ZERO to SOX after the JOBS act

Similar documents
Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo

Audit of the Policy on Internal Control Implementation

COSO 2013 Internal Control Integrated Framework FRED J. PETERSON, PARTNER MOSS ADAMS LLP

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions

Sarbanes-Oxley 404. Sarbanes-Oxley Background. SOX 404 Internal Controls. Goals of Sarbanes-Oxley

International Institute of Management

AUDIT EFFICIENCIES: IS YOUR RELIANCE STRATEGY WORKING FOR YOU? Kyleen Wissell, CRISC, PHR, RCC

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

Risk Management Advisory Services, LLC Capital markets audit and control

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX

PwC. Bill 198 Overview September 2004

) ) ) ) ) ) ) ) ) ) ) ) AUDITING STANDARD No. 17. PCAOB Release No October 10, 2013

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Auditing Standard 5- Effective and Efficient SOX Compliance

Charter of the Audit Committee of the Board of Directors

A LAYPERSON S GUIDE INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)

Guide to the Sarbanes-Oxley Act:

Guide to Internal Control Over Financial Reporting

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

OBSERVATIONS FROM 2010 INSPECTIONS OF DOMESTIC ANNUALLY INSPECTED FIRMS REGARDING DEFICIENCIES IN AUDITS OF INTERNAL CONTROL OVER FINANCIAL REPORTING

A Sarbanes-Oxley Roadmap to Business Continuity

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

COSO Internal Control Integrated Framework (2013)

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013

Auditor's Objective in an Audit of Internal Control Over Financial Reporting

SOX FDICIA COSO 2013 Best Practices Presented by: Raji Sathappan MBA, CRCM, CAMS, CISA

Social Sciences and Humanities Research Council of Canada

The Role of Internal Audit in Risk Governance

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting.

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

2nd FCF IPO Conference

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER

Sarbanes-Oxley Section 404: Management s Assessment Process

persist after the IPO may expose the company to stockholder litigation, SEC enforcement action, and criminal prosecution. 8

January 2005 Lynda Radke, CPA CFO, ProCognis, Inc. Abstract 1. Planning for Sarbanes-Oxley 404 Compliance

Internal Controls and Risk Management Report

) ) ) ) ) ) ) ) ) ) ) )

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

How To Get A Tech Startup To Comply With Regulations

Sarbanes-Oxley Compliance at the Federal Reserve Bank of New York

JOBS Act: Eases Capital Formation IPO Candidates and Private Companies

Preparing for a Smooth IPO Process a Guide for In-House Counsel. Preparing for a Smooth IPO Process a Guide for In-House Counsel

CHAPTER 7 PLANNING THE AUDIT: IDENTIFYING AND RESPONDING TO THE RISKS OF MATERIAL MISSTATEMENT

Guide to Public Company Auditing

Beyond Sarbanes-Oxley: Improving Corporate Value With a 4th Generation Balanced Scorecard Approach

OF CPAB INSPECTION FINDINGS

Changeover to the SEC s New Smaller Reporting Company System by Small Business Issuers and Non-Accelerated Filer Companies

Appendix G Implementation Guide (Guide) for the Annual Financial Reporting Model Regulation (Model)

Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect. A Smaller Public Company Perspective

Corporate Governance Code for Banks

J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

Risk Assessment & Enterprise Risk Management

Sarbanes-Oxley Control Transformation Through Automation

Risikobaseret tilgang til revision

SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

Sarbanes-Oxley Section 404 Implementation Practices of Leading Companies

Sarbanes-Oxley Act: Section 404 Practical Guidance for Management*

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS

Internal Control Integrated Framework. May 2013

issuer. The requirements include an obligation to file These Frequently Asked Questions may be read together with

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

MANAGEMENT LETTER. Nassau Health Care Corporation and Subsidiaries

From Vision to Implementation: Integrated Strategic Planning

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

BOTTOMLINE TECHNOLOGIES (DE), INC. AUDIT COMMITTEE CHARTER

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

Audit of the Test of Design of Entity-Level Controls

BAKER HUGHES INCORPORATED. CHARTER OF THE AUDIT/ETHICS COMMITTEE OF THE BOARD OF DIRECTORS (as amended and restated October 24, 2012)

26 February Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

SOX 404 Compliance Challenges for Small Companies

Inspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through No.15)

How To Audit A Company

Blending Corporate Governance with. Information Security

Considering an IPO? The costs of going and being public may surprise you

Third Party Risk Management 12 April 2012

Management s Discussion and Analysis

Ten Steps to SOX Compliance for Smaller Public Companies

In a Search for Regulations on Risk Management, Internal Control and Internal Audit

Jumpstart Our Business Startups ( JOBS ) Act

Roles and Responsibilities Corporate Compliance and Internal Audit

Audit of Financial Management Governance. Audit Report

Chapter 5. Rules and Policies NATIONAL INSTRUMENT CERTIFICATION OF DISCLOSURE IN ISSUERS ANNUAL AND INTERIM FILINGS

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

How quality assurance reviews can strengthen the strategic value of internal auditing*

The PNC Financial Services Group, Inc. Business Continuity Program

Transparency of Firms that Audit Public Companies

The Auditor s Communication With Those Charged With Governance

Service Organization Control Reports

The Procter & Gamble Company Board of Directors Compensation & Leadership Development Committee Charter

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Initial Public Offering. Are you ready to float?

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

CVS HEALTH CORPORATION A Delaware corporation (the Company ) Audit Committee Charter Amended as of September 24, 2014

NYSE Listed Company Manual Section 303A Corporate Governance Standards Frequently Asked Questions

About ARMA International

Internal Financial Controls

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

3.B METHODOLOGY SERVICE PROVIDER

Transcription:

ZERO to SOX after the JOBS act AN OVERVIEW The process of building a sustainable, comprehensive internal control environment sufficient to comply with the Sarbanes-Oxley act of 2002 (SOX) requires a significant investment of organizational resources. During April 2012, the Jumpstart Our Business Startups (JOBS) Act became law creating an "IPO on-ramp" for emerging growth companies. An emerging growth company is generally defined as a company with less than $1billion in annual gross revenue in its prior fiscal year. Emerging growth companies are temporarily exempted from the internal control audit requirements of SOX, whereby their independent auditors are required to report on management s assessment on the effectiveness of the company s internal control over financial reporting. A company would no longer be an emerging growth company five years after completing its equity IPO OR if it meets any of the following criteria. More than $1 billion in gross revenue, Issues more than $1 billion in non-convertible debt in a 3-year period, or Is a large accelerated filer (generally, public float of $700 million or more) While this exemption affords an organization a lengthened time-line to address the external audit requirement, it does not apply to the management reporting requirements of Section 404 of SOX. The requirement that remains is that a company s annual report contain an internal control report that; states management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, contains an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. In planning for and during the five years following an IPO, an emerging growth company should take a riskfocused approach to SOX compliance by specifically identifying, implementing and monitoring those internal controls that enable management to achieve these regulatory requirements with confidence as well as practice good corporate governance. At SSF we have re-structured our Zero to SOX implementation process to assist organizations in this evolving endeavor.

TIMING Year One Pre-SOX Activities: Activities in the first post- IPO year are focused upon the identification of HIGH Risk processes and the implementation of the documentation and monitoring activities necessary to support management s annual reporting requirements under Section 404. Specific project phases during this period are: Planning and Scoping Documentation of Processes and Controls Internal Control Design Assessment Control Testing Remediation of Design and Testing Deficiencies Years Two and Three Pre-SOX Activities: Activities in the second and third post-ipo year are focused upon evaluating and understanding the company s internal control priorities in light of the company s growth and evolution. Monitoring activities necessary to support management s annual reporting requirements under SOX continue. Specific project phases during this period are: Internal Control Design Assessment Control Testing Remediation of Design and Testing Deficiencies Year Four Pre-SOX Activities: Activities in the fourth post-ipo year add the additional objective of documentation and assessment of the MODERATE and LOW Risk processes. Evaluating and understanding the company s internal control priorities in light of the company s growth and evolution continues along with monitoring activities necessary to support management s annual reporting requirements under SOX. Specific project phases during this period are: Planning and Scoping Documentation of Processes and Controls Internal Control Design Assessment Control Testing Remediation of Design and Testing Deficiencies Year Five SOX Activities: Activities in the fifth post-ipo year are focused upon the monitoring activities necessary to support management s annual reporting requirements under SOX continue and those necessary to support the integrated audit work of the company s external auditors. Specific project phases during this period are: Planning and Scoping Internal Control Design Assessment Control Testing Remediation of Design and Testing Deficiencies

ZERO TO SOX IMPLEMENTATION PROCESS OVERVIEW At SSF we have organized the Zero to SOX implementation process into distinct phases. The activities and milestones in each phase are designed to be integrated resulting in an efficient and effective process. A discussion of the objective and elements of each phase follows. PLANNING AND SCOPING PHASE In this phase of the Zero to SOX implementation, Management's team assesses the key financial reporting accounts and footnotes, including supporting processes. This phase will include evaluating quantitative and qualitative factors to determine the High Risk processes and applications for SOX compliance, as well as the risk of misstatement associated with these processes and applications. A critical aspect of the initial preparation is the development of a top-down, risk-based approach consistent with guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). PLANNING AND SCOPING MILESTONES Identify Project Manager and Implementation Team Members: Clear project management responsibilities and multi-departmental team project team membership is key to an integrated and effective project. Identify Significant Accounts: To maximize the efficiency of Management's SOX compliance efforts it is essential to identify the accounts that have a material impact on Financial Reporting. Utilizing best practice guidance on materiality, the SOX team calculates the significant account threshold and utilizes this along with qualitative factors to identify the significant accounts at the trial balance level. Identify In-Scope Process and Application: Utilizing the significant account listing identified above, Management's team identifies the underlying business transaction cycles and automated processing applications that impact the significant accounts. These are the processes and applications that will be documented and assessed in later phases. DOCUMENTATION OF PROCESSES AND CONTROLS PHASE Management's team determines the risks of material misstatement for each process identified in the Planning and Scoping Phase, documenting the current control environment, and assigning the ownership of certain processes and controls to key internal stakeholders. The control environment consists of those entity-level, transaction-level, and information technology general controls (ITGC) that affect the financial statement accounts and footnotes that were defined during the Planning and Scoping Phase. This documentation typically takes the form of flow charts and narrative documents that detail the business process transaction cycles. Risks and controls are identified and documented in matrixes to allow for a full evaluation of how well risks are controlled and form the basis for the Control Design Assessment Phase.

DOCUMENTATION OF PROCESSES AND CONTROLS MILESTONES Document the Current Control Environment - Transaction Cycles: Utilizing standardized internal control walkthrough procedures, Management's team creates a narrative document of the in-scope business transaction cycles identified in the Planning and Scoping Phase. Document the Current Control Matrix: Management's team will analyze the process documentation created in the previous step to identify existing controls that address the risk of misstatements for the significant accounts identified in the Planning and Scoping Phase. These controls will be summarized by transaction cycle and presented in a COSO Risk Control Matrix for control design assessment. CONTROL DESIGN ASSESSMENT PHASE Management's team evaluates the design of the controls identified during earlier Phases. Proper control design will help ensure the effective mitigation of the risks of material misstatement and achieve the control objectives that have been defined for each business transaction cycle process. Effective control design will usually include controls with a variety of characteristics (preventive, detective, automated, and manual, for example). During this phase, Management's team identifies controls that are missing or designed improperly to achieve the objectives. CONTROL DESIGN ASSESSMENT MILESTONES Evaluate Existing Control Design by Transaction Cycles: Management's team will analyze the COSO Risk Control Matrix created in earlier phases and evaluate the sufficiency of current control procedures for each transaction cycle and significant account documented. Provide Control Design Recommendations by Transaction Cycle: Management's team will recommend procedural changes for business processes where it is determined that existing controls are either deficient in design or in application. Recommendations will be specific to process, frequency and control owner. Observe Control Design Recommendation Implementation: Management's team will oversee the implementation of all procedural changes and observe at least one cycle of operation prior to commencement of Control Testing Phase. Document Revised COSO Key Control Matrix And Update Business Transaction Cycle Documentation: Management's team will update the key control matrix and revision of business transaction cycle process documentation to reflect the implementation of procedural changes identified above prior to commencement of Control Testing Phase.

CONTROL TESTING PHASE Once the processes, risks, and controls have been defined and design assessed the focus of Management's team shifts to testing the operating effectiveness of internal controls. A testing regimen is developed that is consistent with the risk-based approach established in Planning and Scoping and with the most recent SEC guidance. Typically, the team establishes a testing standard consistent with the guidance and input from the external auditor that articulates transaction sample sizes based on risk and control characteristics. Testing should be performed early enough in the year to enable management to remediate control failures so that the controls can be retested with sufficient transaction population sizes later in the year. Management's team should document and share test results with all stakeholders so that plans for remediation can be made. CONTROL TESTING MILESTONES Prepare Key Control Test Plans: Management's team will prepare control test plans for all key controls identified in Control Design Assessment. These will include the intended test procedures and timetable for all Key controls and be reviewed with external auditors to insure coordination with their efforts. Coordinate Testing Timeline With External Auditors: Management's team will present control test plans and timeline to external auditors for coordination with external audit procedures Execute Testing: Management's team will execute test procedures for all controls selected for testing. Summarize Test Results and Report to Project Manager: Management's team will report results of testing to project manager. Emphasis will be placed on failed controls requiring remediation. Provide Remediation Plans For Failed Controls: Management's team will provide remediation plans to the project manager and external auditors for all key controls that failed testing. Remediation plans will address procedural and resource requirements. REMEDIATION OF DESIGN AND TESTING DEFICIENCIES PHASE Remediation is the correction of controls deemed weak or ineffective. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when (a) a properly designed control does not operate as designed or (b) when the person performing the control does not have the authority or competence necessary to perform the control effectively. Once deficiencies in the design evaluation are identified or failures in the control testing are found, they are reported to Management's team and process owners to develop a plan for taking timely corrective action.

REMEDIATION OF DESIGN AND TESTING DEFICIENCIES MILESTONES Implement Remediation Plans: Management's team working with affected process owners will establish timelines and metrics for the implementation of the approved remediation activities. Monitor Remediation Plans: Management's team working with process owners will monitor the progress of remediation efforts and revise timelines or processes as required. Summarize Results and Report to Project Manager: Management's team will report results of remediation activities to project manager. Summarize Results and Report to External Auditors: Project manager will report results of remediation activities to external auditors consistent with their requirements. FILING-YEAR: CONTROL TESTING AND RETESTING PHASE Testing should be performed early enough in the year to enable Management to remediate control failures so that the controls can be retested with sufficient transaction population sizes later in the year. The SOX team documents and shares the test results with all stakeholders so that plans for remediation can be made. Following up and retesting failed controls is equally critical. As noted earlier, once a failed control has been remediated, it must be retested to demonstrate its operating effectiveness. Retesting of failed controls should be performed after a post-remediation population of sufficient size has been accumulated. The final two quarters of the filing year are critical. Retesting results must be positive in these two quarters to allow the CEO, CFO, and external auditors to state that the control environment is effective as of the fiscal year-end. The SOX certification validates the controls effectiveness at a point in time (at year-end) not over a period of time. Thus, once the control has been retested and found effective, the failures that were identified before remediation no longer factor into the company s conclusions. Once the fiscal year is complete, activities to complete the SOX compliance program remain. Any additional processes and controls that occur after or in conjunction with the Form 10-K preparation will require testing along with year-end closing procedures and disclosure processes. The external auditor and Management's team must also evaluate and rate any un-remediated deficiencies based on how much impact they could have on the financial statements.

FILING -YEAR: CONTROL TESTING AND RETESTING MILESTONES Update Key Control Test Plans: Management's team will evaluate control test plans in light of previous test results for all Key controls identified in Control Design Assessment. All changes will be reviewed with external auditors to insure coordination with their efforts. Execute Testing: Management's team will execute test procedures for all controls selected for testing. Summarize Test Results and Report To Project Manager: Management's team will report results of testing to the project manager. Emphasis will be placed on failed controls requiring remediation. Provide Remediation Plans For Failed Controls: Management's team will provide remediation plans to the project manager and external auditors for all key controls that failed testing. Remediation plans will address procedural and resource requirements. Evaluate Failed Controls: Management's team will prepare an evaluation of the impact of any failed controls on financial reporting. This will be coordinated with the external auditors to support their evaluation as well. Report to Audit Committee: Management's team will provide reporting to the Audit Committee summarizing the annual compliance efforts and results of testing as well as recommendations for future periods. ATTRIBUTES OF A SUCCESSFUL ZERO TO SOX PROCESS Successful projects have certain features in common. Management sets the right tone from the top. It provides visible support and multiple communications to the organization on the program s importance and sets the proper expectations of the organization at the steering committee and audit committee levels. The Board in particular the Audit Committee is actively involved in understanding significant issues and expects regular communication from management on progress and results. Management's compliance team coordinates all events and participants to keep the compliance program focused. SOX compliance involves senior management, process owners (from accounting, finance, IT, HR, operations, legal, and across operating units) along with board members, and external auditors and external consultants supporting management's implementation. To minimize the chance of unforeseen expectations or unfulfilled audit requirements, external auditor collaboration occurs at every step of the process. This includes collaboration on scoping, control design, remediation plans, testing results, and steering committee meetings. IN CONCLUSION The Zero to SOX process designed with clearly defined goals, executed by experienced team members will lay the foundation to meet your company s regulatory compliance requirements as well as practice effective corporate governance now and into the future.

ADDITIONAL INFORMATION Feel free to contact us on this, or any other accounting or reporting issues, at info@ssfllp.com or our team below: Jeff Stark, Audit Partner jstark@ssfllp.com With over 22 years of dynamic business experience, Audit Partner Jeff Stark is dedicated to quality financial reporting where he specializes in revenue recognition, complex debt/equity transactions accounting for income taxes, and purchase accounting. Combining his audit expertise with his extensive background in information technology and internet security, Jeff is also an expert in information risk management services, including SSAE16 Service Organization Control (SOC) reporting and IT general controls (ITGC) consulting. Jeff works extensively with professionally managed venture-backed companies seeking to grow and ultimately be acquired or pursue an IPO path. He works with clients in enterprise software, cloud/saas, network equipment, internet security software, fab-less semiconductor, development stage enterprises, healthcare, internet advertising, print media, market research, and communications. Jeff is a dual graduate of San Jose State University, where he received his bachelor s degree in management in 1990, and a master s degree in accounting in 2004. He is a licensed CPA in the state of California and an active member of the AICPA. Bill Phillippe, Senior Audit Manager bphillippe@ssfllp.com With over 20 years experience in public and private accounting, Bill Phillippe has worked as a chief financial officer for multiple start-up companies and as a controller for a publicly traded company. Now as a senior audit manager at Sensiba San Filippo, Bill teaches clients best practices for establishing internal controls and keeping them apprized of the changing requirements. Bill works extensively with clients in technology, consumer products, and medical device manufacturing and specializes in audit and assurance services, Sarbanes-Oxley compliance, and the evaluation of internal controls. He is an expert in the development and implementation of accounting processes, preparation for annual audits, and the creation of business modeling programs. Bill received his bachelor s degree in accounting from Illinois State University in 1984.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information