SOX Insights - Weaver


Plan Early: Know and Understand Requirements to Implement a SOX Program

For newly public or smaller organizations, conducting Sarbanes-Oxley related activities in-house may be overwhelming and impractical. In such instances, developing a compliance plan, assessing related risks, devising controls, and maintaining documentation or other necessary activities can be outsourced to attain efficiency and optimize internal resources.

The professionals on Weaver's Risk Advisory Services team can assist you in evaluating your SOX sustainability to help improve the internal control structure of your organization. A well-designed SOX program provides management with peace of mind that operating policies are being followed. It is a sound monitoring practice and is part of good corporate governance.

Whether your business is facing year one of SOX compliance or working on year two and beyond, focusing on remediation, sustainability and scalability allows compliance to become a process that is maintained, not recreated, from year to year. By fine-tuning and nurturing SOX compliance throughout the year, you can:

- Effectively manage the project scope
- Avoid potential unforeseen difficulties
- Approach SOX compliance as an ongoing process

What Are the SOX Requirements?

The SOX Act requires publicly traded companies to provide an annual attestation of the adequacy of design and operating effectiveness of internal control over financial reporting. Depending on the size of your company, you may also be required to obtain an opinion from your external financial statement auditor on the design and effectiveness of controls. These requirements are described in sections 404(a) and 404(b) of the Act.

404(a) – Management's Assessment

Management must establish a system of internal control over financial reporting and annually attest that the system of control is adequately designed and operating effectively. This attestation requires that the company's officers, typically the CEO and CFO, sign off on the effectiveness of controls as of the financial reporting date; the assessment is included in the company's 10-K filing.

Establishing the control system in the initial years following the IPO can be time intensive and can require a cultural change in how day-to-day activities are executed compared with how they were performed as a private company. Starting early is critical in developing management's assessment. Under current requirements, management's assessment must be included in the company's second annual report (10-K) following the initial public offering.

404(b) – External Auditor's Assessment

This section of the Act establishes the requirement for some companies, based on their size, to undergo an integrated financial statement audit, which includes both an opinion on the material accuracy of the company's financial statements and an opinion on the design and effectiveness of internal control over financial reporting.

The external auditor's assessment can be rigorous and costly. Developing a SOX implementation plan that contemplates if and when a company may become subject to the integrated audit requirements of 404(b) is critical.

The primary factor determining whether a company is subject to the integrated audit requirement is its "filer status". Historically, publicly traded companies classified as Large Accelerated or Accelerated filers have been subject to an external audit of internal controls beginning with their second annual filing.

Large Accelerated Filer: $700 million or more aggregate worldwide market value of voting and non-voting common equity
Accelerated Filer: $75 million or greater, but less than $700 million

Recent legislation has provided a reprieve for newly public companies and extended the timeline in which companies may prepare for an integrated audit. In April 2012, the Jumpstart Our Business Startups Act (JOBS Act) was signed into law. Under these guidelines, a company may file for status as an Emerging Growth Company (EGC), which provides a five-year exemption from the integrated audit requirements of SOX 404(b).

A company can maintain its EGC status and integrated audit exemption for five years after its IPO date unless one of the following is triggered:

- Annual gross revenues equal or exceed $1 billion
- Non-convertible debt issued over the previous three-year period exceeds $1 billion
- Achievement of Large Accelerated filer status

The benefit of this extended deadline can be significant, as management will have more time to prepare for this step and adequately train employees. Preparing for an integrated audit in a short window is likely to substantially increase the cost of compliance as well as the likelihood of errors and un-remediated deficiencies.

Coordinating efforts with your external auditors is a critical part of the planning process. For companies that are currently subject to an integrated audit or will become subject to one soon, discussing with your auditor the areas where they can rely on work performed for management's assessment can go a long way toward reducing total audit fees.

Developing a SOX Compliance Program *

1. Start Early – Implementing a SOX compliance program can be a large undertaking, especially in the initial years of being a public company. Starting early enables the company to integrate changes over time. Even companies with a mature SOX program must revisit their plan annually and evaluate changes for the current year.

2. Develop a Plan – SOX planning should include both short-term (current year) and long-term goals for changes expected in subsequent reporting years. Know where you stand in the compliance timeline based on filer status so you can plan for management's assessment and, if necessary, an integrated financial statement audit.

3. Identify a Framework – The company must establish a framework as the basis for its assessment of internal control over financial reporting. The most commonly used framework is the COSO Internal Control – Integrated Framework, most recently updated in 2013. A framework provides an underlying methodology for developing and assessing controls. The COSO (2013) framework takes a risk-based approach, which is the most widely accepted and effective method for assessing internal control.

4. Conduct a Risk Assessment – Identifying the significant processes that are in scope for SOX is a critical step. This is traditionally accomplished by identifying key financial reporting processes and assessing their inherent risk based on materiality, transaction volume, complexity and fraud risk. The results of the risk assessment are used to determine the nature and extent of the procedures required to implement and evaluate internal controls for each significant process.

* The extent to which these steps must be performed and implemented is subject to management's discretion in years where the company does not have an integrated audit requirement.

5. Assess Entity-Level Controls – Developing an understanding of, and evaluating, the organization's underlying control environment is a key step in assessing internal controls. Identifying and implementing entity-level controls that ensure specific cultural, strategic and organizational activities are in place to support process-specific control activities is a foundational component of the control environment.

Internal control is defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

6. Document Significant Processes and Key Controls – Financial reporting processes identified as in scope for SOX should be documented and evaluated for adequacy and coverage of the internal control design. The process documentation should provide a clear depiction and understanding of the flow of transactions within the process, the separation of responsibilities between the individuals involved in the process, and the impact of the process on the financial statements and reporting. Controls for each of these processes should be identified and mapped to the relevant financial statement assertions and risks, including fraud.

7. Assess IT General Controls – Identification of the IT systems and applications that impact financial reporting processes is a significant step in developing a SOX program. IT general controls should be evaluated and implemented to cover the company's network, significant applications and underlying databases; in practice these controls address logical access (including privileged access and segregation of duties), change management, and computer operations such as backups and job scheduling. Additionally, properly designed IT general controls provide validation of, and support for, the electronic data and reports used in financial reporting and in the performance of key controls.

8. Identify Third-Party Service Providers – In some instances, the company may find that significant financial reporting processes have been wholly or partially outsourced to a third party. In these instances, the company must assess the adequacy of the third party's internal control, typically by reviewing a Service Organization Control (SOC) report. The evaluation of a third party's internal control should include both business and financial considerations as well as IT controls and processes. If a SOC report is not available, the company must implement sufficient controls of its own to review and validate the outsourced activities.

9. Test the Effectiveness of Internal Controls – Upon completing a thorough design evaluation, the company should test controls to verify they are operating effectively. Both management's and the auditor's assessments require an attestation as to the effectiveness of internal control. Selecting key controls within each process for testing, and confirming that they are operating as designed, is required to attest to control effectiveness.

10. Evaluate the Significance of Identified Deficiencies – Control deficiencies can be identified during the design evaluation or during effectiveness testing. In both instances, management should have a process to evaluate the significance of identified deficiencies. Significant deficiencies must be reported to the audit committee and the external auditor, and material weaknesses must be disclosed in the 10-K.

11. Communicate Results – The results of SOX procedures should be communicated routinely to the members of senior management responsible for financial reporting oversight, as well as to the company's Audit Committee.

What Is New for SOX?

The Sarbanes-Oxley Act has been in place since 2002, but recent guidance has resulted in modifications to the historical approach to assessing internal control over financial reporting, including PCAOB Staff Audit Practice Alert No. 11. In response to an increase in the volume of audit deficiencies identified by the PCAOB during its inspections of integrated audits, Audit Practice Alert No. 11 was issued in October 2013.

Due to the PCAOB's inspection results, we have seen a significant shift in the external auditor's focus from substantive procedures to internal controls, and specifically to management review controls and system-generated data and reports.

1. Management Review Controls – The sufficiency of design and operating effectiveness tests over management review controls has been drastically increased in response to the PCAOB's findings. Under current guidelines, management review controls must be documented to a high level of precision. While the actual performance of most management review controls has always been more robust than what is represented or documented for SOX purposes, the current expectation is that all actions and considerations be documented.

In addition to expanding the precision of the control documentation, management will be expected to demonstrate that each attribute defined within the control activity was performed. Independent re-performance of the attributes by the tester is not considered sufficient to determine that the control operated as designed; therefore, management needs to document each element of the review. For instance, management may need to include tickmarks or notations to indicate that the reviewer performed each attribute (e.g., footed the reconciliation, tied the ending balance to the trial balance, etc.).

2. System-Generated Data and Reports – The sufficiency of testing of controls over system-generated data and reports that support important controls was the second area of focus from the PCAOB. As a result, there is an enhanced expectation for management's control activities to include procedures to verify the completeness and accuracy of system-generated data used in the performance of significant processes and key controls. This includes the use of spreadsheets, which has created in many companies a requirement for additional review procedures and evidence of review to ensure that spreadsheets are based on valid data, are calculating correctly, and link to accurate information.

To keep your SOX universe spinning, each company should identify remediation needs, promote continuous improvement and ensure the same weaknesses do not continually present difficulties. By devising and implementing remediation strategies, compliance efforts can be effectively and efficiently sustained.

A top-down, risk-based approach focuses on the controls necessary to prevent or detect material misstatements. This approach presents the opportunity to focus the company and its auditors on what is most important and what most impacts the company and its investors. Organizations benefit by reviewing and improving their entity-level controls and risk management processes.

How Do We Maintain SOX Compliance?

SOX compliance can become an embedded element of normal business operations, with benefits that extend beyond greater financial reporting accuracy and continual compliance. SOX is a continual mandate with requirements that must be met year after year. Sustaining compliance without overextending available resources requires approaching SOX as an ongoing process that is maintained, not recreated, each year.

What This All Means to You

As organizations grow, compliance efforts must be scalable to accommodate that growth or any other change. Making compliance a scalable process requires embedding controls and accountability for compliance throughout the organization.
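The two PCAOB focus areas described above (documenting that each attribute of a management review control was actually performed, and verifying the completeness and accuracy of the system-generated data the control relies on) can be made concrete in code. The following Python script is an added example and is not part of the Weaver brochure or of any Weaver tool. The subledger extract, the control totals reported by the source system, the trial balance and the account name are constructed sample data, and the function names are the example's own.

```python
"""Added example (not from the Weaver brochure): documenting a management
review control over a system-generated report.

Each review attribute is executed and recorded as its own tickmark:
  - row count of the extract agrees to the source system's control total
  - extracted balances foot to the source system's control total
  - footed subledger balance ties to the GL trial balance
A SHA-256 over the reviewed data is retained so the evidence is tamper-evident.
"""
import hashlib
import json
from decimal import Decimal

# Constructed sample data. Assumption: an AR subledger extract exported from
# the ERP together with the control totals the source system reported for it,
# and the GL trial balance for the same period end. The account name is invented.
SOURCE_ROW_COUNT = 4
SOURCE_TOTAL = Decimal("1475.00")
AR_ACCOUNT = "1200 Accounts Receivable"

SUBLEDGER_EXTRACT = [
    {"customer": "C001", "invoice": "INV-1", "balance": "500.00"},
    {"customer": "C002", "invoice": "INV-2", "balance": "275.00"},
    {"customer": "C003", "invoice": "INV-3", "balance": "700.00"},
    {"customer": "C001", "invoice": "INV-4", "balance": "0.00"},
]
TRIAL_BALANCE = {AR_ACCOUNT: Decimal("1475.00")}


def foot(rows):
    """Foot the report: sum the balance column with Decimal, never float."""
    return sum((Decimal(r["balance"]) for r in rows), Decimal("0"))


def check_completeness_and_accuracy(rows, expected_count, expected_total):
    """Completeness: the extract has every row the source system reported.
    Accuracy: the extracted balances foot to the source control total.
    Returns {attribute_name: (passed, detail)}."""
    footed = foot(rows)
    return {
        "row_count_agrees_to_source": (
            len(rows) == expected_count,
            f"{len(rows)} rows vs {expected_count} reported"),
        "footed_total_agrees_to_source": (
            footed == expected_total,
            f"footed {footed} vs source {expected_total}"),
    }


def tie_to_trial_balance(rows, trial_balance, account):
    """Review attribute: the footed subledger balance ties to the GL."""
    footed = foot(rows)
    gl_balance = trial_balance[account]
    return footed == gl_balance, f"subledger {footed} vs GL {gl_balance}"


def evidence_hash(rows):
    """SHA-256 over a canonical serialisation of the data reviewed, so the
    retained evidence can be shown to be exactly what the reviewer looked at."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def perform_review(rows, expected_count, expected_total, trial_balance, account, reviewer):
    """Execute every attribute and return a review record: one tickmark per
    attribute (performed, passed, detail), an overall conclusion, and the
    hash of the data reviewed."""
    attributes = check_completeness_and_accuracy(rows, expected_count, expected_total)
    attributes["tied_to_trial_balance"] = tie_to_trial_balance(rows, trial_balance, account)
    return {
        "reviewer": reviewer,
        "evidence_sha256": evidence_hash(rows),
        "attributes": {
            name: {"performed": True, "passed": passed, "detail": detail}
            for name, (passed, detail) in attributes.items()
        },
        "control_operated_effectively": all(passed for passed, _ in attributes.values()),
    }


if __name__ == "__main__":
    record = perform_review(SUBLEDGER_EXTRACT, SOURCE_ROW_COUNT, SOURCE_TOTAL,
                            TRIAL_BALANCE, AR_ACCOUNT, reviewer="controller")
    print(json.dumps(record, indent=2))

    # Incomplete extract: the zero-balance row is missing. Footing still agrees,
    # so only the row-count attribute catches it, and the evidence hash changes.
    incomplete = SUBLEDGER_EXTRACT[:-1]
    record2 = perform_review(incomplete, SOURCE_ROW_COUNT, SOURCE_TOTAL,
                             TRIAL_BALANCE, AR_ACCOUNT, reviewer="controller")
    print(json.dumps(record2["attributes"], indent=2))
    print("effective:", record2["control_operated_effectively"])
```

The incomplete-extract case is the reason row count and footing are recorded as separate attributes rather than one "reviewed the report" tickmark: dropping a zero-balance row leaves the total intact and the tie-out to the trial balance still passes, so only the completeness check fails. Hashing the reviewed data gives the tester something to compare against the retained report, which is what the auditor will ask for instead of re-performing the review.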

In addition, by working with the external auditors, companies can focus on fewer key controls and reduce testing, directly reducing their compliance costs. The business benefits from improved risk management result in enhanced overall organizational performance.

The Risk Advisory Services team at Weaver understands the importance of sustaining compliance and ensuring your company's investment reaps benefits for your organization. We can assist your company in maintaining the effectiveness of your internal controls, complying with disclosure controls requirements, integrating internal control testing and internal audits, and leveraging the company's overall SOX investment.

How Can Weaver Help?

The Risk Advisory Services team at Weaver has extensive experience in implementing SOX programs within a vast array of businesses. We can help a new public company develop and implement a SOX program, as well as assist in developing an initial or ad hoc SOX program into a mature function.

Weaver can enhance your SOX effort in a co-source manner, by assisting other internal individuals with implementation, or by owning the SOX effort through full outsourcing. In either model, we would assist the organization with:

1. Developing a Plan and SOX Strategy
   - Select a champion for the project
   - Organize the committee/project team
   - Develop a project plan with short-term and long-term goals

2. Preliminary Risk Assessment
   - Define expectations
   - Identify business processes and risks
   - Solicit management's concerns

3. Evaluation of Controls
   - Identify how management is controlling risks
   - Identify business control processes
   - Assess the control environment
   - Communicate and validate issues
   - Define the testing strategy

4. Measurement of Effectiveness of Controls
   - Execute test programs
   - Evaluate transactions
   - Analyze the results
   - Conclude on the sufficiency of the control environment

Contact Us

For SOX services, visit our website to identify our SOX Practice partners.

Contact:
Alyssa G. Martin
National Strategy Leader, Large Market and Public Entities
972.448.6975
alyssa.martin@weaver.com

John Wauson, CPA
Partner-in-Charge, Risk Advisory

twitter.com/weavercpas
Weaver.com
