As we head into the home stretch for this year’s SOX programs, we thought it would be helpful to highlight some key areas of focus by auditors that deserve particular attention this year. No year is ever the same: From dealing with pandemic-related risks to implementing new accounting standards, companies always have new considerations when it comes to complying with SOX. Based on my SOX crystal ball, here’s what I expect will be key areas of focus in SOX assessments.

How Is Your SOX Compliance in These Key Areas?

Not surprisingly, auditors’ areas of focus tend to align with the areas that the Public Company Accounting Oversight Board has been prioritizing during its inspections. Here’s what the PCAOB says about that:

“While inspections vary by firm, we may focus on auditor’s risk assessment processes, financial reporting, and audit areas affected by economic trends or pressures, audit areas that present challenges and significant risk, new accounting standards, and areas of recurring audit deficiencies.”

What does this thinking mean for SOX compliance in 2021? Well, let’s start with areas of recurring audit deficiencies—we’ve seen internal controls over financial reporting on that list for many years, and no matter how much effort companies put into making improvements, it still isn’t enough in the PCAOB’s view. With all this in mind, here are some aspects of ICFR that merit your attention this SOX season:

Risk assessment process: Spend the time to prepare a thorough risk assessment and include robust documentation. Have you identified all the areas for potential material misstatements? Do you have controls to mitigate your significant risks? Are all your financial statement assertions covered?

Many companies have addressed the risks in their control set associated with the sudden shift to remote work caused by COVID shelter-in-place orders, but the pandemic continues to present risks to the business. We continue to see supply chain shortages crop up as well as other new impacts of our pandemic life. Be sure you have addressed key changes to your business in your risk assessment.

If you’ve recently adopted new accounting standards, such as ASC 606 (Revenue) or ASC 842 (Leases), or refined your workflow and processes in these areas, make sure you’ve updated your design of controls to reflect the new risks and process flows as part of your SOX compliance program.

Management review controls: This has been on the PCAOB list for quite some time—so expect to see further scrutiny here. Look to stated precision levels utilized in the management review process and what the reviewer does when something falls outside those threshold levels, or what happens when the process doesn’t follow the “normal” process. Your auditors will likely expect to see documentation showing that you’ve done these steps for each review.

Completeness and accuracy of IPE: From a SOX perspective, IPE, or “information produced by the entity,” means documenting how control operators satisfy themselves that the data used in the execution of the control is complete and accurate. It sounds simple enough, and yet this is an area that gives most people trouble. We see the whole range of reactions in our client base—from control owners who say, “I get this report from our IT team—it’s their job to make sure it’s complete and accurate” to “It’s a canned report from a leading cloud company—of course it’s complete and accurate.” The reality is, the responsibility for completeness and accuracy is shared between the application owner and the application user.

Let’s break this down even further:

For canned reports—standard reports that you run from a third-party application—you’ll need to demonstrate the report was generated using the appropriate parameters, that the calculations performed in the report are accurate, and that the vendor has effective access and change management controls in place.

  • Parameters: Verify that the parameters used to generate the report are correct, and indicate that you have reviewed them. You can do that by tick mark, a highlight, whatever works for you. But you really do need to look at the parameters—we’ve seen companies run Q1 reports with the dates of January 1 to March 30. The after-the-fact argument of “there was no activity on March 31” isn’t going to fly—the only way to prove that is to run the report using the right date. We’ve also seen stock reports run without a complete population (e.g., it’s missing one of the stock plans).
  • Accuracy of calculations: Verification of calculations performed can be accomplished a few ways—it could be the vendor actually does this verification and includes it in the SOC 1 report. If that’s the case, you can rely on that. Most of the time, a SOC 1 report doesn’t cover this, so you’ll need to do your own verification. Generally a “test of one” will suffice—but be sure you do a “test of one” on all the use cases, not just one. (Here’s a simple example: You can manually recalculate monthly depreciation expense for a single asset and compare your calculation to the report output—if it matches, you’re good. But also include a test for a fully depreciated asset, for an asset added during the month and for an asset retired during the month.)

Digging Deeper into SOC 1 Reports

Effective assessment of a SOC 1 report could be a blog topic in and of itself—so we’ll just hit some highlights:

Make sure the SOC 1 report covers the period you are relying on and it has a bridge letter to get you to the end of your fiscal year. Many vendors will issue a SOC 1 report covering the period through September or October, and then issue a bridge letter saying there were no changes through December 31. For a calendar year-end company, that should work. If your fiscal year-end is different, you’ll need to do additional work here.

You should also evaluate if the design of controls listed in the report covers the key risks you need covered, and whether any testing exceptions were noted. If there are missing controls, you’ll need to do something more on your end (such as verification of calculations). If there are testing exceptions, then evaluate the impact to your organization—it could be the exception is in an area you are not relying on, or you might have compensating controls in place to mitigate the risk.

The SOC 1 report will also list out any sub-service organizations the vendor relies on, and whether the report includes controls from the sub-service organization. Often they are excluded, so you will need to obtain and review those SOC 1 reports separately. Finally, look at the list of User Control Considerations—controls that the vendor expects you to have in place, typically around access, and evaluate whether your controls address those areas.

You’ll need to go through a similar process for information used in control execution that is developed in-house and for calculations in Excel workbooks, such as tax provisions, data from a data warehouse that was extracted from other systems, custom reports, queries and scripts, etc.

Always Be on Top of SOX Trends

SOX compliance is always evolving. The SOX experts at RoseRyan can help your company master the latest key areas of focus and ensure that your company not only meets compliance requirements but does so in an efficient way that can be carried over to future years. To learn more about how we can create a tailored SOX program for your company and our SOX philosophy, see our latest video, and contact us to help you with your SOX program.

Pat Voll is a vice president at RoseRyan, where she guides and develops new solutions for our strategic advisory practice, which includes corporate governance, strategic projects and operational accounting. She also manages multiple client relationships and oversees strategic initiatives for the firm. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

Does your fast-moving company have what’s needed to keep its current pace in a sustainable way? Or are you losing sleep at night worrying about all the aspects of the business you simply do not know enough about or have time to deal with? In between starting up and scaling up quickly (or flaming out), emerging growth companies realize they are missing a level of guidance and perspective that only an experienced CFO can provide. Here are some of the many reasons your company could benefit from CFO input, which could occur on a part-time, interim or occasional basis.

CFOs shift the focus of finance from looking at history to looking toward the future. The accounting record of how the company has performed so far may be in good shape, but what do the numbers tell you? As a member of the team, a seasoned CFO will ask the questions no one else is asking: What are the areas that can most impact our profitability—how can we optimize our profit and minimize our risk? What resources do we need to turn our plans into reality, and what is the best way to obtain those resources? How can we create more value without expenses getting out of control? Are we charging a fair and competitive value for our product or service or is Sales giving away the store (or asking for the moon)?

When the accounting/finance team is running a million miles a minute to keep the financial operations running smoothly, there is no time left to get at these important, big-picture questions that are critical for setting a successful path for the company. This is where CFO guidance can be invaluable: When they become a part of the team, CFOs introduce a future mindset. The CFO will bridge what the historical data tells us today with what is needed for the future through analysis and the buildout of likely scenarios to demonstrate their implications for strategic decisions that senior leadership is considering.

CFOs have a knack for uncovering cost efficiencies and missed opportunities. As an experienced CFO, I always review contracts when putting together a budget, and recently this habit led to the discovery of a significant underbilling situation. The client company was entitled to higher management fees. The fact is, it’s in a CFO’s nature to pay attention to the details that others have forgotten or lack the time or skills to properly review.

CFOs will help you realize the true value of your product, company or idea. When companies are starting out, there’s a tendency to do whatever’s necessary to secure those initial sales and allay that fear of not being able to get enough business to survive, let alone thrive. However, a company may fall into the trap of undervaluing what it’s selling—in order to score those initial sales wins or reach a top line goal.

But what’s the result of those actions? Not charging what your product or service is worth not only devalues your company but leads your team to think that cost is the way to compete instead of creating value. CFOs can help your team to stay on the right track by focusing on the value you bring to the market and helping you set the pricing and terms for your services appropriately. It may not help the company to make a sale if you have to tie up your working capital for six months before you get paid or engage with a client that will not pay you. A good CFO will help you gauge those additional factors before the contract is signed.

You may occasionally have strategic reasons for wanting to do business with a customer for less than your normal pricing. Your CFO should ensure that you articulate those reasons so that the company discounts appropriately and not excessively. A good CFO should also help the executive team recognize when it is time to walk away from an unprofitable business or an unprofitable product line, or define the criteria necessary to make that business worthwhile. Understanding the value of your product or service and charging for it properly will ensure your survival.

When It’s Time to Seek a Senior Level CFO

We work with a lot of entrepreneurs who have amazing ideas and promising businesses. A common issue as they make progress on scaling their companies is knowing when or how to offload some of their oversight responsibilities and worries. For example, a technologist-turned-CEO who has a brilliant product that could be life-saving needs to keep most of his focus on getting out in the field to sell his product and drum up interest with investors. But there are so many other responsibilities that need attention, including HR, legal, compliance and risk management. With wide-ranging skill sets and experience, an interim or fractional CFO can take on oversight of these areas and help the company run more smoothly.

What’s one of the biggest benefits of having access to a CFO, whether it’s for a certain number of hours a week or on an as-needed basis? It’s their ability to help you sleep at night. They can let you know, “these are the things we need to worry about and these are things we do not need to worry about.” They can narrow down the key risks facing the company while also helping you manage them.

Learn all about our tailored finance and accounting solutions for emerging growth companies, and reach out to RoseRyan to inquire how interim CFO expertise can help your company’s quest toward greatness.

Andrew Katcher, a consulting CFO for RoseRyan, blends financial, supply chain and systems skills with vast international experience, having held Fortune 500 division-level controller positions in Japan, Korea, Australia, Europe, Israel and Singapore, in addition to serving as an interim CFO for U.S.-based companies. Past consulting clients include Facebook (Oculus division), SanDisk, Logitech, Amazon/Lab126, SunPower, NYK Logistics and Core-Mark. He recently led a company through an acquisition while guiding two other companies through successful Series A financing rounds.

Getting a small business or startup past the two-year mark is just one of many promising milestones. So many young companies fail early, so passing certain goalposts can be gratifying to the owners and entrepreneurs of an “emerging growth company,” a fast-moving business that may be venture backed or will soon seek significant funding. How can you ensure a bright future as you build your business? Here are a few strategies that have worked for others who have successfully built a business.

The Basics of an Emerging Growth Company

There are various definitions of an emerging growth company. The most prominent comes from the U.S. Securities and Exchange Commission, which considers an emerging growth company to have less than $1 billion in total annual gross revenue in its most recent fiscal year. This qualification allows a pre-IPO company to follow reduced disclosure and reporting requirements for its registration statement with the SEC.

Another way to characterize an emerging growth company is by its stage in the business lifecycle. An emerging growth company not only shows promise, it is in the process of developing or solidifying a strong foundation on which to further build the business.

Still running on minimal resources, it’s received some validation from investors and customers, and it may or may not go public one day. The business is moving at a fast clip and probably wants to get on more solid footing. It’s around this time that leaders of the company realize they could use some help with understanding their business and how it’s performing. There are strategic decisions to be made, to take the company in the right direction, but any moves need to be based on timely, reliable financial data and what that data means.

The company may not yet be ready for a full-time CFO at this point, however. An outsourced accounting team with a part-time controller could be the right fit for getting the finances in order and gaining a better understanding of the business. Are the current plans realistic? What do we need to adjust in order to reach our main goals?

When companies are first starting out, really early on, there may not be much of a plan—more of a hope to explore if a tech innovation can turn into a marketable product. Or the start of a potentially life-saving drug that will need full funding and interest to get it through the development phases. Such companies start out by just getting by with minimal resources for completing payroll, recording transactions, and paying the bills. As the company builds up, however, the need for a different level of financial expertise quickly becomes clear. Establishing finance and accounting processes, getting on the right systems for the company’s size and complexity, and having CFO-level expertise when needed as the company prepares to seek funding are all steps toward building a successful emerging growth business. These are steps for moving beyond the “building a startup” phase toward a brighter future.

The Essentials of Building a Successful Emerging Growth Company

Is your emerging growth company prepared for the changes ahead? Do you wonder “How do I properly build my company?” or “What are the best ways to grow my business?” Start off by considering if you have some of the essentials:

  • A tailored plan for growth—that takes into account your talent, your goals, and where the company is at this moment
  • A tech stack of integrated applications (including software for accounting, payroll, expense management) to keep your financial operations running smoothly
  • Senior level financial expertise that can offer timely guidance as the company pursues growth plans or goes after funding
  • An honest, practical understanding of the business performance and forecasted future

Financial Reporting Requirements for Emerging Growth Companies

The expectations of an emerging growth company expand quickly once it pursues either debt or equity funding. It may need a higher level of financial help as it brings in more people and more talent to meet rising customer demand, ramp up sales and marketing efforts, or pursue an acquisition. While the company scales up, it also requires more structure and an understanding of whether and how it can keep up the pace with the resources it has and is planning to take soon. The company’s growth depends on making the right decisions.

Its financial reporting efforts need to be robust for the sake of decision-makers but also for its growing circle of stakeholders. Lenders will likely want to see audited financial statements, for instance, and the company would have to embark on a long and potentially complicated process to get that first audit complete. Many inquiries are likely to follow, so you’ll want a dedicated expert around who can support the company during the audit process, so everyone else can focus on their day jobs.

How Do You Build a Successful Business?

The million-dollar question any new entrepreneur wants to know: How do you build a successful business? Those who have done it know that it’s more than the product you sell or the idea you come up with. Your company could have the greatest, most unique idea for an app that every American will want to subscribe to over the next year. But, as your company considers adding this on to its portfolio, will it be able to keep up with demand? Does it have the capability of forecasting how long that demand will last? If your outlook is unrealistic, you could be setting up the company for a lot of disappointment—and disappointed users.

Make sure you have the information you need, exactly when you need it. When it’s time for your emerging growth company to further develop the finance function, bring in more finance and accounting expertise, and lean on growth consulting pros, you know where to reach us.