Optimize your SOX Compliance Program in 2024 | Navigating 404(a) and 404(b) Requirements
Published: Sep 18, 2024
Watch our second webinar as we continue to discuss "Optimizing Your SOX Compliance Program." This session focuses on best practices in SOX compliance whether you're preparing for an IPO, a first-year filer, or have been performing SOX for many years. We provide a deeper dive into overall efficiencies and challenges when looking at both 404(a) and 404(b) requirements.
Participants will receive practical insights and actionable strategies to navigate the complex landscape of Internal Controls over Financial Reporting (ICFR) and SOX compliance in the current year (2024) and beyond.
Transcript
Jerry Ravi: Thank you, Bella. Good morning, good afternoon, good evening, wherever you are. Thank you for being here today with us once again. I wanted to introduce myself, and I'll allow Gerald and Rob to introduce themselves as well.
So, I'm Jerry Ravi, I'm a partner at EisnerAmper. I focus on Risk and Compliance Services. I'm a market-growth leader in that space. I have 28 years of experience and background in Finance Compliance, Internal Audit, as well as Technology Enablement.
I have a passion for technology, which we'll talk a little bit about today in this discussion, and spent the last 20 years on SOX Compliance, helping companies that are smaller reporting companies to accelerated filers and larger accelerated filers, and even those that were thinking about SOX Compliance that still remain private.
We just want to have good controls over financial reporting. So, pleased to be here, and glad we're going to be talking about this topic today. I'll pass it to Gerald.
Gerald Maloney: Hello, everyone, my name's Gerald Maloney. I'm a Senior Manager here at EisnerAmper, and I'm part of our Risk & Compliance Services group, focusing predominantly on our Financial Regulatory Risk practice, which includes services related to SOX, JSOX, and Model Audit Rule.
RCS, overarching, is everything controls-related, and we help our clients prepare themselves for growth and mitigate their risk in a variety of capacities, everything from assisting from developing process and procedures and efficiency reviews to Material Weakness Remediation and SOX Compliance programs.
Industry-wise, I'm focused in the life sciences space, manufacturing and distribution, construction, aerospace, and a variety of other industries. I've been doing this for around 14 years, and I actually started off my career in some of the seats that you're in right now within Internal Audit at two different companies, and then made the transition to Public Accounting where I've been for around 10 years now. I'll go ahead and pass it to Rob to introduce himself as well.
Robert Morales: Thanks, Gerry. I'm Rob Morales, I'm the SVP of Accounting and Finance at Ovid Therapeutics. My responsibilities at Ovid involve all things Financial-and-Accounting-related, running the whole gamut of the accounting operations.
Prior to joining Ovid, I was a principal Financial and Accounting officer at Acorda Therapeutics, another biotech company. Prior to Acorda, I worked primarily at large Fortune 100 companies in the Pharmaceutical Consumer Products and Energy industries, where I held various director of managerial positions in External Reporting, General Accounting, SOX Control Administration, and Internal Audit.
I have over 25 years of experience and a fairly solid background in Internal Control. Thanks, Jerry. I'll turn it back over to you.
Jerry Ravi: Thanks, Rob. Really appreciate it. I'm so happy that you're here with us. You'll hear a little bit more about Rob's role with SOX Compliance and Ovid, even as a client of the firm. So, thank you for being here.
So, we'll go through the agenda quickly. We have a lot to cover today. This is Part 2 of our SOX Optimization series that we have kicked off this year. The first one was in the spring.
So this topic today is really to navigate the landscape, even around 404(a) and (b), even if you're not in that space, and we'll talk a little bit about some of the requirements around 404(a) and (b).
But in essence, what we want to make sure you look at is optimization, how do you do this more efficiently and effectively? And we're really happy that Rob is here to talk about his story at Ovid and our story together with him in how we're able to do that.
So, the key here is to develop a framework and look at some of the efficiencies that you can gain from documentation, risks, risk assessments, and Jerry has a great background in that space, any material weakness or weakness of the deficiency, remediation, and certainly, improving those processes and controls, which is near and dear to Internal Controls over Financial Reporting as well.
So, we're going to hit a lot of these topics today, and we'll certainly make sure that we stop for questions. Please, feel free to ask questions. We'd love to hear from you. I know the last session we had in May, we had so many questions, we actually had to follow up afterwards.
And we'll do the same here. If we're unable to get to your question, we'll make sure we have a follow-up. We're going to go to our first poll, so Bella, I'll pass it to you.
Bella: Poll #1
Jerry Ravi: While you're answering the question, let me just give you a reason why we're asking. We want to give you a sense of or understand, obviously, who's in the audience today. But ultimately, these are a lot of the team members and stakeholders that we interface with around SOX compliance.
So, it's real important to look at each one, because they are a little different, obviously coming from Accounting and Finance, Technology, and even down to External Audit, which we're going to talk about today.
And if it's not applicable, that's okay too. In essence, I think what you'll glean is how to actually improve those processes and controls in a different way, even if you are private and not sitting in any of these roles.
Jerry Ravi: Excellent. Yeah, from the standpoint of where we are, this is similar to last time as well. I'm glad to see Compliance and Internal Audit is up again, as Gerry mentioned, even in Risk and Compliance, and we're interfacing with all of the same stakeholders you see here.
So, important that Accounting and Finance plays a lead role, as well in Financial Reporting, and certainly Technology, although a little lower today. Ultimately, they have a bigger part as a stakeholder in SOX Compliance going forward.
We used this slide the last time, in the last spring May meeting that we had, our webinar. So, I wanted to just focus more on the future trends. When we talk about optimizing SOX Compliance, there's a few different things we want to think about.
Risk-based scoping, automating controls, ongoing and continuous testing, which is really important, documentation, quality training, and certainly, with the Auditors, your communication with them, leverage and optimizing and rationalizing with your External Auditors, how they look at controls, what's important to them.
So, there's a whole gamut of things that you can do, but we're going to hone in on those key items that you're going to focus on, but I wanted to mention those few items, because it is a maturity that we have to go through as we look at the trends.
And it's been around a long time, obviously, 20 years. I've been at the firm 20 years since SOX started, so we have seen a lot, and some of that is baked into this presentation as we continue. But ultimately, what you want to glean is where you need to focus on today on how you want to optimize your controls.
Some key requirements for SOX Compliance and 404 compliance. So let me just start with the left. You have Management on the left-hand side, for sure, on the first two items. So, you have to look at your controls.
So, everybody who's public, whether you're a smaller reporting company or a large accelerated filer, you have to have controls over Financial Reporting, and most important, retain documentation to evidence. That's really important as you're looking at optimization as well.
You have to assess the adequacy and design of those controls, and operational effectiveness. So, we'll talk about design and implementation quite a bit. And then, on the 404(b) front, which, again, we'll talk about more, the Auditor actually has to assess and opine on your controls as well.
The enforcement, we have the SEC and the Public Company Accounting Oversight Board, which has been around since SOX started, just basically overseeing the accounting profession. Why is this important?
We want to understand where enforcements are coming from, because there have been sanctions and fines from the SEC when not having adequate controls and not reporting it properly. And the Public Company Oversight Board, or PCAOB, has come out with inspection results that will impact you and has impacted our clients and those in the public company landscape. So, we want to talk about that as well.
Quickly, I want to just remind everyone, effective internal control frameworks are always important. So, this is iterative. We want to make sure that we look at, I mentioned D&I is the acronym we use, Design & Implementation, so the top portion of this and the bottom-right, and then, obviously, monitoring and reporting.
How can we optimize the three elements of this framework today and going forward? What do we need to do to make sure that we have the proper design, we've implemented those controls, and then we can properly monitor them and do it efficiently, and report on those controls as well, including with the Auditors.
So, I wanted to make sure that everybody knows that having a good framework in mind is really important. So, I'm going to go to PCAOB results. So, we did talk about this last May. We were only able to present 2022. The 2023 results came in. They do inspections of firms across the board, small, medium and large.
Some of you, who are public companies, may already know that you've been picked for inspection, from your external Auditor. So, it's typically something that you'll hear about. So overall deficiencies, unfortunately, are high. So, this last report that came out from 2023 was 46% deficient.
So, it's a steady increase year to year, and even from 2020 to 2021. 2022 was certainly the highest, and now, 2023's results are even higher. So, common issues and internal controls testing include just Auditors failing to gather the sufficient evidence, and because Management didn't have the evidence that was proper, and they just didn't give Management the right information to request the test of controls and support behind it.
But ultimately, did they test the controls effectively, because the Auditors are doing this in conjunction with Management as well. We'll talk a little bit about how you can optimize that process.
So, the impact on audit firms is significant, and it's increasing. And that's important to know because that actually impacts you as you're going through 404(a) or 404(b), because they're going to change their practices and their procedures as well.
So, especially in areas that are highly complex, manual in nature, or that just are higher risk, they may be non-routine areas, things that may have occurred, whether it's M&A or goodwill impairment, it could even be technology, upgrading systems.
So, it's just important to note that there's a risk assessment and a risk-based approach that applies to this as the PCAOB comes up with this inspection report.
So some of the regulations and audit focus areas, what I wanted to mention here, and I know we're going to get into this a little bit when we go through the case study with Gerry and Rob on Ovid, but ultimately, the user access reviews around your systems are really important, high scrutiny around user access reviews.
The information provided by you, the entity, is very important as well. So, the information and report, so key reports, how you're substantiating the review of that report, the accuracy and completeness of that review, and certainly, vendor risk Management, SOC report reviews.
Maybe there's not a SOC report that you can leverage, but there's a lot of scrutiny on vendor risk Management because more often than not, the companies, you especially, and even us as a firm, we're using cloud providers.
We're getting support from third parties, and even fourth parties, so those parties that are actually working with a third party, we need to understand that more, how it impacts financial controls and those areas where we need to have proper controls on our side, even if we're using a vendor. So, these are just a couple of areas that I wanted to highlight.
So, 404(a) versus (b), I wanted to mention a few things. So, I talked earlier about some requirements higher level. Here, what I'm doing is just bifurcating it from Management and Auditor. So, obviously, Management, 404(a), internal controls assessment required by all public companies.
So, you have to do that. Management's responsibility is to make sure that you establish and maintain that adequate control structure and processes and procedures. You do your annual evaluation, which is really throughout the year. You enter them in, your annual, your final review at year-end, whether you're a calendar year-end or a fiscal year-end.
And you have to disclose that assessment in your annual report, in your 10-K. So, that's important to note that there is a process that you need to go through throughout the year, even if you're a newly public company. But an established public company, there's always ways that you can do this more efficiently. There's control self-assessment for low-risk areas, et cetera.
On the Auditor side, this complements 404(a), but in essence, there are designated accelerated filers. So, there's a couple of different thresholds and exclusions here, that I don't have in detail on this slide, which we can go through separately if you wanted to reach out and talk about where you stand.
But more than 75 million but less than 700 million accelerated filers in public float, and then, also, the larger accelerated filers, so over 700 million. There's a couple of different exclusions that they have there.
So, if your revenue is under 100 million and you're also under 700 million, you're still considered a smaller reporting company. There are a couple other things for business development companies as well, but we didn't want to put the nuances in there.
Just to consider, under 100 million in revenue for a revenue test, as well as under 700 million, you're a smaller reporting company, but if you're outside of that, you're considered an accelerated filer. And large accelerated filer, you would need 404(b), which is where the Auditor will test on your controls. So that's important to note.
And as we go into this next polling question, so consider that. If you don't know, it's okay, this D option is for that. So, it may be not applicable, but just let us know where you stand as you answer this polling question.
Bella: Poll #2
Jerry Ravi: Thank you, Bella. And Gerry, I'll pass it to you as you go through the next couple of slides. But in essence, I would assume not applicable if you're here for CPE. Thank you for clicking that one as well. But a first-year-
Gerald Maloney: Hopefully we can-
Jerry Ravi: Yeah, go ahead, Gerry.
Gerald Maloney: No, I said, hopefully they will keep this individual, that's just here for CPE, interested.
Jerry Ravi: Yes, yes, for sure. Currently, 404(b), great. We have a lot of companies, and you're going to hear the story that Rob's going to tell where they went from (a) to (b) and back to (a).
So, we didn't put that as an option because it's somewhat unusual, but there are ways to go back, obviously with the revenue test and the thresholds that are put out there, because there are different thresholds, even if you're a larger accelerated filer.
And a market cap, let's say a 560 million, brings you back down to accelerated filer, but again, we don't want to confuse that. If you have any questions, again, on your status, please reach out to us.
We do this all the time with clients, even work with their attorneys to figure out where you need to be, as well as what you need to do and when you need to start. So, Gerry, I'll pass it to you.
Gerald Maloney: Great, thank you, Jerry. So, this right here is a placement that we've put in front of our clients to give them a high-level understanding, really, of some of the differences between 404(a) and 404(b). Often people underestimate the time, energy, and effort needed for 404(b).
I've heard clients say, "Well, we don't do anything different." And that's simply not the case. There's significantly more communication in getting the External Auditors comfortable with the program that's currently in place.
So, as you can see from the slide, we broke it down into about nine categories. The three I really want to focus on today and right now is the Risk Assessment Review process in coordination with External Auditors.
The reason why I want to focus on these three areas is because these are ripe for creating efficiencies throughout the engagement. Coordinating with External Auditors will be a recurring theme as we go through these.
So, first off, aligning on the risk assessment, that really sets the tone of the engagement and aligns all parties to ensure that there's no discrepancies and differences of opinion on the approach for the current year.
Aligning early-on risk rating, sample sizes, the timeline, is paramount, and it gets all the teams on the same page, and results in decreasing duplicative efforts, and really enhances a better relationship, such as hosting walkthroughs with all the team members, Management, SOX team, and the External Auditors.
That will cut down on the time, energy, and the effort needed for having multiple walkthroughs. And then, the review process is another area. Coordinating with External Auditors is going to optimize your SOX program because it increases the efficiencies.
Aligning with Management on the review process translates to the test steps that we take when re-performing the function of the actual controls that are in place. So, level-setting on these test steps taken by the SOX testing team, be they internal, co-sourced or outsourced, will set up opportunities for the External Auditors to more easily leverage testing performed by the SOX team.
In a lot of instances they'll not do that for the first year. And if you end up having conversations and they feel comfortable with the program and how you're approaching it, you can sometimes change their minds.
So, the last area, which, again, has been the recurring theme here, is the coordination with External Auditors. Having that open communication and status updates keeps the engagement moving forward and holds all parties accountable on your deadlines.
We regularly have conversations, even just off the cuff, with our External Auditors for our clients, regular biweekly cadence meetings to make sure that all parties are aligned. We even share each other's reports for Board reporting prior to having those so that you come to the table aligned.
So, this next slide here is some of the overlaps between 404(a) and 404(b). One of the key aspects with this is, it's really important to remember that just about everything developed for 404(a) can be leveraged for 404(b). It's still the same program and it's still the same cycle.
So, it's important to understand that in most instances, when tripping the threshold from 404(a) to 404(b), the largest change really is, those External Auditors will be doing an integrated audit where they will be opining on your controls.
In prior years, likely for 404(a), they'll likely have questions and comments just regarding most of the instances we see journal entries and certain user access, third-party service provider reviews, and things of that such.
So, one of the best things you can do in your first year 404(b) plan is to plan. Ensure that you present to the External Auditors your plan, and approach it with confidence. Taking time to walk through with them the planning and the risk assessment, the timeline for the walkthroughs, and the testing to align on deliverables for presenting to quarterly Audit Committee meetings is paramount.
Our clients always really enjoy, and the Audit Committee really enjoys when we come to the table with one conversation, aligned as one party and one team, working towards a common goal.
And then, this last slide here that I'm going to go through right now is, we've covered, really, the top two. This is the challenges and impacts of non-compliance. So, we've covered the top two, which are challenges, on the previous few slides. So, realistically, we broke these impacts down into internal and external.
So, it's important to understand, also, the volume of testing impacts Management from day to day. So, all their responsibilities that they have to do, just having a successful SOX program takes time. It's on top of the jobs that these process owners already have, so facing these issues is tough enough.
Another large internal impact is the responsibility of escalating up to the Audit Committee, and those terms with Governance and significant deficiencies and material weaknesses. Having that open communication and establishing that relationship is huge and makes that much easier.
Another non-compliance that can also cause external impacts, so issues with reputation. Current and potential investors' opinions could be impacted by non-compliance. We actually drafted an article a few months back called Material Weaknesses and Internal Controls, the Real Impacts.
That could be found on LinkedIn, as well as the EisnerAmper website will take you through some of the causes and effects of material weaknesses and how to avoid and remediate those deficiencies. So, I'll kick it back over to you, Jerry.
Jerry Ravi: Yeah, thank you for that. I think, ultimately, what we want you to glean too as we go through this particular piece is, what are we focused on, what worked, et cetera. I'll give you a little backstory as well on the case study here that we'll get into with Rob.
And again, you see that top item, 404(a) to (b) to (a), but ultimately, I want to give you some construct. I'm the partner on the account, so I have general oversight for the delivery for SOX, and even amongst other things that we do for the company.
Gerry Maloney here was the Project Manager, and still is, who handles oversight of every aspect of SOX, even getting into the details of testing. And Rob, as he mentioned, Senior VP of Finance, so he had a critical role and was a key stakeholder and seeing this through as the lead.
And of course, beyond us, a lot of other team members were helping as we were transitioning from (a) to (b), and they've been a client for quite a while. So, in essence, it's really some tweaking that we had to do, but there are some things that we needed to focus on. So, you'll see that as we go through this.
So, Rob, I'll pass it to you to talk about, a little intro here for this chat, and we're going to spend a little bit of time here. Again, feel free to ask questions along the way as we're going through this. But Rob, I'll pass it to you just to go through the background and timeline.
Robert Morales: Great. Thanks, Jerry. So, a little bit of background. So, Ovid is a development-stage pre-revenue biotech company focused on rare neurological disorders. During 2021, the company was subjected to the requirements of SOX 404(a).
Under 404(a), the company had robust SOX internal controls and processes, and those controls had operated effectively, although the company was not subject to the requirements of an internal control audit.
In 2022, the company fell into, I would say, I wouldn't call it the trap, but we became subjected to the 404(b) requirements due to a large revenue that the company recorded in 2021, and it was a one-time revenue related to a royalty sale.
And it put us into this threshold or mode of being required to comply with the SOX 404(b) review in 2022. So, as the company was under 404(b), clearly, the company became subjected to an internal control audit for 2022.
So, beginning in June 2022, the company, with the support from the team at Eisner, spent the remainder of the year in preparation for the internal control audit. This included performing process walkthroughs earlier in the year, and including all the stakeholders involved in the process, including our External Auditors, having them sit in with us going through the process walkthroughs.
We documented all processes and the related key controls, and performing remediation where required to ensure the company was prepared and compliant. These efforts resulted in the company having a positive internal control audit with an effective opinion for 2022.
That was something that was... For my colleagues that I've worked with in the past said that that's something that's very difficult to obtain, but we were able to obtain that for 2022, and that came down because of the effectiveness we had and the team that we had working with us from Eisner, and the way we all operated and were cohesive as a team to present our 404(b) program for 2022.
Now, moving into 2023, the company no longer had that large revenue, so we no longer met the requirements for 404(b) reporting, and we reverted back to our 404(a) status. So, that no longer required an audit of our internal controls over Financial Reporting.
But with our company, although that we're no longer subjected to the requirements of 404(b), Management continues to maintain the controls and the related enhanced documentation to evidence those controls. Clearly, the thinking is that at some point we may be a 404(b) company again.
But even though it's very important to maintain those controls and to maintain adequate documentation to verify the performance of those controls, it's just a good thing to do, and it's one of the reasons why we're going to continue to do it moving forward.
Jerry Ravi: Excellent.
Gerald Maloney: Yeah, so we ended up operating in a support capacity with Rob. So, we were with him every step of the way through the whole program of the 404(a) to 404(b), and then back down to 404(a).
So, we ended up enhancing the program quite a bit in terms of, to Rob's point, the completeness and accuracy of certain items, Management Review Controls, level of precision that there was on each one of the areas for 404(b) to give Management, I'm sorry, the External Auditors the information that they needed.
And then, for that (b) to (a) that we ended up doing the next year, we ended up keeping most of the enhancements in place. There were certain areas where we maybe de-keyed if there were duplicative controls that mitigated those same risks.
So, we were able to dial back a little bit on testing, but overarching, it was largely the same program from year to year, which was good because it keeps that consistency.
Jerry Ravi: Yeah, support is really the key theme here that you're hearing, so in essence, you do need a lot of support. So, I'm going to throw a question out to Rob. And Rob, before I do that, I know you talked about that going back to (a) and continuing the process as though you were (b).
It's putting more rigor around the control environment, it's helpful and valuable to the company, and even to the Audit Committee and the Board. You're looking at controls on a continuous basis, you're optimizing it. So, that rigor...
And rigor doesn't necessarily mean it has to be a lot more effort. As you continue, you actually do optimize in the way where you're really focused on the higher risk areas more so than you have in the prior year. So, I think that's important.
Just because the Auditors are not given an attestation and opining on the control environment doesn't necessarily mean that you have to dial it back. And one individual, that's an attendee today, made a comment. I appreciate the comment.
As we were going through that polling question as to whether you're 404(a) or (b), or maybe you're private and you're just here for CPE, that's, again, okay, but whatever is good for public companies is good for private. And we've actually heard that many times before.
So, we have, I know, attendees that are private, that are still looking at internal controls over financial reporting for many years because it's the right thing to do. So, I wanted to hone in on that one comment that Rob made, because I think it's important not to dial it back completely.
Because it is harder to get back if you're sitting at the (a) status. It's almost like you got used to it, and now we're going to continue to optimize it. So, it's not to say that we didn't look at in a different way. We probably looked at the lower risk areas in a different way, but that's important to note.
So, Rob, I wanted to ask you a question just about some of the focus areas for you and the team and the externals that you guys really looked at with that rigor and that support.
Robert Morales: Sure. Thanks, Jerry. Yeah, so the top areas of focus for us were segregation of duties, your vendor management, and documentation of accounting for the non-routine transactions. So, segregation of duties is a challenge for smaller teams, but critical to maintain for good control environment.
As you know, our team is very small, so it's very important for us to ensure that we do have adequate segregation of duties. That's a key for having a good strong control environment. And as you know, the External Auditors focus heavily on segregation of duties as a critical audit review item.
With respect to vendor management, Management needs to maintain a robust review and monitoring process for their key vendor controls, and really, just keep an oversight of their vendors.
Reviewing Vendor SOC 1 reports is critical for good vendor management, documenting the review of the Vendor SOC 1 reports, and the results, and mapping of the client user entity controls is required to support and document Management's review of these key vendor controls.
The Auditors pay very close attention to the vendor controls and how effectively Management monitors them, and we spent a great deal of time on that during the 404(b) audit phase, as you know. The memo process for the non-routine transactions, clearly, that's a very important process.
Documenting evidence of Management review of non-routine transactions, really, that's done to ensure that we're applying the appropriate accounting for transactions. Therefore, it's important that Senior Management is reviewing that.
So, by evidencing that, it's ensuring Management oversight and review of the accounting for these transactions, another critical component for a good control environment, just to make sure that things are being reviewed, they're being prepared, and then, someone else higher up in the organization is reviewing those, ensuring that we have good accounting control in place.
Jerry Ravi: Great. Thank you, Rob.
Robert Morales: Yeah.
Jerry Ravi: So, with that, I want to pivot, really, for Rob and Gerry to have a little bit of back and forth here. So, ultimately, let's talk about the stresses faced when 404(b) came about.
And you heard Rob's story of when, in 2022, as that was moving, we were already somewhat through the year, so we had to pivot fairly quickly, so there were some things that we needed to look at.
So, I'll pass it back to Rob and Gerry just to talk about those stresses that were faced and how we were able to get through it with the timeline that we had.
Robert Morales: Okay. Yeah, I would say the condensed timeline was a critical stress factor for us. We began this process at June 2022, and as you recall, we initially thought that we weren't going to be subjected to 404(b), and then, in discussions with our SEC Counsel, we learned that, "Oh, yes, we do fall into the 404(b) trap for 2022."
So we had to really get on board very quickly with the program and get moving on this, and we were already midway through the year when this started. Gerry, who's on this presentation as well, had just started with Eisner.
So, he onboarded, and then we just started the process and meeting with the External Auditors, operating under this condensed timeline, really, to perform the related control work within such a tight timeframe.
And going through the walkthrough processes, performing the control reviews, identifying areas where maybe we didn't have the documentation in place that 404(b) would require to really provide adequate evidence of performance of controls.
Under 404(a), the company had the total controls in place, and we were confident that the controls were in place and they were operating effectively, but the rigor required for 404(b) meant that it required much more substance with respect to documenting those internal controls. And we spent a great deal of time working on that throughout the year with the Eisner team.
Gerald Maloney:Right, that's true, I had basically started at the firm and then hopped on some intra calls with Jerry Ravi and Rob, and it was quickly evident we have a SOX 404(b) client that we didn't anticipate was going to trip the thresholds, and that we needed to start that whole program, which again, it was very similar to 404(b), "And by the way, welcome to the firm."
So, it ended up being a little stress for a little while just getting to understand, really, the individuals that we're working with. The team's great over at Ovid. They're one of our favorite clients. We enjoy working with them on a year to year basis. We keep current with each other, even outside of working hours with sports and related hobbies, and everything like that, so that's always really good.
So that's just really a testament to also the relationship that we created over the long hours together, working hand in hand, making sure that we ended up getting to the goal that we wanted to, which is safeguarding the company's assets and making sure that they had a successful program in place.
Jerry Ravi:Yeah, Gerry, I'm looking back, and you were onboarded very quickly, to say the least.
Gerald Maloney:Yes.
Jerry Ravi:So, in essence... And I know, Rob, you started with Ovid just before that, for sure. And so, everybody was looking at this net new, which is, in some ways, not a bad thing to try to get a sense of what needs to change.
Gerald Maloney:Yeah, I think that was what made it successful, Jerry. It was fresh sets of eyes, each individual catalog on the program and on the account. So, we were really looking at it in an analytical capacity anyway just because we were learning anyway.
Robert Morales:Correct, correct. And like you said, Jerry... Just still wanted to add, Jerry, like you said, the team itself at Ovid was also fairly new, so we were all just learning as we go and just making the process work.
Jerry Ravi:And I want to reiterate a couple of things for the audience too. We've mentioned this as Jerry and Rob were talking, even Jerry about the 404(a) difference between (b) on that one slide, you honed in on a couple of different things; documentation, even starting with your risk-based approach, and just really looking at that and making sure, again, that you're focused on the right areas, which gets down to where you need to remediate, maybe, enhanced documentation, the ongoing assessment, starting early.
One of the key factors here, and I'm going to ask Rob more about the contributions to success here, that top three, but ultimately, the people who you're partnered with, and how that all works together, including with your External Auditors, so that communication that we see.
One of the biggest factors that I see going from (a) to (b), too, is, literally, in that communication mechanism being effective, is making sure many other people know what's going on, not just in this case, not just Rob, not even just Rob and the Accounting team, but there are many others that are involved, even on the IT side.
That was the reason why we asked about the stakeholders. All of those stakeholders really need to understand what we're trying to do. Now, clearly, the Audit Committee and Board may have a different take on it. We'll be a little more high-level with them, but they understood what was happening.
And we had meetings where we would, instead of a 10-minute Audit Committee read-out on SOX, it would be more like 30 to 45, and we would go through, in some detail, the areas that we're going to focus on. And the External Auditors would too.
So we would have weekly cadences at least. And there were some times where I was interfacing with the External Audit partner probably three times a week. And Gerry and Rob were doing the same, including with the External Audit team. So, that's really important, to make sure we're all on the same page.
So, Rob, just talking about success factors, can you talk a little bit about this top three at the bottom of this slide, and how you navigated through it?
Robert Morales:Sure, sure. Ensuring the processes are designed to permit flexibility, especially for a smaller team like we have, to ensure maintenance of segregation of duties, which, as we discussed, is a critical factor.
And then, a long-term focus on the program design, something that we can continue to do, whether it be monthly or quarterly, or whatever the time frequency that's required, something that the team can actually do with the resources we have available.
Spend the time on the design of your program, work with the internal and external constituents and get them involved and committed to the cause, and keep all parties apprised by maintaining robust communications.
This is a key factor in the success of the 404(b) program and the rollout of the 404(b) program if you're coming from the 404(a) status. With respect to the people, partnerships, et cetera, it's crucial to have the right people on your team assigned to the task.
And when I say that, I mean those folks on the team who are willing to put forth the intense and committed effort required to make the SOX program successful. It's an incredible commitment of time, long hours, late evenings, weekends, et cetera, to make the process happen and make it successful.
It's also crucial to have the right partners working with you to support your program, and utilizing their expertise to ensure the success of the program. So, our Eisner team was on board with us throughout this whole process, and they were able to guide us to ensure that we were doing the right things with respect to the 404(b) program, and leading our hands in some respects to make sure we did everything according to the book.
And then, again, Jerry, to continue on your point of communication, it's critical to maintain robust communications with all parties involved, whether that be the Audit Committee, Senior Management, the External Auditors, and internal teams as well, to keep everyone apprised of the status of the ongoing efforts, what potential concerns or challenges have been identified and encountered, and what are we doing to address those issues.
Again, the whole point is, you're committing all of these entities to moving the organization forward toward a goal, and that goal is, obviously, to get a successful Internal Control Audit and have a positive Internal Control opinion. And ultimately, that's good for the company and that's good for investors.
Jerry Ravi:And everybody was in the same boat in terms of the objective, from the beginning, with the External Audit team included. So, it was a great success story, for sure. So, thanks for that, Rob. I really appreciate you going through all of that. So, we're going to continue on with the next slides, but we're going to go to our next polling question. Bella, I'll pass it to you.
Bella:Poll #3
Jerry Ravi:Thanks, Bella. Yeah, as you answer this, obviously, there's an element of remediation and getting to that early as well, looking at the gaps and making sure, if those gaps can get remediated, even in the third quarter, if you've identified them in the second quarter, that you have a chance to test those remediated controls.
Gerald Maloney:Yeah, and I think that's a good point, Jerry, because you have your program, you started off with your Planning and Risk Assessment, but the reality of it is, you have to remediate and go through your deficiencies for the prior year. That's always what we start off with, making sure that those are remediated, we can test them as remediated and remain intact throughout the remaining portion of the year.
Jerry Ravi:Thank you. Yeah, so we have some in the bucket, or almost even with further scrutiny and multiple deficiencies, including some SDs and MWs. We love acronyms, so we'll keep using them. But ultimately, I think the important part there is how you navigate through that.
Because in essence, you don't want those deficiencies to continue. And we're seeing the scrutiny from the PCAOB, as we mentioned earlier, increase because of the fact that the audit firms are, with the inspection results that I shared, they're looking at some areas with some rigor.
I talked about information used by the control. Again, that could be IT. You could see that in terms of 21%. That increases and has been increasing. We're seeing more and more, just to give you an idea of level of effort. We typically would see anywhere from 15 to 20% of our effort in the IT General Controls area.
Now, it's increasing more to 30%, and even more than that, depending on how much automation you're pushing forth in your controls, which, obviously, aligns to transformation and what companies are doing, do more with less when it comes to technology.
So, it's good even as things are the same. What I would also say there is, look at it in a different way to try to optimize. There's still room for optimization every year, and as a team, we pride ourselves on that, looking at optimization every time we get into planning, scoping, and a risk assessment because there's something there that we may be able to glean that we did in the prior year that we could push forth to enhance the control environment.
So, we'll continue through. With Audit Trail and Documentation, I wanted to focus on this a little bit. I did use a similar slide back in May, and there's a reason for that. Because I think, ultimately, when we talk about documentation, this is an area where you can enhance your program quite a bit.
Again, regardless if it's (a) or (b), but certainly (b), you're going to get more scrutiny around documentation. You heard me say "information used by the control" quite a bit. Those could be the reports that you're using in Completeness and Accuracy.
So, to the left-hand side, the evidence of that documentation, how is that review being done? You see Management Review Controls is a big focus by the Auditors, and should be in your program.
So, whenever you have the MRCs, or Management Review Controls, you want to make sure that the information in that control, and that could be a review of a balance sheet rec specifically, it could be outside of Reconciliations, could relate to even the vendor reports that you're receiving.
So, you just need to make sure of your evidence in that review, and that's also where technology can help you. It's not a check-box that I signed off on it, it's, what did you actually do in the review before you signed off, or, what did you do to sign off? That's the more important piece that's part of the requirement.
And then, again, recordkeeping, do you have a single source of the truth? I think, most of the time when we see errors and omissions or issues, it's because the recordkeeping is an issue. It's not just things are not in the same place, it's, individuals don't really know where to get to the information related to the controls and the evidence and the transactions, and just having that traceability and the ability to do that.
Again, another area where technology can actually help in your program in keeping that intact, that single source of the truth as you get into reviews. You want to be able to be ready. Make sure that you're in a position to be ready for (b) at some point, or be ready for the Auditors, or maybe even a Regulator to ask a question.
That's important in anything you're doing in a control environment. And many of you may have an Internal Audit Department, you may be part of your Internal Audit Department. And clearly, a lot of Internal Audits focus on controls. So, enhancing that process and having a place where you can go and get that efficiently is really important.
And that gets back to even traceability, to the trails that are there, the audit trails that you can go to, and being able to audit efficiently instead of going through many different systems to get to the information.
So, that's part of a lot of regulatory inquiries that we see, not just with your External Auditors, it could be outside of that as well. So, it's not just a one-size-fits-all.
So, as I talk about technology, I'm going to hit a couple of different topics here, just some key focus areas for SOX Compliance that I want to make sure that we throw into the presentation. So, you have your IT General Controls considerations.
There's a particular agile approach that we've seen and we've put forth that is important. So, just being agile and making sure you're looking at it iterative. It's a continuous process. It's not a, "let's do this point-in-time review and let's come back six months later".
So, working with your IT teams and making sure you're using their time effectively at the same time, that's really important, because what I found is, Technology teams, it's different than Finance, and they don't have much time, so you want to use it wisely.
And no one wants to stay till 10 PM at night or later in the week for any reason to go through any type of an audit or regulatory requirement. So let's simplify the compliance approach in how we deal with the regulation.
And then, the role of automation, to the top-right, in your control environment, particularly with IT, is important. I think Technology Enabling, what you do is really important, creating efficiencies, going back to the single source of the truth, do you have a system that you use. We're going to ask a question about that next.
Reduce the manual errors in data collection, making sure that we understand, how are we collecting this information, and how are we doing the analysis on that information? How long does it take for us to do that is really important, because you want to truncate that timeline for getting into the controls, looking at the information, and reporting it out, where you stand.
The last thing we want to do is, if Rob, for instance, gives us information about a Control and Support, we don't want to come back to him three, four weeks later and tell him, "Oh, Rob, you have an issue." We want to get to it fairly quickly. We want his process to get us that information to be efficient as well.
And then, bottom-right, vendor relationships, as we talked about, Vendor Risk Management is really key. Take a fresh look at those vendor relationships, understand, take a risk-based approach to that, to what they're doing for you and what controls they have.
Because we're seeing a lot of issues that come out in SOC reports these days that even relate to the things that we're talking about. It could be the information that's used in their control when they do their assessment that then impacts you.
Other regulatory areas that have popped up this year that we've talked about even in the last session, and we have articles and blogs and videos on this that you can watch, the SEC Cybersecurity Regulation requirements and best practices.
So, using your SOX controls, potentially, to even comply with new cyber regulations is important, or just cybersecurity posture is important. So, you can potentially do that. So, embedding that into your SOX program creates a lot of efficiencies, and it helps your IT Security team.
Whether it's a small team, an outsource team, or it's a big team, it's certainly something you can leverage. And going back to just software solutions for SOX Compliance, just, there's so many different solutions out there. We partner with one, which I'll talk about in a second.
But ultimately, there's many that you can look at, taking a fresh look at how you're doing it and how you can use technology to support your requirements. So, we're going to go to our last polling question. So, Bella, I'll pass it to you again.
Bella:Poll #4
Jerry Ravi:And as you answer, we'll talk a little bit about how you can leverage a particular technology tool, but again, somewhat agnostic, if you wanted to get some information on technology, we can help with that. Just reach out.
And I know we do have a question that we'll go through, because we will have a little bit of time for Q&A. So, if you have any other questions, please, put them in the chat.
Jerry Ravi:Great. Okay, so a little higher than the last time. We're benchmarking some of this information. So, the no was definitely higher, and the yes was lower, and considering a solution was even lower. So, it's good to hear that the folks out there are looking at technology to help.
And you may be able to use the technology that you already have. Some are enhancing their Technology Enablement through Microsoft Teams and SharePoint or Office 365. That's one way to do it. The key is, what you want to consider with technology is the collaboration with all parties, how you're reporting it out, how much time are you spending on deliverables?
How much time are you spending collecting information, how much time are you spending analyzing that information. So, that's really important to consider. One of the solutions that we use for SOX and clients is Workiva and the Wdesk platform.
So, in essence, what I wanted to go through is just how it works. There are other systems out there, of course, but in essence, we create efficiencies. It would take us more time to get through SOX Compliance, maybe about 20% more right now.
And in some clients it's even more than that, depending on their structure. And it's also creating standards, especially when you have team members that are sitting across multiple geographies or global. So, integrating that testing and workflow...
By the way, that also includes the workflow with the External Auditors. Getting information out to them, having them get notified when things are completed and ready for their review, and then holding them to a timeline to come back with feedback, and embedding that in that so-called single source of the truth.
So, it's intuitive for everyone. You're creating those reports and dashboards that the CFO, those in Finance that are attached to the SOX program, and others, including the Board, could get access to, or we present to them through that dashboard.
And not a lot of effort is placed on putting forth the deliverables. They're really dynamic. And they're getting pulled from the information that's in the system. So, it has that powerful relationship, and the data and the relationships within it. So, that's the key.
Even as you get to identifying risks and risk change and documentation changes, updating it once, and it gets pushed out to many areas. So, that's really important. Rob, I actually have a question for you that came up. We just have two more minutes.
What would you say when just looking at the benefits to a private company? Because I know a number of folks on the call, it seems like they're sitting in that bucket where they're not 404(a) or (b), so maybe non-public or private, and having that strong controls. And I know you've been in that space before as well.
Robert Morales:Sure, yeah. Yes, I have Jerry. Thank you. Yes, it's very important to have a solid control environment for your organization, whether it's public or not. As a private company, you may be going to banks to borrow money or you may be doing other types of lending, or you may be financed with private equity or some other sort of financing arrangement.
Having a solid control environment is very important to those parties that may be financing you, whether or not you're public or private. For a public company, clearly, it's dictated by law, but for private companies, it sets you apart as a good... I would call you a good risk if you have solid SOX controls at your organization.
Gerald Maloney:Right. And a good example of that is, even with a simple Due Diligence Report that we put together for our clients, obviously, our Audit team does that, but going through and normalizing the revenue is obviously part of that, and having questions and conversations with everybody involved.
A good portion of that is also, what kind of controls do they have in place, how are they taking the initiative to ensure that somebody is reviewing what the preparer is doing, and they're confident that the financial statements and the processes that they have in place are operating as they're designed, and mitigating, essentially, again, those risks that pose a threat to the organization?
Jerry Ravi:I echo the same. It's good governance, it's good practice, and everybody would see it through and it's going to help recreate value within the company, private or public.
So, just to reiterate, we have a lot of information on SOX Optimization. There's some top themes and articles. Gerry mentioned the Material Weakness article. Please visit our website, you can get a lot of information there.
And just stay tuned for more webinars. We're trying to do them quarterly, more blogs, and even some focus round-table discussions. If you want to be part of that, just reach out. But with that, we will close.
And I just wanted to thank Rob and Gerry for being here. Thank you so much. This was great. And thank you to the attendees. Much appreciated.
Robert Morales:Thank you, everybody. Great.
Gerald Maloney:Thank you.
Transcribed by Rev.com