Last year, 2021, was a record year with about 1,030 companies doing initial public offering (IPO) transactions and special purpose acquisition company (SPAC) deals. But it is not always smooth sailing when it comes to financial reporting. One of the biggest challenges is compliance with the requirements in Sarbanes-Oxley Act of 2002.
Thomson Reuters recently had a conversation with Lindsay Rosenfeld, managing director for audit and assurance and co-leader of governance, risk and controls with Deloitte & Touche LLP about what CFOs of new public companies should do to avoid making some common mistakes in their efforts to comply with Sarbanes-Oxley (SOX). The following was edited for length.
Q: What do companies often ask about Sarbanes-Oxley?
Rosenfeld: The journey toward SOX compliance and readiness, especially for a pre-IPO stage company, is pretty long. We get asked a lot about “what do I have to do to meet certain milestone dates?”
One of the first things a company has to do after going public is sign off on their certifications in accordance with Section 302. You have to do that from your first Form 10-Q after becoming a public company. Then Sections 404(a) and 404(b) follow that.
I tell companies to make sure they understand what the requirements are for each one of those milestones because the requirements for 302 and 404 are different. And so, making sure they lay out what they need to do for each one of those compliance milestones and why.
Editor’s Note: Section 302 requires CEO and CFO to certify that the company’s quarterly and annual reports are presented completely and fairly. Section 404 is about the company’s internal control over financial reporting (ICFR).
Rosenfeld: Immediately for a company’s first 10-Q after an initial offering you need controls in place in order to be able to sign that certification, and that really comes down to risk assessment. Companies will often dive into SOX, and they will try to boil the ocean and get everything done at the same time without first stepping back and spending ample time to really go through “how should we scope this, and what is our highest risk in the organization of having a financial statement?” and focusing on those areas.
Q: Both Sections 302 and 906 are about CEO and CFO certifications. What are the differences between the two?
Rosenfeld: One differences is that 906 says that if you don’t comply with 302, you will be held criminally liable. So, these certifications are a big deal.
Q: What are some of the key risk areas companies should focus on?
Rosenfeld: Revenue recognition, controls over significant management estimates, and non-recurring transactions are some of the biggest places that we see companies need to focus from a risk assessment perspective. But it is really not a one-size-fits-all situation; each organization is different. Ineffective risk assessment could cause misses to mitigating risk and compliance but conversely can also could cause companies to do more work than needed if they were otherwise focused on the right places.
Q: What are some other things that companies have to consider?
Rosenfeld: You essentially need controls over material every aspect of your financial statements. It’s a big change for an organization to have to go through, making sure those controls are documented in an auditable way. So, companies should have a project plan to focus on risks, making sure they are not doing too much, too fast, and not getting stuck in the weeds as they will just get buried in a list.
It is also important for companies to have the right tone at the top. A lot of times when you are assessing internal controls for a pre-IPO stage company, you may have a lot of deficiencies in your internal control environment. So, it’s setting the tone that you weren’t necessarily doing things wrong as a private company, but rather now, you have to shift the lens and make sure that they are well documented.
Q: For example?
Rosenfeld: Management review controls are a hot topic, something I talk about all the time. You might have an organization that has the right controls, the right reviews, but those reviews aren’t documented. I used to give the example of walking down the hallway—now, it’s picking up the phone or zooming somebody—and having a conversation with somebody, and asking the right questions as part of the review, but that review isn’t evidenced or documented. And as a result, it’s not auditable.
Since there’s no way to test that the conversation happened when you weren’t part of it, it is not auditable, which is necessary for SOX compliance. It’s not like you’ve been doing something wrong, but instead it’s changing the way the conversations and reviews is documented to make sure these controls are actually evidenced at a sufficient level to be assessed.
Editor’s Note: Section 404(a) requires management to evaluate its effectiveness of internal controls while Section 404(b) requires the auditor to attest to that effectiveness.
Q: Do only accountants work on SOX compliance?
Rosenfeld: People outside of accounting should be involved because SOX reaches every aspect of the organization. You are going to have legal accruals. You are going to have accounting over sales adjustments, and that might be coming from the commercial side of the business. You could have environmental reserves or warranty on products, and you’ve got environmental engineers or warranty group. These folks may be part of the SOX compliance framework for an organization.
Q: When complying with Section 404, should a company use COSO framework?
Rosenfeld: Companies do technically have a choice in what framework they use, but I have not seen a company not use the COSO framework. It is a very defined and tried and true framework. I wouldn’t recommend another framework.
Editor’s Note: COSO is Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of five private sector organizations that develop frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Q: As companies go public, should organizations get to know the PCAOB regulations?
Rosenfeld: Yes. I often get the question from a company management “why should I care about the PCAOB because the PCAOB regulates the external auditors, and the SEC regulates management.” The SEC framework is less prescriptive, but the fact of the matter is, they are aligned in view, in terms of what companies need to do surrounding internal controls. The difference is that the PCAOB provides guidance to auditors. An example is a PCAOB guidance on information used in a control, such as an accounts receivable aging analysis. Management reviewing the aging analysis shouldn’t just assume the report is accurate and complete. While the SEC doesn’t have prescriptive guidance like the PCAOB, it is management’s responsibility to look at controls, such as data and parameters for that particular report.
Q: What are some of the pitfalls of ICFR?
Rosenfeld: Management must not only identify but also test controls across all relevant financial statement items. One of the common pitfalls is not having the appropriate skills and experience to both identify the correct controls that should be tested, as well as define the approach to testing.
We often get asked “should I do this internally?” For example, some companies will have internal audit perform the SOX testing, or they co-source and have some internal audit professionals and some external third-party providers that have more skills and experience in doing the assessments. Some companies just fully outsource to an external provider, and so determining what your operating model around how you comply with 404(a) testing is really important.
If you try to take everything in-house and don’t have folks that have really stood up SOX program from the beginning, know how to do a risk assessment, and know where to focus; you could end up having an inefficient framework and raise your cost of compliance than had you just gone externally or to a co-source model. And there is labor shortage today, which is causing challenges to some organizations as well.
Q: But if you go externally, shouldn’t you have controls about that?
Rosenfeld: Yes. That’s the difference between outsource and co-source. When it’s fully outsourced, the external provider reports directly to audit committees. I caution companies that; there should always be somebody internally that has ownership and control over the process that can also help drive change and accountability.
Q: For example?
Rosenfeld: About 50 percent of new IPOs have material weakness. And when you fully use a third-party provider to help you with remediation efforts over those material weaknesses or other deficiencies, it may not be as effective as having somebody internally that can drive ownership and accountability alongside the third-party provider.
Q: What are some other ways to avoid confusion and wasted time on SOX compliance?
Rosenfeld: It really comes down to project management. Get the right tools in place. We are seeing a lot more companies start to use governance risk compliance (GRC) solutions to hold all the internal control documentation and streamline the process.
Q: What happens when management fails to coordinate with external auditors?
Rosenfeld: You don’t want your auditors to come in and say that you have a material weakness or any deficiency that you didn’t even think it was part of your SOX compliance famework. So, it’s really aligning on the front, on that scoping and risk assessment with your external auditors to make sure you get ahead of where they’re going to be focusing and why. And if there are differences in opinion on where that focus is or what accounts or what areas should be in scope, there should be a conversation about the different points of view to avoid surprises.
Q: So, would it be a good idea for smaller companies that do not need to get Section 404(b) audit to still go ahead and get the external auditor attestation?
Rosenfeld: Some companies do dry runs before they lose the emerging growth company (EGC) status. By not doing a dry run in a year prior to 404(b) being required, you can reduce risk. One of the things that you don’t want to happen is finding a deficiency in November as a calendar year-end company. You don’t have time to fix it. But if you find a deficiency in June, you have six months to remediate, because the report on internal controls is as of the balance sheet date, not what happens throughout the period. You want to avoid those surprises with your external auditor coming too late in the process to correct for timely.
However, dry runs are expensive. That’s where it comes down to risk assessment. It’s the balance of managing cost of compliance and managing risk.
This article originally appeared in the May 18, 2022 edition of Accounting & Compliance Alert, available on Checkpoint.
Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.