CFGI recently rounded up a few of its top Sarbanes-Oxley specialists to discuss all things SOX compliance on camera. The resulting discussion led to nearly 90 minutes of insights from three former Big Four auditors turned CFGI mainstays:
- Daniel Shafrir: Partner, National Leader of the IT Risk Advisory Practice.
- Angela Barcelos: Partner, National Leader of the Risk Advisory Practice.
- Christopher Trudeau: Managing Director, Risk Advisory Practice.
Here is what they had to say about some of the most pressing subjects surrounding SOX compliance (watch the two-minute video recap here).
When to start planning for SOX compliance
For companies planning to go public
Daniel: “There are multiple steps to getting to the ultimate goal of SOX 404 compliance. Nowadays, under certain circumstances, you’re given several years to build up to that. If you know that you’re going to be an emerging growth company, for example, I find that starting the conversation several months prior to the IPO is ideal. You don’t have to go full on at that point, but you can start building the foundations in a more relaxed manner that isn’t as disruptive.”
For companies that are already public
Christopher: “We usually tell our clients that you want to think about a risk assessment process and internal controls as soon as you can after your year-end period. Typically that’s after the dust settles. You know where the risks are, and it’s a good time in the calendar to think about how we can improve for the following year.”
High-level SOX pitfalls to avoid
Christopher: “Typical issues we see with clients addressing Sarbanes-Oxley compliance are not making their finance operations more formal in terms of documentation, or not communicating the importance of the initiative to parts of the organization outside of finance, such as HR, operations and legal.”
Daniel: “On the IT side, sometimes companies use tools and technology either from when the company was not required to be SOX compliant or used in conjunction with a process that was not material to the financials. When it becomes material enough to be scoped into SOX, that tool might need to be replaced with one that allows for better controls such as access controls, audit logs, etc.”
Top issues facing companies that are about to go public
Daniel: “The increased burden of formalizing the controls and documenting the operation of these controls and actually sticking with them all year adds time to an already busy day job. I empathize with that. It’s a big undertaking for anyone who’s in a position to be a control owner. To the degree that your SOX team is willing to think outside of the box to find ways to mitigate the risks in the least intrusive manner – and especially if you have access to automation capabilities – this burden can decrease quite significantly.”
Angela: “If you’re thinking about bringing your company public, the first thing that you really want to think about is who the stakeholders are – who will be interested in your internal control environment. That could be anyone from your bankers or your audit committee to management. It’s also really important to have a sense of the current state of your control environment. You want to be able to put a roadmap in place to address any design or execution gaps that exist in your internal control environment.”
Top issues facing newly public companies
Angela: “The most frequently asked question that I get from newly public companies or companies that are immature in their SOX life cycle is, ‘How do we reduce SOX compliance fees?’ And there’s a variety of ways that companies can do that: key control rationalization, early planning and coordination with all the relevant key stakeholders – including the external auditors – and really working on harmonizing your people, your processes and your systems across the organization.”
Christopher: “When we take on newly public companies that have either just gone public or are thinking about going public, typically the most challenging part is communicating the importance of formalizing their internal control procedures as well as communicating those goals across the organization. Another important factor is making sure that the tone at the top is really strong to ensure that it is a priority for the company.”
Top issues facing established public companies
Daniel: “Complacency can be the enemy of risk management. If you’re a mature environment that has a well-established SOX program, you run the risk of just doing what you did last year. Conducting real risk assessments with a keen eye on what has changed year over year is crucial. When people get too comfortable with the way that things work, you might not realize that a small shift such as implementing a GRC tool, for instance, to support your audit process or to allow you to gain better visibility through dashboards, can make a big difference.”
Angela: “If there are changes to their business, to people, to processes, to systems, it’s really, really important for companies to stay on top of the risks – and emerging exposures stemming from these transactions – and making sure that the SOX program appropriately reflects the changing business.”
Trends and hot topics in SOX
Angela: “Some of the things that we’re seeing are a desire and a request by the regulators for more precise controls and more documentation, and it’s putting a lot of strain and an onus on a lot of companies to really comply with SOX.”
Christopher: “Management review controls are a hot topic in the SOX compliance world right now. These are controls over significant judgments and estimates as part of the financial statements. We’re finding that there needs to be a lot of rigor and documentation into the things that the organization reviews to justify estimates and judgments as well as any change to the methodology. Information Produced by Entity (IPE) is also important. Companies need to think about how they’re documenting the completeness and accuracy of information that they are using as they execute controls.”
Daniel: “Over the years, there has been a big increase in the emphasis placed on the IT environment and the importance that it plays within the broader SOX scope. Testing requirements are much more robust. There’s a big emphasis on the completeness and accuracy and validity of information coming from the systems. Automated controls and system functionality are scrutinized in a much more significant way. And in recent years there has been a clear trend in the need to consider cybersecurity risks as they relate to the scope of the SOX environment.”
SOX activities that take more time and effort than anticipated
Angela: “One is information produced by entity or IPE, also known as key reports. It’s important for companies to ensure any report that they use to execute a control or for financial reporting is complete and accurate. And there’s a lot that goes into validating completeness and accuracy over a key report.
“The second is review over your third parties. Most companies outsource a lot of their services to third parties, and you want to make sure that there are sufficient controls in place to monitor those third parties.
“And then the third thing that takes a lot of time is that internal controls inherently are very connected throughout the organization. You have a lot of functions, and you have a lot of stakeholders who are involved in the execution of a control or a process. And really to remediate findings or to ensure that your controls are operating effectively, you need to have coordination across the entire organization and buy off across the entire organization.”
Christopher: “The things that take more time and effort than our clients typically expect include the more holistic ways that you need to address some of the risks at the organization. It can feel easy to compartmentalize issues and Band-Aid things one at a time, but most times we see the most efficient way to address risks that are pervasive in one area is to implement a new system that will help the organization handle many risks at once.”
On SOX compliance partnerships
Christopher: “When it comes to deciding on a SOX compliance partner, you really need to think about the value that they bring to your organization, not just from a financial statement, risk compliance standpoint, but overall efficiency and operational effectiveness. The flexibility of your partner is another important factor. Advanced planning is great until unforeseen circumstances come up. When they do, you’ll want a partner that can be flexible on schedule, be there when you need them and then get out of the way when you don’t.”
Angela: “A good partner is able to coordinate SOX audits very closely with the external auditors to reduce a lot of the back and forth and administrative type work associated with the SOX program. In many cases we use the external auditor’s sampling methodology and sample sizes, and they’re able to rely on our testing, reducing compliance costs for the company.”
Daniel: “Oftentimes, external audit firms for our SOX clients are Big Four firms. We’re all ex-Big Four at CFGI. We’ve been on the other side. We know what the auditors want. We know how they think and why they’re asking what they’re asking for. We know how to talk to them in their own language, and this helps bring down so many barriers.”