If you qualify as a non-accelerated filer (i.e., your company’s public float is under $75 million), you’ll have to start complying with Section 404(b) of SOX, which requires company management and independent auditors to sign off on, or attest to, the effectiveness of your risk control framework, that is, your accounting policies and procedures for internal control. Are your processes protecting you from the risk of material misstatement (RMM)? Do you know how to control and reduce SOX compliance costs?
When it was first enacted, the Sarbanes-Oxley Act (SOX) did not apply to non-accelerated filers because it was believed SOX compliance costs would be too high. Several delays and extensions have been given to non-accelerated filers because the Office of Economic Analysis (OEA), which advises the SEC, needed to complete a study on SOX compliance costs. The study was completed and was quickly followed by the announcement (on October 2) of the June 15th compliance deadline.
It didn’t surprise anyone when the OEA study showed that SOX compliance costs increase with company size; the study also confirmed that annual compliance costs decrease over time and that, overall, compliance costs have decreased. In other words, while larger companies achieving SOX compliance had higher costs overall, there are fixed SOX compliance costs that impact all organizations, regardless of size, and companies have gotten smarter on how to deal with SOX compliance costs.
There are three major factors that drive up the cost of complying with SOX: cost of scale; cost of review; and cost of improvement. The more control you have over all three of these, the lower your costs to implement Sarbanes-Oxley compliance will be.
Why do larger companies incur higher overall compliance costs? Because of the sheer size — scale — of their operations! More operating locations, more employees, and more processes mean more time and people needed to review accounting policies, procedures, and internal controls. There is no easy answer to the question of scale: larger size translates into more risk management, internal controls, and accounting processes.
You can reduce the scope of SOX compliance costs by addressing the greatest risks first (note that PCAOB Auditing Standard #5 was developed for this purpose). Don’t try to address all risks at once — this is what drives up compliance costs. But, which risks do you address first? Determine a threshold, or cutoff, for risk materiality, then decide which risks are most material to your company.
Remember — this is an ongoing process of improving your SOX compliance, not a one-time SOX compliance event. Next year, you can (and probably should) lower the threshold and address your “second-tier” risks, and continue to annually adjust your threshold until you are comfortable. Management decides on the internal controls needed to cover the identified risks.
Also, if you decide wrongly and set your risk threshold too low or too high, you’ve identified a material weakness in your risk control framework. You may think you’ve exposed a flaw in your system, but consider that your system is also about continual improvement. The only real flaw is failing to improve: work on improving your internal controls, adjust your risk threshold, and you can demonstrate that you have a SOX-compliant system.
The Sarbanes-Oxley cost of review represents the Check and Act phases of the Plan-Do-Check-Act (PDCA) process approach. All companies needing to comply with SOX have to have some form of review process that tests accounting’s internal controls and gives management the confidence to attest to the validity of the company’s financial statements.
Internal audits, management reviews, management and auditor attestation, and board oversight are fixed costs of Sarbanes-Oxley compliance. Every company has to operationally demonstrate to top management that internal controls are in place and are working. Larger companies have to spend more, of course, but every company must spend a minimum amount for basic compliance.
As with the cost of scale, you can reduce the scope of SOX compliance by addressing the largest risks first in your audit plan. You don’t have to audit every accounting process every year. Start with the accounting processes that have the greatest impact — those that pose the greatest risk of material misstatement if they don’t work. Review past audit opinions, your compliance plan, and your definition of materiality and adjust your audit plan to deal with the greatest risks.
Management decides on the internal controls and testing needed to ensure that the identified risks are controlled. If you find that your audit plan hasn’t addressed the right risks, you adjust the plan. Again, lessons learned — and implemented — show that your system is driving improvement and is, therefore, Sarbanes-Oxley-compliant.
The cost of improvement comes under the “Plan” and “Do” phases of the PDCA process. Sarbanes-Oxley compliance starts with a compliance plan, one that identifies the risks you need to control. Your compliance plan is the foundation of your risk control framework. With a sound compliance plan in place, management can make better decisions regarding internal controls, such as implementing accounting policies and procedures that reduce or eliminate the risk of material financial misstatement.
Developing accounting policies and procedures is the “Do” in “Plan-Do-Check-Act”. Your risk control framework identifies individual risks (e.g., the chance a receivable is not collected on time). Your accounting policies (e.g., collect accounts receivable within 30 days) and procedures (daily A/R aging reports, phone calls, collection letters, etc.) are forms of internal control that demonstrate your compliance with Section 404 of SOX.
Are your accounting policies and procedures for compliance or for control? Control comes before compliance, but many companies have confused the two and wasted a lot of time and money. You can reduce the scope of SOX compliance, and its costs, by using your accounting policies and procedures to control your greatest risks first.
You don’t have to write a policy or procedure for every accounting process at once. Once again, start with the accounting processes that, if they don’t work, pose the greatest risk of material financial misstatement. Review audit opinions, your compliance plan, and your definition of materiality, then develop and implement the accounting policies and procedures that address your greatest risks first.
Management makes the final determination of which accounting policies and procedures are needed. If you develop cash policies and procedures that do not (adequately) control the identified risks, you have a material weakness. Improve your accounting procedures for internal control and you demonstrate Sarbanes-Oxley compliance.
Sample accounting policies and procedures serve as a model, or framework, for your own accounting policies and procedures. The CFO Accounting Policies and Procedures Manuals set contains 262 procedures you can use to address the ten accounting cycles.
Using prewritten procedures will save you hundreds — possibly thousands — of hours in researching, writing, and implementing accounting policies, procedures, and internal control for Section 404 compliance. Save even more time implementing additional internal controls for sales and marketing, security, disaster recovery, and ISO 9001 compliance using the CEO Company Policies and Procedures Manuals. Download free samples of our procedures and judge for yourself.