The SOX compliance journey: Preparing for compliance
Jan 15, 2025 · Authored by Mumta Taneja, Matt Reierson, Jim Schoppe
Achieving compliance with Section 404 of the Sarbanes-Oxley Act (SOX 404) is complex, challenging and can seem daunting. Many companies underestimate the scope of the documentation, evaluation and testing effort required, as well as the staffing it demands.
Drawing on our experience assisting many organizations with their SOX 404 readiness efforts, we have prepared an example "SOX readiness roadmap," which may be executed over a one- or two-year period, depending on the needs of the organization.
Familiarize yourself with the SOX 404 compliance readiness basics below and download our brochure for expanded insights, including a sample 12-month readiness roadmap.
SOX readiness
Maturing your organization and preparing for an initial public offering (IPO) requires many decisions, including decisions about your internal control structure and framework.
Consider the following as your company continues to grow, scale and take steps toward an IPO:
- Embed culture: Establish organizational buy-in through C-suite leadership and nimble management
- Start early and educate: Engage with key stakeholders, leverage investments in technology and prioritize the most material risks
- Engage with third parties: Understand the holistic ecosystem of controls and engage with your external auditors
- Learn, update and improve: Learn from others to avoid pitfalls, keep documents current and segregate duties
Key SOX activities and timeline
Prior to IPO
- Document the company's significant business processes affecting financial reporting
- Identify risks, controls and areas for improvement in internal control over financial reporting (ICFR)
- Make code of ethics and business conduct policy publicly available
- Establish "whistleblower" hotline
- Evaluate need for enhanced financial reporting function
By initial 10-Q
- Implement a CEO/CFO certification process
Prior to 2nd annual 10-K
- Implement a process to test internal controls and report on testing
- Remediate internal control gaps where necessary
By 2nd form 10-K filing
- Management's assessment of internal control over financial reporting
Deferred up to five years (for as long as the company remains an emerging growth company (EGC))
- Auditor's attestation and report on management's assessment of internal control over financial reporting
SOX compliance challenges
Knowing the common pitfalls makes it easier to avoid them. In no particular order, the top 10 compliance issues include:
- Board and audit committee understanding of risk and control
- Effective controls over information technology (IT) environment including user access, segregation of duties and cybersecurity controls
- External financial reporting and disclosure preparation process
- Evaluation and testing of controls over outsourced processes
- Current, consistent, complete and documented IT and accounting policies and procedures, including internal controls documentation (e.g., narratives and/or flowcharts, risk and control matrices)
- Formal controls over the financial closing process
- Formal financial reporting and IT risk management program
- Adequate controls to record non-routine, complex and unusual transactions
- Understanding of information produced by the entity (IPE), key report, spreadsheet control and documentation requirements
- Effectively controlled post-merger integration