Problems happen, but lax controls shouldn't, SOX specialist says

Having controls to spot and remediate material misstatements in your financial reports is what Sarbanes-Oxley is looking for, not the misstatements themselves, something it helps CFOs of newly minted public companies to keep in mind, a compliance specialist says.

Probably half of all companies have material weaknesses in their reporting when they make their public-market debut, whether through a traditional IPO or a special purpose acquisition company (SPAC) merger, Deloitte Managing Director of Audit and Assurance Lindsay Rosenfeld told CFO Dive.

What’s important for compliance with Sarbanes-Oxley, or SOX, is that your controls are sufficiently robust to identify where your processes are weak and how to address the inadequacy, she said.

“If you disclose material weaknesses in your financial reporting and what it is you’re doing to remediate them, you’re still in compliance,” she said.

SOX was enacted in 2002 to curb the kinds of control weaknesses that enabled companies like Enron and WorldCom to manipulate their accounting to give a misleading impression of their financial position. To give it teeth, the law requires the CFO and CEO to sign off on the adequacy of their controls.

“The SEC is starting to use data analytics, just like everybody else is doing,” Rosenfeld said about the way the Securities and Exchange Commission is scouring financial reports to identify misstatements. “As a result of some of those investigations, the CFO was fined and asked to not serve public companies, so they will ask and will look at what CFOs and CEOs are doing around compliance. This is real.”

Process scoping

The challenge for finance chiefs who haven’t had to comply with SOX is scoping out which processes need controls and which don’t. Operational processes that might be crucial for a company aren’t necessarily what SOX is looking for, she said.

Since SOX is looking for controls to prevent material misstatements on the company’s 10K and 10Q reports, an operational control to, say, weed out non-paying customers, although important from a business perspective, isn’t what SOX is looking for.

“Management doesn’t want to sell to someone who’s not going to pay for the service they’re providing, but from an accounting perspective, at the end of the day, if you do sell to somebody and they don’t pay you, your control over that is going to be captured in your allowance for uncollectible accounts,” she said.

SOX, on the other hand, looks for controls over processes like revenue recognition, which is an integral part of financial reporting and also what the SEC says is the number one problem area for misstatements.

“A control would be the accounting analysis review over those specific revenue transactions,” she said. “When is it appropriate to record that revenue?”

Controls are especially important for capturing problems around non-recurring and unique transactions, like a business combination, divestiture or a complex debt arrangement like a convertible bond.

“Anything that’s out of their normal environment,” she said. “And management estimates, because there’s bias in estimates. How does management evaluate those estimates?”

First scope, then design

CFOs should consider taking a phased approach to ensure they’re SOX compliant, Rosenfeld said.

They want to first take a hard look at what needs controls. That’s based on the areas most important to the business.

“We often talk to companies about how we make sure they’re focused in the right place, on what your risks are,” she said.

Once you’ve identified your risk areas, the next step is designing the controls. Controls that aren’t designed correctly can lead to deficiencies, which can lead to material misstatements.

With deficiencies, she said, you’ve got a “control for a process in place but it’s not designed with the level of precision to mitigate the risk of material misstatements,” she said.

Because of this risk, it’s important for the people identifying your key processes, designing your controls and then testing them to bring a thorough understanding of SOX, she said.

“You’re looking for people who have that SOX-specific experience to make sure you’re focused on the right places,” she said.

Third-party attestation

Depending on the filing status your company has with the SEC, it either must have an independent audit done on its SOX controls or it doesn’t.

In general, the filing status for larger companies is 404(b), requiring third-party attestations — an independent audit — while for smaller companies, the status is 404(a), which doesn’t have the requirement.

It’s important for the management team and the auditor to report the same conclusions on the adequacy of controls. If there’s a difference, the two sides need to work that out before the company files its reports.

“Is there always perfect agreement? No,” she said. “Those are conversations external auditors have with management.”

Even in cases in which external auditors sign off on the controls, if the SEC spots problems, liability still lies with the CFO and CEO.

“Management has responsibility over their controls and the accuracy of their financial results,” she said. “Auditors are performing an audit that is not absolute assurance.”

That makes it crucial for in-house compliance staff to know SOX thoroughly if the company doesn’t contract with compliance specialists to help them get their controls in order, she said.