Publicly traded organizations, and those planning to go public, have no doubt heard of Sarbanes-Oxley or SOX, both short for the Sarbanes-Oxley Act of 2002, a federal law designed to improve public accounting and financial reporting to protect investors from fraud.
In particular, Section 404 (often referred to as SOX 404) requires management to establish and maintain internal controls that prevent and detect accounting and financial reporting errors or fraud, and to assess and report annually on whether those controls are operating effectively; for larger filers, an independent auditor must also attest to that assessment.
It’s crucial for publicly traded companies, including companies preparing to go public via an IPO or SPAC, to get ahead of SOX regulations and compliance. Problems with scoping, implementing, or testing controls, or with reporting on them, can lead to significant deficiencies and material weaknesses, which in turn raise the risk of material misstatements in your company’s financial statements. The stakes for SOX 404 oversights are real and high: management and board members lose credibility, investors lose confidence, and an unremediated material weakness results in an adverse opinion on the company’s internal control over financial reporting (ICFR).
Resolve (or better, prevent) these issues before they escalate to material weaknesses, and SOX 404 compliance becomes a lot more straightforward.
People, process, and technology issues related to SOX compliance can combine and compound
Let’s look at a few examples. Take an organization that goes public without preparing for SOX compliance reporting, so it lacks the requisite processes and technology to develop and maintain internal controls. With a small staff, the company also doesn’t have an internal resource (people) with SOX expertise. If existing controls are faulty — say, purchase orders slip through and get paid without a supervisor’s signature — they can lead to material weaknesses.
Let’s look at another example, this one related to segregation of duties (SOD), a major controls area. As IT systems become more complex and customized (technology), SOD can become increasingly difficult. IT staff may not understand the full extent of what certain access rights actually enable a user to do. Staff may be granted rights to carry out or approve processes or access data outside the scope of their role (people). Add inadequate controls to the mix (process), and it becomes possible for an individual to make and conceal errors or commit and cover up fraud, which can potentially create a material weakness in SOD.
Now take the other end of the spectrum: A company is using an archaic IT system that doesn’t support SOD, so the organization operates without proper SOD or develops manual processes as a workaround. Both the reliance on inadequate technology and failure of a manual process could create material weaknesses. If the manual processes don’t have systematic flags for noncompliance or they lack tracking capabilities, the likelihood of a material weakness leading to a material misstatement only increases.
Or take the small, newly public company that tries to prepare for SOX compliance but lacks adequate staffing for proper SOD. The company may have to carry a material weakness forward quarter over quarter until it reaches a point where it can remediate the issue.
Say a newly public company lacks an audit committee. Forming the committee is on leadership’s to-do list, but as the company grows, the need gets lost in the shuffle. Since there’s no committee, issues requiring remediation go unnoticed or unaddressed, until they reach a boiling point.
We see other companies that have an audit committee, but it’s populated with people who lack the expertise to provide effective oversight. Other priorities, including the bottom line, take precedence over internal controls effectiveness and SOX compliance. The results? Compliance is handled suboptimally and doesn’t align with business strategy. Audit committee members may sign off on flawed assertions or on assertions they don’t fully grasp.
Any of these scenarios can have critical impacts, including increased audit fees and untimely filings.
Organizational culture of SOX compliance
Too often we see the lack of an overall organizational culture of compliance, which can impact all three areas, and therefore SOX compliance. For example, a company may not yet have strategically identified control owners in place (people), or it may lack structure around the control environment (process), or not have a suite of enterprise programs capable of promoting an effective control environment (technology). The lack of leadership buy-in across the organization and subpar documentation can lead to flaws in financial reporting policies. Pervasive control failures typically intersect, compound one another, and accumulate to form at least one material weakness — and often more than one.
SOX 404 compliance is complex, and organizations need governance, culture, and expertise (people) as well as structure (process) and technology to design an internal controls framework that fits the business and aligns with strategy. The good news is, organizations that work to identify their people, process, and technology problems not only check the box for SOX compliance but also better position themselves to achieve business objectives and success. Looking for guidance? Our experts can help you get started.