Sarbanes-Oxley compliance—obligatory and complex

May 12, 2023

Key takeaways

Initial SOX compliance can wallop companies not used to complex public company reporting

Global expansion complicates SOX compliance exponentially

Bringing on a SOX compliance advisor can alleviate stress and ensure accurate, timely performance


Sarbanes-Oxley (SOX) compliance can be shockingly complicated and staggeringly time-consuming—especially for a private entity taking a company public, where every element of the SOX process is new.

Compliance is an obligation, but the process also helps companies get their numbers right and maintain shareholder value. Compliance cements shareholder trust and gives the attesting executives confidence and peace of mind, since no one wants to be fined, censured or jailed.

Let’s review common questions and issues that newcomers encounter, a structured approach to the SOX compliance process and some tips for success—especially if your operations involve overseas offices.

Unique challenges for the middle market

SOX compliance can be especially daunting for middle market firms that don’t have the deep staff or public accounting expertise of Fortune 500 companies.

Global growth compounds a middle market company’s challenges. Every country your business expands into exponentially increases the complexity of SOX because in each country the process must start from scratch. Leadership must understand the new requirements introduced by global expansion, particularly if an acquisition is involved, since a new company will have its own local management and HR team, IT system and unique financial processes—including accounts payable, inventory and close.

Even companies with an experienced and efficient internal audit department can be overwhelmed by the extra SOX compliance work that an international expansion brings. The controls piece alone (understanding, integrating and then implementing them) can feel very much like a merger with another company.

SOX compliance requires a structured approach

SOX compliance is a long and arduous process. Companies tackling it in-house or working with an advisor benefit from breaking down their approach into distinct steps and anticipating the time needed to adequately complete each step.

Risk assessment and scoping: A scoping exercise establishes a foundational understanding of where risk exists within financial reporting for all accounts and processes. After illuminating and documenting the risk areas for material misstatement, an organization identifies where it needs help to mitigate these risks. It’s critical to be thorough in this first step to set a clear path for efficient action in future steps.

Design key internal controls: After a company has documented its risk areas, it needs to prepare risk and control matrices and create supportive process documentation like narratives and flow charts, which guide the risk mitigation actions. This step is more labor-intensive and time-consuming than most companies realize.

Evaluate effectiveness and gap analysis: Are your controls effective at mitigating your risks, or are there gaps? What improvements or enhancements need to be made? Would process automation help? This step includes detailed findings and recommendations for fixes. Investing the time needed in the first two steps prevents surprises from cropping up in step 3.

Test and evaluate operating effectiveness: Are the new controls working correctly? Are there control deficiencies? What still needs work? This step spans the full test period and should include remediation plans to correct shortcomings with specifics on how those plans should be executed.

For companies new to SOX, the three most common questions are:

Q: When to get started?

A: As soon as possible, but generally six months prior to going public.

Q: Where to start?

A: With a risk assessment to determine focus areas and to design the internal controls around them.

Q: What is the time commitment we should prepare for?

A: It varies greatly depending on the organization and on whether any pieces will be handled internally, outsourced or co-sourced.

Tips for success

  • Be prepared. Awareness is power. Arm your leadership with the knowledge that SOX compliance is a heavy lift. You can’t wing it, and a significant investment of time and resources will be required.
  • Help leadership understand the benefits of global expansion as well as the significant challenges of meeting compliance requirements with offices in multiple countries.
  • Educate your overseas teams on the history of SOX and enlist local champions to frame the issue and gain acceptance.
  • Expect cultural differences and resistance. Other countries have their own compliance laws and often bristle at the fact that they must also abide by U.S. laws. Your overseas team is likely unfamiliar with SOX and may not understand why it’s needed or how the process adds strategic value.
  • Be cognizant of the effort you’ll expend on system preparation. Complex systems that were designed for individual country needs and regional authorities will now have to accommodate SOX too. The analysis and adjustments to accomplish this are rarely simple or fast.
  • Acknowledge the heavy lift of software readiness, which can be complicated by disparate systems and programs that hold information crucial to SOX reporting. How data is ingested by your systems during the audit phase, and how controls will be rolled out during testing, require major staffing and cost investments. Anticipate the complexity and extended timeline so you’re prepared.
