Initial SOX compliance can wallop companies not used to complex public company reporting.
Global expansion complicates SOX compliance exponentially.
Bringing on a SOX compliance advisor can alleviate stress and ensure accurate, timely performance.
Sarbanes-Oxley Act (SOX) compliance can be shockingly complicated and staggeringly time-consuming—especially when a private entity takes a company public and every element of the SOX process is new.
Compliance is an obligation, but the process also allows companies to get their numbers right and maintain shareholder value. Compliance cements shareholder trust and gives the attesting executives confidence and peace of mind since no one wants to get fined, censured or jailed.
Below we review common questions and issues that newcomers encounter, a structured approach to the SOX compliance process and some tips for success—especially if your operations involve overseas offices.
SOX compliance can be especially daunting for middle market firms that don’t have the deep staff or public accounting expertise of Fortune 500 companies.
Global growth compounds a middle market company’s challenges. Every country your business expands into exponentially increases the complexity of SOX because in each country the process must start from scratch. Leadership must understand the new requirements introduced by global expansion, particularly if an acquisition is involved, since a new company will have its own local management and human resources team, information technology system and unique financial processes—including accounts payable, inventory and close.
Even companies with an experienced and efficient internal audit department can be overwhelmed by the extra SOX compliance work that an international expansion brings. The controls piece alone—understanding, integrating and then implementing—can feel very much like a merger with another company.
SOX compliance is a long and arduous process. Companies tackling it in-house or working with an advisor benefit from breaking down their approach into distinct steps and anticipating the time needed to adequately complete each step.
Step 1: Conduct risk assessment and scoping. A scoping exercise establishes a foundational understanding of where risk exists within financial reporting for all accounts and processes. After illuminating and documenting the risk areas for material misstatement, an organization identifies where it needs help to mitigate these risks. It’s critical to be thorough in this first step to set a clear path for efficient action in future steps.
Step 2: Design key internal controls. After a company has documented its risk areas, it needs to prepare risk and control matrices and create supportive process documentation like narratives and flow charts, which guide the risk mitigation actions. This step is more labor-intensive and time-consuming than most companies realize.
Step 3: Evaluate effectiveness and perform gap analysis. Are your controls effective at mitigating your risks, or are there gaps? What improvements or enhancements are needed? Would process automation help? This step includes detailed findings and recommendations for fixes. Investing the time needed in the first two steps prevents surprises from cropping up in Step 3.
Step 4: Test and evaluate operating effectiveness. Are the new controls working correctly? Are there control deficiencies? What still needs work? This step spans the full test period and should include remediation plans to correct shortcomings, with specifics on how those plans should be executed.
When should we start compliance efforts?
As soon as possible, but generally six months prior to going public.
Where do we start?
Begin with a risk assessment to determine focus areas and then design the internal controls.
What time commitment should we prepare for?
This varies greatly depending on the organization and whether all steps will be handled internally or some or all efforts will be outsourced or co-sourced.
If SOX compliance feels daunting—and it is—consider bringing in an advisor to assist you. Some of the capabilities RSM brings to SOX compliance are: