When SOX was first invented, we all struggled to figure out what companies were supposed to be doing, and what auditors were expecting to see. All this happened while the auditors were trying to follow new audit rules just as their new regulator (the PCAOB) came into existence. We were all stumbling around together.

AS2 came out with principles-based guidance—and was the shortest auditing standard in history. It threw everything into the auditors’ scope regardless of materiality, and created a lot of work for dubious value. And a lot of expense.

Along came AS5 to replace that standard, with an attempt to focus auditors on items that could reasonably give rise to a material misstatement. Use professional judgment was the message. That helped settle things down for a while … until the PCAOB started failing audit firms in the inspection process, citing deficiencies in their reviews of internal control over financial reporting.

The audit firms pushed back, and the PCAOB pushed harder. All the pushback was occurring behind the curtain. Companies were often left in the dark about priorities and expectations. And disagreements over what should be in scope of the audit have persisted.

Interpretations in flux

Over a decade after SOX’s passage, a mismatch in expectations continues. The interpretation of the rules keeps evolving. The new directives aren’t always official but are instead happening piecemeal, audit firm by audit firm, and sometimes even engagement team by engagement team. Companies have often been caught unawares of new changes, not realizing that the bar had been raised.

Most of this direction has stemmed from inspection findings. Audit firms are in the unenviable position of delivering the news to their clients about what the PCAOB inspectors find, and companies understandably cry foul that it’s not helpful to have them change their ways “after the fact.” When it comes to audits, no one likes surprises.

The upsides of SOX

Years of SOX compliance have resulted in positive progress. The way companies design controls is far different today than the early days—and how they evidence the execution of controls has matured as well. We see that companies have integrated SOX into their operations—it is not some “thing” off to the side, separate and apart from ongoing operations. And real, tangible benefits are being derived from it. Financial statements are more reliable. There are more checks and balances in place. We see a better defined “tone at the top”—there’s clear integrity and transparency in how SOX-compliant companies do business.

We’ve also seen companies becoming more mature in their operations and documentation of accounting entries. In the past, we were more likely to see journal entries with no supporting documentation. Or we’d find that reconciliations were performed but nobody reviewed them. Now, the level of documentation produced and retained is more robust, and there is more scrutiny of the underlying data itself.

What do they want?

Still, it’s not always clear whether companies are living up to their auditors’ (and their auditors’ regulator’s) expectations. In 2013, some light shone through when the PCAOB released an audit alert following three years’ worth of serious deficiencies in internal-control audits. The general public finally got to hear what the inspectors were seeing beyond their vague inspection reports. The PCAOB expected to see more proof that the auditors were doing what they are supposed to be doing while reviewing internal controls, and those demands have trickled down to the auditors’ clients.

Here’s one example of how it plays out now: When auditors want to look over management review controls (controls that help management identify errors), they need to understand them and then test to see if they are operating at a precise enough level to detect a material misstatement. The potential snafu here is that management documented their review in accordance with their own needs, not the auditors’. The auditor will want sufficient evidence to prove what management looked at, what was investigated and how it was resolved.

Management does not need a stack of paperwork to perform a meaningful budget-to-actual analysis and be comfortable that there are no material misstatements. But auditors want to know for sure that the analysis was done and thoroughly reviewed or else they are hard-pressed to place reliance on that control. Ten years ago, a simple signature on a page was often sufficient evidence. Not so today.

At times it seems audit requests are coming from a “one size fits all” approach rather than a tailored approach based on specific facts and circumstances. Companies end up feeling a need to pile on the documentation to make future audits easier but on areas that have little connection to the possibility of a material misstatement.

What’s next

How the PCAOB goes about its inspections could change. In May, the PCAOB revealed that it may go about the selection of audits to review differently, shifting from a risk-based focus to taking some audits at random (as it is now, the PCAOB tends to review the riskiest/most complex clients in an audit firm’s portfolio).

That change may not address the issue of mismatched expectations, but it will certainly get the conversation going, which isn’t a bad thing. As usual, the devil is still in the details. What matters to the regulator—and the firms it inspects—will continue to evolve as precedents get set and the bar gets raised. Some areas, such as cybersecurity risks, could attract more focus.

Here’s the bottom line: The evolution could all be for the better, as long as we can use judgment about what adds value and what is merely checking off boxes.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. She was recently asked by ComplianceWeek for her take on the “new normal for internal controls.” Pat previously held senior finance-level positions at public companies and worked as an auditor with a Big 4 firm.

RoseRyan VP Pat Voll recently weighed in on a CFO.com debate that posed the question “Is your data more secure in a data center or in the cloud?” CFO published her bylined article alongside other data-security experts in one of its monthly Square-Off virtual panels. Pat’s take: Companies need to focus on the “who” rather than the “what” when looking at where they store their information. See below for an excerpt of Pat’s article:

Ultimately, you are responsible for the protection and security of your data, regardless of where it is stored. Where your data is safest depends on your company’s own internal processes, infrastructure, controls, training, and discipline, and those of your cloud provider.

Consider this fact: The most common reason companies suffer from a data breach is because of an employee error. In a recent survey by the Association of Corporate Counsel, 24% of in-house lawyers blamed employee error for a breach at their company. That’s higher than phishing attacks (12%), third-party access (12%) and lost devices (9%).

A mishap by an employee could happen no matter where the data resides—on-premises or in the cloud. To tamp down the risk, it is essential that companies take a hard look at their internal processes, including periodic training for all employees and robust ongoing monitoring of controls, to ensure policies and procedures are being followed.

CFOs can’t pass off the responsibility for data security to the IT department and hope it’s getting done. Similarly, you can’t assume the vendor has adequate controls and procedures in place. It’s not only the right thing to do—it’s increasingly becoming an expectation.

To read the article in its entirety, go here.

What happens if your public company decides to “go dark”? If you are in the military or in covert operations of some sort, this slang term means you have ceased all forms of communication—probably to save your life. Teenagers can sometimes go dark. If your teenage son or daughter is not responding to your phone calls, texts, tweets, and any other way you try to communicate, they’ve gone dark. You may feel snubbed and left out. But consider the positive aspect: This quiet period is actually part of their development. They are establishing their independence. Are they using their time wisely? That is what needs to be determined.

For publicly traded companies, going dark means they are delisting from an exchange (e.g., NASDAQ) and simultaneously deregistering with the Securities and Exchange Commission. In this age of transparency, going dark may not seem like a smart move. In fact, it might be just the right move, depending on the company’s objectives. Returning to the teenager example, you need to know—is your company using its time wisely?

If you are an investor, business partner or employee of a company that is going dark, pay attention to these areas as you explore the future potential of the business.

Take a closer look. While there are several practical considerations in the decision to “go dark,” the decision may also have strategic implications. Review company filings with respect to the process, as well as press releases announcing the decision. These documents are intended to provide information as to the considerations involved in making the decision to go dark. Strategic implications may or may not be evident from the press releases and filings. It pays to take a closer look and see if you notice opportunity behind the ominous-sounding development (more about this later).

Review current shareholder listings and changes in shareholdings. You can get this information from periodic SEC filings, including the latest proxy statement. This will tell you if there are major shareholders owning the stock. A little more research may give you some insights on the major shareholders and their plans for the company.

As an example, a major investor might have a strong track record in turnaround situations, or industry consolidation strategies or other strategic moves. Chances are, you will see a concentrated shareholder base, as companies that go dark must have fewer than 300 registered shareholders (an SEC rule). It pays to know who is driving the bus.

Also review company liquidity and capital structure. Once a company has gone dark, it no longer has direct access to the public capital markets. As a practical matter, if it is a small or microcap company, or if it is underperforming its peers, the company may not have access to such markets in any case. This is something to consider if the company has liquidity issues or is undercapitalized. Private equity and debt may or may not be available, and it can get expensive.

Consider whether cost avoidance is a legitimate driver. Publicly traded companies spend a lot of time and money maintaining the standards required by the national stock exchanges and the SEC. The costs easily exceed $500,000 per year for even the smallest of the small-cap companies, including annual audits, quarterly reviews, legal fees, audit committee fees, SOX compliance costs, annual registration fees and increased insurance premiums for director and officer liability. Oftentimes, boards find that the incremental costs of the public listing outweigh the benefits. Companies often cite cost savings as a significant factor in going dark. Saving precious capital is a legitimate reason, but it has a downside.

Look into shareholder liquidity. Shareholder liquidity is probably the scariest part of the going-dark process. When the company delists from national exchanges, its stock may continue to trade, but liquidity will depend on whether brokers will continue to make a market for the shares. There can be no guarantees. As such, shareholders may find it difficult, expensive and/or at least time-consuming to sell the shares. And there may be a very thin market or no market at all. However, as long as there are market makers, the alternative exchanges—the pink sheets, the bulletin boards, etc.—will continue to trade the shares.

See if you will still have access to financial information. Transparency is another possible casualty of going dark. Most companies that deregister follow a practice of posting their periodic financial results either through quarterly press releases or direct posts on their websites. While they are under no obligation to do so, it’s good business practice, and it doesn’t cost much. And many companies continue to maintain a website and provide contact information. While you won’t see a Form 10-Q or Form 10-K or any of the other SEC filings, at least you will see quarterly and annual financial information, and hopefully you will have contact information if you have questions.

Study the strategic intentions. As noted above, there may be strategic reasons a company goes dark. It could be a logical step in taking a company private and could be part of a bigger plan. Going dark is a relatively low-cost exercise, with immediate cost benefits. If the strategy is in fact to “go private,” and your research shows that the major shareholders have a good track record, you could stand to benefit. At some point the majority shareholders and/or the company may be back in the market to cash out minority shareholders. Once again, no guarantees, but it’s something to consider.

Any time a company goes through a transformative event, it’s wise to turn to experts who have gone through similar situations and can step in to guide the company, based on their past experiences, best practices and what makes the most sense for the business. Going dark is not routine—it’s a vital, transformative time that requires specialized expertise.

Terry Gibson heads up RoseRyan Private Equity to help PE firms extract more value from their portfolio companies. A founder of Steel Partners Corporate Services, he has been focused on serving the PE industry for over 15 years. He was the CEO of CoSine Communications and BNS Holdings, and he oversaw the finances at Calient Networks and served as controller at Lam Research.