Because the high-profile public-company failures that prompted the Sarbanes-Oxley Act of 2002 (SOX) were what put the law on the books, there is a common misconception that its auditing and financial-reporting requirements apply only to public companies. It is understandable, then, that many private companies have never implemented a SOX compliance program: they may not be aware that several SOX provisions apply to them, they may expect the program to be a burden, or they may not see the benefits of being SOX compliant.
Most private companies do not have a SOX compliance program, and they should. Implementing one is easier now than it has ever been, ignoring the applicable provisions carries serious consequences, and a compliant program brings real business benefits. In this article I break down four reasons why every private company should have a SOX compliance program: to avoid violating the regulations that do apply to it, to enhance its reputation, and to add value to the organization.
What Is a SOX Compliance Program?
Simply put, a SOX compliance program is a formal, repeatable process by which a company manages the risk of material misstatement in its financial reporting. The program enables management to:
- Identify risks (via surveys and interviews).
- Design controls to mitigate those risks (an internal, collaborative effort).
- Confirm the effectiveness of control design and performance (via testing).
- Certify that an effective control environment exists.
When the cycle is executed end to end, each control owner understands the objective of their control and is accountable for how it performs. That accountability gives key stakeholders assurance and, over time, reduces the number of control deficiencies.
1. SOX Applies to Private Companies Too
First and foremost, SOX is not only for public companies. While the Section 404 requirement to assess and report on internal control over financial reporting applies to SEC registrants, several other provisions of the Act apply to any company, public or private. Violating them can result in severe penalties, including non-dischargeability of certain debts in bankruptcy, fines, and imprisonment of up to 20 years. The provisions that reach private companies include:
- Compliance with federal and state securities laws (e.g., fraud in connection with the placement of private securities). Under Section 803, debts arising from such violations cannot be discharged in bankruptcy.
- Destruction, alteration, or falsification of records or documents with the intent to impede or influence a federal agency investigation or a federal bankruptcy proceeding (Section 802, punishable by up to 20 years imprisonment).
- Retaliation against anyone who provides a law enforcement officer with truthful information about a possible federal offense (Section 1107).
A robust SOX compliance program is the most direct defense against these pitfalls: it documents record-retention and reporting controls, gives employees a sanctioned channel for raising concerns, and produces evidence that the controls actually operate. Whether the work is done with internal knowledge or outside expertise, the risk identification exercise, the all-hands discussion of coverage and mitigation, the performance testing, and the final certification together provide a solid foundation.
2. Favorable Perception for a Buy-Out or IPO
SOX compliance is the “gold standard” in the investor and regulator community. A company pursuing a buy-out or IPO is viewed favorably because its compliance:
- Exudes commitment to best practice.
- Defines company standards and practices.
- Proves appropriate management oversight.
- Facilitates integration with a SOX-compliant buyer.
This favorable perception can translate into higher valuations and a shorter deal cycle, because potential acquirers and underwriters spend fewer resources verifying the company’s financial accuracy and transparency. Market participants have more confidence in a company that maintains a sound control environment and periodically proves its effectiveness. Markets also change rapidly, so a company that cannot quickly produce control documentation and test evidence risks delays that may cost it the window entirely.
3. The Myth of the SOX Compliance Burden Is Increasingly Outdated
In the early days of SOX, companies struggled to scope an appropriate control environment. The result was too many controls, unnecessary documentation, an unmanageable testing effort, and little ability to summarize results. Today, implementing and maintaining a compliance program is far easier thanks to comprehensive risk and control libraries and end-to-end audit management solutions (AMS). An AMS 1) provides a centralized, access-controlled, cloud-based repository for all audit information, 2) automates much of the internal audit department’s routine operations and the associated management responsibilities, and 3) provides configurable reporting in real time.
Implementing a SOX compliance program is now manageable, and its benefits are attainable for private companies of any size. Because implementation and ongoing program management are easier than ever, companies will find it increasingly difficult to justify not having a robust program in place.
4. Benefits of SOX Compliance for Private Companies
SOX compliance has clear, demonstrated business benefits for private companies. In Protiviti’s 2017 Sarbanes-Oxley Compliance Survey, many respondents reported that they would continue to perform a certain level of internal assurance work even if it were not required, because of the value it generates. The benefits respondents cited include:
- Improved internal control over financial reporting (ICFR) structure.
- Enhanced understanding of control design and control operating effectiveness.
- Continuous improvement of business processes.
- Increased reliance by external audit on the work of internal audit.
These benefits are fully realized when control owners participate in control design and stay engaged throughout the audit cycle. Current AMS offerings make that participation practical by providing structure, templates, workflows, and dynamic reporting. With a solid SOX compliance program in place, companies can shift their audit focus from financial reporting to value-add audits that target cost reduction and waste elimination, risk identification and mitigation, and strategy execution.
An AMS also saves time, which gives teams room to dive deeper into internal validations and data analytics and to engage meaningfully in continuous improvement. It further positions companies to reduce their reliance on, and spend with, third-party functions so they can invest in building internal expertise and career development.
There are many reasons for a private company to implement a SOX compliance program, and implementation and ongoing management are easier than ever. Given that SOX does apply to private companies, the ever-increasing focus on compliance, the reduced implementation and execution burden, and the benefits that follow, it is no wonder many private companies already have a program in place. Whatever the maturity of your program, an AMS is critical to managing the annual process efficiently and reducing the administrative burden.
When evaluating an AMS, look for a solution the entire organization can use on a single, fully integrated platform: one that lets the company assess and manage identified risks (enterprise, vendor, IT, etc.), mitigate those risks through effective internal control and audit programs, and readily map coverage to applicable regulatory frameworks (e.g., SOX, NIST, PCI, ISO). Going forward, the market will expect all companies, public and private, to have a compliance program in place, and a SOX-focused program is a great place to start.
Scott Parker, CPA, was Director of Account Management at AuditBoard, where he helped clients maximize their teams’ use of the AuditBoard platform. Prior to AuditBoard, Scott was Director of Technical Accounting and Internal Controls at GameStop, and he has over 15 years of experience in SOX compliance, audit, financial reporting, and technical accounting.