Most organizations contemplating an IPO or incurring public debt are troubled with the perceptions of achieving Sarbanes-Oxley Section 404 (SOX 404) compliance, particularly during the initial year of compliance. Even large privately held companies and public sector entities recognize the virtues of “SOX-like” compliance programs, but are concerned with the cost vs. perceived benefits associated with such an endeavor. While the cost associated with SOX compliance continues to be a burden for large and smaller organizations, few companies have been able to realize a true return on their SOX 404 investment of time, energy, and cost. These few companies have not only instituted internal controls over financial reporting, but have also optimized their wider business processes to reduce inefficiency and enhance performance. We assist management and the Audit Committees of middle-market and smaller public companies in complying with SOX 404 in a practical, cost effective, yet comprehensive manner.
Making the Transition to COSO’s Updated Integrated Framework
Prior to founding The Audit Exchange, John McLaughlin served as a frequent contributor to The Financial Management Network while leading the Risk Advisory practice of BDO. In this segment, John discusses the updated 2013 COSO Internal Control Framework and its application to Sarbanes-Oxley compliance including internal controls over financial reporting, as well as the effective use of internal controls over operations and regulatory compliance.
SOX 404 Readiness – Starting from scratch can be intimidating to some people, while others would look at starting from scratch as a genuine opportunity. We see the obligation to initiate a SOX 404 compliance program as a unique opportunity for a smaller organization to establish a foundation of solid governance and internal control practices. While we do not ascribe to the notion that one size fits all, we believe our deep experience with dozens of companies across a variety of business sectors, along with risk & control libraries, test plans and other roadmaps developed from previous experience will assist management in establishing a practical, yet solid SOX 404 foundation for growth.
Control Rationalization – As the road to success is always under construction, most successful companies in the public sector are constantly undergoing a variety of change initiatives to enhance shareholder value. Yet, the identification and number of key controls associated with SOX 404 remains relatively static. Why? Perhaps complacency or the adage “If it ain’t broke, don’t fix it” artificially applies. A periodic assessment of key controls in relation to the current state of financial reporting processes, almost always results in the identification of several new controls, yet yields a net reduction of the number and composition of key controls. We have assisted management in right-sizing their SOX 404 compliance effort, ensuring the appropriate balance of compliance and cost.
SOX Program Management – Brain drain is a legitimate concern whenever an organization engages consultants. SOX 404 compliance is no different. To ensure a good deal of institutional knowledge remains within the organization, we have successfully overseen SOX compliance programs which utilize internal staff to validate the controls design of certain process and perform testing of selected controls. As SOX program management, we help to ensure the work of the internal staff is performed “objectively and competently” as required by the Public Company Accounting Oversight Board (PCAOB) and your independent auditors. Serving as an interface between the independent auditor and management, particularly given the depth of our core competency, helps to ensure fewer “control deficiencies” and balance the company’s interests with the needs of the independent auditor.