The decision to go public is a massive, transformational effort with the potential to enhance value and create new growth opportunities for your organization. The endeavor also increases regulatory demands and creates scalability challenges. One of the more pressing issues pre-public or newly public companies face is establishing a program to maintain Sarbanes-Oxley (SOX) compliance.
Congress passed the SOX Act of 2002 to help protect investors from fraudulent financial reporting by corporations in response to several high-profile financial scandals in the early 2000s.
SOX contains several requirements; its major provisions are Section 302, Section 404, Section 802 and Section 906.
Section 302 of SOX states that the chief executive officer (CEO) and chief financial officer (CFO) are directly responsible for the accuracy, documentation and submission of all financial reports as well as the internal control structure. The CEO and CFO are required to personally attest to the accuracy and completeness of their financial statements and sufficiency of internal controls quarterly.
SOX 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR), and 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls.
Section 802 imposes fines or penalties of imprisonment for the destruction or falsification of records. This section also outlines record retention rules and what business records must be maintained or stored.
Section 906 requires a written statement from the CEO and CFO on all periodic financial reports declaring that the financial report fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also establishes criminal penalties associated with knowingly filing periodic reports that do not comport with the requirements of the section.
Any company that is publicly traded on a U.S. stock exchange is required to be compliant with SOX or be subject to criminal penalties. However, there are benefits to having a robust system of internal controls. The benefits include improved operational efficiency, fewer errors, more reliable financial reporting, and a lower risk of fraud.
The CEO and CFO will be required to comply with sections 302 and 906 upon going public. Generally, companies can take a 1-year exemption for SOX 404 requirements when filing their first Form 10-K but must comply thereafter. Companies should consult with legal counsel on SOX compliance requirements as they can vary depending on different factors, including filing status (e.g., large accelerated filer, accelerated filer, nonaccelerated filer), and other possible designations, such as smaller reporting company (SRC) and emerging growth company (EGC).
The company must evaluate whether its public float or annual revenue exceeds certain thresholds. The information listed below represents general requirements. Companies are encouraged to consult with legal counsel for any compliance requirements.
Internal controls over financial reporting refer to the control activities and processes designed to provide reasonable assurance over the accuracy and reliability of the company’s financial statements.
Internal controls over financial reporting should be designed to provide reasonable assurance that a material misstatement to the financial statements would be prevented or detected in a timely manner.
There are several key stakeholders with responsibilities including management, control owners, internal audit and the audit committee. Each stakeholder has certain responsibilities that contribute to maintaining SOX compliance.
There are several risks of not having sufficient internal controls over financial reporting. These may include inaccurate or misleading financial statements, misappropriation of assets and noncompliance with SOX. As a result, the company may be required to disclose a material weakness in its U.S. Securities and Exchange Commission (SEC) filings and could potentially be subject to fines or penalties including imprisonment of key executives.
A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. A material weakness must be disclosed in the company’s annual financial statements (Form 10-K).
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness but still merits the attention of those charged with governance, most often the audit committee. A significant deficiency should be reported to the audit committee but does not require disclosure in Form 10-K.
A company should perform a SOX readiness assessment at least 12-18 months prior to IPO. The readiness assessment should develop an implementation plan to address key activities including:
During the SOX implementation phase, companies should assess the existing internal controls framework and execute the following key activities:
To support continuous compliance with SOX, the company should establish a program to execute on the following:
There are many challenges when implementing SOX compliance. Here are a few highlights:
SOX compliance may be seen as a burden; however, SOX is also an opportunity to improve financial and information technology operations throughout the organization. The company will establish a structured process for evaluating risks related to financial statements that enables companies to prioritize high-risk areas more effectively. The SOX program will play a pivotal role in eliminating conflicts of interest and reinforcing the segregation of duties within an organization. The ongoing process will also enhance documentation and improve processes throughout the organization.
Tune in to our on-demand webinar, Navigating the financial services compliance landscape: A deep dive into SOX compliance. For more information on the subject, and to learn how we can assist your organization with its Sarbanes-Oxley (SOX) compliance journey, refer to our SOX compliance, IT SOX compliance, risk advisory and financial services webpages.