In a certain sense, Sarbanes-Oxley compliance is an annual rite of passage, akin to the arrival of spring or the fall television season. The same experience changes from year to year, but it always happens.
Indeed, for SOX compliance professionals under the age of 35 or so, it might seem like documenting and testing internal controls is all there is to SOX compliance. SOX has brought significant and long-lasting changes to how auditors work.
So as SOX turns 15 this fall, let’s widen the lens to capture what SOX is about: its history, goals, and the most critical points to remember for an effective SOX compliance experience.
Congress enacted the Sarbanes-Oxley Act in 2002 amid deep suspicion that corporations, and the financial statements they published, could not be trusted. The goal of SOX was to place accountability for corporate behavior with the highest levels of the business: the board, the CEO, and the CFO.
The law goes well beyond Section 404 and contains several other important provisions. Among them: CEO and CFO certifications that all financial disclosures are accurate (Section 302), and prompt disclosure of material changes in a company’s financial situation (Section 409).
It also created essential protections such as whistleblower systems for anonymous reporting of possible fraud (Section 301) and penalties for retaliation against whistleblowers (Section 806).
All those sections create more reliable corporate financial statements by putting greater accountability on senior corporate executives and board directors.
If the principal goal of SOX was to make financial statements more reliable, then it succeeded. According to analysis from Audit Analytics, restatements fell from 11.9 percent to 6.8 percent. Key metrics have improved too: Average number of days restated, the average time to complete the restatement, the average size of the restatement in dollar terms, the average number of issues cited in the restatement—all have fallen from the mid-2000s.
Research suggests that strong internal controls also reduce the risk of accounting fraud. A study from the University of Texas at Austin found that companies disclosing fraud were 80 to 90 percent more likely to have previously disclosed material weaknesses. Thirty percent of the companies studied also had prior auditor warnings of material weakness in internal control.
In 2003, officials from the Securities and Exchange Commission estimated that the annual cost of SOX compliance would average about $92,000 per company. They were wrong: SOX compliance costs have been far higher. According to Protiviti’s 2017 Sarbanes-Oxley compliance survey, annual compliance costs now average $700,000 for non-accelerated filers, $1.14 million for large accelerated filers.
Current SEC leadership wants to reduce compliance requirements. Altering how the Public Company Accounting Oversight Board applies auditing standards around ICFR is one possibility.
Much anti-SOX discourse springs from the premise that the benefits aren’t worth the costs, which have turned out to be far greater than predicted when the law went into effect.
The standard definitions for each type of internal control weakness are clear:
A deficiency is when the design or operation of an internal control doesn’t allow employees to prevent or detect misstatements on a timely basis.
A significant deficiency is a deficiency severe enough to warrant attention from senior executives who oversee financial reporting.
A material weakness is one or more deficiencies so severe that there is a reasonable chance of a material misstatement of financial data that won’t be caught promptly.
Understanding the differences can make an audit much more efficient. For example, a company only needs to disclose material weaknesses to investors, not significant deficiencies. But suppose a significant deficiency contributes to that material weakness. In that case, the company “must disclose the material weakness and, to the extent material to an understanding of the disclosure, the nature of the significant deficiencies.” (Per the SEC’s guidance on management’s report on internal control.)
Knowing the difference means that reports can be thorough and compliant without burdening the audit with disclosures it does not require.
Clear communication between the audit firm, audit committee, and management is paramount.
For example, SOX compliance officers must regularly talk with external auditors to determine which controls should be in scope for an ICFR audit and the extent to which the audit firm will rely on work performed by the internal SOX compliance team. Those decisions directly impact how much time and money the company will spend on SOX compliance.
Meanwhile, management and audit firms both talk to the audit committee about the company’s financial reporting.
The audit committee plays a crucial role in smooth communication. If management and auditor disagree about whether a specific deficiency is significant, the audit committee could ultimately referee that dispute. On the other hand, if they disagree about the definition of a significant deficiency for a specific control, that requires more discussion between the SOX compliance team and the external auditor.
The rise of outsourced service providers (OSPs) has significantly changed the business environment since SOX was enacted in 2002. OSPs, delivering data processing and other business functions via the cloud, create new security considerations for SOX compliance.
Cloud computing increases access to private data, which raises a company’s concerns about access control and oversight of third parties. This, in turn, requires more attention to your own controls and more careful risk assessment and testing of the OSP’s access controls.
Hence we saw the arrival of audits of an OSP’s security controls. SOX compliance officers must ensure those audits are scoped correctly so that they provide information the company can actually use.
Manual processes are the bane of SOX compliance. They allow more chances for error and loss of version control. Automating controls and procedures can save endless headaches and the time lost to human error.
For example, companies might have a control that works in two phases, where Employee A must certify his component’s effectiveness before Employee B certifies hers. Done manually, this creates the risk that Employee B might certify her component before Employee A (emailing an attestation, say, while Employee A is on vacation), and the SOX compliance director may never catch the discrepancy.
An automated approach might build logic into a certification and documentation system, so Employee B can’t certify her control component until Employee A completes his certification first.
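As an added illustration (not code from the original article or any real certification system), the following Python sketch enforces the two-phase ordering described above: component B cannot be certified until A has been, every attempt is logged, and out-of-order attempts are rejected rather than silently accepted. The component names, dependency map, and employee identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed dependency map: "B" may only be certified after "A".
# Names are placeholders, not taken from any real system.
DEPENDENCIES = {"A": [], "B": ["A"]}


class CertificationError(Exception):
    """Raised when a certification is attempted out of order or twice."""


@dataclass
class CertificationLog:
    """Append-only record of accepted and rejected certification attempts."""
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def is_certified(self, component):
        return any(e["component"] == component for e in self.accepted)

    def certify(self, component, employee, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {"component": component, "employee": employee,
                 "when": when.isoformat()}
        if component not in DEPENDENCIES:
            raise CertificationError(f"unknown component {component!r}")
        # The control itself: every prerequisite must already be certified.
        missing = [d for d in DEPENDENCIES[component] if not self.is_certified(d)]
        if missing:
            entry["reason"] = f"prerequisites not certified: {missing}"
            self.rejected.append(entry)  # keep evidence of the premature attempt
            raise CertificationError(entry["reason"])
        if self.is_certified(component):
            entry["reason"] = "already certified"
            self.rejected.append(entry)
            raise CertificationError(entry["reason"])
        self.accepted.append(entry)
        return entry

    def is_complete(self):
        return all(self.is_certified(c) for c in DEPENDENCIES)


def run_scenario():
    """Replays the article's case: B attempts to certify while A is away."""
    log = CertificationLog()
    try:
        log.certify("B", "employee_b")  # premature; rejected and logged
    except CertificationError:
        pass
    log.certify("A", "employee_a")
    log.certify("B", "employee_b")      # now allowed
    return log
```

The rejected list gives the compliance director the evidence trail that a manual e-mail attestation would have lost.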
Simplifying internal control processes to reduce the opportunity for error should be a guiding principle for all a company’s efforts to rationalize and reduce key controls. Reducing the room for error keeps the whole process running smoothly.
In the same way that SOX was about more than effective internal control over financial reporting, SOX compliance creates value beyond reliable financial results.
SOX encourages reporting of workplace harassment with whistleblower hotlines. It prevents cybersecurity breaches with attention to IT general controls. Academic studies have found SOX compliance — specifically Section 404(b)’s outside audit of ICFR — contributes to higher market valuations and stronger credit ratings.
SOX compliance makes a difference. As time goes on, reliance on financial statements, the interdependence of risk, and services delivered over the cloud all continue to grow. Compliance officers should prepare for the continued growth of their profession as we enter the next 15 years of SOX.