In my role as an Internal Audit consultant, one of the many benefits of my job is I get to talk with all kinds of companies and educate them about SOX compliance. While recently IPO’d companies tend to seek out advice, even the most seasoned CFOs often need a refresher on their SOX requirements.
Consider these interesting tidbits:
- Did you know that 40% of IPOs in 2020 disclosed a material weakness in their S-1?
- Were you aware that 45 days after going effective, the CEO and CFO personally have to sign off on the design and effectiveness of their disclosure controls and procedures?
- As a CFO, do you have a clear picture in your head of the design and execution of the key controls that are required to make this personal certification?
Have I gotten your attention yet? The lesson here is, oftentimes, people don’t know what they don’t know and are often caught completely flat-footed when it comes to SOX compliance. And when they do realize the details involved and the scrutiny applied it is often too late.
Compliance arising out of the Sarbanes-Oxley Act of 2002 (SOX) is a significant undertaking – for any company – no matter how new, mature, big, small, complicated, or simple you may be. At its core, there are really three sections we focus on from a SOX compliance perspective: §302, §906, and §404. Sections 302 and 906 compliance relate to the CEO and CFO personally accepting liability for the material accuracy and proper disclosure of any fraud or deficiencies within their financial statements and disclosures. §404 is where management must make a statement about the design and operating effectiveness of their internal control over financial reporting (ICFR). Depending on your filing status, your external auditors will have to issue an opinion over ICFR at some point as well.
The Institute of Internal Auditors (the IIA) proposed an update last summer to the decades-old “Three Lines of Defense Model” (www.globaliia.org). This new “Three Lines Model” further illustrates the importance of internal controls to companies through improved insight into “interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.” Management is responsible for the first two lines and works collaboratively with the Governing Body and Internal Audit to achieve company objectives around internal controls, compliance, and information and technology security. Internal Audit acts with independence, objectivity, and expertise as the third line of defense before potential errors could be exposed to external audit or regulators, neither of which are good scenarios.
Realizing now the importance of internal controls and the other aspects of SOX, why in the world would companies not take it seriously?? Why are there still CFOs living on an island of SOX requirement denial??
Lie #1: “What I am doing is enough.”
You would be shocked how often I hear this statement. Typically, it’s when the company has done little to nothing to document their risk and controls, and then they are not even validating that the few controls that are documented are in fact working. And typically, this also arises when they haven’t tripped the requirement for external auditor attestation on their ICFR.
The Hard Truth: No matter what, as a public company and SEC registrant, you have an obligation for SOX and corporate governance. Based on where you are in your lifecycle (new IPO company, emerging growth company, large accelerated filer, etc.), there may be some nuanced differences. However, more likely than not, you MUST complete and be able to provide support for Management’s Assessment of ICFR under Item 9a in your Form 10-K or Item 4 in your Form 10-Q. Failure to do so could have implications for everyone from the C-Suite to the Audit Committee and Board of Directors as well as underwriters and investors.
Lie #2: “The penalties aren’t worth the cost, time, and effort to do the work.”
Sadly, this poorly conceived notion is still floating around out in the universe.
The Hard Truth: Shedding of accountability opens the door for a multitude of bad outcomes:
- The CEO and CFO are now at risk for fines, penalties, investor lawsuits, and lack of favor in the public markets. Both could be barred from serving a public company.
- CFO could risk losing CPA license.
- Company could be barred or suspended from market participation.
- The company and senior leadership are exposed to SEC Enforcement actions and civil suits.
THE ULTIMATE TRUTH: People and Corporations are getting caught. Really.
It was noted in the SEC 2020 Annual Enforcement Report, that “the Commission obtained more than 475 bars or suspensions against market participants and suspended trading in the securities of 196 issuers. In addition, the Division triaged approximately 23,650 tips, complaints, and referrals and opened close to 1,200 new inquiries and investigations. Finally, the Commission obtained judgments and orders totaling approximately $4.68 billion in disgorgement and penalties – the highest amount on record.”
All.of.this.was.in.2020. And, let me assure you, 2021 is poised to be even more robust. Whistleblower awards with both company and individual sanctions are at an all-time high. Just review the list of SEC enforcement actions in February and March of this year alone. Even more alarming, SEC data clearly demonstrates that ineffective controls are likely to be persistent over time, leading to a cascade of negative effects which can undermine investor confidence and stock prices. (SEC Data Demonstrates that SOX ICFR Failures are Rarely Isolated Instruments, Jennifer Froberg, February 2021)
You may be asking yourself right now, “Ok. This is scary. What do I do?” That’s good. That’s really good. Now that you are convinced that SOX is real and denial is really a truly poor choice, you are ready for the next step: asking for help. There are several automated technology solutions available in the market that can automate much of your SOX compliance program and skilled SOX professionals available to assist you.
If you are looking for help. Just ask. Preparedness to be a public company, including ICFR and Disclosure and Controls Procedures (DCP) and IC is a complex undertaking and fraught with the potential for error.
- DON’T WAIT to get started! Best practice is to allow 9 – 12 months to complete documentation, gather evidence of control execution, identify major remediation efforts, and preliminarily assess control effectiveness in order to provide a basis for the first year filing.
- Often, significant process changes are required to effectively implement a strong internal control framework. Waiting too long to address Sarbanes-Oxley requirements can create a huge burden on already over-worked staff.
- Management should integrate consideration of internal controls into the company’s financial processes as early as possible to allow time to implement and adequately assess the effectiveness of those controls.
- Consider implications of listing requirements on ICFR and corporate governance.