Talk about mixed messages. The new presidential administration wants what they consider “costly and unnecessary regulations” wiped out. At the same time we have continued pressure by regulatory agencies to strengthen and improve internal controls over financial reporting (ICFR). Anyone who is involved in SOX compliance has to wonder: Is the almost 15-year-old law part of the discussion in Washington? And what should we all be doing in the meantime?
Our crystal ball isn’t any less cloudy than yours, but here’s some advice. Keep in mind SOX’s goal—to have in place a strong ICFR system that prevents a material misstatement of the financial statements. To what extent this is mandated may be in flux, but the benefits of such a program are foundational. It’s good for your valuation, as well as management, employees, investors and anyone you do business with.
To keep your SOX program doing what you need it to do, know that it needs to evolve. As your business expands, its interests and risks shift, and leaders come and go, your SOX program needs tending to as well. Here are five ways to make sure yours stays up-to-date, no matter what happens on Capitol Hill.
1. Pay attention to your culture.
Culture plays a huge role in ICFR. What are the expectations for ethical behavior in the workplace? Are these embedded in your workplace culture? Is the pressure to deliver results so great that a blind eye is turned to questionable behavior? These are important questions to ask regularly, as the answers may change when leaders come and go, and the company grows more complex.
No matter how strong your design of controls, without a healthy ethical environment, your ICFR program will be fighting an uphill battle. Tone at the top matters. “In most cases of alleged financial fraud, the CEO and CFO are named in the complaint,” according to a March report from the Center for Audit Quality. “[Securities and Exchange] Commission staff noted that the driver of earnings management—the catalyst for most fraud cases—is often top management, such that the focus on the CEO and CFO is not surprising.”
In addition to the tone set by the senior leadership at headquarters, look at the culture of remote offices, both foreign and domestic. Take into account both the local tone at the top as well as customs and practices and any incentives offered to local leadership for achieving performance goals.
2. Revisit your company’s risk profile.
Business risks change. Are you staying current? Identify anticipated changes in business processes, systems and key personnel, and make sure you are addressing any known areas of risks that need attention. Even if your internal environment is stable, assess how your business risks may have changed due to external factors.
3. Adopt a quarterly review process.
Keep the people responsible for key controls engaged all year long. By carrying out quarterly self-assessments, control owners can get a quick read on areas that are changing and controls that no longer serve the organization. These evaluations can also help prevent surprises when it comes time to test the controls.
4. Seek alignment with your external auditors.
Expectations can change, so stay fluid. The regulatory landscape will continue to evolve as new leadership takes shape at the SEC and the Public Company Accounting Oversight Board, and their priorities and interests are passed down to auditors. Understanding changes in your auditors’ expectations and having clear, proactive communication can make all the difference in your ability to retain an effective SOX program.
Some of the more recent areas of focus by your auditors may include IPE (information produced by the entity) and the related scrutiny to ensure that the data is complete and accurate. In considering the completeness and accuracy of information used in the execution of a control, it is important to pay attention to the relevant data elements.
5. Fold in insights from experts who bring another perspective.
When your external auditor asks for additional controls, how can you tell whether it’s a check-the-box request? What’s a reasonable risk-based response? You can use a co-sourcing finance team as a sounding board to help you formulate the appropriate answers. Experts who work with a variety of companies can offer a broader perspective of what is going on in the industry.
And for smaller companies that need to rely on a single employee for subject-matter expertise, outside experts can fill in knowledge with their “second set of eyes,” such as by evaluating the design of controls or reviewing a complex, nonstandard transaction.
Regardless of whether SOX as we know it goes away or is here to stay, savvy companies will want to keep the benefits of strong, right-sized internal controls.
Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.