Talk about mixed messages. The new presidential administration wants what they consider “costly and unnecessary regulations” wiped out. At the same time we have continued pressure by regulatory agencies to strengthen and improve internal controls over financial reporting (ICFR). Anyone who is involved in SOX compliance has to wonder: Is the almost 15-year-old law part of the discussion in Washington? And what should we all be doing in the meantime?

Our crystal ball isn’t any less cloudy than yours, but here’s some advice. Keep in mind SOX’s goal—to have in place a strong ICFR system that prevents a material misstatement of the financial statements. To what extent this is mandated may be in flux, but the benefits of such a program are foundational. It’s good for your valuation, as well as management, employees, investors and anyone you do business with.


To keep your SOX program doing what you need it to do, know that it needs to evolve. As your business expands, its interests and risks shift, and leaders come and go, your SOX program needs tending to as well. Here are five ways to make sure yours stays up-to-date, no matter what happens on Capitol Hill.

1. Pay attention to your culture.

Culture plays a huge role in ICFR. What are the expectations for ethical behavior in the workplace? Are these embedded in your workplace culture? Is the pressure to deliver results so great that a blind eye is turned to questionable behavior? These are important questions to ask regularly, as the answers may change when leaders come and go, and the company grows more complex.

No matter how strong your design of controls, without a healthy ethical environment, your ICFR program will be fighting an uphill battle. Tone at the top matters. “In most cases of alleged financial fraud, the CEO and CFO are named in the complaint,” according to a March report from the Center for Audit Quality. “[Securities and Exchange] Commission staff noted that the driver of earnings management—the catalyst for most fraud cases—is often top management, such that the focus on the CEO and CFO is not surprising.”

In addition to the tone set by the senior leadership at headquarters, look at the culture of remote offices, both foreign and domestic. Take into account both the local tone at the top as well as customs and practices and any incentives offered to local leadership for achieving performance goals.

2. Revisit your company’s risk profile.

Business risks change. Are you staying current? Identify anticipated changes in business processes, systems and key personnel, and make sure you are addressing any known areas of risks that need attention. Even if your internal environment is stable, assess how your business risks may have changed due to external factors.

3. Adopt a quarterly review process.

Keep the people responsible for key controls engaged all year long. By carrying out quarterly self-assessments, control owners can get a quick read on areas that are changing and controls that no longer serve the organization. These evaluations can also help prevent surprises when it comes time to test the controls.

4. Seek alignment with your external auditors.

Expectations can change, so stay fluid. The regulatory landscape will continue to evolve as new leadership takes shape at the SEC and the Public Company Accounting Oversight Board, and their priorities and interests are passed down to auditors. Understanding changes in your auditors’ expectations and having clear, proactive communication can make all the difference in your ability to retain an effective SOX program.

One of the more recent areas of auditor focus is IPE (information produced by the entity) and the related scrutiny to ensure that such data is complete and accurate. When considering the completeness and accuracy of information used to execute a control, pay attention to the specific data elements the control actually relies on.

5. Fold in insights from experts who bring another perspective.

When your external auditor asks for additional controls, how can you tell whether it’s a check-the-box request? What’s a reasonable risk-based response? You can use a co-sourcing finance team as a sounding board to help you formulate the appropriate answers. Experts who work with a variety of companies can offer a broader perspective of what is going on in the industry.

And for smaller companies that need to rely on a single employee for subject-matter expertise, outside experts can fill in knowledge with their “second set of eyes,” such as by evaluating the design of controls or reviewing a complex, nonstandard transaction.

Regardless of whether SOX as we know it goes away or is here to stay, savvy companies will want to keep the benefits of strong, right-sized internal controls.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

Stop us if you’ve heard this one before. A top executive of a public company suddenly resigns. This person had bypassed the company’s processes and procedures to move forward with a huge transaction that really should have been approved or at least communicated to the board. Other mishaps that could have been prevented with proper internal controls have come to light as well.

The stock price drops as the company’s worth and its future are questioned in the days that follow. The information the company has previously put out about its financials faces skepticism.

Such a public scenario is fairly rare to see over a decade after the passage of the Sarbanes-Oxley Act, but companies are at risk if something is off with their “tone at the top.” Set by the board of directors and carried out by senior management, the tone lays out the ethical climate as well as the foundation for internal controls.

A poor tone at the top opens up the company to a higher risk of fraudulent activity. It could feed the temptation or make it possible for someone or some people to successfully do something wrong and not get detected for a while. This is especially true at companies that discourage any questioning of authority.

To stay grounded and preserve a good tone at the top, companies need to do the following:

Communicate often: The board and the senior management team lead by example in the way they communicate. Have an open-door policy and be transparent with what’s going on at the company, with frequent updates, including regular company meetings. Under a culture of communication, employees are less likely to think secrecy is acceptable.

Give internal controls a voice: It’s a topic that should have a spot on the agenda of the audit committee for conducting free-flowing discussions with external auditors when management is not present. Also check in with outside experts on ideas for strengthening the company’s internal controls.

Expect accountability: Make it clear everyone is accountable for their actions and what they observe. Outline expected behaviors in the workplace with a code of conduct and business ethics policy that is revisited periodically.

Finally, a best practice is to have all employees annually acknowledge they have read the company’s code of conduct and send a reminder letting everyone know they have access to an anonymous whistleblower hotline and shouldn’t fear retaliation if they need to use it. SOX mandates that employees who report fraud suspicions are protected, but it’s up to the company to remind employees that the tool is available and that the board and senior management value it.

All of these points are in management’s interest. We were once brought in to help a company after an employee made a report on a whistleblower hotline that unraveled a two-year-old fraud. Six quarters of financial results had to be restated because two sales executives had orchestrated an environment to recognize revenue earlier than allowed under GAAP. Their orchestrations included colluding with the customer to take delivery of product earlier than needed, forging documents, and making misrepresentations to company management and auditors.

How could the executives get away with it? The company lacked a proper tone at the top. Without this key foundation, companies are in effect encouraging employees to break the rules.

Theresa Eng, a member of RoseRyan’s dream team, is a superstar whether she’s working with a client or rallying her coworkers to volunteer for a good cause. Her areas of expertise include financial planning and budgeting, finance operations, and SOX.

Michelle Perez was honored in 2012 with RoseRyan’s coveted TrEAT Award, which honors a guru who has best exemplified our firm’s values (Trustworthy, Excel, Advocate and Team) throughout the year. She excels at SOX testing and documentation, finance management, general accounting, audit prep and support.

Many people say life speeds up as you get older. Maybe that’s why the year-end crunch seems to keep getting tighter. The end of Q3 is upon us and year end is right around the corner. While the company’s SOX testing may be under control, we have some recommendations for your 2015 internal control checklist that expand beyond SOX, and should help set you up for a year end process that runs as smoothly as possible (yes, it is time to be thinking about these issues):

1. Check in on COSO
By now, most companies have transitioned to the 2013 version of the Committee of Sponsoring Organizations (COSO) internal-controls framework, although there are some holdouts. Before you go any further in this checklist, if your company has not yet made the transition, we recommend that you familiarize yourself with the new framework, map your existing controls and identify any gaps.

The Securities and Exchange Commission has not confirmed a timeline for going after companies that have not migrated to COSO 2013, but lack of COSO compliance can still lead to problems. From an internal control over financial reporting (ICFR) perspective, if one or more of the new framework’s 17 principles are not present and functioning, a major deficiency may exist. This would equate to a material weakness under Section 404 of the Sarbanes-Oxley Act. Not something that management, the board or investors are likely to want.

2. See if you need to expand enterprise risk reviews
The latest COSO framework calls on companies to have an operational risk assessment program, and to identify risks that may derail their ability to reach corporate objectives. Most companies record their significant risks in their 10-Qs and the 10-K, of course, but they may need to rethink or expand the information sources.

The assessment should include input from business units and appropriate levels of management. Has the company also created an upward/downward communication route for identifying, documenting and addressing lower level risks that impact smaller entities and regional operations? If not, now would be a good time to make a change.

3. Put out some fraud feelers
Another COSO requirement is consideration of fraud risk. A proven way to address the issue is to conduct fraud brainstorming sessions with various employee groups. It could provide a whole new perspective. When employees are asked to “think like a fraudster” and brainstorm “how a fraud could perpetrate itself at the company,” they may reveal gaps or risks that had never been contemplated on a companywide scale.

4. Evaluate how management reviews controls
For controls that require management review, particularly for complex processes, it’s important to document the steps taken as part of the review process. Supporting documentation will make any auditor questions that pop up easier to handle and could also make the process easier when next year rolls around, or in the event of a personnel change.

5. Touch base with your auditors
Management must evaluate the adequacy and completeness of the key reports used for preparing financial statements. By now, the company should have the list of key reports handy. If you have not already done so, we recommend meeting immediately with your external auditor to confirm that the list is appropriate, while there is still an opportunity to address gaps prior to fiscal year end.

6. Take a fresh look at related-party and significant or unusual transactions
A new auditing standard could bring this issue to the forefront, even for companies that may think they do not have such transactions. To head off extra questions by auditors, companies should consider: Is the board or audit committee aware of all related-party transactions, including suppliers, vendors and customers? What if employees haven’t disclosed them? Does the company have a documented process to assess related-party transactions and determine when disclosure is required?

Here’s a quick trick that could be revealing: Compare employee addresses to vendor addresses to see if there are any matches. While it may not turn out to be a problem, a match could be a flag that requires further investigation.
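The employee-to-vendor address comparison above, as an added example that is not part of the original post or RoseRyan’s tooling: the sample HR and accounts-payable records below are constructed, and the abbreviation table is a hypothetical starting point rather than a complete USPS list. Addresses are normalized before comparison so that “Street” and “ST” or “Suite” and “#” do not hide a match; a hit is a flag for follow-up, not a finding on its own.

```python
"""Flag employees whose home address matches a vendor's remit-to address.
Added example; the records below are constructed, not real data."""
import re

# Constructed sample master data (fictional names and addresses).
EMPLOYEES = [
    {"id": "E100", "name": "A. Example", "address": "1200 Market Street, Suite 400, San Jose, CA 95113"},
    {"id": "E101", "name": "B. Example", "address": "77 Elm Ave., Apt 3B, Oakland, CA 94612"},
    {"id": "E102", "name": "C. Example", "address": "9 Harbor Blvd, Alameda, CA 94501"},
]
VENDORS = [
    {"id": "V900", "name": "Acme Consulting LLC", "address": "1200 MARKET ST STE 400 SAN JOSE CA 95113"},
    {"id": "V901", "name": "Bay Supplies Inc", "address": "410 Industrial Way, Fremont, CA 94538"},
    {"id": "V902", "name": "Elm Ave Design", "address": "77 Elm Avenue #3B, Oakland CA 94612"},
]

# Hypothetical abbreviation table: common street and unit words folded to
# one canonical token so spelling differences do not mask a shared address.
ABBREV = {
    "street": "st", "avenue": "ave", "boulevard": "blvd", "road": "rd",
    "drive": "dr", "suite": "ste", "apartment": "apt", "unit": "apt", "#": "apt",
}


def normalize(address):
    """Lowercase, drop punctuation, fold abbreviations, collapse whitespace."""
    s = address.lower().replace("#", " # ")      # keep '#' as its own token
    s = re.sub(r"[^\w#]+", " ", s)               # commas, periods -> space
    return " ".join(ABBREV.get(t, t) for t in s.split())


def find_address_matches(employees, vendors):
    """Return (employee_id, vendor_id, normalized_address) for every employee
    whose normalized address equals a vendor's normalized address."""
    vendors_by_address = {}
    for v in vendors:
        vendors_by_address.setdefault(normalize(v["address"]), []).append(v["id"])
    hits = []
    for e in employees:
        key = normalize(e["address"])
        for vendor_id in vendors_by_address.get(key, []):
            hits.append((e["id"], vendor_id, key))
    return hits


if __name__ == "__main__":
    for emp_id, vendor_id, addr in find_address_matches(EMPLOYEES, VENDORS):
        print(f"FLAG: employee {emp_id} shares address with vendor {vendor_id}: {addr}")
```

In practice the two lists would be pulled from the HR and vendor master files, and each hit would be routed to someone independent of both payroll and accounts payable for review.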

Be aware that external auditors need to conduct new procedures to comply with Auditing Standard 18—Related Parties (which became effective for audits occurring on or after December 15, 2014), and they will report their results to the audit committee. The report will include transactions they found that the company had not told them about, as well as deals that were not authorized or approved in accordance with company policies, or that appear to lack a business purpose.

Also make a point to review significant or unusual transactions. Is the company preparing memos or documenting the approval and controls process for significant or unusual transactions? Your external auditor needs to report on this as well.

Ideally, these internal control and compliance areas are already a part of your toward-the-end-of-the-year checklist. If they’re not, you may want to start right now. That clock keeps ticking!

Alisanne Gilmore-Allen is a member of the RoseRyan dream team. She is a Certified Internal Auditor, Certified Fraud Examiner, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.

We often hear more about fraud at large companies because of the hefty price tags involved and the large number of investors who may be affected. But the sad fact is that when small businesses experience a fraudulent event, they may be hit much harder and have more difficulty absorbing the losses. Innocent employees may lose their jobs, personal investments may be lost, and creditors may be wary of helping out the victimized business in the future. And smaller companies are more likely to experience a fraud than large ones.

In the past two years, nearly 30 percent of reported organizational fraud cases occurred at companies with fewer than 100 employees, and 24 percent of cases occurred at companies with between 100 and 999 employees, according to the Association of Certified Fraud Examiners (ACFE) 2014 Report to the Nations.

And from a loss-to-revenue standpoint, the impact on smaller organizations was harsher. Organizations with fewer than 100 employees had a median loss of $154,000, while those with 100-999 employees had a median loss of $130,000. The victim organizations with over 10,000 employees made up just 20 percent of the reported cases, experiencing a median loss of $160,000. (Keep in mind that while all those median losses are at the six-figure level, one-fifth of all reported cases involved losses of over $1 million.)

The problem for many of these companies is they didn’t realize that fraud could be instigated by their most trusted employees.

A common thread
Smaller companies may underestimate their risk, thinking “it can’t happen to me.” And yet small organizations are disproportionately harmed by fraud losses, often due to employee misconduct, a lack of internal controls and a lack of segregation of duties.

And what kind of fraud is most prevalent? The fraud schemes most common in small businesses include corruption (33%), billing fraud (29%) and check tampering (22%). Embezzlement happens, particularly in organizations with inadequate controls or segregation of duties.

Awareness can reduce the risk
There are inexpensive and tangible actions that even the smallest of companies can take to reduce the risk of fraud:

  • Implement a code of conduct, and have employees acknowledge their compliance annually.
  • Perform supervisory or management reviews, particularly of complex, unusual or non-standard transactions.
  • Segregate duties that involve payments (e.g., adding vendors and employees to systems vs. paying them).
  • Separate cash handling, including bank deposits from bank reconciliation activities.
  • Hold employees accountable for the completeness and accuracy of financial statements (e.g., certification).
  • Provide a whistleblower hotline, keeping these points in mind:
    • While 68% of companies with over 100 employees have fraud hotlines, they are found only in 18% of companies with fewer than 100 employees, yet these simple tools reportedly reduced the median duration of fraud from 24 months to 12 months!
    • Posters improve hotline awareness within a company, and when the hotline can be accessed through the company extranet, customers and vendors have a vehicle to report potential fraud if necessary.
    • Educate employees on how best to raise flags and report suspicious activities.

The fact is that resource-strapped companies can prioritize activities that are proven to effectively reduce the risk and duration of frauds. For example, consider the feasibility of the following:

  • Fraud risk assessment: Identify your company’s fraud risks and brainstorm how a fraud might occur within company boundaries. If an insider wanted to do something inappropriate, would anyone take notice? Does the company have adequate controls to mitigate these potential risks? A formal fraud risk assessment tailored specifically to your company might be just what the doctor ordered and may help your organization avoid becoming the next victim.
  • Fraud training: Do employees know the warning signs of fraud? Teaching them the basics about fraud risks, red flags and the procedures for reporting suspicious activities may empower your team members to speak up or raise a concern.
  • Regular and surprise audits: Consider asking an internal auditor to conduct an occasional deeper-dive audit in areas of potential risk. Should this include financial processes, cash handling, inventory or related-party transactions?

It has been reported that companies lose 5% of their revenues to fraud. You don’t want your company to be the next one victimized or to be known for ineffective controls and management.

Alisanne Gilmore-Allen is a recent addition to the RoseRyan dream team. She is a Certified Fraud Examiner as well as a Certified Internal Auditor, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.