Published on September 27th, 2019 | by Sunit Nandi
0How Does SOX Compliance Help Companies
Following the enactment of the Sarbanes-Oxley Act (SOX) in 2002, companies had to rethink their approach to reporting to avoid recurring penalties. SOX compliance benefits businesses in many ways. It creates a fresh approach to financial reporting. This has gone a long way in building greater market trust. SOX is particularly beneficial to companies that intend to go public. According to Harvard Business School, this compliance standard allows better IPO pricing, which is something that every publicly-listed company desires.
Despite having high initial internal control mandate costs, evidence indicates that SOX compliance is beneficial. Previous concerns that the act would reduce the number of IPOs have been proved to be unfounded. In fact, since the enactment of the law, the pricing of IPOs has become less uncertain. Initially, the cost of being publicly-traded caused some companies to go private. Nonetheless, studies indicate that these were mainly smaller, more-fraud-prone, and less liquid businesses.
The ability of SOX to better IPO prices has significantly improved market certainty besides cleaning the market for public-listed companies that were financially stable despite being held privately. As a result, overall market strength and individual corporate financial stability have improved. SOX compliance benefits organizations in the following six ways.
1. Risk Triage
Not all business risks are equal. Even so, SOX compliance can be beneficial in the sense that it gives companies a starting point when undertaking asset analysis. According to The Information Systems Audit and Control Association (ISACA), risk evaluation enables companies to manage their controls effectively. The most suitable way of defining the appropriate extent and scope for testing each SOX standard is performing a risk assessment.
Risk assessment isn’t a new thing. Today, everyone talks about undertaking them, having a risk-based approach, and so on. However, very few people understand that risk assessment can only be successful if it is based on the identification of risk parameters.
For instance, PCI DSS compliance mainly focuses on what you should/shouldn’t store to ensure that clients’ credit card information doesn’t get compromised. This is done to guarantee data privacy. You cannot apply the same approach for Sarbanes-Oxley because it mainly focuses on misstatements to financial reporting and data integrity. Therefore, the criteria for risk assessment changes from data privacy to integrity.
2. Controls Structure Strengthening
SOX sections 404 and 302 require companies to document controls, including personnel policies, recorded control processes, and operations manuals. With all this paperwork, some organization might find the whole process overwhelming. SOX compliance ensures better control awareness for companies. It creates awareness on the significance of these controls.
When the management and auditors focus on internal controls via SOX assessment, control owners will be aware of the significance of their activities to the success of the organization. The additional security provided by SOX assessments outlines activities that enhance financial reporting and how it should be executed.
3. Better Auditing
Although better audits might feel vague, the term in itself encompasses different aspects of an audit process. Here’s what the Protiviti Sarbanes-Oxley Compliance Survey of 2016 established.
- For most public companies (85%), either the executive management or audit committee sponsors the SOX compliance task. The audit committee’s role is to oversee the organization’s risk management process; which SOX compliance falls under. Therefore, it’s sensible that executive SOX compliance falls under either of these bodies, especially in public-listed companies.
- In 35% of companies, internal audits are needed for the execution of activities related to SOX compliance. In most organizations, this responsibility falls under either the management or internal auditors, or process owners.
- As far as testing is concerned, up to 70% of public companies mainly rely on their process owners of internal audit groups.
- It shouldn’t come as a surprise when internal auditors perform and support testing efforts. They have the skillset needed for the job besides being sufficiently independent to guarantee external audit reliance.
Generally, effective operations lead to better audit outcomes. External auditors are more likely to have an efficient process. This, in turn, reduces overall audit costs besides reducing the time that employees take to respond to the results of external audit reports. SOX compliance is beneficial to the audit process since it ensured better audit evidence collection. An automated platform provides dashboards that simplify audit project management.
4. Efficient Financial Reporting
SOX compliance’s primary goal is to ensure transparency in financial reporting. To achieve this, the regulation defines the process that should be followed to determine what information is reliable. Similarly, SOX seeks to identify pertinent financial statement accounts. For each report or disclosure, the management should identify relevant reporting assertions such as existence, rights and obligations, presentation and disclosure, and valuation or allocation.
The management also needs to identify underlying transactions, processes, and events that support respective disclosures and accounts. The results can help you map your organization’s internal control environment besides providing evidence to external auditors that relevant control activities are in place. In case there are any significant gaps, remediating them will be easy.
Despite the perceived drudgery that comes with documentation, completing the process ensures efficient financial reporting in the long run. Having a well-mapped internal control environment provides in-depth insights when it comes to tracking material changes. As a result, reporting will be more comfortable as your organization scales and matures. Accurate financial reporting means you will spend less time correcting mistakes.
5. Peaks Operational Performance
By engaging with SOX compliance during the tentative stages of your company’s growth, you instill a culture of internal control. In this sense, a presentation by Steve Guarini to the Institute of Internal Auditors North America pointed out that SOX compliance should:
- Take a top-down approach to drive efficiency
- Focus on the core areas of significant accounts, high risk, processes, and locations
- Utilize a practical approach when it comes to ‘right-sizing’ documentation
- Focus on critical controls vis a vis. all controls
- Incorporate IT as well as all business processes to optimize the benefits of manual and automated controls
- Improve the control structure to maximize auditing and operational efficiency while minimizing compliance costs.
By requiring companies to initiate essential controls from any early stage, SOX makes it easier for them to assess both their starting points and their risks. Therefore, the controls can’t be haphazard. Organizations must first implement a streamlined approach to risk. The strategy should integrate multiple business areas.
6. Ensures Team Collaboration
According to Ernst & Young, SOX compliance necessitates the need for more in-depth and constant collaborations among internal stakeholders. As the threat landscape and the IT risk profile rapidly changes, risks also increase. Therefore, companies should change their approach and mindset towards IT risks. The management should get involved since the implementation of an IT risk management strategy requires everyone’s input. The directors, chief risk officers, and audit committees should collaborate with the IT department and information security experts so that cyber risks are well-managed.
Internal auditors and anyone who oversees SOX assessments should cooperate across business lines. Similarly, they should work with anyone who contributes to financial controls, including control owners, HR, and IT staff. SOX provides the framework for fostering stronger partnerships among teams. You should place communication at the heart of this collaboration since it enhances the exchange of ideas on how to make the entire undertaking effective and sustainable.