The Sarbanes-Oxley Act (SOX) recently reached its 20th anniversary, since being enacted in 2002. Although the act itself has remained relatively the same, many established organizations, particularly smaller ones and those evolving out of a special purpose acquisition company (SPAC), are still reporting material weaknesses (MWs). Some of the recent and most common themes that have led to MWs for companies  include:

1. System access control issues
2. Inadequate segregation of duties
3. Lack of adequate policy and procedures
4. Inadequate process documentation
5. Insufficient accounting expertise in terms of skills and headcount 
6. Poor change management processes related to technology
7. Increased reliance on third parties
8. Process and control changes related to the shift to a remote workforce
9. Inability to remediate previous significant deficiencies (SDs or MWs)

If the act has remained the same, why are some organizations still struggling with achieving SOX compliance?

Read on for a few possible explanations, plus ways to strengthen your compliance program moving forward.

Common obstacles to SOX compliance

• Increasing stakeholder expectations and requirements – As an example, the PCAOB’s (Public Company Accounting Oversight Board’s) inspection of public accounting firm audits related to SOX has had somewhat of a domino effect on SOX filers. Increased PCAOB scrutiny forced public accounting firms to bolster their quality control and risk management processes, increasing the level of scrutiny into the audits they provide, which in turn increases the amount of management documentation required to support the effectiveness of the company’s internal controls over financial reporting. The PCAOB recently reported that it expects 40% of its 2022 audits inspected to have deficiencies – an increase for the second year in a row. This could be taken as an indicator that greater scrutiny may be on the way.   
• System implementation – The past couple of years have seen an increase in the amount of system implementation activity. These implementations are often performed without taking SOX controls into account until after they have been completed, which often does not leave the company enough time to implement the needed IT and business process controls prior to their fiscal year-end.
• Acquisitions – SOX implications may not be adequately identified or considered during the due diligence exercise performed by an acquiring company. This can result in not identifying existing gaps or new in-scope areas of focus soon enough to remediate or capture in the acquiring company’s SOX compliance initiatives. 
• Third-party service providers – Controls performed by significant third-party service providers may not be adequately identified,  designed correctly, operating effectively, or monitored. 
• Audit committee oversight – Often, audit committee discussions related to the organization’s ongoing SOX compliance program are less than robust. Audit committees should be provided with information pertaining to the status of controls testing, results, potential gaps, and ongoing remediation efforts. Many companies, particularly newer filers, report the same deficiencies in multiple years and are unaware that repeated control deficiencies may be  aggregated, resulting in an SD or even a Material Weakness.
• Skill sets and competencies – Some companies simply lack the skill sets needed related to overall SOX compliance, risk management, information technology, and remediation. This may be compounded by difficulty finding qualified professionals who possess strong competencies in the areas of accounting, tax, revenue recognition, and information technology.
• Starting too late – Starting too late in the year can have a significant impact on the success of an organization’s SOX program, leaving insufficient time to identify, communicate, and remediate poorly designed controls and gaps. This can be especially concerning for controls executed quarterly or annually.

Strategies for strengthening your company's SOX compliance program

With the 2022 10K filing season complete for most companies, now is a good time to focus on remediating any existing SDs and MWs and assessing the adequacy of current go-forward SOX compliance programs. If your organizations identified multiple SDs or a material weakness, here are few recommendations that may help you avoid reporting an MW this year.

• Start early – If you haven’t already started developing remediation plans for existing gaps, SDs, and MWs, get started now. Test remediated controls thoroughly, and communicate with your external auditors on the results.
• Actively communicate – Meet with your external audit firm early to discuss your overall plan, planned or ongoing remediation efforts, and any issues you’re facing. Active communication will help them gain comfort with your plan and will provide your company with early insights as to their expectations and requirements. Additionally, consider enhancing your quarterly SOX status communications with your audit committee in areas such as remediation timelines, changes in controls related to implementation efforts currently in process, and resource constraints.
• Assess core competencies – Identify any competency gaps that you may have related to unfilled positions or departures of technical personnel, and hire or reassign existing staff (if possible) to cover the positions until they are filled.
• Refresh your risk assessment – Refresh your SOX risk assessment on a quarterly basis to help identify any new areas of materiality that will need to be covered in your SOX effort.
• Review change management processes – Assess any recent or planned system implementations to confirm that process and controls activities have been taken into consideration. Special attention should be given to access rights and segregation of duties; migration of data; interfaces; and, most recently, any digitization activities taking place within your company.
• Obtain SSAE18 (SOC II) Reports – Review SOC reports received from third-party service providers and confirm that any SOX-relevant controls defined as the end user’s responsibility are captured in your SOX scope. Additionally, review the reports for any deficiencies that could impact the reliability of the third parties’ controls, and confirm that the report covers your company’s financial reporting period. You should also make note of any sub-service organizations utilized by the third party and request SOC reports from the sub-servicers if warranted.
• Evaluate acquisitions – Assess the impact of any recent or planned acquisitions on your go-forward SOX plan. Ultimately, any acquisition will need to be folded into your SOX compliance effort. At a minimum, they will need to be included in your risk assessment phase for materiality purposes.

Maintaining effective Sarbanes-Oxley compliance can be a costly endeavor for any company in terms of dollars and resources. But establishing a robust, proactive, and communicative SOX program can play a big part in keeping SOX compliance costs under control, by helping to reduce the risk of significant deficiencies and material weaknesses. 

Contact

George Gallinger, CIA, CFE, Principal, Risk Advisory

973.871.4060

Marianne Turnbull, CIA, Managing Director, Risk Advisory

973.364.7711