Sarbanes-Oxley at 20: For CFOs, it may be time for a refreshing experience

Introduction

July 30th, the twentieth anniversary of the Sarbanes-Oxley Act (SOX), may have gone unnoticed by many US finance executives. But the law is almost certainly present in their day-to-day work lives.

Since it was enacted, SOX has improved transparency and investor confidence in US capital markets. By imposing strict new controls over financial reporting processes, mandating criminal penalties for senior executives who certify false financial statements, and enacting new regulations ensuring auditor independence, Congress accomplished what it set it out do to: end the rash of accounting scandals that plagued financial markets in the early 2000s.¹ 

But evolving regulatory requirements and changing market dynamics have turned SOX compliance processes into a moving target, according to a Deloitte report. Mix in the reporting requirements triggered by traditional corporate activity—acquisitions, digital transformation, and entry into new markets, for instance, and it becomes clear why SOX compliance has become a complex endeavor.² In addition to the costs of compliance, CFOs and CEOs can face personal legal liability (up to five years in prison, or $20 million in fines³) for compliance failures.

But there’s still time for CFOs to commemorate the law’s twentieth anniversary. How? By taking the opportunity to modernize the company’s end-to-end SOX program. A SOX refresh can not only help CFOs mitigate the legal peril associated with certifications but can also lower the cost of compliance. To reap the benefits, however, some finance teams must first shed an all-too-common mindset: We’ve complied. What else is there to think about?

Plenty, as it turns out. In this issue of CFO Insights, we discuss why, 20 years after SOX became law, some companies are now saddled with outdated controls that are costly, unnecessary, and ineffective. We will also explore the steps CFOs can take to modernize their SOX programs and, by doing so, mitigate risks of material misstatement, lower the costs of compliance, improve efficiency, and gain deeper insights.

Control quality

One of the most influential and transformative pieces of federal finance regulation, SOX sought to address several exposed fault lines in the corporate governance framework, from creating greater executive accountability for financial reports, to enhancing disclosure rules, to strengthening board independence. Given its breadth, it’s perhaps inevitable that compliance would grow more complex over time.

As a result, the costs associated with SOX compliance may at least in part explain why there are now more so-called “unicorn companies” (definition: private companies with valuations of at least $1 billion) than ever before.⁴ (See sidebar, “SOX readiness pitfalls for companies considering IPOs.”)

A top-to-bottom SOX modernization can produce savings. For example, one company reduced controls by 40% in year one and 20% in year two, which lowered costs due to testing less, among other factors. Modernization efforts should focus on the levers of transformation that follow:

Operating model optimization. Establishing an effective governance structure and maintaining clear accountability within that structure is critical. Unfortunately, some companies have left their operating structures unchanged since the years immediately following the SOX passage in 2002. Sections 302 and 906 of SOX require CFOs and CEOs to publicly certify the reliability of the financial statements being free of material misstatement. Consider including these five organizational issues: 

1. What resources are needed—human and otherwise—for proper SOX
   compliance?
2. Do the employees responsible for controls have the requisite expertise and skills to perform their assigned tasks?
3. Is there a plan to “skill up” control owners as risk, technology, and the industry evolve?
4. If control owners do not have the requisite expertise, and training is not an option, would co-sourcing or outsourcing be beneficial in certain areas?⁵
5. Is ownership and accountability for SOX compliance driving down to the right levels of the organization? 

Addressing these questions may go beyond evaluating existing controls. CFOs may need to factor in new risks such as cyber-attacks that may not have been accounted for when the company set up its SOX-related policies and practices 10 or 20 years ago. Determining if the appropriately skilled people are in place will be easier for the risks and controls that fall within the finance function. Some controls fall outside of finance and accounting, yet still have a material impact on the accuracy of the financial reports that CFOs are required to certify.

Program enhancements

Modernizing a SOX program properly means adopting a risk-based mindset that is less focused on adherence than on risks of material misstatement. For starters, take a step back and determine whether the risks that were considered relevant even as recently as the last annual risk assessment remain pertinent, or whether new risks have emerged that are not being mitigated by current controls. 

The risk assessment should include both quantitative and qualitative considerations, including but not limited to:

• The degree of complexity or judgment in the process.
• The volume of activity, complexity, and homogeneity of the individual transactions.
• The frequency at which specific errors were identified in prior reporting periods.
• Whether the employees overseeing the control activities fully understand the role.
• Whether existing footnotes and disclosures in financial statements still reflect the most relevant risks.⁶

Over time, risks evolve, new risks are identified, and the organization’s response may have been to design new controls without considering whether existing controls should be modified or scrapped. Companies that have grown by acquisition may have layered controls upon controls, not challenging the underlying risk assessments and failing to investigate whether some controls are now duplicative or obsolete. To mitigate risk, it’s key to make sure that as threats have evolved, the needed controls have indeed been added—to address the possibility of misstatement.

Eliminating existing controls may sound perilous for CFOs responsible for attesting to the accuracy of management’s report on internal controls. However, companies are not expected to maintain obsolete controls or to devote the same level of resources to controls whose associated risks have declined over time. It’s also possible some existing controls may have never been required in the first place, as actual regulatory requirements sometimes differ from companies’ preconceived beliefs.⁷ Something else to keep in mind: Under Securities and Exchange Commission (SEC) guidelines, CFOs are responsible for maintaining a control system that provides “reasonable assurance” regarding the reliability of financial reporting. Reasonable assurance, which acknowledges the remote possibility of misstatements, is not as high a standard as absolute assurance.⁸

Technology and automation

Some companies may still be operating their SOX compliance programs in a highly manual control environment. As businesses grow and risks evolve, relying on manual controls can pose problems. It can increase program costs by siphoning employees’ hours away from core operations. Also, as operating environments become more complex, manual controls may become more susceptible to human error and more vulnerable to human misconduct. Not all controls can be automated, of course, but automating some of them can help reduce such risks.

For example, many CFOs oversee high volumes of cash disbursements to suppliers and vendors. Duplicate payments can be a problem, and digital controls can help catch them. Moreover, the same technology will identify transactions that, analyzed collectively, reveal a pattern of rule breaking. For example, digital controls can flag disbursements designed to bypass authorization limits. Imagine a situation where an employee—someone only authorized to make payments of up $1 million—makes two $1 million payments to the same vendor on consecutive days.

Governance, risk, and control (GRC) tools can also help improve SOX monitoring and compliance. Adoption of GRC tools has been slow, as some companies resist the cost of new software or don’t see a need to abandon using of spreadsheets to gather and analyze information manually. GRC tools take much of the manual monitoring out of SOX programs, creating a more reliable, streamlined information flow for CFOs. They can perform the following tasks, among others:

• Increasing accountability for risks and controls through the clear assignment of roles and responsibilities.
• Serving as a single source of truth for control documentation.
• Centralizing requests and responses related to SOX Section 302 certification.
• Managing documentation requests.
• Managing workflow around issues and deficiencies that have been identified.
• Providing the real-time status, through dashboard reporting, of testing and issue remediation progress.⁹

In addition to helping CFOs improve controls, reduce compliance costs, and lessen their risks of false certifications, a modernized SOX program can provide insights and value to the business beyond finance and accounting. Digital controls can add value outside the compliance function by identifying ways to operate more efficiently. By tracking payment terms and dates, analytics can help companies optimize cash flow by eliminating early payments and timing disbursements closer to when they are due.

Kickstarting a SOX refresh

Here are three steps CFOs can take now to kickstart a SOX refresh:

• Challenge preconceived beliefs about risks and regulatory requirements. A top-to-bottom risk reassessment may uncover regulations that no longer apply, risks that are no longer relevant, and controls that can be eliminated. Questioning old assumptions can lead to refreshed ideas and allow for companies to develop new and better ways of working.
• Identify opportunities to automate and digitize. If a company’s SOX program or control environment has not kept up with the pace of change, then, very likely, the technology supporting the SOX program also has room for optimization.
• Consider investment in GRC tools. Such tools give CFOs real-team access to compliance data and to the identity of the person assigned to each control.

The cost savings and efficiency gains associated with SOX modernization can be significant. Don’t wait for SOX’s silver anniversary, five years from now, to take advantage.

End notes

¹ “Corporate Scandal Never Goes Out of Style,” Barron’s, June 30, 2022.
² “Sox Compliance: A smarter way forward,” Deloitte Development LLC, 2019. 
³ "SOX Section 906: Corporate Responsibility for Financial Reports, Sarbanes-Oxley-101.com, August 30, 2022.
⁴ “Sarbanes Oxley Turns 20,” The National Law Review, July 19, 2022.
⁵ “SOX Modernization: Optimizing compliance while extracting value,” Deloitte Development LLC, 2022. 
⁶ Ibid.
⁷ Ibid. 
⁸ Ibid. 
⁹ Ibid. 
¹⁰ “The Crunchbase Unicorn Board,” Crunchbase News, August 12, 2022; “Going Dark: The Growth of Private Markets and the Impact on Investors and the Economy,” US Securities and Exchange Commission, October 12, 2021. 
¹¹ “SEC Pushes for More Transparency from Private Companies,” The Wall Street Journal, January 10, 2022. 
¹² Ibid. 
¹³ “SOX compliance: Are you ready? A practical approach to SOX readiness,” Deloitte & Touche LLP, Deloitte Development LLC, 2021.

Get in touch