As leaders adapt to and anticipate emerging risks, evolving regulatory pressures and new accounting standards, Jason Sammons and Sabrina Serafin discuss current trends in Sarbanes-Oxley (SOX) compliance.
Culture of Compliance: Sarbanes-Oxley: The Journey Continues
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace.
I’m Sabrina Serafin, Partner and national leader of Frazier & Deeter’s Process, Risk and Governance practice. I’d like to apologize for any lack of clarity as we are exercising social distancing as a result of COVID-19 and recording from various locations.
Today, we’re talking to Jason Sammons, also one of our partners in Frazier & Deeter’s Process, Risk and Governance practice. Jason brings leadership and expertise to the marketplace in the area of Sarbanes-Oxley program advisory. To clarify, Sarbanes-Oxley legislation requires public companies to maintain internal controls over their financial reporting processes, and management of these companies must publicly certify and opine on the effectiveness of these controls. Jason, welcome to the podcast.
Jason Sammons: Hello. Thanks, Sabrina.
Sabrina: Jason, our topic today is focused on the recent and emerging trends in Sarbanes-Oxley compliance, with most of our December 31st year end companies having recently completed their annual report. Jason, can you comment on some of the key themes in the area of internal controls over financial reporting that you’ve seen?
Jason: Absolutely. As you say, Sabrina, we’re just finishing a busy year helping our clients manage their Sarbanes-Oxley compliance programs. As I reflect, a couple of things stick out. First and foremost, a lot of time was spent over the last few months really focused on what’s new. So, whether it’s the first year of implementing the new revenue recognition standards, the adoption year for the lease accounting standards, a lot of activity around new systems being implemented whether that be enterprise wide solutions or special purpose applications focused on a particular business cycle, and responding to those changes that companies are making in their internal control framework. That was a major area of focus, over the balance of 2019 to incorporate these new elements into the compliance programs.
There’s also substantial attention on control activities occurring at all points of a transaction. The way we looked at it is just more attention on the various layers of review of each transaction as it moves through the processing cycle. Additional emphasis on creating and maintaining audit trail documentation of those layers of review for third party auditors that those activities are occurring.
The last thing, I would say, received more attention than maybe in prior years relates to the service providers. We’ve always had third party providers, like payroll or data center operators that are core to financial reporting. But as companies continue to partner with other firms that have world-class technologies to solve some of their challenges across all industries. Whether that be payment processing or third-party logistics, it brings the evaluation of these third and even fourth parties in some cases more into scope greater investigation as to exactly what are they providing to companies and how that fits into the overall financial reporting control framework.
So, deeper dive into SOC 1 and SOC 2 examinations and scoping which controls actually apply to companies as they work with these service providers.
Sabrina: Thanks, that’s a lot to consider for one year’s time. What should companies expect as they move into 2020?
Jason: I think it’s going to be a lot more of the same, but I think because we’ve seen over the years the trend will continue that the bar will just continue to rise. The regulatory pressures are not being relaxed. The auditor requirements continue to be refined and improved or strengthened, depending on your perspective. But when we boil down all the decisions that companies are going to make, you need to continue to be grounded in risk and materiality. Management teams need to have a clear handle on their financial reporting risks and understand those in context in order to prepare a program to focus on what matters most, and that goes right back to the principles of the original guidance. Sarbanes-Oxley was implemented a couple of decades ago amazingly.
So, as they move forward, I think there’s just more enhancements and more desire to automate controls. The introduction of tools and skills will continue to be an area of focus. We’ll have to shift our focus to understanding how non-routine transactions that cannot be automated, identified, routed and ultimately subject to particular controls.
Then, within the automation, any failures or exceptions that may fall out that don’t meet the predefined criteria, being sure that those are escalated and quickly resolved. On top of that, access control and change control over any of the robotic process automation (RPA) or in general, bots, will be a greater area of focus I believe in Sarbanes-Oxley programs. The other thing that’s on the horizon is the new auditing standard on auditing estimates that the external auditors will be incorporating into their procedures beginning in 2020. So, it’s likely to take to a whole new level how certain estimates are determined around fair values and other key estimates, judgements, and assumptions.
Companies are going to need to continue to improve and deepen their documentation around how certain assumptions are used, the decision-making process behind those, why they chose to go one route and not a different route, and how that data used in any modeling is validated. I expect us to be having those conversations this spring as we get started on the next year’s assessments.
Sabrina: Jason, the FCC recently adopted new rules modifying the criteria of a company’s filer status. This removes the external auditor attestation on controls for companies with less than $100 million in revenues. This is where some are beginning to call the rollback of SOX, can we get your thoughts on that?
Jason: Sure. It’s a great question and a very interesting development. Notably, this is the first piece of guidance for companies that the SEC has come out with in a number of years, almost dating back to their original guidance in the mid-2000s. Since that time, the PCAOB has largely been driving the agenda as it relates to Sarbanes-Oxley.
What this does is, as you said, it removes a certain requirement related to the external auditor activities for companies that have higher market values, but revenues are less than $100 million. From the top, it does not change management responsibility to maintain effective internal controls. So, I think that that’s going to be one thing if you just read the headlines and don’t look deeper, you may overestimate or overstate what the impact of this new guidance results in.
The investor protections and the governance expectations continue to exist because they always have, and this is really going to address all in all a small percentage of the marketplace. For me, these companies really need to have the strongest management-led programs because they have such high valuations. They plan to grow fast, and their resources are being sought after by competing priorities. So, they’ve got to choose wisely into how they select and develop their internal controls program, both to meet securities regulations but then also to manage their business.
For the external auditor to do an audit of internal controls over financial reporting, there’s a certain minimum cost that that requires. This guidance is going to relieve that financial burden from these companies should fall into the category that are affected. So now, companies can be really strategic and precise about creating competitive advantage through SOX versus it being a burden or a drag on their operations.
In closing, I’d say, we love advising and guiding management teams through that process so they can focus on running the business, as well as maintaining a high performing compliance program.
Sabrina: Well said, Jason, we can keep an eye on this development and perhaps explore this deeper in our next podcast. Jason, thank you for being with us today and sharing your insights.
Thank you for listening to Frazier & Deeter’s Culture of Compliance podcast, please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.