SOX compliance FAQ: The basics of navigating regulatory demands

Congress passed the SOX Act of 2002 to help protect investors from fraudulent financial reporting by corporations in response to several high-profile financial scandals in the early 2000s. ​

There are several requirements under SOX, however, the major provisions of SOX are Section 302, Section 404, Section 802 and Section 906.

Section 302 of SOX states that the chief executive officer (CEO) and chief financial officer (CFO) are directly responsible for the accuracy, documentation and submission of all financial reports as well as the internal control structure. The CEO and CFO are required to personally attest to the accuracy and completeness of their financial statements and sufficiency of internal controls quarterly.

SOX 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR), and 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls.

Section 802 imposes fines or penalties of imprisonment for the destruction or falsification of records. This section also outlines record retention rules and what business records must be maintained or stored.

Section 906 requires a written statement from the CEO and CFO on all periodic financial reports declaring that the financial report fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also establishes criminal penalties associated with knowingly filing periodic reports which do not comport to the requirements of the section.

Any company that is publicly traded on a U.S. stock exchange is required to be compliant with SOX or be subject to criminal penalties. However, there are benefits to having a robust system of internal controls. The benefits include improvement in operational efficiency, reduction of errors, more reliability of financial reporting, and lowering the risk of fraud.

The CEO and CFO will be required to comply with sections 302 and 906 upon going public. Generally, companies can take a 1-year exemption for SOX 404 requirements when filing their first Form 10-K but must comply thereafter. Companies should consult with legal counsel on SOX compliance requirements as they can vary depending on different factors, including filing status (e.g., large accelerated filer, accelerated filer, nonaccelerated filer), and other possible designations, such as smaller reporting company (SRC) and emerging growth company (EGC).

The company must evaluate whether their public float or annual revenue exceeds certain thresholds. The information listed below represents general requirements. Companies are encouraged to consult with legal counsel for any compliance requirements.

• If a company has public float less than $75 million and annual revenue less than $100 million then the company will be required to comply only with 404(a).
• If a company has public float that exceeds $75 million or annual revenue greater than $100 million then the company will be required to comply with 404(b).

Internal controls over financial reporting refers to the control activities and processes designed to provide reasonable assurance over the accuracy and reliability of the company’s financial statements.

Internal controls over financial reporting should be designed to provide reasonable assurance that a material misstatement to the financial statements would be prevented or detected in a timely manner.

There are several key stakeholders with responsibilities including management, control owners, internal audit and the audit committee. Each stakeholder has certain responsibilities that contribute to maintaining SOX compliance.

There are several risks of not having sufficient internal controls over financial reporting. This may include inaccurate or misleading financial statements, misappropriation of assets and noncompliance with SOX. As a result, the company may be required to disclose a material weakness in their U.S. Securities and Exchange Commission (SEC) filings and could potentially be subject to fines or penalties including imprisonment of key executives.

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. A material weakness must be disclosed in the company’s annual financial statements (Form 10-K).

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness but still merits the attention of those charged with governance, most often the audit committee. A significant deficiency should be reported to the audit committee but does not require disclosure in Form 10-K.

A company should perform a SOX readiness assessment at least 12-18 months prior to IPO. The readiness assessment should develop an implementation plan to address key activities including:

• Develop a 302-certification process
• Perform a SOX-based risk assessment to identify significant business processes and information technology systems upon which those business processes rely.
• Perform an assessment of control design for the current state of business processes and IT systems.
• Identify control gaps and determine remediation plans from the results of the control design assessment.

During the SOX implementation phase, companies should assess the existing internal controls framework and execute the following key activities:

• Understand the internal controls of the entity. This involves meeting with process owners to understand key risks and the design of processes and controls within the company as well as IT processes.
• Assess entity-level controls.
• Develop the risk control matrix (RCM) to aid in identifying key controls as well as document processes via narratives or flow charts.
• Implement procedures to test both the design and implementation as well as the operating effectiveness of the internal controls.
• Address any deficiencies or control gaps identified during this process and identify solutions to remediate the deficiencies.

To support continuous compliance with SOX, the company should establish a program to execute on the following:

• Execute internal controls design and operating effectiveness testing.
• Evaluate the testing results and communicate deficiencies and remediation procedures to key stakeholders.
• Perform testing procedures throughout the year including the 4th quarter.
• Communicate the final results to key stakeholders.
• Evaluate management’s quarterly SOX 302 certifications.

There are many challenges when implementing SOX compliance here are a few highlights:

• Board and audit committee understanding of risk and control
• Implementing effective controls over the information technology environment including user access segregation of duties and cybersecurity controls
• Ensuring that controls providing assurance over the reliability of financial data being processed and reported are in place and effective
• Implementing formal controls and processes around the financial reporting and IT risk management programs
• Evaluation and testing of testing of controls over outsourced processes

SOX compliance may be seen as a burden; however, SOX is also an opportunity to improve financial and information technology operations throughout the organization. The company will establish a structured process for evaluating risks related to financial statements that enables companies to prioritize high-risk areas more effectively. The SOX program will play a pivotal role in eliminating conflicts of interest and reinforcing the segregation of duties within an organization. The ongoing process will also enhance documentation and improve processes throughout the organization.