
Whether you are considering compliance with section 404 of the Sarbanes-Oxley Act (SOX) for the first time, are already pursuing said compliance and have found the process more difficult to navigate than originally expected, or are simply seeking to streamline your overall compliance approach as a seasoned SOX veteran — successfully achieving, and maintaining, compliance with SOX 404 is a complex and challenging journey. 

Like most journeys (say, a large-scale family vacation) or monumental projects (say, building a home) — the difference between success and frustration is often found in the simple and mundane tasks: early-stage planning, clear communication, proper documentation, constant evaluation and, when necessary, timely revisions. 

In our work helping companies pursue, achieve and strengthen their SOX 404 compliance programs, we have discovered five common pitfalls many organizations face along the way. 

Five common pitfalls

These pitfalls — and tips on how to avoid them — are outlined below. 

  • Pitfall 1: Lack of communication from leadership
  • Pitfall 2: Lack of an effective risk assessment/identification process
  • Pitfall 3: Lack of a well-defined, implemented and documented set of controls to appropriately address risks
  • Pitfall 4: Lack of education of control owners
  • Pitfall 5: Lack of adequate design and operating effectiveness testing and evaluation

Pitfall 1: Lack of communication from leadership

How to avoid: Establish tone at the top. You would not begin to build a house by handing out hammers and nails to construction apprentices and wishing them the best. You start at the top — establishing plans with a contractor who then communicates the task to various subcontractors who then fine-tune the instructions for their hired construction workers. In the same way, a successful SOX compliance journey must begin at the top. The CEO, CFO and other organizational leaders must provide initial guidance and engaging support with this initiative to gain organizational buy-in (from executive leadership to middle managers to control owners and beyond).

Pitfall 2: Lack of an effective risk assessment/identification process

How to avoid: This is the SOX compliance version of the “measure twice, cut once” idiom. Every ounce of effort you put in on the front end to assess and scrutinize your organizational systems, processes and risks, from top to bottom, will likely save you a pound of trouble down the road. 

  • Conduct a thorough, organization-wide risk assessment. 
  • Perform a comprehensive financial statement risk assessment to identify your risks of material misstatements to the financial statements and map key control objectives and activities to address those risks. 
  • Seek and obtain risk insights from a broad spectrum of stakeholders and ensure all perspectives are given proper consideration. 
  • Confirm significant financial reporting elements, relevant assertions and control objectives. 
  • Ensure an understanding of transaction flows from initiation, authorization, processing and recording/reporting, and confirm source risks of material misstatements within the transaction flows. 
  • Identify significant Information Technology (IT) applications and systems that facilitate the transaction flows (including back-end IT systems that many end users do not interact with) and the relevant controls within those IT applications and systems. 

Quite simply, if you don’t know which risks you face, you can’t establish the proper controls to address and mitigate those risks. 

*For more detailed information about these steps — and a sample timeline — explore our SOX readiness roadmap on pages 4-5 of the brochure linked below. 

Pitfall 3: Lack of a well-defined, implemented and documented set of controls to appropriately address risks

How to avoid: A good rule of thumb, when it comes to establishing your organization’s set of internal controls over financial reporting (ICFR), is to pursue quality over quantity (not that you must choose one over the other). Just because you have ample control sets across your organization does not mean those controls are well-designed and well-targeted to mitigate your risks of material misstatements to the financial statements. As you establish an appropriate internal controls framework for your SOX compliance initiatives, and as you begin to assign specific control owners, it is crucial to ensure the controls you are implementing are, in fact, addressing the risks you identified in the previous step. Do this by conducting in-depth, end-to-end process walkthroughs and control design workshops, so that the key activities the control owner is expected to execute for each key control are fully understood and defined. 

And lastly, be sure to document your current processes and controls in ample detail to ensure consistency in operation and to minimize atrophy over time. This can be accomplished by utilizing risk and control matrices, process narratives and process flowcharts. When you are complying with SOX requirements, documentation is critical. 

Pitfall 4: Lack of education of control owners

How to avoid: Tying into pitfall #1 above, it is imperative that clear communication and education extend throughout your entire organization — especially to your control owners. Establish training programs for control owners to educate them on the importance of internal controls, the specifics of their roles and responsibilities, and the organization-wide expectation that they support the internal control environment through the proper execution of internal controls. Explain the criticality of thorough documentation and document retention, and include education around change management and version control of key reports. 

Providing continuous education around key trends to incorporate into the internal controls framework and further supporting an ongoing understanding of what could go wrong in each process will help identify risks to the financial statements and promote a robust internal controls environment throughout the organization.  

Pitfall 5: Lack of adequate design and operating effectiveness testing and evaluation

How to avoid: Assuming your risk assessment, control framework and documentation processes are firmly in place, the worst thing you could do is … nothing. Especially early on, it is best to view your control environment — and its subsequent documentation — as evolving. This is not a “once complete, always complete” effort. Instead, you should constantly utilize your documentation to test, review and evaluate the effectiveness of your control framework to support continuous monitoring and evaluation of your control environment. 

Through constant and ongoing evaluation, you can identify potential new risks or control gaps, design and implement more effective controls, verify the efficacy of your current control framework and more. You can better design, review, approve and implement final solutions for control deficiencies. You can validate that the controls within the established framework are designed and operating as intended. You can identify opportunities for efficiency in your control environment. You can communicate documented progress and key results to control owners, managers, executive leadership, external auditors and beyond.  

Where do you go from here? 

There are many other considerations that will likely impact your pursuit of SOX 404 compliance — segregation of duties, IT governance, risks and controls, cybersecurity implications and more. Even within the five pitfalls above, countless other considerations remain to explore. It is a daunting task, but you do not need to go it alone. 

Need help navigating the complexities and technicalities of SOX 404 compliance? Want to discuss how these basic considerations relate to common deficiencies identified within the Public Company Accounting Oversight Board (PCAOB) guidelines? Let’s go there. Together. 

Anthony Casey
Joe Shusko
Rajeev Ramchandani
Mathew Mikulay