Now’s the Time to Reimagine SOX and Springboard Year-End Readiness
The 20th anniversary of SOX marks the perfect time for CFOs and compliance teams to revisit how their controls frameworks can better support the year-end reporting cycle.
From providing greater comfort in the accuracy of financial statements for stakeholders to identifying risk areas that shape corporate strategies, companies generally have experienced positive impacts of the Sarbanes-Oxley Act (SOX) since it first rolled out 20 years ago. SOX ignited the corporate responsibility movement which continues to shape company ethics and regulatory compliance and now serves as a backbone for environmental, social, and governance (ESG) initiatives. In addition, the world has been reshaped drastically over the last two decades by technological innovations, economic volatility, supply chain disruptions, sustainability trends, and a host of other considerations. These emerging matters need to be considered throughout the course of business, whether a company is preparing for year-end financial reporting or tackling other complex scenarios such as going public or initiating business acquisitions.
Twenty years in, SOX programs remain highly relevant and critical to the overall financial and operational health of companies of all sizes and stages. A balanced, thoughtful, and cost-conscious SOX strategy enables CFOs and compliance teams to help their companies tackle any issues that arise. Today, future-minded leaders can build on the foundation that SOX has established and rethink the path forward in order to better anticipate uncertainty, manage disruptive events, and prepare for the year-end financial reporting cycle.
CFOs and compliance professionals can reimagine the impact of SOX by focusing on these three considerations:
(1) Leverage SOX to address the current economic challenges
As companies seek to address various risks related to the continued economic uncertainty (by looking to reduce headcount, cut costs, or take other actions), management can leverage a company’s existing SOX program to prioritize the current risks and more efficiently allocate their finite resources. Within their existing SOX programs, companies should consider cost containment ideas such as:
Continuing to work with external auditors to place more reliance on procedures performed by the internal audit or SOX team. Many times, the starting point is ensuring external auditors are comfortable with the competency of internal audit and the objectivity of the testing performed, which can be underscored by frequent interactions between the internal and external teams and setting clear expectations. Once expectations are set, external audit teams can more quickly get comfortable with how risks are being mitigated by the company. In turn, higher levels of reliance would likely be placed on the internal audit or SOX team, resulting in a more efficient independent audit.
Performing a true enterprise risk assessment. Enterprise risk management is a process that is designed to identify material risks that may affect an organization holistically. An enterprise risk assessment will drive continuous improvement of a company’s risk management capabilities as new risks continue to materialize throughout the organization. Utilizing a customizable approach, companies can identify, analyze, and address material risks. Prioritized roadmaps based on short, medium, and long-term solutions can be strategically developed for each risk and problem area identified. Ultimately, the assessment process will help companies to identify, quantify, and prioritize key risks, which drive integration with the evaluation of strategic options.
Ensuring an efficient control structure focused on relevant and key risks. This is an important step, and it builds on the risk assessment. Generally, a company will adequately designate its controls as key or non-key controls. In order to continue maximizing value, a team should focus on the risks that their organization faces and the key controls mapped to mitigate those risks. Refreshing the SOX program with a top-down risk assessment helps ensure not only that significant risk factors are identified, but also that key controls are designed to address them, while placing a reduced emphasis on controls spanning less material risk factors. Companies may consider testing the key controls mapped to lower risk areas on a rotational basis.
Streamlining processes and optimizing controls so that common controls are created to minimize the key control population. Using a risk-based approach helps to ensure risks at the financial statement assertion level for reporting purposes are addressed. Additionally, involving your external audit teams in early conversations is another effective strategy to help improve and streamline the processes and controls.
Reassessing the SOX governance model and considering options such as co-sourcing, out-sourcing, or staff augmentation. These levers can help alleviate wage inflation and resource constraint pressures, as well as increase a company’s technical expertise, flexibility, and scalability.
By considering the factors above, management will be able to better assess the effectiveness of the company’s internal controls for their year-end reporting while juggling finite resources and the other challenges presented by the current economic environment.
(2) Embrace technological innovation
Technology-backed innovation continues to drive forward at a blistering pace, and companies should continuously assess whether emergent software or tools could drive more efficient and effective processes.
Technological innovation can take a variety of forms. For example, an organization may look to implement SOX reporting software or assess access-related risk with a segregation of duties (SOD) monitoring tool. Robotic process automation (RPA) could help to reduce the risk of human error in manual processes. Automated workflows can help ensure that the execution of controls is codified.
Whatever form that technological innovation takes, it is important for organizations to embrace it, but also understand the novel risk exposures that adoption presents. A nimble, yet proactive SOX program can help ensure that change is anticipated and enabled without sacrificing compliance. Ultimately, companies should challenge their employees to become a more digital workforce by leveraging new technologies like RPA to shoulder the tasks that are the most tedious and time-consuming.
Challenging employees to leverage new technology will help companies save time during the time-constrained year-end reporting cycles, reduce the risk of error, and increase the timeliness and availability of accurate data.
(3) Be mindful of the rising importance of ESG
ESG has become a hot topic as many companies seek to tackle everything from climate change to inclusive workplaces and develop related ways to drive long-term value. In step with this trend, more organizations are working to identify and report on the ESG issues likely to materially impact a company’s financial performance. The SEC has also proposed new requirements for all public companies in the United States to report on their environmental impacts. Many companies have been engaging in some degree of ESG reporting for years, while others have yet to do so. Regardless, very few companies, even those already engaged in ESG reporting, have treated these as material disclosures. As many investors base investment decisions on environmental impacts, it is increasingly important for companies to incorporate a similar level of rigor and scrutiny around reporting of environmental metrics as they do around financial disclosures.
Similarly, stakeholders are increasingly interested in an organization’s diversity, equity, and inclusion (DEI) efforts, and the SEC is paying attention here, as well. In 2020, the SEC announced that public companies must reveal more information regarding their human capital, for which additional regulatory guidance is expected to be issued. As DEI reporting becomes more standardized and preponderant, best-in-class SOX programs will expand coverage of related metrics and reporting.
Companies should draw on the lessons learned from their initial SOX program implementations and apply those insights to similar steps in building out their new ESG programs. Companies should also consider making DEI metrics a key part of their annual performance process and leverage their existing controls around the COSO framework components of control environment and information & communication, which will help build an effective DEI program through alignment, internal controls-guided accountability, and transparency.