In a certain sense, Sarbanes-Oxley compliance is an annual rite of passage, akin to the arrival of spring or the fall television season. The exact experience changes from year to year, but it always happens.
Indeed, for SOX compliance professionals under the age of 35 or so, it might seem like documenting and testing of internal controls is all there is to SOX compliance. Nothing could be further from the truth.
So as SOX turns 15 this fall, let’s widen the lens to capture what SOX is really about: its history, its goals, and the most important points to remember for an effective SOX compliance experience.
1. SOX was about more than Section 404 and ICFR.
Congress enacted the Sarbanes-Oxley Act in 2002, amid deep suspicion that corporations, and the financial statements they published, could not be trusted. The goal of SOX was to place accountability for corporate behavior with the highest levels of the business: the board, the CEO, and the CFO.
Hence the law has other objectives well beyond Section 404. Among them: whistleblower systems for anonymous reporting of possible fraud (Section 301); CEO and CFO certifications that all financial disclosures are accurate (Section 302); prompt disclosure of material changes in a company’s financial situation (Section 409); and penalties for retaliation against whistleblowers (Section 806).
All those sections, and others, work to the overall goal of more reliable corporate financial statements, through the mechanism of greater accountability on senior corporate executives and board directors.
2. Original estimates for SOX compliance costs were wildly off.
In 2003, officials from the Securities and Exchange Commission estimated that the annual cost of SOX compliance would average about $92,000 per company. They were wrong: SOX compliance costs have been far higher. According to Protiviti’s 2017 Sarbanes-Oxley compliance survey, annual compliance costs now average $700,000 for non-accelerated filers, $1.14 million for large accelerated filers.
The repercussions of that first misjudgment about cost continue to this day. Anti-SOX critics have used it to push for amendments to the law, such as a section of the Dodd-Frank Act of 2010 that exempted non-accelerated filers from Section 404(b), the annual audit of internal control over financial reporting. Some lawmakers want to expand that Section 404(b) exemption to still more companies.
Current SEC leadership, meanwhile, wants to reduce compliance requirements; altering how the Public Company Accounting Oversight Board applies auditing standards around ICFR is one possibility. The SEC held a hearing on Section 404(b) burdens as recently as Sept. 13.
All the anti-SOX discourse heard today (and the SOX compliance community will hear much more in months to come) springs from the premise that initial estimates of compliance costs were low, and that the benefits aren’t worth the costs incurred.
3. SOX has worked.
If the principal goal of SOX was to make financial statements more reliable, that has happened. According to analysis from Audit Analytics, the total number of restatements for U.S. filers went from 1,853 in 2006 to 671 in 2016. As a percentage of the total filer population, restatements fell from 11.9 percent to 6.8 percent.
Key characteristics of financial restatements have improved, as well. The average number of days restated, the average time to complete a restatement, the average size of a restatement in dollar terms, and the average number of issues cited in a restatement have all fallen precipitously from the mid-2000s, when companies first began compliance with Sections 302 and 404, to today.
Other recent research suggests that strong internal controls also reduce the risk of accounting fraud. A study from the University of Texas at Austin found that companies disclosing fraud were 80 to 90 percent more likely to have previously disclosed material weaknesses; 30 percent of the companies studied also had prior auditor warnings of material weakness in internal control.
4. Internal control weaknesses come in three sizes: deficiency, significant deficiency, and material weakness.
The standard definitions for each type of internal control weakness are clear:
- A deficiency exists when the design or operation of an internal control doesn’t allow employees to prevent or detect misstatements on a timely basis.
- A significant deficiency is a deficiency serious enough to warrant attention from senior executives who oversee financial reporting.
- A material weakness is one or more deficiencies so severe that there is a reasonable chance of a material misstatement of financial data that won’t be caught promptly.
Understanding the nuances of those three definitions is crucial. For example, a company only needs to disclose material weaknesses to investors, not significant deficiencies. But if a significant deficiency contributes to that material weakness, then the company “must disclose the material weakness and, to the extent material to an understanding of the disclosure, the nature of the significant deficiencies.” (Per the SEC’s guidance on management’s report on internal control.)
What’s more, while significant deficiencies don’t need to be disclosed to investors, an auditor aware of those deficiencies must communicate them to the audit committee.
5. Communications among audit firm, audit committee, and management are critical.
The requirement that auditors bring significant deficiencies to the attention of the audit committee underlines a crucial point: clear communication among all three is paramount.
For example, SOX compliance officers must talk with external auditors regularly to determine which controls should be in scope for an ICFR audit, and to what extent the audit firm will rely on work performed by the internal SOX compliance team. Those decisions have direct consequences for how much time and money the company will spend on SOX compliance.
Meanwhile, management and audit firms will both talk to the audit committee about the company’s financial reporting. Differences of opinion can arise, but they should be truly that: questions about judgment, rather than misunderstandings about issues.
If management and auditor disagree about whether a specific deficiency is significant, the audit committee could ultimately referee that dispute. On the other hand, if they disagree about what the definition of a significant deficiency should be for a certain control, that requires more discussion between the SOX compliance team and the external auditor.
6. Cloud computing has changed SOX compliance enormously.
The rise of outsourced service providers (OSPs) is one of the most significant changes to the business environment since SOX was enacted in 2002. OSPs, delivering data processing and other business functions via “the cloud,” affect SOX compliance in two major ways.
First, cloud computing increases a company’s concerns about access control and oversight of third parties. More outsiders might work with your organization’s financial data, or financial applications. That requires more attention to your own controls, and more careful risk assessment and testing of the OSP’s access controls.
Hence we saw the arrival of more sophisticated SOC 2 audits in 2011: audits of an OSP’s security controls. SOX compliance officers must ensure those audits are scoped correctly, to provide useful information to you.
7. The more you automate, the better off you are.
Manual processes — from testing controls, to operating controls, to certifying control effectiveness, to collecting documentation, and much more — are the bane of SOX compliance. They allow more chance for error and loss of version control. Hence the strategy of automating controls and processes has become crucial.
For example, companies might have a control that works in two phases, where Employee A must certify his component’s effectiveness before Employee B certifies hers. Done manually, this creates the risk that Employee B might certify her component before Employee A (emailing an attestation, say, while Employee A is on vacation), and a SOX compliance director doesn’t catch the discrepancy.
An automated approach might build logic into a certification and documentation system: a database of Web-enabled forms, so Employee B can’t certify her component of the control until Employee A completes his certification first.
Improvements like that, scaled up to the vast range of control activities most companies perform, are what automation seeks to deliver. That concept, “How can we simplify our internal control processes to reduce the opportunity for error?”, should be a guiding principle for all of a company’s efforts to rationalize and reduce the number of key controls.
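An added example (not from the article) of the two-phase enforcement described above, in Python: the certification class refuses to record Employee B's attestation until Employee A's component is certified, and the reviewer function finds the same out-of-order attestation in a manual log. The control id, component names, employee ids and log entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class OutOfOrderCertification(Exception):
    """Raised when a component is certified before its predecessor."""


@dataclass
class ControlCertification:
    """Automated two-phase certification: components must be certified in order."""
    control_id: str
    components: list              # ordered, e.g. Employee A's component first
    attestations: dict = field(default_factory=dict)

    def certify(self, component, certifier, when=None):
        """Record an attestation only if every earlier component is certified."""
        if component not in self.components:
            raise ValueError(f"unknown component {component!r}")
        idx = self.components.index(component)
        missing = [c for c in self.components[:idx] if c not in self.attestations]
        if missing:  # the case the article describes: B attests before A
            raise OutOfOrderCertification(
                f"{component} cannot be certified before {', '.join(missing)}")
        record = {"certifier": certifier, "at": when or datetime.now(timezone.utc)}
        self.attestations[component] = record
        return record

    def is_complete(self):
        return all(c in self.attestations for c in self.components)


def find_sequence_violations(components, log):
    """Review a manual attestation log of (component, certifier, timestamp)
    tuples and return those certified before a predecessor was certified."""
    seen, violations = set(), []
    for component, certifier, ts in sorted(log, key=lambda r: r[2]):
        idx = components.index(component)
        if any(p not in seen for p in components[:idx]):
            violations.append((component, certifier, ts))
        seen.add(component)
    return violations


# Constructed sample data (hypothetical control, components and employees).
COMPONENTS = ["revenue-cutoff-review", "controller-signoff"]
MANUAL_LOG = [  # B emailed an attestation on Sept 1 while A was on vacation
    ("controller-signoff", "employee_b", datetime(2017, 9, 1, tzinfo=timezone.utc)),
    ("revenue-cutoff-review", "employee_a", datetime(2017, 9, 11, tzinfo=timezone.utc)),
]
```

Running `find_sequence_violations(COMPONENTS, MANUAL_LOG)` flags the Sept 1 sign-off, which is exactly the discrepancy a manual review can miss and the automated `certify` path cannot produce.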
8. SOX compliance brings more benefit than a clean audit report.
In the same way that SOX was about more than effective internal control over financial reporting, SOX compliance can deliver more benefit than a clean audit report and reliable financial results.
As noted above, SOX compliance correlates with reduced risk of fraud and financial errors. But consider: how many workplace harassment issues came to management’s attention thanks to whistleblower hotlines created by SOX? How many cybersecurity breaches never happened, thanks to more attention to IT general controls? (Not enough, but the point is clear.) Academic studies have found that SOX compliance, specifically Section 404(b)’s outside audit of ICFR, contributes to higher market valuations and stronger credit ratings, which in turn cut the cost of a company’s capital when seeking debt in the markets.
The point is that SOX compliance does serve a purpose. While the mechanics of compliance may be imperfect, the purpose itself is worthwhile, and the Sarbanes-Oxley Act achieves what lawmakers want it to do.
Reliance on financial statements, interdependence of risk, services delivered over the cloud — none of that is receding. So compliance officers should prepare for an even more interesting ride as we enter the next 15 years of SOX.