SOX Compliance on a Global Scale
How Sensiba San Filippo’s new SOX and Internal Controls experts can help you
As a big step in expanding its consulting practice, Sensiba San Filippo (SSF) is pleased to announce that it has acquired The Resultants, Inc. — a boutique-sized firm with a strong reputation in Sarbanes-Oxley (SOX) compliance and internal audit consulting in Silicon Valley. With deep roots in the epicenter of growing businesses, The Resultants specializes in helping pre-IPO (initial public offering) companies, as well as small to medium-sized public companies, with right-sized, scalable solutions for internal audit and SOX compliance.
Aside from vast experience with domestic companies, The Resultants founder and newly appointed Partner at Sensiba San Filippo, Kevin Shives, has also spent considerable time abroad helping companies with internal controls and SOX compliance.
What is SOX?
Since being signed into law in 2002, SOX has become one of the most historically significant reforms to U.S. securities legislation. With the goal of increasing transparency and creating a more formalized system of internal checks and balances, SOX essentially measures how well a company manages its internal controls. Broad-ranging and crucial to success, SOX affects financial governance and accountability, data storage and transmission, and information technology. The goal: to create a safeguard for investors against inaccurate or unreliable corporate disclosures.
Strictly enforced and far-reaching, SOX has affected global markets on a scale far greater than expected. In an interdependent world, it has proven critical to understand, implement and maintain the proper controls and compliance rules set forth by SOX.
While all American-based public companies are legally bound to the rules of SOX compliance, the law also extends to international companies that have registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC). The penalty for non-compliance includes substantial fines or removal from public stock exchanges; therefore, it is important to ensure that your company is taking the right steps not only to have robust internal controls, but also to maintain them.
When non-U.S. entities get involved in SOX, it generally means that they are a financially material part of a U.S. public company that is required to be SOX compliant. In these situations, the foreign location will require essentially the same internal control evaluation as its U.S. parent. The role of our firm is to help these entities obtain or maintain SOX compliance by providing a full range of SOX services.
All SOX implementations and on-going maintenance will follow these general steps:
Use risk assessment and scoping to decide what key controls are required and then design them to effectively address the risk. A company’s risk profile can change dramatically throughout the year, especially in a high-tech or equally dynamic industry.
Tip: The controls (and thus their design) should be reviewed periodically as circumstances change (e.g., acquisition, new product launch, new markets, growth or downturn), but at least annually.
Key controls require sufficient documentation so that the process can be properly performed and replicated. Anyone performing controls should be clear on how to consistently perform them, and internal and external auditors should be able to easily test the controls for compliance.
Tip: The key word for documentation is “sufficient.” Over-documentation, especially in the first year, is a serious resource consumer. Reaching the documentation balance requires experience and perspective, so be sure to consult with your internal audit and external auditors to stay on track.
All key controls must be periodically tested with the appropriate samples to gather evidence and support a conclusion about effectiveness.
Tip: Year after year, testing will consume a large portion of your SOX budget. Spend the necessary time and effort to ensure you have the most efficient and effective test resources available. A highly efficient test program will include experienced testers executing well-developed test plans and using appropriate technology and proven procedures.
4. Evaluate & report
Results of testing will be compiled and evaluated to determine if there are deficiencies, and if so, their severity. There are three levels of deficiencies: deficiencies, significant deficiencies and material weaknesses. There is a lot written about the technical definition of deficiencies, but the practical concerns with each are as follows:
Deficiency – a control did not operate as “advertised,” but the resulting impact is not significant. Correct the problem and learn from it. Report the issue to management and share with external auditors.
Significant deficiency – a control did not operate effectively and the impact was close to material, but not quite. This must be reported to management, external auditors and the audit committee.
Material weakness – one or more controls failed and the result was, or could have been, a material misstatement to the financials. This level requires full public disclosure in the financial statements.
Tip: Developing a highly effective test program can help you find issues early, which will help you correct problems before they escalate beyond the level of a simple deficiency.
Ensuring that your company is SOX compliant can be a foreboding journey and a substantial expense, especially if resources are mishandled or the process goes astray. There are, however, experts to help lead the process and make your internal audit as effective and efficient as possible.
If you have questions regarding your current controls, or need help planning for your internal audit, please contact one of our SOX experts at firstname.lastname@example.org or at 925.271.8700.