
As we head into the home stretch for this year’s SOX programs, we thought it would be helpful to highlight some key areas of focus by auditors that deserve particular attention this year. No year is ever the same: From dealing with pandemic-related risks to implementing new accounting standards, companies always have new considerations when it comes to complying with SOX. Based on my SOX crystal ball, here’s what I expect will be key areas of focus in SOX assessments.

How Is Your SOX Compliance in These Key Areas?

Not surprisingly, auditors’ areas of focus tend to align with the areas that the Public Company Accounting Oversight Board has been prioritizing during its inspections. Here’s what the PCAOB says about that:

“While inspections vary by firm, we may focus on auditor’s risk assessment processes, financial reporting, and audit areas affected by economic trends or pressures, audit areas that present challenges and significant risk, new accounting standards, and areas of recurring audit deficiencies.”

What does this thinking mean for SOX compliance in 2021? Well, let’s start with areas of recurring audit deficiencies—we’ve seen internal controls over financial reporting on that list for many years, and no matter how much effort companies put into making improvements, it still isn’t enough in the PCAOB’s view. With all this in mind, here are some aspects of ICFR that merit your attention this SOX season:

Risk assessment process: Spend the time to prepare a thorough risk assessment and include robust documentation. Have you identified all the areas for potential material misstatements? Do you have controls to mitigate your significant risks? Are all your financial statement assertions covered?

Many companies have addressed the risks in their control set associated with the sudden shift to remote work made because of COVID shelter-in-place orders, but the pandemic continues to present risks to the business. We continue to see supply chain shortages crop up as well as other new impacts of our pandemic life. Be sure you have addressed key changes to your business in your risk assessment.

If you’ve recently adopted new accounting standards, such as ASC 606 (Revenue) or ASC 842 (Leases), or refined your workflow and processes in these areas, make sure you’ve updated your design of controls to reflect the new risks and process flows as part of your SOX compliance program.

Management review controls: This has been on the PCAOB list for quite some time—so expect to see further scrutiny here. Look to stated precision levels utilized in the management review process and what the reviewer does when something falls outside those threshold levels, or what happens when the process doesn’t follow the “normal” process. Your auditors will likely expect to see documentation showing that you’ve done these steps for each review.

Completeness and accuracy of IPE: From a SOX perspective, IPE, or “information produced by the entity,” means documenting how control operators satisfy themselves that the data used in the execution of the control is complete and accurate. It sounds simple enough, and yet this is an area that gives most people trouble. We see the whole range of reactions in our client base—from control owners who say, “I get this report from our IT team—it’s their job to make sure it’s complete and accurate” to “It’s a canned report from a leading cloud company—of course it’s complete and accurate.” The reality is, the responsibility for completeness and accuracy is shared between the application owner and the application user.

Let’s break this down even further:

For canned reports—standard reports that you run from a third-party application—you’ll need to demonstrate the report was generated using the appropriate parameters, that the calculations performed in the report are accurate, and that the vendor has effective access and change management controls in place.

  • Parameters: Verify that the parameters used to generate the report are correct, and indicate that you have reviewed them. You can do that with a tick mark, a highlight, whatever works for you. But you really do need to look at the parameters—we’ve seen companies run Q1 reports with the dates of January 1 to March 30. The after-the-fact argument of “there was no activity on March 31” isn’t going to fly—the only way to prove that is to run the report using the right date. We’ve also seen stock reports run without a complete population (e.g., it’s missing one of the stock plans).
  • Accuracy of calculations: Verification of calculations performed can be accomplished a few ways—it could be the vendor actually does this verification and includes it in the SOC 1 report. If that’s the case, you can rely on that. Most of the time, a SOC 1 report doesn’t cover this, so you’ll need to do your own verification. Generally a “test of one” will suffice—but be sure you do a “test of one” on all the use cases, not just one. (Here’s a simple example: You can manually recalculate monthly depreciation expense for a single asset and compare your calculation to the report output—if it matches, you’re good. But also include a test for a fully depreciated asset, for an asset added during the month and for an asset retired during the month.)

Digging Deeper into SOC 1 Reports

Effective assessment of a SOC 1 report could be a blog topic in and of itself—so we’ll just hit some highlights:

Make sure the SOC 1 report covers the period you are relying on and that it has a bridge letter to get you to the end of your fiscal year. Many vendors will issue a SOC 1 report covering the period through September or October, and then issue a bridge letter saying there were no changes through December 31. For a calendar year-end company, that should work. If your fiscal year-end is different, you’ll need to do additional work here.

You should also evaluate whether the design of controls listed in the report covers the key risks you need covered, and whether any testing exceptions were noted. If there are missing controls, you’ll need to do something more on your end (such as verification of calculations). If there are testing exceptions, then evaluate the impact to your organization—it could be the exception is in an area you are not relying on, or you might have compensating controls in place to mitigate the risk.

The SOC 1 report will also list out any sub-service organizations the vendor relies on, and whether the report includes controls from the sub-service organization. Often they are excluded, so you will need to obtain and review those SOC 1 reports separately. Finally, look at the list of User Control Considerations—controls that the vendor expects you to have in place, typically around access, and evaluate whether your controls address those areas.

You’ll need to go through a similar process for information used in control execution that is developed in-house and for calculations in Excel workbooks, such as tax provisions, data from a data warehouse that was extracted from other systems, custom reports, queries and scripts, etc.

Always Be on Top of SOX Trends

SOX compliance is always evolving. The SOX experts at RoseRyan can help your company master the latest key areas of focus and ensure that your company not only meets compliance requirements but does so in an efficient way that can be carried over to future years. To learn more about how we can create a tailored SOX program for your company and our SOX philosophy, see our latest video, and contact us to help you with your SOX program.

Pat Voll is a vice president at RoseRyan, where she guides and develops new solutions for our strategic advisory practice, which includes corporate governance, strategic projects and operational accounting. She also manages multiple client relationships and oversees strategic initiatives for the firm. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

Is there room for improvement in your IT and business processes? Are your internal controls effective? Are you effectively meeting your compliance obligations? These are some of the top-of-mind questions for an internal audit function designed to mainly focus on the risk management, corporate governance, and internal control processes at the company, but there is so much more that can be gleaned from this valuable resource—if your internal audit function is set up a certain way. Here is how to improve and enhance the internal audit process and function at your company.

How Can I Improve the Internal Audit Function?


  1. Reset your view of the internal audit function. Whether your internal audit function is fully outsourced, completely in-house or “co-sourced,” this area of the company can be a tremendous resource. Today’s internal auditors have greatly expanded their responsibilities to fill in the types of knowledge gaps that prevent companies from understanding not only significant current risks but emerging risks and opportunities that deserve attention. When they have a deep understanding of the business, the internal audit team can offer a fresh, unique perspective and specialized expertise to help business leaders think through important issues and key risks, while gaining a more complete picture of how they should move forward.
  2. Transform your internal audit function to be a strategic business asset. To get to this point, your company could benefit from an outside expert perspective, to undertake an internal audit assessment, look at your internal audit procedures, and bring the internal audit function to the next level. The idea is to get the business to focus on the risks that matter along with the strategic opportunities that it could be missing otherwise.
  3. Open up collaborations between the internal audit team and business leaders to uncover emerging risks and opportunities. Here’s where a properly developed, modern internal audit function can really shine. Internal audit experts bring their accounting and corporate governance backgrounds, along with their curiosity and understanding of the business, to ask the kinds of questions of business leaders that few, if anyone, are asking. Different organizations within the business rarely have time to compare notes with each other. As a result, one organization may not be aware of a potential risk that could critically affect them. By understanding everyone’s top concerns and risks, through meaningful conversations, the internal audit team can bring to the surface important issues as they help decision-makers prioritize some of the most pressing problems.
  4. Leverage internal audit insights for a positive influence on business growth. Internal auditors are not only looking out for risks and problems. They’re also on the lookout for opportunities, and they can help you think them through with scenario planning. As they conduct their SWOT (strengths, weaknesses, opportunities and threats) analysis, they take a forward-looking approach and will alert the company to potential ways of building on its strengths and seeking new opportunities (e.g., a new product line).
  5. Lean on seasoned pros to help transform your internal audit process and function and mentor your team. It’s rare that an internal audit function would grow organically within a company; the audit planning process development can require a specific skill set and knowledge. Experts who have led internal audit teams and have served as internal auditors can get the ball rolling, by introducing objective critical thinking; deep, actionable insights; along with mentoring of new members of the team. They can shift the focus of the internal audit function or establish it from the ground up, moving away from the traditional compliance-only focus to influence strategy and lead change. In this way, the company will gain a true partner for strategic initiatives, including M&A support, new system implementations, new product introductions and process improvements.

Ready for a More Proactive Internal Audit Team?

If your in-house resources do not have the skills to keep up with emerging risks, it’s probably time for a change. It’s true that internal audit needs to cover compliance and risk management—but the function can be set up to be broader, more effective, more proactive, and more strategic minded.

The internal audit and corporate governance experts at RoseRyan can help your company set the foundation for an internal audit function that will not only prepare your company for the audit of internal controls and audit the efficiency of your internal control system, but also take on much more—to make your company more aware of new emerging risks to the business strategy and how to address them. Find out more about the RoseRyan Internal Audit Solution, and let us know how we can help.


Without a doubt, one of the biggest milestones in a company’s growth journey is going public. That ringing of the opening bell (either literally or figuratively) for your IPO leads to another milestone the company will soon have to hit: becoming SOX compliant.

While the Sarbanes-Oxley Act of 2002 features many provisions designed to prevent financial fraud and enhance corporate governance, Section 404 in particular becomes a pressing concern soon after an initial public offering. This is when management will weigh in on the effectiveness of the company’s internal controls over financial reporting and, eventually, the company’s external auditors will offer an opinion as well.

Challenges in Establishing an Effective SOX Compliance Program

Here are just a few of the challenges companies face when setting up an effective SOX compliance program:

A shift in some practices. Any change can be tough. The team may have been doing something a certain way for a long time and hasn’t yet realized the practice could have a detrimental effect on the financial operations or the veracity of the financial information. New systems may need to be put in place that could take some time to learn. A cultural shift will need to occur if the “tone at the top” (namely the CEO and CFO) isn’t encouraging the best behavior throughout the company.

For the most part, professionals know what the ethical, right thing to do is—however, when systems are put in place to formalize that, it can require some adjustments. SOX experts who are practical in nature and flexible to the companies they work with know this already and come up with solutions that work for the company (its size, industry, complexity).

Disparate ways of working. Cultural differences among geographically dispersed offices can affect the company’s overall need to comply with SOX. Remote offices may follow customs and practices that don’t yet align with where the company needs to shift.

Ever-evolving risks. Here’s where SOX compliance is rarely if ever the same year to year. The top risks affecting the company are frequently changing as are emerging risks that the company may need to address. External experts are often invaluable in this regard as they work with multiple companies and see everything—they can seamlessly incorporate best practices they’ve picked up in the field and adjust them to your company.

Benefits of a SOX Compliance Program

In addition to meeting corporate governance compliance requirements, a SOX program offers multiple benefits, including the ones listed below.

Minimizes the risk of a material misstatement of the financial statement and fraud risk. With the right systems and processes in place, your company can prevent (or better detect) incidents of fraud and prevent errors from occurring that could affect the reliability of your financial reporting. All of the work that goes into SOX compliance contributes to this goal—SOX’s main purpose. It also contributes to protecting the company’s and top management’s reputation.

Introduces efficiencies. With a SOX program tailored for your company that integrates with your workflow, ongoing pain points will be eased and controls will be simplified.

Gains trust in the marketplace. Whether your company has always instilled a sense of financial integrity or only now is shoring up its internal controls, potential stakeholders will know they can rely on the information you are sharing with them—and that can have a positive effect on your valuation.

Tips for Creating and Maintaining an Effective SOX Compliance Program

You may be wondering, how do I set up or improve a SOX compliance program? This post highlighted many of the challenges along with the benefits of taking on SOX compliance. SOX experts can help from the very beginning, even before your company is ready to go public, and also be there when it’s time to bring in your external auditors to meet your SOX 404(b) requirements.

By working closely with SOX experts who have helped a wide range of companies, in various stages of SOX compliance, you can establish a workable, practical SOX compliance program that can be effectively maintained year over year. We’ve helped companies design, document and execute controls, often during a time crunch.

For an assessment of your program or the start of a SOX 404 compliance program, reach out to our corporate governance pros today.

Sarbanes-Oxley compliance has come an incredibly long way since the corporate governance law was passed nearly two decades ago. That doesn’t mean startups are in a hurry to become SOX compliant. Still, for a high-growth startup that may one day go public, its SOX-like compliance efforts can give assurance to management and investors that the company’s financial reporting can be relied upon.

What makes SOX compliance more clearly beneficial, compared to the early days of the anti-fraud law, is the significant financial operational efficiencies that open up when companies assess and tighten up their internal controls over financial reporting. With the help of financial integrity experts, they can realize such efficiencies as they start understanding and documenting their internal controls.

As your early stage startup contemplates the future, including potential exit strategies, what would you need to do to become SOX compliant?

SOX Compliance for Startups

Tip 1. Firm up your financial foundation. Your emerging growth company’s venture into the public markets might seem far away. Strategic opportunities can unexpectedly arise, however, in the form of a SPAC (special purpose acquisition company) merger, accelerating your company’s need to be IPO ready or SOX ready. Despite whatever strategic plan is in the works, the financial foundation of your startup should be sound so that you have the level of financial information and analysis needed to confidently move the company in the right direction.

Have investments in technology kept up with the size and complexity of the company and where it’s headed? Are your accounting processes practical and leading to timely, credible financial reports that are auditable? Do you have access to the kind of strategic financial expertise required to help you move the startup forward?

Tip 2. Keep current on your key risks. As your startup quickly moves ahead, your risk management efforts need to be adjusted. Risks change as the markets change, as new employees are brought in, as the economy shifts, and as customer demographics evolve. A large part of SOX compliance involves understanding the current major risks facing the company, so risk management for IPO-headed startups is also important.

Tip 3. Seek expertise early and often. Whether your company needs a version of “SOX lite” right now, an idea of whether it’s headed in a smart direction in its growth journey, or simply some expert advice, you need the right expertise to help you. Amid fast growth, as you assess your high-growth startup’s compliance needs, you’ll likely find that you need more insights than you can find in-house.

You’ll need to connect with experts who will adjust their guidance to where your startup is right now and then will be there with relevant solutions as those needs change. Seek out a finance and accounting consulting firm that understands emerging growth companies like yours as well as the version of the company you hope it will become.

Do the consulting firm’s experts have experience in your industry, with companies like yours? And if they don’t, how can they meet your needs? Look for a consulting firm that tailors its solutions to its clients rather than trying to bend a company toward its solutions.

Tip 4. Be prepared to act like a public company. Does your team have the skills and resources to meet the ongoing financial reporting demands and SOX requirements of a newly public company? The deadlines are not flexible once your company goes public, and the scrutiny is higher. Pre-IPO companies can ease into meeting the higher expectations by truly understanding what it takes to act like a public company, including SOX 404 compliance and all that entails.

Some of the main internal controls that a public company is expected to adopt are simply best practices that every company should be doing, such as segregation of duties. Undertaking good habits as early as possible can minimize the risk of a material misstatement of the financial statements.

Tip 5. Communicate with your external auditors. Here’s a tip that not everyone intuitively realizes is a possibility: You can proactively check in with your external auditors to understand their expectations.

SOX experts can help you keep these communication lines open, while retaining independence between your startup and the auditors. This way you can understand what auditors want to know and minimize any back and forth that would require your attention. After all, you have so many other responsibilities besides SOX compliance for startups.

How Does Sarbanes-Oxley Affect My Startup?

You may be wondering, “How do I implement SOX in my high-growth startup?” The short answer is startups do not have to be SOX compliant until they are public. Depending on your current growth plans, however, you could find that your startup should work toward becoming SOX ready. To set the wheels in motion, reach out to SOX and financial integrity experts who can help guide your company through what you can and should do now, based on your current growth plans.

It’s that time of year again. Remember last year, after the auditors came and went, when you promised yourself next year would go a lot smoother? Well, here we are, with an opportunity to set up all of your department’s information as organized and as clean as possible so that you can keep any bumps between your team and the audit team to a minimum. To help with this process, I have put together a list, primarily for accounting managers, to prepare for the year-end audit.

Be sure you are on the same page as the auditors: Every quarter, you have provided documentation per the audit request list (also known as PBC, or Prepared by Client). Check with the auditors that they will be using the data that you’re taking the time to put together for them. Oftentimes, those of us who are tasked with working with auditors find out only after we have provided a schedule with multiple tabs of information that they will not be using those tabs. They may instead rely on other data points they have collected over the year or they are just not fully aware of the additional information. Communication here will prevent everyone from wasting time.

Take a look back at the past year: In the preparation of year-end, review the information that was provided to the audit team on a quarterly basis as well as any comments the auditors or your internal SOX team made afterward. Keep in mind quarterly reviews do not necessarily find all issues or errors. They are more likely to crop up during the year-end, when the audit team really digs into the details.

Check your work: When creating the year-end schedules, look at the logic of the worksheet, the formulas used in each calculation, and verify the totals match the financials. Hint: if using Excel, select the “formulas” tab and select the “show formulas” option. This will change the worksheet from showing the resulting number to the formula used in each cell. Look for any changes made since the last quarter’s review in methodology, calculations, method of gathering the data (because of a different report or an updated system), or presentation on the schedule. Then, if you are the person creating the audit schedules, have someone else take a look who is familiar with the process. That person will probably find little things that you didn’t see simply because you are too familiar with the information.

Address any mistake in the schedule ahead of time: If a discrepancy is found during the internal review process, create a new year-to-date schedule by quarter with the changes identified, documented, and quantified. Discuss your findings with management so they can determine if the changes are material and how best to communicate them with the audit team.

Be organized: Make an audit binder or a folder on your secured internal site with the schedules and any information that would help someone else prepare them. Keep track of when you submit your schedules to the audit team and what version you give them. If there are any questions, you will both need to be looking at the same schedule.

Don’t forget about the effect on the first-quarter review: Lastly, when creating your first-quarter review schedules, verify they contain any updates from the year-end review – both yours and the audit team’s. In other words, don’t automatically pull the previous first quarter schedules to use.

These tips will hopefully make your audit process much smoother than last year. For more information about this topic, check out our intelligence report, “Audit time? Don’t sweat it.”

Monica Zorn is a member of the RoseRyan dream team. She specializes in controllership issues, reconciliations and audit prep, and SOX.

NASDAQ recently filed a proposed rule change with the SEC that’s seemingly aimed at SOX compliance. If implemented, each NASDAQ-listed company will be required to establish and maintain an internal audit function “to provide management and the audit committee with ongoing assessments of the Company’s risk management processes and system of internal control.” Companies listed as of June 30, 2013, will be required to establish an internal audit function by December 31, 2013; companies listed after June 30, 2013, will be required to establish that function prior to listing. In NASDAQ’s view, the proposed rule change will place no unnecessary or inappropriate burden on competition.

To me, this proposed rule change signals that the NASDAQ is weighing in on the JOBS Act provision that exempts certain companies from SOX 404(b), the auditor attestation regarding internal controls. That exemption was intended to foster growth by lowering administrative burdens on emerging growth companies (those with revenues less than $1 billion) entering the public market. These companies were granted as many as five years’ relief from a number of rules, including independent auditor attestation on the design and effectiveness of internal controls over financial reporting.

The more than 30 comments posted by the recent close of the SEC comment period were primarily from CFOs of small NASDAQ-listed companies, who said the proposed rule was costly for their enterprises and duplicative of existing SOX requirements. Some comments reflected concern that the rule reduced audit committees’ flexibility to direct the focus of the internal audit function.

Here’s my take: the proposed rule change was not intended to force companies to go beyond what is currently considered best practice—and what most companies do in support of SOX 404(b). (In general, companies that comply with 404(b) have a much more robust set of internal controls and are more diligent in consistently adhering to them—and therefore have greater financial statement integrity—than companies complying only with 404(a).) Although the proposed rule specifically excludes companies’ external audit firms from providing internal audit services, it does allow outsourcing to a third party.

The NASDAQ’s attempt to close the SOX loophole should not significantly affect RoseRyan’s SOX clients. These companies typically engage us to help them ensure that their internal controls are appropriately designed, to independently test the controls’ effectiveness and to periodically meet with their audit committees. I don’t see the proposed rule greatly changing that scope of work. However, the rule will add to the workload of many newly public companies currently exempt from 404(b). I view that change as a step in the right direction for investor protection and for leveling the playing field for companies traded on the NASDAQ, regardless of when they went public.

On September 1, 2012, the state of California started to collect sales tax from Amazon after a years-long argument over whether the Internet company should pay such a tax. In just the first four months of collection that tax amounted to $96.4 million. A good deal? Maybe, but you could argue that this apparent win for California was not so good, as the state agreed not to pursue Amazon for back taxes, penalties and interest that it may have been owed—a potentially huge sum given the number of years Amazon has been in business. 

California is pursuing other out-of-state Internet business companies for sales tax on business performed in the state. It is not alone. Many states are realizing that out-of-state Internet companies with in-state sales are a huge potential source of income for them if they can somehow establish that the companies have a business presence, or nexus, in the state.

The Internet businesses potentially affected include not only those selling tangible goods, like Amazon, but others that sell or license products such as software and social gaming—products that did not exist when states first established their sales tax rules. Not surprisingly, states are rushing through legislation to pursue these new forms of revenue. Unfortunately, this means that sales tax rules will vary from state to state, making compliance a nightmare.

The rules for determining nexus in each state can be complex and subtle and can involve relationships that you wouldn’t think would affect tax status but in fact do. Take a California-based Internet company that sells to New York-based consumers. If it advertises in New York via a fixed-fee advertising agreement with a New York-based company, it probably has not created nexus in New York under that state’s nexus rules. However, if the fee is found to be commission based, even in the remotest way, the company probably has created nexus, as the arrangement amounts to a reward-based referral. What seems like a minor variation in the terms of an advertising agreement can have very large tax liability consequences. 

The size of the deal is irrelevant for determining nexus. Once you have nexus, you pay sales tax on all your sales to consumers in the state, not just those sales generated from the agreement. So the price of bad tax planning can be high.

Some sales tax rules remain straightforward. For example, if your company employs someone resident in another state—someone who assists in any way with the company’s sales process or sales cycle—you have nexus in that state. But with new sales-tax rulemaking afoot across the land, you will need to consider many other factors to determine your liability. 

Internet businesses have choices. Good tax planning will pay off, but it’s not cheap. Some businesses pay third-party organizations to help them comply with ever-changing state tax rules. Unfortunately, many businesses choose to ignore the rules altogether and hope they don’t get caught. That’s not a smart choice, because when they are caught, the back taxes, penalties and interest will be considerable. 

Not everyone can get the past eradicated like Amazon did. 

The holidays are fast approaching, and with them, all the stress of the season. Santa is making his list and checking it twice, and we accountants can follow his lead to keep a little sanity in our 2012 closeout activities.

Here’s my recommended year-end to-do list:

Account reconciliations—Yes, ideally these were performed on a monthly basis, but if other priorities shunted them aside, now is the time to get them done. And it’s a good idea to review all your current reconciliations to see if any items need resolving before you ring in the new year.

Impairment analysis—Have you attempted to identify indicators that might affect your asset valuation? Have you documented your findings in an accounting memo for your records? No? Get on it!

Inventory of non-routine business transactions with accounting or disclosure implications—If you haven’t already, prepare an accounting memo summarizing each of these transactions, and for each, outline the accounting policy and its basis in GAAP. It’s best to prepare these memos close to the time of the transaction, while the information is readily available and the details are fresh in your mind, but if other demands took precedence, catch up—before you close your books and invite your auditors in.

Revenue recognition—Have you been keeping good documentation for large or unusual transactions? If not, now’s the time to tackle this task. Review your revenue transactions and make sure you have a well-written accounting memo documenting the basis in GAAP for your revenue recognition conclusions. Also, make sure you have copies of the relevant contract or other pertinent information. Is VSOE important to your revenue recognition policy? If so, ensure that you have maintained it by updating or testing it.

SOX annual controls—By definition, these controls are performed once a year. Take a look through your SOX documentation and make sure you have a complete list of everything you need to do. It’s easy for something to fall through the cracks. Speaking of which, do you have SOC 1 reports from all your in-scope third-party providers? Have you reviewed and evaluated them for any adverse impact on your internal controls?

Stock-based compensation accounting—Let’s be blunt: this task is a hotbed of opportunity for things to go awry. If you haven’t been through your equity records with a fine-tooth comb in a while, examine them now. Problems we commonly find range from data entry errors to missing or incomplete paperwork, surprise (at least to the accounting department) option modifications, and unsupported Black-Scholes assumptions. Check out our guide, Stock Options: Do You Have a Problem?, to avoid these and related pitfalls.

This list should help you stay on track for a smooth year-end close. Happy holidays!


The passage of the Sarbanes-Oxley Act 10 years ago dramatically improved corporate governance in U.S. companies, restoring investor confidence in U.S. capital markets in the wake of headline-making accounting blowups (Enron, WorldCom, et al). SOX instituted rules on the composition of audit committees, established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of audit firms and spelled out civil and criminal penalties for CEOs and CFOs. But when SOX is mentioned, most people immediately think of Section 404 (internal controls over financial reporting), which continues to take heavy criticism—not always deservedly.

Initially, implementation of SOX 404 was difficult, cumbersome and expensive. Companies had to formalize their system of internal controls over financial reporting and invest resources in designing, documenting and testing the effectiveness of controls, even in areas that would not reasonably give rise to a misstatement of financial results. Over time, though, the rules were revised and both managers and auditors learned how to apply judgment to principles-based regulations and develop supportable positions. Companies incorporated internal controls into their normal workflow and created cost-effective programs to improve the integrity of their financial reporting. A November 2009 study published by Audit Analytics found that the rate of financial restatements was 46 percent higher for companies that did not comply with all of the SOX internal control provisions than for companies that did.

Some companies comply with the letter of the law, but do not embrace the spirit of SOX 404, viewing it as a check-the-box exercise. They use lower standards of evidence (for example, inquiry only rather than re-performance), and their SOX testing is neither meaningful nor insightful. That means their results are not informative. This approach would not pass muster under an independent audit, and since all but the smallest public companies (those with less than a $75 million public float) have been subject to audit attestation, most public companies have ended up with meaningful SOX results.

Now, recent developments are sending conflicting messages about the direction of SOX rules.

The JOBS Act granted a five-year exemption from SOX audit attestation for newly public companies with less than $1 billion in revenue—a huge swing in the direction of more leniency.

In the other direction, PCAOB reviews of Big Four audit firms have led auditors to ask for more robust documentation of internal controls and more thorough testing of the data used to support the effectiveness of controls. And COSO, which publishes the most widely used framework for designing and assessing internal controls, has issued an exposure draft of an updated internal control framework intended to address changing technology and globalization, as well as to provide greater clarity on designing and maintaining an effective system of internal controls. Given that the draft runs to more than 500 pages, reviewing, revising and implementing the guidance from the new framework is no small undertaking.

So where are we headed? My fear is that we are taking a big step backward. By exempting some companies from SOX audit attestation, we turn a blind eye to ineffective internal controls and erode investor confidence in financial statements. At the same time, the updated COSO framework and requirements for more robust SOX documentation seem to be pushing nonexempt companies back to the difficult, cumbersome and expensive path, without any increase in financial statement integrity. Neither of these directions is in the best interest of companies or investors.

RoseRyan has two new gurus to introduce: Cedric Armstrong and Sharon Knestrick.

Cedric is an IT compliance specialist who likes nothing better than to assess systems for risk and develop policies and procedures for IT security and computer operations; he’s also got SOX IT down. He has abbreviations like CISA, CISSP, CTGA and CFE following his name, so you’d think he’d be, well, geeky. He isn’t. Cedric has lived in eight countries, and he was with EY, then Deloitte, before he became a consultant some years back.

Sharon’s background is in accounting manager and controller roles at emerging growth companies, so she’s been instrumental in helping businesses get off the ground; she thrives on change, and she understands how everything works together. She also has a strong systems background, so she can tackle just about any software known to accounting. The Financial Literacy Project for teenagers sponsored by the American Society of Women Accountants in San Francisco is near to her heart.