SOX Section 302: Corporate Responsibility for Financial Reports
Going public is a wonderful opportunity for growing companies to tap into public securities and debt markets, potentially substantially reducing their cost of capital. Going public is not, however, free of costs and burdens. One of the more substantial burdens is the requirement to comply with the provisions of the Sarbanes-Oxley Act. In this article we’ll cover the basics of SOX audits and how to prepare for them.
Up until 2002 public stock exchanges were largely self-regulated. The exchanges had their own rules that listed companies needed to comply with, but this segment of the financial industry was largely free of governmental regulation.
Boom and Bust
The late 1990s were boom times in the stock market. At the same time that personal computers moved from nerd curiosity to essential business tool, many other businesses, including communications, were going through radical technology-driven change and growth. The explosion of the internet fueled the dot-com boom, a heady time for investors: to take just one example, Netscape enjoyed a 150% jump in share price on the day it went public. There were other companies that did even better.
All that came crashing down in mid-2000. All the money being made in the stock market proved too enticing for self-regulation. There were too many companies, most famously Enron and WorldCom, that not only cut corners but engaged in out-and-out fraud. Some of the celebrated IPOs turned out to be built on sand as well, with the real value of the firms being much less than management’s hyped-up values. The stock market crashed. IPOs were dead. Investors lost billions. Corporate governance was widely viewed as inadequate.
Passage of the Sarbanes-Oxley Act of 2002
It was apparent to everyone in Congress that something had to be done to restore investor confidence and get the markets functioning smoothly again. Two members of Congress, Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH), co-sponsored the Sarbanes-Oxley Act, which was also known as the “Public Company Accounting Reform and Investor Protection Act of 2002” in the Senate. It’s also commonly referred to as the “SOX Act.” The bill established effective government regulations for publicly held companies, regulations intended to ensure that financial reports accurately represented the financial condition of public companies and especially to reduce opportunities for fraud. The bill passed with overwhelming bipartisan support and was signed into law by President George W. Bush on July 30, 2002.
The act created the Public Company Accounting Oversight Board (PCAOB), which is tasked with setting the rules and standards for SOX audits.
Which Companies are Subject to a SOX Compliance Audit?
Generally speaking, SOX auditing is required of companies that are publicly traded in the United States, regardless of which stock exchange they are listed on. Over-the-counter stocks are also subject to SOX. Wholly-owned subsidiaries and foreign companies that access the US public markets are also required to comply with the SOX Act, and are subject to SOX auditing.
There are two exceptions:
- Companies known as “non-accelerated filers,” which are companies that have less than $100 million / year in revenue and less than $700 million in public float.
- Emerging growth companies, for the first five years after an IPO, provided that revenues do not exceed $1.07 billion, the company has not issued more than $1 billion in non-convertible debt, and it has not become a “large accelerated filer” as defined in the Exchange Act Rule.
What is Covered in a SOX Audit?
There are two parts to a SOX-compliant audit. The first is the audited financial statements, where the auditor does checks to verify that the company’s financial statements are accurate. Section 404 of SOX created an additional requirement: a “management assessment of internal controls.” Company management certifies that the company has adequate internal controls to protect the integrity of the data from fraud or error. The SOX auditor reviews the controls and procedures in place so that they can attest to management’s certification. When people talk about a “SOX compliance audit” they are referring to the auditor’s validation of the internal controls certification provided by management.
The audited financial statement is strictly concerned with the accuracy of the numbers; the SOX compliance portion of the financial statement is not about the numbers themselves, rather it’s about the steps the company takes to ensure that the data is indeed accurate and without fraud or misrepresentation.
There are two different types of internal controls the auditors will be reviewing: the company’s financial controls, and the company’s control over their IT infrastructure.
Financial controls are the policies and procedures used in the company to catch mistakes and prevent fraud. Some examples of financial controls include:
- Reconciling bank statements to the general ledger
- Not allowing a person who creates an invoice for payment to approve that invoice for payment
- Not allowing managers to approve their own expense reports
- Check approval and signing procedures
It doesn’t do any good to have robust financial controls in place if it’s easy for someone to alter data in the company’s computer systems. The data security surrounding a company’s financial information is vitally important to the overall effectiveness of a company’s internal controls. The IT team’s role in SOX compliance is to make sure that data is protected not only from internal threats – such as an employee trying to inflate their numbers to look good at bonus time, or trying to misappropriate or embezzle funds – but also from outside threats from cybercriminals. IT controls that auditors may look at include:
- What is the company’s program for Identity and Access Management (IAM)? There are many different ways to implement IAM, but some of the things auditors might look for include:
  - Is “Least Privilege Access” enabled so that only people with a “need to know” have access to financial data?
  - Is multi-factor authentication used for sensitive data?
  - Are passwords required to be strong?
  - Are accounts promptly disabled when an employee leaves the company?
- Data security. The auditors will want to see that you take appropriate steps to prevent data breaches, including encryption, antivirus and anti-malware software and procedures, firewalls, VPNs, etc.
- Mitigation steps. In the event of a breach, are there processes in place that could minimize damage, for example “microsegmentation,” which restricts movement between servers if someone did break in?
- Comprehensive controls. With more people working remotely, and more processes being done in the cloud, it’s important that financial data is secure wherever the user is (in the office, on the road or at home) and wherever that data is, whether on the company’s own servers or in the cloud.
- Are there SOX-compliant off-site backups of important financial data?
Preparing for a SOX Compliance Audit
Far and away the most important thing to do to prepare for a SOX audit is to make sure that your policies, procedures, and internal controls, both on the finance side and on the IT side, are adequate to protect the integrity of your financial data.
An important step in bringing your company into SOX compliance is to perform a risk assessment. Controls that are especially important – ones where a failure could lead to a material breach – should be designated as “key controls.” Key controls should be tested to verify that they work the way they are supposed to work. If any key controls fail in testing, steps must be taken to identify the problem and take remedial action. It may be the case that there’s a flaw with the procedure, and it needs to be revised. On the other hand, it’s possible that there’s nothing wrong with the control or procedure itself, but relevant staff did something wrong, and what’s needed is remedial training.
There are tools such as checklists and special SOX compliance software that can help with getting into compliance and preparing for an audit. Another important matter is to select a framework.
SOX Compliance Frameworks
There are several different frameworks that have been put together by nonprofit industry associations to assist companies and auditors in complying with SOX. Three of the most popular are those from COSO (The Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and Related Technologies), and ITGI (The Information Technology Governance Institute).
Title II of the SOX Act details the requirements for the external auditor. The company’s internal audit committee is responsible for determining that the auditor meets the PCAOB standards for independence. A letter from the office of the SEC’s Chief Accountant states that the audit committee should consider whether “a relationship with or service provided by an auditor:”
- creates a mutual or conflicting interest with their audit client;
- places them in the position of auditing their own work;
- results in their acting as management or an employee of the audit client; or
- places them in a position of being an advocate for the audit client.
Generally speaking, the firm chosen to perform the SOX audit is prohibited from providing non-audit services to the company or its affiliates. Non-audit services could include bookkeeping, consulting, or outsourcing of functions. The auditor is required to disclose to the audit committee in writing any relationships with the company that could possibly be considered to impair their independence.
The independence requirement is for the entire period of the engagement for the audit, as well as for the time period of the financial statements that are being audited. If the relationship is terminated because the company chooses a different audit firm, they can hire the former auditor for other services, although the audit committee should be aware that if a restatement of the financials becomes necessary the auditor has to meet the independence requirements to be able to re-issue its opinion based on the revised financials.
SOX Compliance Audit Process
There are a number of different steps the auditor will take. Here is what to expect during a SOX compliance audit:
- Risk assessment. As mentioned above in preparing for an audit, understanding where the risks are will guide the auditor in which processes to focus on.
- Determining materiality. This goes together with the risk assessment in identifying areas of focus in the audit. Materiality is a very important criterion; controls that could only have a minor effect on the company’s financials don’t need to be scrutinized closely, if at all. The effort goes on controls that could have a material effect on the company (generally defined as something involving more than 5% of company assets or 3-5% of operating income).
- Identifying SOX controls. The auditors will look at both the financial and IT controls mentioned above.
- Fraud risk assessment. Some financial controls are focused on catching errors; others are specifically targeted at preventing or identifying fraud. Since SOX was passed in response to cases of massive fraud, there’s a special sensitivity about looking at controls surrounding fraud.
- Internal Control documentation. The auditors will want to see solid documentation of the procedures, policies, and controls that are in place.
- The auditors will test key controls to make sure they function as designed. That’s why it’s important to do your own testing before the auditors do theirs. It’s much easier to fix something before the auditors catch it.
- Assess deficiencies. The auditor will generally do more than point to something and say it doesn’t work. They’ll give you feedback on what in particular is wrong, which will help the company to take remedial steps.
- Issuance of auditor’s certification. Once the auditor has validated management’s report, they will be able to include their certification in the annual report.
Management’s “Report on Internal Control” is typically included in the company’s annual report. For example, IBM’s 2020 annual report contains a section for this where the CEO describes the requirement to provide certification of internal control and what those controls are. He then says,
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
Management conducted an evaluation of the effectiveness of internal control over financial reporting based on the criteria established in Internal Control–Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on this evaluation, management concluded that the company’s internal control over financial reporting was effective as of December 31, 2020.
The auditor conducts its own assessment of the internal controls and validates management’s report. For example, in the IBM annual report mentioned above, the independent auditor, PricewaterhouseCoopers, includes a statement:
Our audits of the consolidated financial statements included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.
Penalties for Non-Compliance
SOX includes penalties with real teeth for executives filing a false or misleading report: up to 20 years in jail and a $5 million fine. Needless to say, CEOs have no interest in going to jail, so they often rely on “sub certifications” from subordinates to make the same type of certifications for their operations.
Bringing a company into compliance with SOX and preparing for a SOX audit is an expensive and time-consuming process. However, there are benefits of SOX compliance beyond it simply being something that’s legally required. The rigorous internal controls mandated by SOX will help your company run smoother. Preventing fraud and misrepresentation isn’t only a legal requirement, it’s in the company’s best interests, as has been demonstrated by the giant corporations that failed because of poor corporate governance.