As we head into the home stretch for this year’s SOX programs, we thought it would be helpful to highlight some key areas of focus by auditors that deserve particular attention this year. No year is ever the same: From dealing with pandemic-related risks to implementing new accounting standards, companies always have new considerations when it comes to complying with SOX. Based on my SOX crystal ball, here’s what I expect will be key areas of focus in SOX assessments.

How Is Your SOX Compliance in These Key Areas?

Not surprisingly, auditors’ areas of focus tend to align with the areas that the Public Company Accounting Oversight Board has been prioritizing during its inspections. Here’s what the PCAOB says about that:

“While inspections vary by firm, we may focus on auditor’s risk assessment processes, financial reporting, and audit areas affected by economic trends or pressures, audit areas that present challenges and significant risk, new accounting standards, and areas of recurring audit deficiencies.”

What does this thinking mean for SOX compliance in 2021? Well, let’s start with areas of recurring audit deficiencies—we’ve seen internal controls over financial reporting on that list for many years, and no matter how much effort companies put into making improvements, it still isn’t enough in the PCAOB’s view. With all this mind, here some aspects of ICFR that merit your attention this SOX season:

Risk assessment process: Spend the time to prepare a thorough risk assessment and include robust documentation. Have you identified all the areas for potential material misstatements? Do you have controls to mitigate your significant risks? Are all your financial statement assertions covered?

Many companies have addressed the risks in their control set associated with the sudden shift to remote work made because of COVID shelter-in-place orders, but the pandemic continues to present risks to the business. We continue to see supply chain shortages crop up as well as other new impacts of our pandemic life. Be sure you have addressed key changes to your business in your risk assessment.

If you’ve recently adopted new accounting standards, such as ASC 606 (Revenue) or ASC 842 (Leases), or refined your workflow and processes in these areas, make sure you’ve updated your design of controls to reflect the new risks and process flows as part of your sox compliance program.

Management review controls: This has been on the PCAOB list for quite some time—so expect to see further scrutiny here. Look to stated precision levels utilized in the management review process and what the reviewer does when something falls outside those threshold levels, or what happens when the process doesn’t follow the “normal” process. Your auditors will likely expect to see documentation showing that you’ve done these steps for each review.

Completeness and accuracy of IPE: From a SOX perspective, IPE, or “information produced by the entity,” means documenting how control operators satisfy themselves that the data used in the execution of the control is complete and accurate. It sounds simple enough, and yet this is an area that gives most people trouble. We see the whole range of reactions in our client base—from control owners who say, “I get this report from our IT team—it’s their job to make sure it’s complete and accurate” to “It’s a canned report from a leading cloud company—of course it’s complete and accurate.” The reality is, the responsibility for completeness and accuracy is shared between the application owner and the application user.

Let’s break this down even further:

For canned reports—standard reports that you run from a third-party application—you’ll need to demonstrate the report was generated using the appropriate parameters, that the calculations performed in the report are accurate, and that the vendor has effective access and change management controls in place.

  • Parameters: Verify that the parameters used to generate the report are correct, and indicate that you have reviewed them. You can do that by tick mark, a highlight, whatever works for you. But you really do need to look at the parameters—we’ve seen companies run Q1 reports with the dates of January 1 to March 30. The after-the-fact argument of “there was no activity on March 31” isn’t going to fly—the only way to prove that is to run the report using the right date. We’ve also seen stock reports run without a complete population (e.g., it’s missing one of the stock plans).
  • Accuracy of calculations: Verification of calculations performed can be accomplished a few ways—it could be the vendor actually does this verification and includes it in the SOC 1 report. If that’s the case, you can rely on that. Most of the time, a SOC 1 report doesn’t cover this, so you’ll need to do your own verification. Generally a “test of one” will suffice—but be sure you do a “test of one” on all the use cases, not just one. (Here’s a simple example: You can manually recalculate monthly depreciation expense for a single asset and compare your calculation to the report output—if it matches, you’re good. But also include a test for a fully depreciated asset, for an asset added during the month and for an asset retired during the month.)

Digging Deeper into SOC 1 Reports

Effective assessment of a SOC 1 report could be a blog topic in and of itself—so we’ll just hit some highlights:

Make sure the SOC 1 report covers the period you are relying on and it has a bridge letter to get you to the end of your fiscal year. Many vendors will issue a SOC 1 report covering the period through September or October, and then issuing a bridge letter saying there were no changes through December 31. For a calendar year-end company, that should work. If your fiscal year-end is different, you’ll need to do additional work here.

You should also evaluate if the design of controls listed in the report covers the key risks you need covered, and whether any testing exceptions were noted. If there are missing controls, you’ll need to do something more on your end (such as verification of calculations). If there are testing exceptions, then evaluate the impact to your organization—it could be the exception is in an area you are not relying on, or you might have compensating controls in place to mitigate the risk.

The SOC 1 report will also list out any sub-service organizations the vendor relies on, and whether the report includes controls from the sub-service organization. Often they are excluded, so you will need to obtain and review those SOC 1 reports separately. Finally, look at the list of User Control Considerations—controls that the vendor expects you to have in place, typically around access, and evaluate whether your controls address those areas.

You’ll need to go through a similar process for information used in control execution that is developed in-house and for calculations in Excel workbooks, such as tax provisions, data from a data warehouse that was extracted from other systems, custom reports, queries and scripts, etc.

Always Be on Top of SOX Trends

SOX compliance is always evolving. The SOX experts at RoseRyan can help your company master the latest key areas of focus and ensure that your company not only meets compliance requirements but does so in an efficient way that can be carried over to future years. To learn more about how we can create a tailored SOX program for your company and our SOX philosophy, see our latest video , and contact us to help you with your SOX program.

Pat Voll is a vice president at RoseRyan, where she guides and develops new solutions for our strategic advisory practice, which includes corporate governance, strategic projects and operational accounting. She also manages multiple client relationships and oversees strategic initiatives for the firm. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

Is there room for improvement in your IT and business processes? Are your internal controls effective? Are you effectively meeting your compliance obligations? These are some of the top-of-mind questions for an internal audit function designed to mainly focus on the risk management, corporate governance, and internal control processes at the company, but there is so much more that can be gleaned from this valuable resource—if your internal audit function is set up a certain way. Here is how to improve and enhance the internal audit process and function at your company.

How Can I Improve the Internal Audit Function?


  1. Reset your view of the internal audit function. Whether your internal audit function is fully outsourced, completely in-house or “co-sourced,” this area of the company can be a tremendous resource. Today’s internal auditors have greatly expanded their responsibilities to fill in the types of knowledge gaps that prevent companies from understanding not only significant current risks but emerging risks and opportunities that deserve attention. When they have a deep understanding of the business, the internal audit team can offer a fresh, unique perspective and specialized expertise to help business leaders think through important issues and key risks, while gaining a more complete picture of how they should move forward. 
  1. Transform your internal audit function to be a strategic business asset. To get to this point, your company could benefit from an outside expert perspective, to undertake an internal audit assessment, look at your internal audit procedures, and bring the internal audit function to the next level. The idea is to get the business to focus on the risks that matter along with the strategic opportunities that it could be missing otherwise. 
  1. Open up collaborations between the internal audit team and business leaders to uncover emerging risks and opportunities. Here’s where a properly developed, modern internal audit function can really shine. Internal audit experts bring their accounting and corporate governance backgrounds, along with their curiosity and understanding of the business, to ask the kinds of questions of business leaders that few, if anyone, are asking. Different organizations within the business rarely have time to compare notes with each other. As a result, one organization may not be aware of a potential risk that could critically affect them. By understanding everyone’s top concerns and risks, through meaningful conversations, the internal audit team can bring to the surface important issues as they help decision-makers prioritize some of the most pressing problems. 
  1. Leverage internal audit insights for a positive influence on business growth. Internal auditors are not only looking out for risks and problems. They’re also on the lookout for opportunities, and they can help you think them through with scenario planning. As they conduct their SWOT (strengths, weaknesses, opportunities and threats) analysis, they take a forward-looking approach and will alert the company to potential ways of building on its strengths and seeking new opportunities (e.g., a new product line). 
  1. Lean on seasoned pros to help transform your internal audit process and function and mentor your team. It’s rare that an internal audit function would grow organically within a company; the audit planning process development can require a specific skill set and knowledge. Experts who have led internal audit teams and have served as internal auditors can get the ball rolling, by introducing objective critical thinking; deep, actionable insights; along with mentoring of new members of the team. They can shift the focus of the internal audit function or establish it from the ground up, moving away from the traditional compliance-only focus to influence strategy and lead change. In this way, the company will gain a true partner for strategic initiatives, including M&A support, new system implementations, new product introductions and process improvements.

Ready for a More Proactive Internal Audit Team?

If your in-house resources do not have the skills to keep up with emerging risks, it’s probably time for a change. It’s true that internal audit needs to cover compliance and risk management—but the function can be set up to be broader, more effective, more proactive, and more strategic minded.

The internal audit and corporate governance experts at RoseRyan can help your company set the foundation for an internal audit function that will not only prepare your company for the audit of internal controls and audit the efficiency of your internal control system, but also take on much more—to make your company more aware of new emerging risks to the business strategy and how to address them. Find out more about the RoseRyan Internal Audit Solution, and let us know how we can help.


Without a doubt one of the most major milestones in a company’s growth journey is going public. That ringing of the opening bell (either literally or figuratively) for your IPO leads to another milestone the company will soon have to hit: becoming SOX compliant.

While the Sarbanes-Oxley Act of 2002 features many provisions designed to prevent financial fraud and enhance corporate governance, Section 404 in particular becomes a pressing concern soon after an initial public offering. This is when management will weigh in on the effectiveness of the company’s internal controls over financial reporting and, eventually, the company’s external auditors will offer an opinion as well.

Challenges in Establishing an Effective SOX Compliance Program

Here are a just a few of the challenges companies face when setting up an effective SOX compliance program:

A shift in some practices. Any change can be tough. The team may have been doing something a certain way for a long time and haven’t yet realized the practice could have a detrimental effect on the financial operations or the veracity of the financial information. New systems may need to be put in place that could take some time to learn. A cultural shift will need to occur if the “tone at the top” (namely the CEO and CFO) isn’t encouraging the best behavior throughout the company.

For the most part, professionals know what the ethical, right thing to do is—however, when systems are put in place to formalize that, it can require some adjustments. SOX experts who are practical in nature and flexible to the companies they work with know this already and come up with solutions that work for the company (its size, industry, complexity).

Disparate ways of working. Cultural differences among geographically dispersed offices can affect the company’s overall need to comply with SOX. Remote offices may follow customs and practices that don’t yet align with where the company needs to shift.

Ever-evolving risks. Here’s where SOX compliance is rarely if ever the same year to year. The top risks affecting the company are frequently changing as are emerging risks that the company may need to address. External experts are often invaluable in this regard as they work with multiple companies and see everything—they can seamlessly incorporate best practices they’ve picked up in the field and adjust them to your company.

Benefits of a SOX Compliance Program

In addition to meeting corporate governance compliance requirements, a SOX program offers multiple benefits, including the ones listed below.

Minimizes the risk of a material misstatement of the financial statement and fraud risk. With the right systems and processes in place, your company can prevent (or better detect) incidents of fraud and prevent errors from occurring that could affect the reliability of your financial reporting. All of the work that goes into SOX compliance contributes to this goal—SOX’s main purpose. It also contributes to protecting the company’s and top management’s reputation.

Introduces efficiencies. With a SOX program tailored for your company that integrates with your workflow, ongoing pain points will be eased and simplifying of controls will be achieved.

Gains trust in the marketplace. Whether your company has always instilled a sense of financial integrity or only now is shoring up its internal controls, potential stakeholders will know they can rely on the information you are sharing with them—and that can have a positive effect on your valuation.

Tips for Creating, Maintaining an Effective SOX Compliance Program

You may be wondering, how do I set up or improve a SOX compliance program? This post highlighted many of the challenges along with the benefits of taking on SOX compliance. SOX experts can help from the very beginning, even before your company is ready to go IPO and also be there when it’s time to bring in your external auditors to meet your SOX 404(b) requirements.

By working closely with SOX experts who have helped a wide range of companies, in various stages of SOX compliance, you can establish a workable, practical SOX compliance program that can be effectively maintained year over year. We’ve helped companies design, document and execute controls, often during a time crunch.

For an assessment of your program or the start of a SOX 404 compliance program, reach out to our corporate governance pros today.

Sarbanes-Oxley compliance has come an incredibly long way since the corporate governance law was passed nearly two decades ago. That doesn’t mean startups are in a hurry to become SOX compliant. Still, for a high-growth startup that may one day go public, its SOX-like compliance efforts can give assurance to management and investors that the company’s financial reporting can be relied upon.

What makes SOX compliance more clearly beneficial, compared to the early days of the anti-fraud law, is the significant financial operational efficiencies that open up when companies assess and tighten up their internal controls over financial reporting. With the help of financial integrity experts, they can realize such efficiencies as they start understanding and documenting their internal controls.

As your early stage startup contemplates the future, including potential exit strategies, what would you need to do to become SOX compliant?

SOX Compliance for Startups

Tip 1. Firm up your financial foundation. Your emerging growth company’s venture into the public markets might seem far away. Strategic opportunities can unexpectedly arise, however, in the form of a SPAC (special purpose acquisition company) merger, accelerating your company’s need to be IPO ready or SOX ready. Despite whatever strategic plan is in the works, the financial foundation of your startup should be sound so that you have the level of financial information and analysis needed to confidently move the company in the right direction.

Have investments in technology kept up with the size and complexity of the company and where it’s headed? Are your accounting processes practical and leading to timely, credible financial reports that are auditable? Do you have access to the kind of strategic financial expertise required to help you move the startup forward?

Tip 2. Keep current on your key risks. As your startup quickly moves ahead, your risk management efforts need to be adjusted. Risks change as the markets change, as new employees are brought in, as the economy shifts, and as customer demographics evolve. A large part of SOX compliance involves understanding the current major risks facing the company, so risk management for IPO-headed startups is also important.

Tip 3. Seek expertise early and often. Whether your company needs a version of “SOX lite” right now, an idea of whether it’s headed in a smart direction in its growth journey, or simply some expert advice, you need the right expertise to help you. Amid fast growth and your assessment of your high growth startup compliance, you’ll likely find that you need more insights than you can find in-house.

You’ll need to connect with experts who will adjust their guidance to where your startup is right now and then will be there with relevant solutions as those needs change. Seek out a finance and accounting consulting firm that understands emerging growth companies like yours as well as the version of the company you hope it will become.

Do the consulting firm’s experts have experience in your industry, with companies like yours? And if they don’t, how can they meet your needs? Look for a consulting firm that tailors its solutions to their clients rather than trying to bend a company toward its solutions.

Tip 4. Be prepared to act like a public company. Does your team have the skills and resources to meet the ongoing financial reporting demands and SOX requirements of a newly public company? The deadlines are not flexible once your company goes public, and the scrutiny is higher. Pre-IPO companies can ease into meeting the higher expectations by truly understanding what it takes to act like a public company, including SOX 404 compliance and all that entails.

Some of the main internal controls that a public company is expected to adopt are simply best practices that every company should be doing, such as segregation of duties. Undertaking good habits as early as possible can minimize the risk of a material misstatement of the financial statements.

Tip 5. Communicate with your external auditors. Here’s a tip that not everyone intuitively realizes is a possibility: You can proactively check in with your external auditors to understand their expectations.

SOX experts can help you keep these communication lines open, while retaining independence between your startup and the auditors. This way you can understand what auditors want to know and minimize any back and forth that would require your attention. After all, you have so many other responsibilities besides SOX compliance for startups.

How Does Sarbanes-Oxley Affect My Startup?

You may be wondering, “How do I implement SOX in my high-growth startup?” The short answer is startups do not have to be SOX compliant until they are public. Depending on your current growth plans, however, you could find that your startup should work toward becoming SOX ready. To set the wheels in motion, reach out to SOX and financial integrity experts who can help guide your company through what you can and should do now, based on your current growth plans.

Talk about mixed messages. The new presidential administration wants what they consider “costly and unnecessary regulations” wiped out. At the same time we have continued pressure by regulatory agencies to strengthen and improve internal controls over financial reporting (ICFR). Anyone who is involved in SOX compliance has to wonder: Is the almost 15-year-old law part of the discussion in Washington? And what should we all be doing in the meantime?

Our crystal ball isn’t any less cloudy than yours, but here’s some advice. Keep in mind SOX’s goal—to have in place a strong ICFR system that prevents a material misstatement of the financial statements. To what extent this is mandated may be in flux, but the benefits of such a program are foundational. It’s good for your valuation, as well as management, employees, investors and anyone you do business with.


To keep your SOX program doing what you need it to do, know that it needs to evolve. As your business expands, its interests and risks shift, and leaders come and go, your SOX program needs tending to as well. Here are five ways to make sure yours stays up-to-date, no matter what happens on Capitol Hill.

1. Pay attention to your culture.

Culture plays a huge role in ICFR. What are the expectations for ethical behavior in the workplace? Are these embedded in your workplace culture? Is the pressure to deliver results so great that a blind eye is turned to questionable behavior? These are important questions to ask regularly, as the answers may change when leaders come and go, and the company grows more complex.

No matter how strong your design of controls, without a healthy ethical environment, your ICFR program will be fighting an uphill battle. Tone at the top matters. “In most cases of alleged financial fraud, the CEO and CFO are named in the complaint,” according to a March report from the Center for Audit Quality. “[Securities and Exchange] Commission staff noted that the driver of earnings management—the catalyst for most fraud cases—is often top management, such that the focus on the CEO and CFO is not surprising.”

In addition to the tone set by the senior leadership at headquarters, look at the culture of remote offices, both foreign and domestic. Take into account both the local tone at the top as well as customs and practices and any incentives offered to local leadership for achieving performance goals.

2. Revisit your company’s risk profile.

Business risks change. Are you staying current? Identify anticipated changes in business processes, systems and key personnel, and make sure you are addressing any known areas of risks that need attention. Even if your internal environment is stable, assess how your business risks may have changed due to external factors.

3. Adopt a quarterly review process.

Keep the people responsible for key controls engaged all year long. By carrying out quarterly self-assessments, control owners can get a quick read on areas that are changing and controls that no longer serve the organization. These evaluations can also help prevent surprises when it comes time to test the controls.

4. Seek alignment with your external auditors.

Expectations can change, so stay fluid. The regulatory landscape will continue to evolve as new leadership takes shape at the SEC and the Public Company Accounting Oversight Board, and their priorities and interests are passed down to auditors. Understanding changes in your auditors’ expectations and having clear, proactive communication can make all the difference in your ability to retain an effective SOX program.

Some of the more recent areas of focus by your auditors may include IPE (information produced by the entity) and the related scrutiny to ensure that the data is complete and accurate. In considering the completeness and accuracy of information used in the execution of a control, it is important to pay attention to the relevant data elements.

5. Fold in insights from experts who bring another perspective.

When your external auditor asks for additional controls, how can you tell whether it’s a check-the-box request? What’s a reasonable risk-based response? You can use a co-sourcing finance team as a sounding board to help you formulate the appropriate answers. Experts who work with a variety of companies can offer a broader perspective of what is going on in the industry.

And for smaller companies that need to rely on a single employee for subject-matter expertise, outside experts can fill in knowledge with their “second set of eyes,” such as by evaluating the design of controls or reviewing a complex, nonstandard transaction.

Regardless of whether SOX as we know it goes away or is here to stay, savvy companies will want to keep the benefits of strong, right-sized internal controls.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

Any business faces challenges great and small, day in and day out, but some situations carry a considerable measure of risk, volatility and disruption potential. The top five situations most likely to disrupt a business and cause significant risk are market instability, business transitions, funding uncertainty, changes in corporate strategy, and finance talent shortfalls, according to our new intelligence report, The Chaos Chronicles.

After 20 years in business, RoseRyan gurus have lived through pretty much every kind of chaotic business situation, steering companies around the fault lines or cleaning up the mess. Our report draws on those experiences with real-world stories and on-the-ground advice to help you cope when chaos strikes.

By chaos, we mean hair-on-fire scrambling to prevent looming business disaster, or slow-motion disintegration into operational dysfunction, or the disarray that results when finance departments held together with duct tape and staples finally come undone, or similarly ulcer-inducing scenes.

Prevention is usually the best cure, but it isn’t always possible. And it can happen to anyone—even the best and the brightest have found themselves caught up in chaos simply because they didn’t train their attention on the right risk factors.

Download The Chaos Chronicles to learn more. Authors Stephen Ambler, Chris Kondo, Kathy Ryan, Ray Solari and Pat Voll tell true tales of chaos—how it happens, what results from it, how to fix it and how to prevent it.

I’ve been fascinated recently with “currency wars” and the ways national governments are adapting. For instance, the United Kingdom and China are entering their own currency-swap deals, and Brazil, Russia, India, China and South Africa (aka BRICS) have recently agreed to set up their own $100 billion monetary reserve and are reportedly dumping their euro reserves.

Closer to home, currency fluctuations hit U.S.-based multinational corporations in 2012 to the tune of a collective negative impact of $22.7 billion in the third quarter alone. The trend continues in 2013, and currency volatility has for the first time grabbed the attention of management at the highest levels in companies. In this volatile environment, the treasurer is working more closely than ever with the CEO, the CFO, the board and the head of M&A on associated risk management.

But how are companies adapting? For one, tech giant Hewlett-Packard, which has approximately 65 percent of its sales outside the United States, addresses the possibility of countries exiting the euro in its risk disclosures. Companies are increasingly trying to understand the potential implications of currency volatility and how to plan for them; the best advice bankers seem to be able to give is to get the paperwork in order and narrow the number of jurisdictions that hedge contracts are subject to. Restricting business to counter-party banks in a single jurisdiction is a smart move, because at least the terms would be consistent.

When, and if, exposure is clearly quantified, identifying the need for direct risk-mitigation strategies that can be controlled and reduced by operational strategies can best be accomplished by answering the following questions: Where are balances kept and in what currencies? Do FX exposures match the respective trading risks? What is the relationship between subsidiaries and the global parent? Are they financed by loans or equity?

JP Morgan, in the recent article “Managing FX Risk: The Challenge of Global Payments,” says the key is to centralize what is appropriate. In many instances, treasury activity is with business units. It is possible to leave the payments with these units (they are most in touch with vendors and suppliers), but centralize everything else. (Fortunately, several global banks now offer easy-to-use technology that allows multinationals to see their FX exposures without the cost of standardizing all their ERP systems or even requiring the systems to be on the same version.)

According to a recent Wells Fargo Foreign Exchange Risk Management Practices Survey of U.S.-based multinationals, companies are using three risk management approaches:

Systematic risk management: hedging a fixed amount of forecasted foreign currency transactions over a specific time period at regular intervals using specific hedge instruments (55 percent of survey respondents)

Active hedging: discretionary hedging of forecasted foreign currency transactions based on market conditions that allows for extending the hedge horizon, changing targeted percentage amounts or using discretion in the hedge instrument (36 percent)

Dynamic hedging: using discretion not only when initiating hedges, but also during the life of hedges (9 percent)

Given the rapidly changing environment, it’s imperative that a multinational’s particular strategy be revisited at least quarterly and openly discussed with the board.

Perhaps countries will one day figure out how to calm currency volatility, and currency wars will be a thing of the past. This month, the Bitcoin 2013 conference in San Jose drew more than 1,000 enthusiasts, developers, entrepreneurs, VCs and lawyers. (I still don’t understand how this decentralized, open-source peer-to-peer digital currency works, but I’ll keep trying.) And at the G8 Summit in July 2009, then-president of Russia Dmitry Medvedev presented a newly minted “test coin” representing a “united future world currency.” Mere mention of this in my circles creates very spirited debate between those who believe we’re eventually heading for a single global currency and those who believe entertaining such an idea is simply conspiracy theory.

One thing is for certain, the monetary policies of the mature and emerging markets will continue to keep the senior leadership of multinational companies on their toes.

Is your internal audit plan working at cross purposes with your company strategy? Missed communication opportunities may make it appear that way. I was drawn to that observation in Aligning Internal Audit: Are You on the Right Floor? a new PwC white paper that suggests that the role of internal auditors is changing as stakeholders increasingly appreciate their risk management contributions.

Internal auditors add value to their companies by identifying risks as business strategies evolve. That value is diminished if they’re unaware of key decisions taken on the top floor. The objective of a program audit will change if, for example, the company is divesting itself of the program. Bottom line? Seeking strategy intel is vital to earning respect for internal auditors.

Communication style is the other key to helping execs view internal auditors as team players. When reporting results, consider the audience. That means headlining findings for top brass. All the gnarly details should be readily available for anyone who wants to wade through them, but spend your face time (or devote your report cover memo to) identifying the items of concern and your recommendations for dealing with them.

Internal auditors typically have access to all areas of their company. That perspective means that occasionally you’ll have good news to share—for example, efficiencies that can be implemented. The tone with which you communicate this information is just as important as the tone you take in delivering news about potential risks. Buy-in for your suggestions has a lot to do with the way they’re delivered.

Like tone, timing is crucial to maintaining trust with the rest of the company. If you want your audience to become defensive and view you as an adversary, just try springing all your concerns at the end of an audit. As a general rule, keeping business owners and execs informed as you find issues makes for a relationship of respect. No one wants to be blindsided by a problem with no corrective plan in sight.

Finally, weigh your communication options. You may have noticed, as I have, that voice inflections don’t register in digital formats, so sending an email may not always be the best choice. Sometimes picking up the phone or meeting face-to-face enhances communication, and improving the lines of communication within your company is a key step in identifying the risks it faces.

The passage of the Sarbanes-Oxley Act 10 years ago dramatically improved corporate governance in U.S. companies, restoring investor confidence in U.S. capital markets in the wake of headline-making accounting blowups (Enron, WorldCom, et al). SOX instituted rules on the composition of audit committees, established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of audit firms and spelled out civil and criminal penalties for CEOs and CFOs. But when SOX is mentioned, most people immediately think of Section 404 (internal controls over financial reporting), which continues to take heavy criticism—not always deservedly.

Initially, implementation of SOX 404 was difficult, cumbersome and expensive. Companies had to formalize their system of internal controls over financial reporting and invest resources in designing, documenting and testing the effectiveness of controls, even in areas that would not reasonably give rise to a misstatement of financial results. Over time, though, the rules were revised and both managers and auditors learned how to apply judgment to principals-based regulations and develop supportable positions. Companies incorporated internal controls into their normal workflow and created cost-effective programs to improve the integrity of their financial reporting. A November 2009 study published by Audit Analytics found that the rate of financial restatements was 46 percent higher for companies that did not comply with all of the SOX internal control provisions than for companies that did.

Some companies comply with the letter of the law, but do not embrace the spirit of SOX 404, viewing it as a check-the-box exercise. They use lower standards of evidence (for example, inquiry only rather than re-performance), and their SOX testing is neither meaningful nor insightful. That means their results are not informative. This approach would not pass muster under an independent audit, and since all but the smallest public companies (those with less than a $75 million public float) have been subject to audit attestation, most public companies have ended up with meaningful SOX results.

Now, recent developments are sending conflicting messages about the direction of SOX rules.

The JOBS Act granted a five-year exemption from SOX audit attestation for newly public companies with less than $1 billion in revenue—a huge swing in the direction of more leniency.

In the other direction, PCAOB reviews of Big Four audit firms have led auditors to ask for more robust documentation of internal controls and more thorough testing of the data used to support the effectiveness of controls. And COSO, which publishes the most widely used framework for designing and assessing internal controls, has issued an exposure draft of an updated internal control framework intended to address changing technology and globalization, as well as to provide greater clarity on designing and maintaining an effective system of internal controls. Given that the draft runs to more than 500 pages, reviewing, revising and implementing the guidance from the new framework is no small undertaking.

So where are we headed? My fear is that we are taking a big step backward. By exempting some companies from SOX audit attestation, we turn a blind eye to ineffective internal controls and erode investor confidence in financial statements. At the same time, the updated COSO framework and requirements for more robust SOX documentation seem to be pushing nonexempt companies back to the difficult, cumbersome and expensive path, without any increase in financial statement integrity. Neither of these directions is in the best interest of companies or investors.

For people, a sustainable life is all about reducing clutter, lessening your carbon footprint, recycling, conserving energy and water, and the like. For corporations, the quest for sustainability usually starts with a business transformation that not only will benefit the planet but also can reduce costs and improve competitiveness and reputation. Indeed, studies such as PwC’s 2011 Carbon Disclosure Project Global 500 report suggest a strong correlation between financial and sustainability performance.

Increasingly, macro forces such as technology innovation, globalization, resource constraints, climate change, regulation and biodiversity issues are exerting pressure on companies and their stakeholders. As a result, we are witnessing a paradigm shift in sustainability, from an environmental and social program to an integrated core business strategy and culture that looks beyond the single bottom line of profit to include key stakeholder requirements—often characterized as the “triple bottom line” of people, planet and profit. In this model, a company’s success is assessed and measured in the eyes of its beholders: suppliers, vendors, consumers and the community.

Integrated reporting: adding the triple bottom line

The future of corporate reporting is integrated reporting, which links the single bottom line of financial results to the triple bottom line of environmental, social and governance performance (ESG). The International Integrated Reporting Council (IIRC) is addressing those challenges, as is the brand-new Sustainability Accounting Standards Board (SASB). Integrated reporting is also being addressed by the Global Reporting Initiative (GRI), which provides the industry-standard Sustainability Reporting Framework that guides companies on how to identify material sustainability measurements.

Until recently, sustainability reporting has been voluntary, covering ESG performance measures such as reduction of energy, water and waste use, supply chain management, workplace safety, human and labor rights, and environmental practices. Now there is increasing demand from stock exchanges, regulators and investors to deliver transparent metrics and integrate sustainability practices into their core business strategy. For example, the NASDAQ recommends reporting on greenhouse gas emissions, water use and gender equality, and the London Stock Exchange will mandate reporting on greenhouse gas emissions effective April 1, 2013. Recently, the SEC mandated the disclosure of conflict minerals beginning in 2014. California has enacted legislation requiring disclosure of a company’s efforts to address risks related to slavery and human trafficking in its supply chains. According to Ernst & Young’s report on leading corporate sustainability issues in the 2012 proxy season, environmental and social proposals continue to dominate compared to other shareholder resolutions on U.S. proxy ballots. In April 2012, the GRI and Deloitte launched a new XBRL taxonomy that will help reveal sustainability data more quickly and easily.

CFOs add sustainability to their plate

The CFO’s responsibilities are ever increasing, from overseeing IT, facilities and procurement to corporate counsel, investor relations, HR and now sustainability. “Traditionally, sustainability issues have fallen outside the jurisdiction of the CFO. CFOs ran the numbers, letting others handle soft issues such as social responsibility and corporate citizenship,” notes a report on “How sustainability has expanded the CFO’s role” from Ernst & Young. “Sustainability issues and financial performance have begun to intertwine,” the report observes. “CFOs are getting involved in the management, measurement and reporting of the companies’ sustainability activities. This involvement has expanded the CFO’s role in ways that would have been hard to imagine even a few years ago.”

The bottom line: sustainability is here to stay. The E&Y report recommends a few actions CFO can take now to enhance their companies’ value through social and environmental programs. Companies that do not report sustainability data should consider how to measure and report on ESG performance. Companies who do should consider third-party assurance to enhance disclosures and their reputation with key stakeholders. The CFO’s organization should leverage and build its accounting system to measure and report sustainability metrics, align tax and risk management initiatives to incorporate sustainability, develop communication strategies, monitor the regulatory and risk compliance landscape and collaborate with their stakeholders: executives, employees, suppliers, customers and investors. CFOs might also consider using performance goals and other nonfinancial metrics to link company goals and social/environmental strategy.

CFOs and corporate boards, take note: it won’t be long before sustainability key performance indicators are incorporated into the Form 10-K. Take action and don’t be left in the dark.

We hope to continue exploring these issues in future posts.