Sarbanes-Oxley Compliance Services
The Sarbanes-Oxley (SOX) Act of 2002, specifically Section 404, requires the CEO and CFO of a public company to document and assess as of the end of every annual reporting period that they established, maintained, and tested the operating effectiveness of the public company’s internal control over financial reporting (ICFR). The independent auditor of the public company must then provide an opinion on management’s assessment of the public company’s ICFR. The CEO and CFO also have to certify as of the end of each quarterly and annual reporting period that they are responsible for the design and operating effectiveness of ICFR based on Section 302 of the SOX Act.
Public companies establish compliance with the SOX Act by developing a compliance plan that includes the appropriate criteria to ensure that significant financial reporting risks have been identified and assessed and that key internal controls have been put in place to mitigate those risks. The most prominent guideline utilized by public companies is the Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Overall, the process to ensure compliance with the SOX Act requires public companies to have specialized knowledge of the SOX Act requirements, the COSO Framework, and the internal control auditing methodologies followed by the independent auditor.
LBMC’s Sarbanes-Oxley Specialists have extensive knowledge and experience with the SOX Act, Section 404 documentation and testing requirements, the COSO Framework, Generally Accepted Accounting Principles (GAAP) and Public Company Accounting Oversight Board (PCAOB) Auditing Standards (specifically AS 2201). We have been assisting numerous public companies with their SOX Compliance programs, working closely with their independent auditors. Whether you are a mature public company or a company in the process of entering the public market through a traditional public offering (IPO) or a special purpose acquisition company (SPAC), we can help you with your SOX Compliance. Our services can be packaged or selected à la carte based on your desired support and include the following:
- Documentation and Assessment of Compliance with the COSO Framework
- Risk Assessment Facilitation
- Documentation of Significant Processes and Systems
- Financial Reporting Risk and Internal Control Assessment
- Internal Control Testing and Reporting of Testing Results
Why outsource SOX compliance?
LBMC has a team of SOX Compliance experts and a well-established SOX compliance process that helps companies establish or continue compliance with the SOX Act in an efficient and cost-effective manner. Our resources can be allocated among multiple clients thereby reducing costs and providing significant cost savings to you.
Companies that outsource the SOX compliance process generally meet the following profile:
- Company is in the process of entering the public market through an IPO or a SPAC and doesn’t have an established framework to manage SOX compliance nor the resources necessary to establish a well-rounded and compliant program.
- Public company has experienced a significant increase in costs to retain the talent that is needed to manage SOX Compliance and/or is unable to leverage the expertise within the organization, resulting in underutilization of talent.
- Public company is unable to attract the talent that is needed to manage SOX Compliance.
LBMC SOX Compliance Services
LBMC provides a variety of SOX Compliance services which can be tailored to the needs of each company. The services that we typically provide include one or more of the compliance phases described below:
Documentation and Assessment of Compliance with the COSO Framework
We assist clients with documentation and assessment of compliance with the COSO Framework, completion of the COSO Framework templates, and assessment of control gaps. In addition, we provide entity-level control testing services for key governance controls identified when assessing compliance with the COSO Framework.
Risk Assessment Facilitation
When assisting clients with a risk assessment, we follow a top-down, risk-based approach to ensure that future compliance efforts focus only on critical processes and systems. The purpose of the risk assessment is to identify the significant financial processes and systems that will be documented and tested as part of the SOX compliance process.
We work alongside your internal audit department or directly with company management to understand the systems that generate your financial reporting and assess your risks related to reliability and accuracy of financial reporting. Then, we develop a list of internal controls that are or should be in place to safeguard the financial reporting process.
Documentation of Significant Processes and Systems
We can effectively document an organization’s significant processes and systems in an efficient manner. This phase of the SOX compliance process is often cumbersome due to the detailed interviews and documentation efforts that are necessary for all significant processes and systems.
By maintaining continuity on your SOX audit engagement year after year, our auditors develop a deep level of familiarity with your processes and systems, and you don’t have to waste time re-training our team members. This level of familiarity enables not only the most efficient SOX compliance but also strong working relationships.
Financial Reporting Risk and Internal Control Assessment
As we develop our understanding of our clients’ critical processes and document the related systems, we will assess the key risks inherent within each process to determine which key risks would most likely prevent the related processes from meeting their objectives. We will then understand and assess the key controls in place to mitigate those risks. We will then report any control gaps for remediation.
Internal Control Testing and Reporting of Testing Results
After the key internal controls are identified, we work with our clients to develop testing plans to assess the operating effectiveness of those controls. During this phase, we will communicate frequently with the related financial statement auditor to ensure we agree on the controls being tested, the frequency and timing of the testing, the documentation of the testing and the related testing sample sizes. Communication is critical during this phase to ensure all parties are on the same page.
During the testing, we provide frequent updates to client management to ensure all control deficiencies are known and corrected as soon as possible. In addition, after testing, we will provide formal reporting to management and the related audit committee, if requested.