Key Considerations for SOX Compliance
Co-authored by Zach Porter
The Sarbanes-Oxley Act of 2002 (SOX) remains a cornerstone of corporate governance and financial reporting for publicly traded companies in the United States. Its primary aim is to protect investors by enhancing the accuracy and reliability of corporate disclosures, with a particular emphasis on internal controls over financial reporting (ICFR).
Section 404
Section 404 is central to SOX compliance, requiring both management and external auditors to assess and report on the effectiveness of a company’s internal controls. Management must establish, document, and test controls, supporting an annual assessment over internal control compliance. External auditors independently evaluate these controls and issue their own opinion, adding a layer of assurance for company stakeholders.
Smaller public companies (those with a public float of less than $75 million or annual revenue below certain thresholds) may be exempt from the external audit requirement, reducing their compliance costs.
Components of internal controls
Companies use the COSO (Committee of Sponsoring Organizations) framework as the basis for designing, implementing, and assessing internal controls. The COSO model emphasizes five key components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Effective SOX compliance requires that these elements are not only present but also well-documented and regularly reviewed by management, to ensure that business, information technology, and entity-level controls have been appropriately implemented across the organization.
Key challenges in SOX 404 compliance
SOX 404 compliance can be challenging because of the resources required to implement processes and to identify and evidence key controls, all while keeping up with an ever-changing technology environment. With the use of AI and more automated and integrated systems, businesses are trying to increase efficiencies within their teams while also considering the documentation needed to support the evidence used in financial reporting. With this increased reliance on systems for reporting, companies face a more complex IT environment to evaluate, monitor, and test.
External auditors have increased scrutiny on the information provided by the entity (IPE) for completeness and accuracy, requiring enhanced validation procedures and clearer documentation of how IPE is generated and validated. This includes documenting report parameters, scripts, and completeness checks, as well as reinforcing management’s responsibility for validating the IPE used in control execution.
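The completeness and accuracy validation described above can be made repeatable rather than a manual tick-mark. The following is an added example, not part of the original article or any BNN tooling: it takes a system-generated report extract (a constructed accounts-receivable aging CSV), compares it to control totals obtained independently from the ledger, and produces an evidence record that captures the run parameters and a hash of the exact file tested. The report name, preparer, and all data values are constructed for illustration.

```python
import csv
import hashlib
import io
import json
from decimal import Decimal

# Constructed sample report (IPE): an AR aging extract as a system might export it.
REPORT_CSV = """customer_id,invoice_id,amount,days_outstanding
C001,INV-1001,1500.00,12
C002,INV-1002,250.50,45
C003,INV-1003,9800.00,91
"""

# Constructed control totals, obtained independently from the source ledger
# (for example, a query run directly against the general ledger tables).
LEDGER_CONTROL = {
    "row_count": 3,
    "total_amount": Decimal("11550.50"),
    "invoice_ids": {"INV-1001", "INV-1002", "INV-1003"},
}

# Constructed parameters used to run the report; recorded so the extract can be
# reperformed by a reviewer or auditor with the same inputs.
REPORT_PARAMETERS = {
    "report": "AR_AGING_DETAIL",   # hypothetical report name
    "as_of_date": "2024-12-31",
    "entity": "ALL",
    "run_by": "jdoe",              # hypothetical preparer
}


def parse_report(text):
    """Parse the CSV extract into rows, using Decimal so amounts are not rounded."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def validate_ipe(report_text, control, parameters):
    """Run completeness and accuracy checks and return an evidence record.

    Completeness: the row count and the set of invoice ids match the ledger.
    Accuracy: the report total ties to the ledger control total.
    The record also carries the run parameters and a SHA-256 of the exact
    file tested, so the evidence can be tied to the report that was used.
    """
    rows = parse_report(report_text)
    report_ids = {r["invoice_id"] for r in rows}
    report_total = sum((r["amount"] for r in rows), Decimal("0"))

    checks = {
        "row_count_matches": len(rows) == control["row_count"],
        "no_missing_invoices": not (control["invoice_ids"] - report_ids),
        "no_extra_invoices": not (report_ids - control["invoice_ids"]),
        "total_ties_to_ledger": report_total == control["total_amount"],
    }
    return {
        "parameters": dict(parameters),
        "report_sha256": hashlib.sha256(report_text.encode("utf-8")).hexdigest(),
        "report_row_count": len(rows),
        "report_total": str(report_total),
        "checks": checks,
        "passed": all(checks.values()),
    }


if __name__ == "__main__":
    # Print the evidence record; in practice it would be stored with the control's workpapers.
    print(json.dumps(validate_ipe(REPORT_CSV, LEDGER_CONTROL, REPORT_PARAMETERS), indent=2))
```

The control totals must come from a source the report does not depend on; comparing a report to itself proves nothing. Storing the hash alongside the parameters lets a reviewer confirm that the file attached as evidence is the one the checks were run against, and a truncated extract (a common failure when exports are paged or filtered) fails both the row-count and total checks.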
Information technology general controls (ITGCs), particularly access provisioning, change management, and user access reviews, are also subject to heightened review. Companies are expected to demonstrate strong governance over IT systems and controls, utilize standardized templates for access and configuration reviews, and maintain evidence of approvals and independence.
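A user access review of the kind referred to above is essentially a reconciliation of three inputs: the accounts that exist in the in-scope system, the HR roster, and the entitlements the system owner has approved. The following is an added example, not code from the original article or from BNN: it runs that reconciliation over constructed data and flags the exceptions a reviewer would need to document and remediate, including the independence problem of a reviewer certifying their own account. All user names, roles, and the segregation-of-duties rule are constructed for illustration.

```python
# Constructed HR roster as of the review date.
HR_ROSTER = {
    "asmith": {"status": "active", "department": "Accounting"},
    "bjones": {"status": "terminated", "termination_date": "2024-11-15"},
    "clee": {"status": "active", "department": "IT"},
    "dkim": {"status": "active", "department": "Accounting"},
}

# Constructed approved entitlements: the role matrix signed off by the system owner.
APPROVED_ROLES = {
    "asmith": {"GL_POST"},
    "clee": {"SYSADMIN"},
    "dkim": {"AP_ENTRY", "GL_POST"},
}

# Constructed account export from the in-scope financial application.
ACCOUNT_EXPORT = [
    {"user": "asmith", "roles": {"GL_POST"}, "enabled": True},
    {"user": "bjones", "roles": {"AP_ENTRY"}, "enabled": True},
    {"user": "clee", "roles": {"SYSADMIN", "GL_POST"}, "enabled": True},
    {"user": "dkim", "roles": {"AP_ENTRY", "GL_POST"}, "enabled": True},
    {"user": "svc_batch", "roles": {"GL_POST"}, "enabled": True},
    {"user": "old_temp", "roles": {"AP_ENTRY"}, "enabled": False},
]

# Constructed segregation-of-duties rule: a role set that one person should not hold.
SOD_CONFLICTS = [
    ({"AP_ENTRY", "GL_POST"}, "can both enter payables and post to the general ledger"),
]


def review_access(accounts, roster, approved, sod_conflicts, reviewer):
    """Reconcile system accounts to HR and approved roles; return (user, code, detail) findings."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot exercise access; out of scope for this review
        user, roles = acct["user"], acct["roles"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "NO_HR_RECORD", "no roster entry; service or orphan account needs an owner"))
        elif person["status"] != "active":
            findings.append((user, "TERMINATED_USER_ACTIVE",
                             f"status {person['status']} since {person.get('termination_date', 'unknown')}"))
        # Roles held but never approved are a provisioning-control failure.
        extra = roles - approved.get(user, set())
        if extra:
            findings.append((user, "UNAPPROVED_ROLE", ", ".join(sorted(extra))))
        for conflict, description in sod_conflicts:
            if conflict <= roles:
                findings.append((user, "SOD_CONFLICT", description))
        # Independence: the reviewer must not certify their own access.
        if user == reviewer:
            findings.append((user, "SELF_REVIEW", "reviewer holds an account in the reviewed system"))
    return findings


def summarize(findings):
    """Count findings by exception code for the review sign-off sheet."""
    counts = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for user, code, detail in review_access(ACCOUNT_EXPORT, HR_ROSTER, APPROVED_ROLES, SOD_CONFLICTS, reviewer="clee"):
        print(f"{code:24} {user:10} {detail}")
```

Each finding should map to a documented disposition (removed, approved with justification, or compensating control) with the approver's name and date, since the export, the roster snapshot, and the signed-off role matrix together form the evidence that the review was performed on complete data.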
What best practices should companies consider?
There are a few best practices that companies can keep in mind when evaluating whether they are in compliance with SOX requirements. First, early planning is critical. Companies should begin planning for SOX compliance well in advance of the reporting deadline. Generally, documentation of internal processes and identification of controls should take place 12-18 months before the date of management's assessment, to allow the business sufficient time to evaluate the suite of controls and the scoping of financial reporting systems.
Strong internal communication and transparency are also extremely important. Clear communication and coordination between all departments involved in financial reporting and internal controls are key to making sure the business is aligned on the requirements and timeline for compliance. In addition, involving your audit team in the discussion early will allow both teams to plan and collaborate on key areas of focus or challenge.
Next, don't wait for deadlines to conduct regular updates or review key documents. The companies we work with that have the most streamlined compliance process continuously update and review their internal control processes to respond to changes in their business environment or organizational structure. Working with service providers to understand and evaluate SOC reports, evaluating key reports used by the business in financial reporting, and sufficiently scoping and evaluating IT systems are all steps toward ensuring key internal controls aren't overlooked. Compliance is an ever-evolving landscape, and those who don't evolve will likely experience the most challenges during the audit process.
It's also important to take advantage of technology to automate aspects of control testing, documentation, and reporting. Having a system to easily track financial close activities, whose documentation will be used to satisfy internal control evidence requirements, can help management ensure information is all documented in one place. Many systems now integrate the financial statement close process with internal control testing evidence, to facilitate management's assessment of controls with relevant and linked supporting files. While automation does help reduce operational burden, it does not eliminate SOX evidence requirements, nor the need for annual testing and change-related re-testing. Companies should ensure that underlying ITGCs remain strong, document the distinction between automated and manual steps, validate IPE produced by automated systems, and confirm that third-party tools providing automated control functionality have appropriate SOC 1 coverage.
What are the consequences of non-compliance?
Failure to comply with SOX can result in legal and financial penalties, reputational damage, and operational disruptions. For teams that are not well-versed in internal controls, the documentation requirements, or how to sufficiently evaluate data used in decision making, costly mistakes can occur, leading to a direct impact on your financial results.
SOX compliance is a multifaceted challenge that requires a robust control environment, meticulous documentation, regular testing, and a proactive approach to both business and IT controls. By adhering to established frameworks and best practices, and engaging with independent and transparent partners, organizations can not only meet regulatory requirements but also strengthen their overall governance and financial integrity.
Ready to take the next step?
BNN’s internal audit and SOX specialists work with public companies and their other financial auditors and advisors across New England. Our partnership focuses on transparency, communication, and efficiency so you can focus on your operations and growing your business. Learn more about how we support organizations like yours.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.