Reviewing the payroll register isn’t sufficient; documenting your review becomes just as important.

Time to start testing—assume the best but plan for the worst. First-time SOX testing typically has a high failure rate, unfortunately. Most everyone is learning the ropes and still operating under the entrepreneurial mentality of “Let’s get things done fast, and don’t worry about the paperwork.” People may be performing the controls that you have designed but failing to document what they did. For that payroll register review, if the sign-off is missing, it’s hard to demonstrate the review actually happened. On the other hand, some controls may be new, and they may not get done reliably at first; it may take a while for new habits to take hold. “Trust, but verify,” and “test early” will be your mantras, so you can find out who may need more training and which controls are not workable in your environment and need to be redesigned. Remediate and retest. As often as needed.

For more hints on making the transition to a compliant, well-oiled organization, check out our intelligence report on Ensuring a smooth ride as a newly public company.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

Regulators are not requiring companies to follow the new COSO framework even though the 1992 version is being retired later this year. While we encourage companies to adopt the new internal control framework and most of them have begun the process, the lack of an explicit mandate still has some dragging their feet.

For now, the Securities and Exchange Commission staff have said they are keeping a close watch on which framework companies will be following. During this upcoming transitional year of reporting, they won’t be questioning companies that haven’t migrated to the new framework even after the old one is superseded as of December 15, 2014. As it is, the Committee of Sponsoring Organizations of the Treadway Commission has given organizations a fair amount of time to make the move before the preceding 20-year-old guidance is no longer available.

Still, some companies delayed starting their transition until after their 2013 10-K and 2014 first quarter 10-Q were filed. By the time fiscal year-end 2014 filings are submitted, not all public companies will have been able to say they follow the more modern framework, as COSO had hoped they would.

If you fall into that camp, it might be too late to make the transition for fiscal year 2014. Making the move is different for each company. If you’ve followed best practices for internal controls, you may only need to map your existing internal controls to the new framework. In that situation, your internal controls have been effective for the year and can be relied upon, and your transition is done. However, if you don’t fall into this category, there will be more time involved (how much time and what resources will be required depends on the current state of your internal controls). At this point, it also means that any new controls put in place for the new framework have not been operating for the first eight months of the year, and therefore, reliance on these controls will be in question.

We’re not trying to make you feel bad. Procrastination—for whatever reason—happens. What really matters is what you do now. While the ideal path would have been to make your COSO transition sooner rather than later, if you haven’t started at all, this could also be the time to begin evaluating the new COSO framework for fiscal year 2015.

Where to begin
If you have read the new framework, you will have noticed that it has 17 new principles for internal control, and within each of those principles, there are specific points of focus. The points of focus do help with identifying controls within your organization. Most of these internal controls will exist in your entity level controls. Entity level controls address those controls that apply across the organization, and most of the new principles are aimed at those internal controls that reside at the organizational level.

If you haven’t reviewed the 17 new principles and their corresponding points of focus, you should really start to familiarize yourself with them. Whether a control only needs to be documented, is an improvement to an existing control, or is a new control, it must be in place and working before you can rely on it. Any of the controls you add or modify under the new framework that are not yet in working order cannot be relied upon.

Based on those companies that have already mapped their entity level controls to the new framework, here’s what will likely happen. We have seen our clients experience a combination of three possible outcomes:

  1. They need to take credit for what they already do, as their latest evaluation shows the control is already in place but not currently identified as an internal control. This involves formalizing the control and documenting it.
  2. They work on improving a control that already exists in order to make sure it covers the points of focus within the framework.
  3. They add a new control. This is the one that requires more time. You will need to get agreement from the organization that the control needs to be added, confirm that the control is documented accurately and will be performed, and then be able to test early enough to allow time to remediate the control in case something goes wrong.

If your company has been following best practices with identifying internal controls within its entity level controls, then you will likely find that the transition to the new framework follows items 1 and 2 above. This will take time for documentation, but the controls are already being performed and additional training will not be needed.

However, if you haven’t been following best practices for internal controls as closely as you could have been, then you might find yourself working with all three points above. Item 3 does entail additional time and training that could go beyond the finance department. The sooner you start this process, the sooner you will position yourself to be prepared to make the switch.

With all of this said, if you are choosing to not migrate to the new COSO framework now, you will at the very least have to document your reasoning as to why you think your internal controls are sufficient as is. In addition, you will have to make sure your external auditors are in agreement with your rationale. In my opinion, it would be prudent to keep in mind that at some point, the new COSO framework will be required. Nobody wants to be caught without the time, resources, or remediation runway when that requirement is made.

Tracy Thames has been a member of the RoseRyan dream team since 2008. She excels at SOX, internal audit, accounting management and project management.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently released for comment a draft 2012 Internal Control—Integrated Framework. The 2012 framework, expected to be released later this year, addresses changes in the globalization of markets, operations, and business models; rapidly changing technology; increasingly complex regulatory requirements; and growing expectations for governance oversight that have evolved since the original was implemented in 1992.

The revised framework retains the original five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) but incorporates additional principles and attributes intended to provide clarity in the design and development of internal controls, and that can support the assessment of the effectiveness of internal controls.

The new draft provides what I believe is improved guidance and clarity for completing a comprehensive risk assessment in a number of areas:

  • Most significant is the clarification that the risk assessment process includes risk identification, risk analysis (for example, the probability of occurrence and potential impact), and risk response (how the risk should be managed: acceptance, avoidance, reduction or sharing).
  • Identifying risks is clearly linked to the achievement of an entity’s objectives.
  • Risk is considered within the overall entity and within its subunits (HR, legal, purchasing, etc.).
  • Risk tolerances are incorporated into the assessment of acceptable risk levels.
  • The new framework emphasizes the need for management to understand significant changes in internal and external factors that may impact the overall system of internal controls (external factors may include economic changes that impact financing or availability of capital; internal factors may include significant changes in management responsibilities or disruptions in information systems processing that can adversely impact operations).
  • The new framework considers not only fraud risks related to financial reporting or safeguarding of assets, but also risks related to corruption and specific attributes in identifying and evaluating such risks.

Don’t wait—update now
Even though the 2012 Internal Control—Integrated Framework is still in draft form, I believe there is much that management can leverage in updating their risk assessment processes in the new year. The new framework provides a much more robust process that covers risk assessment against stated business objectives; risks associated with fraud and corruption and safeguarding assets; and risk appetite as an integral part of control activities. It adds value by ensuring that you’re focusing on the right internal controls so your company meets objectives and sustains and improves performance.

This means now is the time to take a fresh perspective and evaluate current processes, rather than waiting until the new framework is released. Making sure your activities are in alignment with the new framework now will put you ahead of the game.

To read the draft 2012 Framework and provide comments, go to the COSO website.