You are here

5 Steps to Improve SOX 404 Implementation

As your company approaches $75 million in non-affiliate market capitalization, one of the most daunting tasks at hand is the implementation of a program to comply with the requirements of Sarbanes-Oxley (SOX) section 404(b). The enhanced requirements of SOX 404 compliance require your financial statement auditor to affirm the operating effectiveness of the internal controls in place over financial reporting. Implementing these programs can often be a costly and time consuming process. We’ve compiled a few key ways you can reduce the cost, time, and stress of implementing a SOX compliance program.

Key 1: Start Early

It’s never too early to begin documenting your financial reporting controls. Proactively beginning this process gives you more time to resolve issues with the effectiveness of the design, highlights opportunities to identify and resolve control gaps, and provides a lower strain on resources involved. If you wait until SOX compliance is required, you may identify significant deficiencies or material weaknesses during the financial statement audit—and at that point, it could be too late to remediate these issues.

Key 2: Set the Tone at the Top

Controls over financial reporting affect every employee at your company, whether directly or indirectly, through the deployment of Entity Level and Information Technology controls. It’s vital that the Board of Directors and executive management foster an environment of accountability throughout the company.  While executive management will be responsible for assessing the effectiveness of controls at the company, every employee must understand their role and how they can impact the company’s SOX controls.

Key 3: Quality over Quantity

Documenting and testing key internal controls over financial reporting can often become cost prohibitive, and a herculean task for some companies. When it comes to key controls, having the right controls is more important than having a lot of controls. An unmanageable SOX program is often the result of documenting all controls and business processes. Choosing an appropriate framework (such as the COSO 2013 Framework) can help identify opportunities where similar procedures exist to help keep the number of controls at a manageable level.            

Key 4: Involve your Financial Statement Auditors

Involve your external auditors early in the process. To express an opinion over the design and operating effectiveness of your controls, the auditors will need to perform independent testing and conduct walkthroughs of the control processes. They’ll likely have best practice ideas, and should also be involved to ensure that you’re on the right track to receiving an unqualified opinion on your internal controls over financial reporting. Good communication between your internal team, any third-party internal audit group, consulting firms involved, and your external auditors will ensure success. An effective communication strategy should involve identification of control cycles relevant to financial reporting, deliverable content, and project timeline. By having all invested parties actively participate in planning discussions and regular status meetings during the implementation, you can prevent many delays. 

Key 5: Ensure your Controls Remain Up to Date

Once the controls are identified, documented, and developed, they should be revisited periodically to ensure they remain up to date. In today’s environment of rapidly developing technology, controls may change quickly, resulting in new risks related to financial reporting that weren’t anticipated during the initial program implementation. 

What Can I Do Now?

One option that can make this process more manageable, and allow you to continue to focus on managing and growing your company, is to bring in a third-party consultant to assist in the identification and documentation of your SOX controls. A third party enables you to identify what the key control cycles are, document the existing key controls, identify existing control gaps, and assist in remediating existing control deficiencies. A third party can also assist in providing training to the Board and all levels of management to make sure they’re familiar with their responsibilities in implementing SOX 404.