Initial SOX compliance can wallop companies not used to complex public company reporting
Global expansion complicates SOX compliance exponentially
Bringing on a SOX compliance advisor can alleviate stress and ensure accurate, timely performance
Sarbanes-Oxley (SOX) compliance can be shockingly complicated and staggeringly time-consuming—especially for a private entity taking a company public, where every element of the SOX process is new.
Compliance is an obligation, but the process also allows companies to get their numbers right and maintain shareholder value. Compliance cements shareholder trust and gives the attesting executives confidence and peace of mind since no one wants to get fined, censured or jailed.
Let’s review common questions and issues that newcomers encounter, a structured approach to the SOX compliance process and some tips for success—especially if your operations involve overseas offices.
SOX compliance can be especially daunting for middle market firms that don’t have the deep staff or public accounting expertise of Fortune 500 companies.
Global growth compounds a middle market company’s challenges. Every country your business expands into exponentially increases the complexity of SOX because in each country the process must start from scratch. Leadership must understand the new requirements introduced by global expansion, particularly if an acquisition is involved, since a new company will have its own local management and HR team, IT system and unique financial processes—including accounts payable, inventory and close.
Even companies with an experienced and efficient internal audit department can be overwhelmed by the extra SOX/compliance work that an international expansion brings. The controls piece alone—understanding, integrating and then implementing—can feel very much like a merger with another company.
SOX compliance is a long and arduous process. Companies tackling it in-house or working with an advisor benefit from breaking down their approach into distinct steps and anticipating the time needed to adequately complete each step.
Risk assessment and scoping: A scoping exercise establishes a foundational understanding of where risk exists within financial reporting for all accounts and processes. After illuminating and documenting the risk areas for material misstatement, an organization identifies where it needs help to mitigate these risks. It’s critical to be thorough in this first step to set a clear path for efficient action in future steps.
Design key internal controls: After a company has documented its risk areas, it needs to prepare risk and control matrices and create supportive process documentation like narratives and flow charts, which guide the risk mitigation actions. This step is more labor-intensive and time-consuming than most companies realize.
Evaluate effectiveness and gap analysis: Are your controls effective at mitigating your risks, or are there gaps? What improvements or enhancements need to be made? Would process automation help? This step includes detailed findings and recommendations for fixes. Investing the time needed in the first two steps prevents surprises from cropping up in step 3.
Test and evaluate operating effectiveness: Are the new controls working correctly? Are there control deficiencies? What still needs work? This step spans the full test period and should include remediation plans to correct shortcomings with specifics on how those plans should be executed.
A: ASAP but generally six months prior to going public.
A: With a risk assessment to determine focus areas and to design the internal controls.
A: Varies greatly depending on the organization and whether any pieces will be handled internally or will be outsourced or co-sourced.
