Navigating SOX Compliance: What You Need to Know for Your Growing Business

A version of this article was previously published in the June 2018 edition of the  San Diego Business Journal.

While fast-growing companies might be lured by shortcuts, cutting corners can often have devastating effects in a heavily regulated market. Not fully addressing compliance requirements under the Sarbanes-Oxley Act of 2002, commonly known as SOX, is one shortcut that can lead to errors in financial statements and corporate disclosures—devaluing stock price and damaging investor confidence.

A balanced approach to SOX compliance—one that considers the organization’s risk tolerance, budget, and operational goals—can keep your company growing and compliant.

Adopt Internal Control Over Financial Reporting

Every fast-growing business is driven by access to capital, so it’s in the company’s best interest to make sure financial statements are accurate and reliable, making investor funds in the marketplace accessible when they’re needed. Guidance for internal control over financial reporting (ICFR) falls into two governing bodies:

  • The Securities and Exchange Commission (SEC) determines management’s responsibilities in assessing and certifying their ICFR, covered by SOX.
  • The Public Company Accounting and Oversight Board (PCAOB) establishes the role of external auditors.

The SOX Act spans over 11 sections, with sections 302 and 404 being the most well-known and causing the most compliance difficulty for businesses. Section 302 requires company officers certify quarterly that the financial statement fairly, materially, and accurately presents the company’s financial condition. Section 404 requires management maintain adequate internal controls and assess their effectiveness, which provides the basis for management’s certification in Section 302.

Understanding SEC Classification

Section 404 requirements expand into the following two subsections, which a company may fall under depending on its filing classification:

  • Section 404(a) requires a company’s management to include a report on the effectiveness of ICFR in its annual report
  • Section 404(b) requires the company’s registered public accounting firm to attest to and report on the effectiveness of the ICFR

Classification is largely determined by the public float, or portion of market cap that’s controlled by public investors, as shown in the following table:

Emerging growth companies with revenue of less than $1 billion and public float less than $700 million can stay under Section 404(a) for up to five years—if they stay under those thresholds.

Management’s Responsibilities

Management and the executive officer’s roles are increasingly focused on a company’s internal controls. These roles include the following responsibilities:

  • Overseeing the annual internal controls assessment, performed by a competent and objective party that isn’t the external auditor
  • Establishing and documenting ICFR controls, such as IT-related controls and financial reporting system
  • Confirming all controls are present and tested
  • Evaluating internal controls to prove they’re functioning as specified
  • Obtaining external audit report on the effectiveness of ICFR for companies under the SOX 404(b) environment

Shifting management’s responsibilities to cover these aspects helps companies meet and balance long-term SOX compliance goals. 

Assess Risk and Establish Risk Tolerance

Performing an annual risk assessment of your company’s internal financial controls is the foundation for SOX compliance. It establishes the annual plan for SOX by cutting out accounts that couldn’t result in material misstatement, and it drives the nature, timing, and extent of effort required for your company’s level of compliance.

Low Compliance

Low compliance internal financial controls might include the following factors:

  • A management assessment memo describing management’s top-down risk assessment approach, risk assessment results, and account scoping
  • Established and documented controls
  • Completed controls questionnaire on design and operating effectiveness
  • Incomplete or unperformed transaction testing
  • The 302 certification

This low level of compliance is typical of companies that don’t plan to trigger the public float or revenue thresholds; have small, simple, and centralized accounting processes; and don’t need an attestation as required by 404(b).

High Compliance

Larger companies that are required to have ICFR audited by an external auditor have to put more effort into SOX compliance. These efforts could include:

  • Risk assessment based on prior-period financial statements
  • Full-scope testing, including narratives, flowcharts, risk and control matrices, and operating effectiveness
  • Detailed documentation of management review controls and information
  • Established remediation
  • The 302 certification

By assessing risk, companies can identify their risk tolerance and the impact to financial reporting, letting them focus on the activities most important for fairly stated financial reports.

Depressurize the Budget

Establishing and adhering to a budget that aligns with the SOX project calendar is important. Because a smaller company has far more time to implement the robust structure of a SOX internal controls program, it can apply SOX implementation activities, relevant expense, and time incurred much more smoothly.

A larger company, on the other hand, will have to hustle to fast-track compliance activities. Regardless, it’s vital the budget approach and end-goal are balanced and realistic. It’s important to keep in mind that a company’s expected pace of growth affects its filing status—and therefore its compliance requirements.

Use Operational Goals as a Guide

Operational goals may change drastically when a company is growing quickly. Whether management is responding to excited investors or potential mergers, change provides the opportunity for a company to align its strategy, mission, and vision with trending events and market drivers. Changes to operational goals and strategies can impact a company’s SOX environment and should be considered when performing a SOX risk assessment.

It’s an exciting time to be a fast-growing company. As a company grows, it’s key to pursue opportunities strategically and address regulation requirements thoroughly. A balanced approach to SOX compliance that focuses on risk tolerance, budget, and operational goals can help you keep pace with your growth.

We’re Here to Help

To learn more about how a balanced approach to SOX compliance could benefit your growing business, contact your Moss Adams professional.