As public companies wrap up their first quarter filings and move into the summer, they are most likely starting, or should be starting, to think about their 2022 Sarbanes-Oxley (SOX) plan. As SOX programs evolve, there are key business and operational considerations that public companies should be aware of as they plan out the second half of their fiscal year. As we unpack the key areas of focus below, we must keep in mind a successful SOX plan focuses on people, process, and technology:
Automation and Workflow Software
There are a plethora of SOX automation tools and workflow software tools on the market. Selecting the one that fits your SOX needs, and potentially aligning with other company-wide initiatives, can harness efficiencies and coverage. Conversely, if implemented incorrectly, can spell disaster. We recommend approaching the selection of the software to be the same as you would with any software implementation. Consider your company’s current SOX needs but also your three-to-five-year plan for your SOX program as it matures. You will also want to do your IT due diligence and interview vendors, demo tools, and ensure the solution meets your company’s overall strategic needs.
Evidence Review and Approvals
With many teams still working from home, or enjoying a hybrid work model, evidencing review and approvals will continue to be a challenge as the evidence may still be distributed through tools such as Microsoft Teams/Zoom/text or other electronic platforms. Companies should consider how communication styles and preferences are going to provide evidence of review and approval to their external auditors. While this has been ongoing for over two years, it continues to be a point of stress for newer public companies.
Turnover and Talent Shortage
“The Great Resignation” was, and unfortunately is still, a real thing! The war for talent is ongoing. Companies may have lost key people and may or not have been able to replace them or expand resources to meet growth. Smaller departments may have issues with segregation of duties, as well as a loss of institutional knowledge. Companies should consider assessing their talent and identifying gaps. In our experience, especially with newer public companies, we have seen a number of them receiving material weaknesses around insufficient accounting personnel and lack of financial oversights and levels of review.
In addition, with the related increase in salaries, companies should re-evaluate their hiring practices and budgets. An obvious way to fill the talent gap is to consider co-sourcing to a third-party provider.
Hybrid Work Model
As mentioned previously, it appears that the hybrid work model is here to stay. The need to keep in touch with your teams and have them remain productive continues to be a challenge. Monitoring your teams while allowing them flexibility will be critical to executing a successful SOX plan.
Market Capitalization Awareness
With the macro-economic and geo-political headwinds, inflation, and fears of another COVID wave, companies should continue to be very aware of their Market Capitalization, and as such their filing status for SOX, as this can dramatically impact the nature, timing, and extent of testing. For more information on filing status of current public companies and those considering going public, read more in our published article on “Filing Status and ICFR Compliance Considerations for SPAC and IPO Transactions.”
Additionally, where companies experience significant fluctuations in macroeconomic conditions and decreases in market value, these may constitute triggering events requiring a more detailed quantitative analysis of goodwill and intangibles. Depending on the extent of fluctuations, this may also require disclosures as to the impact of going concern considerations. Companies should design a plan to fulfill these requirements when necessary.
Reliance on Specialists
An area which continues to cause issues with SOX programs is the use of specialists over valuation and taxes. Oftentimes, we see companies are self-aware enough to realize that they do not have the proper resources, either in terms of people, capabilities, or skills, to perform some of the calculations required. They will often engage a third-party specialist to perform the calculation based on data provided by the company. The company will use the calculation provided by the third-party to record the entry in the books and records. What we have seen in practice is that the external auditors will, on occasion, take issue with the calculation inputs resulting in a difference. Oftentimes the difference can be material, and results in an adjustment that can become a material weakness in controls.
The argument being is that even though the company engaged a specialist to perform the complex calculation, the financial statements are the responsibility of management, and that responsibility cannot be outsourced or deferred. When engaging specialists, companies should work with the specialists to understand all the inputs into the calculations and should consider stress-testing or testing the sensitivity of the final result by changing the inputs (for example discount rate by X%) to see the impact. Another way to limit exposure is to involve the external auditor’s specialist in the planning and initial phases to agree on assumptions affecting the model.
Cybersecurity
On March 9, 2022, the SEC proposed regulations for the increased disclosure of cybersecurity incidents, risk management, strategy, and governance. These proposed regulations would require several new and enhanced disclosures around reporting incidents, disclosing risk management policies and oversight by the board of directors, as well as the director’s expertise. As a result of the proposed requirements, companies should consider the overlap with their SOX plans to decide if the final regulations are part of the control environment.
Homogeneity/Common Controls
As companies work to streamline their SOX efforts, we have seen companies’ group certain controls together to test as one population. While minimizing the SOX effort is an often-desirable goal, companies must understand the people, process, and technology and to the extent they are different, might need to re-consider this approach. A few factors in making this determination would include: the effectiveness and precision of entity level controls, history of the control effectiveness, and the identification of unique and different risks effecting the operation of the controls.
New Standard Pronouncements & Expiry of COVID-19 Concessions
Because of COVID-19, concessions and guidance were provided by regulators to reduce the impact of the planned application of new accounting pronouncements in situations impacted by the global pandemic. Specifically, these included Lease Concessions related to COVID-19, Troubled Debt Restructurings, and Current Expected Credit Losses (CECLs).
As these concessions expire, companies will need to reevaluate their control frameworks to ensure they adequately address new pronouncements. For example, new CECL guidance changes the status quo for accounting for credit impairment. Although this guidance largely impacts financial institutions, most companies may have exposure to financial instruments or other assets which are subject to the CECL valuation model (including Trade Receivables, Finance Receivables, Financial Guarantees, and Held to Maturity Debt Securities). Companies should identify and evaluate whether accounting models and internal controls require changes to ensure compliance with changing accounting guidelines.