If you qualify as a non-accelerated filer (i.e., your company’s public float is under $75 million), you’ll have to start complying with Section 404(b) of SOX, which requires company management and independent auditors to sign off on, or attest to, the effectiveness of your risk control framework or accounting policies and procedures for internal control. Are your processes protecting you from the risk of material misstatements (RMM)? Do you know how to control and reduce SOX compliance costs?
Why do larger companies incur higher overall compliance costs? Because of the sheer size — scale — of their operations! More operating locations, more employees, and more processes mean more time and more people needed to review accounting policies, procedures, and internal controls. There is no easy answer to the question of scale: larger size translates into more risk management, more internal controls, and more accounting processes.
When it was first enacted, the Sarbanes-Oxley Act (SOX) did not apply to non-accelerated filers because it was believed SOX compliance costs would be too high for them. Several delays and extensions were granted to non-accelerated filers because the Office of Economic Analysis (OEA), which advises the SEC, needed to complete a study on SOX compliance costs. The study was completed and was quickly followed by the announcement (on October 2) of the June 15th compliance deadline.
It didn’t surprise anyone when the OEA study showed that SOX compliance costs increase with company size; the study also confirmed that annual compliance costs decrease over time and that, overall, compliance costs have decreased. In other words, while larger companies achieving SOX compliance had higher costs overall, there are fixed SOX compliance costs that impact all organizations, regardless of size, and companies have gotten smarter on how to deal with SOX compliance costs.
There are three major factors that drive up the cost of complying with SOX: cost of scale; cost of review; and cost of improvement. The more control you have over all three of these, the lower your costs to implement Sarbanes-Oxley compliance will be.
You can reduce the scope of SOX compliance costs by addressing the greatest risks first (note that PCAOB Auditing Standard No. 5 was developed for this purpose). Don’t try to address all risks at once — that is what drives up compliance costs. But which risks do you address first? Determine a threshold, or cutoff, for risk materiality, then decide which risks are most material to your company.
Remember — this is an ongoing process of improving your SOX compliance, not a one-time SOX compliance event. Next year, you can (and probably should) lower the threshold and address your “second-tier” risks, and continue to annually adjust your threshold until you are comfortable. Management decides on the internal controls needed to cover the identified risks.
Also, if you decide wrong and set your risk threshold too low or too high, you’ve identified a material weakness in your risk control framework. You may think you’ve exposed a flaw in your system, but consider that your system is also about continual improvement. The only real flaw is failing to improve: work on improving your internal controls, adjust your risk threshold, and you can demonstrate that you have a SOX-compliant system.
The Sarbanes-Oxley cost of review represents the Check and Act phases of the Plan-Do-Check-Act (PDCA) process approach. Every company that needs to comply with SOX has to have some form of review process that tests accounting’s internal controls and gives management the confidence to attest to the validity of the company’s financial statements.
Internal audits, management reviews, management and auditor attestation, and board oversight are fixed costs of Sarbanes-Oxley compliance. Every company has to operationally demonstrate to top management that internal controls are in place and are working. Larger companies have to spend more, of course, but every company must spend a minimum amount for basic compliance.
As with the cost of scale, you can reduce the scope of SOX compliance by addressing the largest risks first in your audit plan. You don’t have to audit every accounting process every year. Start with the accounting processes that have the greatest impact — those that pose the greatest risk of material misstatement if they don’t work. Review past audit opinions, your compliance plan, and your definition of materiality and adjust your audit plan to deal with the greatest risks.
Management decides on the internal controls and testing needed to ensure that the identified risks are controlled. If you find that your audit plan hasn’t addressed the right risks, you adjust the plan. Again, lessons learned — and implemented — show that your system is driving improvement and is, therefore, Sarbanes-Oxley-compliant.
The cost of improvement comes under the “Plan” and “Do” phases of the PDCA process. Sarbanes-Oxley compliance starts with a compliance plan, one that identifies the risks you need to control. Your compliance plan is the foundation of your risk control framework. With a sound compliance plan in place, management can make better decisions regarding internal controls, such as implementing accounting policies and procedures that reduce or eliminate the risk of material financial misstatement.
Developing accounting policies and procedures is the “Do” in “Plan-Do-Check-Act”. Your risk control framework identifies individual risks (e.g., the chance a receivable is not collected on time). Your accounting policies (e.g., collect accounts receivable within 30 days) and procedures (daily A/R aging reports, phone calls, collection letters, etc.) are forms of internal control that demonstrate your compliance with Section 404 of SOX.
Are your accounting policies and procedures for compliance or for control? Well, control comes before compliance, but many companies have confused the two and wasted a lot of time and money. You can reduce the scope and cost of SOX compliance by controlling your greatest risks first with your accounting policies and procedures.
You don’t have to write a policy or procedure for every accounting process at once. Once again, start with the accounting processes that, if they don’t work, pose the greatest risk of material financial misstatement. Review audit opinions, your compliance plan, and your definition of materiality, then develop and implement the accounting policies and procedures that address your greatest risks first.
Management makes the final determination of which accounting policies and procedures are needed. If you develop cash policies and procedures that do not (adequately) control the identified risks, you have a material weakness. Improve your accounting procedures for internal control and you demonstrate Sarbanes-Oxley compliance.
Sample accounting policies and procedures serve as a model, or framework, for your own accounting policies and procedures. The CFO Accounting Policies and Procedures Manuals set contains 262 procedures you can use to address the ten accounting cycles.
Using prewritten procedures will save you hundreds — possibly thousands — of hours in researching, writing, and implementing accounting policies, procedures, and internal controls for Section 404 compliance. Save even more time implementing additional internal controls for sales and marketing, security, disaster recovery, and ISO 9001 compliance using the CEO Company Policies and Procedures Manuals. Download free sample procedures and judge for yourself.
In Sarbanes-Oxley compliance, your SOX accounting policies and procedures have the same purpose as ISO 9001:2015 procedures: to provide a foundation for improvement. Sarbanes-Oxley is not a quality standard, so why the need for improvement?
First, Sarbanes-Oxley (SOX Sections 302 and 404) requires that your financial reports contain accurate information drawn from controlled accounting and financial processes. Second, signing executives have to report on the effectiveness of the company’s internal controls and disclose any significant deficiencies in the design or operation of those internal controls that could affect the company’s financial reports.
ISO 9001 uses terms like effectiveness and deficiencies too. The difference is that the focus with your SOX accounting policies and procedures is on continuously improving effectiveness and identifying non-conformances, meaning results that do not conform to planned arrangements. That sounds pretty similar to SOX compliance.
SOX accounting policies and procedures are used to build consistency, communicate SOX internal controls, and provide a baseline for SOX improvement. This is done by identifying a target performance (the policy) and communicating a series of actions (the procedure) to achieve the target. Risks are areas open to mistakes, fraud, or abuse. Internal controls are responses that mitigate the identified risks to the policy and procedure.
For example, an accounts receivable policy might be timely invoice collection. Your procedure consists of the steps to ensure a timely invoice collection. Risks include an accounts receivable clerk taking cash, misapplying collections, or not collecting at all. Internal controls could include: segregation of duties, cash application controls, bad debt reserves, credit policy, credit approval process, and so on. Each control counters one or more identified risk to the accounts receivable procedure.
But let’s say we missed a few risks; now what? If the omission is determined to be a significant deficiency, then you disclose the risks that you missed and work on improving the controls around them. With SOX policies and procedures like this, you are Sarbanes-Oxley compliant: you have reported on the effectiveness of your controls and disclosed known deficiencies, just as with ISO 9001. Sarbanes-Oxley compliance and ISO 9001 conformance are pretty similar in their implementation.
Bizmanualz Accounting Policies Procedures Manuals serve as a model, or framework, for your own SOX accounting policies and procedures. Save time with the CFO Accounting Policies and Procedures Manuals set, which contains 262 procedures you can use to address Sarbanes-Oxley compliance with the ten accounting cycles.