SOX and internal control over financial reporting services

For pre-IPO and newly public companies, designing and implementing an internal control framework can be daunting. Our risk-based approach focuses on promoting flexibility and scalability while designing and implementing a practical control framework that adheres to the current regulatory environment. Our professionals can help you identify, understand, and assess your current-state capabilities, processes, and controls and provide recommendations for enhancements with a goal of designing a sustainable, ongoing compliance programme.

Organisations that understand and assess their current state early in the SOX Readiness journey are typically better positioned to effectively and efficiently:

• Plan for change;
• Create synergies;
• Reduce disruptions;
• Provide transparent insight to those charged with governance; and
• Enhance communication and collaboration.

Each organisation’s control environment has unique considerations and challenges. Determining that you have resources with sufficient skillsets at the right time can keep your control environment operating effectively and allow for the opportunity to improve your internal control compliance programme. Deloitte can help you achieve your ongoing SOX Compliance with our co-source services. Deloitte supplements your team with experienced professionals with deep subject matter knowledge, insights, and leading practices, while providing testing support for management’s assessment of internal controls over financial reporting.

We provide the full suite of services including risk assessment testing of design; implementation and operating effectiveness; and monitoring, remediation, and reporting. Our scalable solution uses data-driven technology and analytics to standardise documentation, workflow, and reporting to create a more effective and efficient outcome while driving compliance outcomes.

Over the years, there have been significant developments in technology and changes to business environments, but the SOX Programme at many companies may not have evolved at the same pace. We can help you refresh and rethink your internal control programme to help you rethink operating model optimisation, SOX Programme enhancements, and technology enablement. Modernising your SOX Programme can deliver critical benefits, all while still achieving compliance, including:

• Enhanced Quality: Increase transparency and visibility into business process with meaningful insights to managing risks.
• Increased efficienc: Enhance focus on risks and key controls to focus on what's important, and employ precisions control testing methods while moving away from a checklist approach.
• Deeper Insights: Refocus efforts and move away from point-in-time solutions and focus on addressing issues at their root cause.
• Potential reduction in total cost of compliance: Create effectiveness by redeploying highly skilled resources to other strategic assignments.

Organisations may enter transactions or events that can be strategically positive but can also be disruptive for their business. These transactions may be infrequent but can be complicated and have their own unique internal control considerations.

As you enter these transactions, Deloitte can take a fresh look at your control environment and assist you with streamlining processes and controls and identifying opportunities for effectiveness. Some examples of complex and infrequent transactions where we can assist include post-merger integration of internal control frameworks, adoption of new accounting standards, and evaluation of complex contracts or significant non-recurrent transactions.

Although SOX may not be as applicable for private companies as their public counterparts, risk management and internal controls still provide tremendous value to those organizations. This value isn’t only for companies getting ready for a public listing; it’s also for companies that want complete, accurate, and transparent financial and operational information available for decision-making and reporting.

Additionally, private companies may be able to improve efficiency or the speed of close, to both allow resources to have more time for strategic business needs, and to allow decision makers to get financial information more timely.

Our tailored, risk-based approach to controls is practicable in the design and application of the framework for private companies, establishing and/or enhancing their internal control environment to increase the reliability of information from across the organization as it is used in the preparation and analysis of the company's financial results and other relevant decision-making activities.

A crucial role of management is to define risk management frameworks within their companies. While companies in recent years have responded to an increasing number and type of business risks, the focus on internal and external fraud has lagged behind. New trends in fraud continue to emerge, causing financial losses, integrity and trust issues, and even emotional distress for those affected.
Deloitte can support your company in developing measures to manage the fraud risk:

• Conduct comprehensive and recurring fraud risk assessments
• Strengthen management review procedures
• Monitor and review continually fraud risks and the effectiveness of associated internal controls.
• Strengthen the segregation of duties.

Leveraging our ICFR experience combined with our environmental, social, and governance (ESG) subject-matter experience, we assist companies with ESG-related governance at the board, entity and process-level controls. ESG reporting metrics are coming from new and complex data sources that are outside traditional financial reporting systems; therefore, understanding controls over such systems and data sources are critical to accurate and complete ESG reporting. Our services include but are not limited to:

• Establishing board oversight.
• Defining organisational roles, responsibilities and competencies.
• Providing training on internal controls.
• Performing risk assessment and scoping exercises that could impact ESG reporting objectives.
• Identifying relevant risks of ESG reporting, and documenting ESG-related controls.
• Conducting control testing for ESG-related controls and the completeness and accuracy of data.
• Establishing risk control matrices, process narratives or flowcharts, and control design gaps or deficiencies and related remediation plans.
• Assisting management in development of remediation plans for control gaps or deficiencies in relevant ESG-related reporting metrics.
• Communicating with those charged with corporate governance.

We will collaborate with companies at all maturity levels, from those starting their ESG journey to those with existing ESG policies and processes in place.

Each organisation’s control environment has unique considerations and challenges. Determining that you have resources with sufficient skillsets at the right time can keep your control environment operating effectively and allow for the opportunity to improve your internal control compliance programme. Deloitte can help you achieve your ongoing SOX Compliance with our co-source services. Deloitte supplements your team with experienced professionals with deep subject matter knowledge, insights, and leading practices, while providing testing support for management’s assessment of internal controls over financial reporting. Our co-source service is scalable and flexible allowing you to decide the level of involvement from ad hoc to more recurring assistance.