ARTICLE | June 14, 2023
Authored by RSM US LLP
Not all companies need to go public, but for some it opens a new level of funding and stature. It’s a huge step that requires a great deal of planning and work. Operating as a public company in the U.S. demands a very stringent level of compliance that can require building out additional processes, controls and technology that weren’t necessary as a private company but are essential to planning and executing an initial public offering (IPO).
You need to develop a Sarbanes-Oxley (SOX) compliance strategy—a framework that will help you reduce time, save money and minimize risk, including personal liability of the CEO and CFO, who must certify compliance. Even if you are already a public company, you will need to periodically reassess and possibly update your SOX compliance processes and strategies.
What is involved?
Developing a SOX compliance program is a complex, time-consuming process that requires coordination, specific skills and scrupulous documentation. But as with any huge business task, the key is to tackle it in an incremental fashion. The typical approach contains six distinct stages, each of which results in a set of deliverables to drive the next step in the process. Success requires deep preparation, though, and some of your earliest goals will be to conduct a top-down risk assessment and to calculate materiality—at what dollar level might an error in an account balance materially impact the economic decisions made by the company?
How long will it take?
You should expect to spend 18 months or more readying your organization for SOX compliance. If you are preparing for an IPO, leading practice is to start this process no later than six months prior to your offering, as you have one year from the date of your IPO to document and assess internal controls and provide an independent auditor’s attestation report.
1. Plan and scope (months 1–3)
- Calculate materiality: At what dollar level might an error or omission in an account balance materially affect the economic decisions made by users of the company’s financial statements, such as company management or investors? Materiality will vary from company to company. While $1 million may be material to one company, $10 million may be material to another.
- Perform a top-down risk assessment and define program scope, considering both qualitative and quantitative factors.
- Map the financial statements to the core business processes to determine the accounts to be in scope and identify the relevant financial statement assertions for each material account.
- Review scoping with project sponsor before defining project approach, milestones and timeline.
- Deliverables: risk assessment, scoping document and project plan
2. Document critical processes (months 2–4)
- Conduct process walkthrough meetings to identify and document entity-level controls, IT general controls and key internal controls over financial reporting for all significant accounts and processes.
- Prepare risk and control matrices (RCM), process flowcharts and/or process narratives for each significant process.
- Deliverables: RCM, process narratives and process flowcharts
3. Evaluate design effectiveness (months 3–8)
- Evaluate internal controls using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. This widely accepted framework is designed to provide reasonable assurance that the organization is operating in accordance with established standards.
- Perform a gap analysis on the current internal control structure. Identify any missing control points.
- Perform a design assessment on existing internal controls. Identify any controls not designed to effectively prevent or detect material misstatement.
- Design and implement process improvements while documenting all changes.
- Identify opportunities for process automation and enhancements based on leading practices.
- Deliverables: gap analysis and proposed remediation plans
4. Evaluate operating effectiveness (months 6–12)
- Generate document request list and select samples to assess whether controls are operating as designed over time. (SOX requires compliance documentation, which must be provided to auditors upon request, and requires that controls operate at their defined frequencies consistently.)
- Evaluate the operating effectiveness of internal control over financial reporting and document the results.
- Review testing results with process owners and project sponsor.
- Deliverables: operating effectiveness testing results
5. Remediate control weaknesses (months 10–16)
- Based on the testing results in step 4, validate any identified control deficiencies, identify deficiency root cause and assist management with developing remediation plans.
- Re-perform tests of remediated controls as needed to ensure efficacy.
- Deliverables: control deficiency list, remediation plans and re-testing results
6. Assess and report (months 15–18)
- Assist management with the final assessment and reporting of any deficiencies. A thoughtful evaluation is needed to determine the significance of each control deficiency identified. Significant deficiencies are required to be reported to those charged with oversight (generally the audit committee of the board of directors), and material weaknesses are required to be disclosed in the company’s public SEC filings.
- Sign off on internal control structure design and operating effectiveness.
- Present results to the audit committee.
- Deliverables: deficiency assessment template and audit committee presentation
This article was written by RSM US LLP and originally appeared on 2023-06-14.
© 2022 RSM US LLP. All rights reserved.
For more information, contact
James A. Krupinski CPA
Jim has 25 years of experience providing audit and consulting services to clients from a diverse range of industries. In addition to his many audit management responsibilities, he currently serves as the leader of the Firm's risk management services group. He has assisted his clients with performing risk assessments, evaluating and improving internal controls, developing fraud prevention programs and complying with the Sarbanes-Oxley requirements for the assessment of internal control over financial reporting.
For more information, contact
Mark B. Stamer CPA
As a member of the Assurance Services Department, Mark primarily focuses on consulting services provided to a variety of the firm’s closely held businesses. Mark helps streamline processes and provides management with financial information by researching, analyzing and preparing financial statements. As a member of the Firm’s Forensic Accounting Group, he routinely assists with forensic accounting matters, litigation support services and fraud prevention techniques.