• Confirming all controls are present and tested

• Evaluating internal controls to prove they’re functioning as specified

• Obtaining external audit report on the effectiveness of ICFR for companies under the SOX 404(b) environment

Shifting management’s responsibilities to cover these aspects helps companies meet and balance long-term SOX compliance goals.

Assess Risk and Establish Risk Tolerance

Performing an annual risk assessment of your company’s internal financial controls is the foundation for SOX compliance. It establishes the annual plan for SOX by cutting out accounts that couldn’t result in material misstatement, and it drives the nature, timing, and extent of effort required for your company’s level of compliance.

Low Compliance

Low compliance internal financial controls might include the following factors:

• A management assessment memo describing management’s top-down risk assessment approach, risk assessment results, and account scoping

• Established and documented controls

• Completed controls questionnaire on design and operating effectiveness

• Incomplete or unperformed transaction testing

• The 302 certification

This low level of compliance is typical of companies that don’t plan to trigger the public float or revenue thresholds; have small, simple, and centralized accounting processes; and don’t need an attestation as required by 404(b).

High Compliance

Larger companies that are required to have ICFR audited by an external auditor have to put more effort into SOX compliance. These efforts could include:

• Risk assessment based on prior-period financial statements

• Full-scope testing, including narratives, flowcharts, risk and control matrices, and operating effectiveness

• Detailed documentation of management review controls and information

• Established remediation

• The 302 certification

By assessing risk, companies can identify their risk tolerance and the impact to financial reporting, letting them focus on the activities most important for fairly stated financial reports.

Depressurize the Budget

Establishing and adhering to a budget that aligns with the SOX project calendar is important. Because a smaller company has far more time to implement the robust structure of a SOX internal controls program, it can apply SOX implementation activities, relevant expense, and time incurred much more smoothly.

A larger company, on the other hand, will have to hustle to fast-track compliance activities. Regardless, it’s vital that the budget approach and end goal are balanced and realistic. It’s important to keep in mind that a company’s expected pace of growth affects its filing status, and therefore its compliance requirements.

Use Operational Goals as a Guide

Operational goals may change drastically when a company is growing quickly. Whether management is responding to excited investors or potential mergers, change provides the opportunity for a company to align its strategy, mission, and vision with trending events and market drivers. Changes to operational goals and strategies can impact a company’s SOX environment and should be considered when performing a SOX risk assessment.

It’s an exciting time to be a fast-growing company. As a company grows, it’s key to pursue opportunities strategically and address regulation requirements thoroughly. A balanced approach to SOX compliance that focuses on risk tolerance, budget, and operational goals can help you keep pace with your growth.

Joan Taylor is a senior manager in assurance services. She has provided internal control services since 2004, specializing in process improvement work and managing audits under the requirements of Sarbanes-Oxley (SOX) Section 404. She can be reached at or (949) 221-4086.

