SOX Frequently Asked Questions
1. What is SOX Section 404 compliance in plain English?
The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to large corporate financial scandals involving Enron, WorldCom, and Arthur Andersen. The intent of the SOX legislation is to ensure financial reporting accuracy in order to, in part, avert a recurrence of these tragic scandals. For non-accelerated filers, SOX Section 404(a) requires Management's assessment regarding the effectiveness of internal controls over financial reporting to be included as a report submitted with the Company's Annual Report on Form 10-K for years ending December 15, 2007 or later. Section 404(b) requires an auditor's attestation regarding the effectiveness of internal controls to be included as a report submitted with the Company's Annual Report on Form 10-K for years ending December 15, 2008 or later. The SEC Proposed Rule 33-8889 would extend the requirement date of Section 404(b), the auditor's attestation, from being required for years ending December 15, 2008 or later to being required for years ending December 15, 2009 or later. On June 23, 2008, this proposed ruling was formally approved by the SEC; therefore, the current requirement of the auditor attestation to be submitted with the Company's Form 10-K has been extended to years ending December 15, 2009 or later. However, Section 404(a) is still in force and must be completed on an annual basis.
Update: On October 2, 2009, the SEC announced a further deferral of Section 404(b) for non-accelerated filers. The new compliance date for this portion of the Sarbanes-Oxley Act has been set for June 15, 2010. Companies with fiscal year end dates of 6/15/10 or later must comply with Section 404(b) (external auditor attestation). The SEC also announced that this delay would be the last one for non-accelerated filers. Section 404(a) remains intact.
On July 21, 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law. Section 989G states that non-accelerated filers are now exempt from the requirement of the Sarbanes-Oxley Act's Section 404(b), the external auditor's attestation of a non-accelerated filer's assessment of internal controls over financial reporting. However, for a non-accelerated filer, the following is still intact:
- Section 404(a) remains in full force: a management assessment of internal controls over financial reporting must still be completed annually.
- The assessment must be performed by both a competent and objective party per SEC guidelines.
- The assessment must include examining/testing IT controls in addition to financial and accounting controls.
- Companies must still include a certification of financial controls as part of their annual 10-K or 20-F statement.
- SOX Section 302(a) quarterly disclosure controls certification must still be completed.
2. Why is SOX so complex?
The long-awaited SEC interpretive guidance removed the uncertainty about how flexible management could be in its efforts to implement 404 programs. While the guidance created an opportunity for management to rethink its programs by sharpening its focus in areas of highest financial reporting risk, it neglected to provide a clear directive on exactly how best to execute that strategy.
3. I only have 4 people in my company. How can I afford complex SOX controls?
Controls do not have to be complex to be effective. Your control environment can be properly aligned to the size of your business. Reports show that companies with effective controls experience an increase in average share prices over companies with ineffective controls. See The Lord & Benoit Report: Do the Benefits of 404 Exceed the Cost?
4. How does Lord & Benoit drive down costs to make SOX Section 404 affordable?
The secret is in the Lord & Benoit framework. Lord & Benoit has extensive experience in scaling an assessment to the size and complexity of your business. This is primarily achieved by adjusting the framework to focus only on critical path areas.
5. Will I have to hire more full-time people to comply with SOX?
Our experience has been that additional full-time personnel were not needed for any of our clients. Also, investments in software packages, frameworks and other tools are not required. Lord & Benoit provides everything needed.
6. How does SOX apply to my foreign subsidiary?
All companies, regardless of location, are subject to SOX Section 404 if they participate in the US capital and/or bond markets. Within a company, only in-scope locations (i.e., locations that exceed a threshold of materiality) are subject to the assessment. Please check with your SEC attorney for further information.
7. What is different about Lord & Benoit from other firms doing SOX Section 404 compliance?
Lord & Benoit focuses on a top-down, risk-based approach which directs the assessment to the areas that really matter. Our scalable framework adjusts to your environment and changes as your company changes. Our techniques, including “Virtual SOX”, allow for maximum flexibility and minimal management disruption.
8. What is involved in the assessment?
Please check out our online presentation.
9. With regard to reporting, what is the difference between a deficiency and a material weakness?
There are three levels of deficiencies, with material weakness being the most serious. A control deficiency is typically reported to management. A significant deficiency is reported to management, the audit committee and external auditors. If material weaknesses are found during the assessment, management must disclose to the audit committee, external auditors and the SEC (via the 10-K report).
10. Will Lord & Benoit issue my 10-K report for me as part of your service?
By law, management is responsible for the creation and certification of their annual 10-K report. However, Lord & Benoit will assist in drafting the SOX Section 404 component of the report.
11. What happens if the external auditors find a material weakness in our company's internal controls?
Material weaknesses in internal controls over financial reporting must be reported in your 10-K report as part of your SOX Section 404 management assessment. Additionally, plans for remediation should be documented and carried out.
12. How is Lord & Benoit able to have such success with remote clients worldwide?
Besides traditional onsite testing, Lord & Benoit can utilize a method that it has pioneered called “Virtual SOX.” This approach allows us to remotely conduct major portions of your assessment with effective results. See our link “Worldwide Accessibility” for more information on “Virtual SOX”.
13. We have good accountants. Why can’t they do our SOX assessment?
They can, but remember that effective SOX Section 404 compliance evaluations require a strong grasp of FASB, SOP, FIN, EITF standards as well as an in-depth understanding of IT control frameworks, COSO requirements, audit experience and other complexities. Additionally, the SEC has stressed that objectivity is an important and critical component of a successful assessment.
14. What happens if we just decide to not comply?
SOX legislation provides criminal and civil penalties such as fines, restrictions and even imprisonment associated with various degrees and matters of non-compliance.
15. What is the top-down risk-based assessment Lord & Benoit features in its approach?
We begin by examining your financial statement and then work to identify significant accounts, locations and processes. We assess risk and customize our framework to your business. As the circumstances of your business change and as the regulatory environment changes, we adjust the framework accordingly.
16. How much of our management’s time will be required if Lord & Benoit assists in our SOX Section 404 assessment?
Although that depends on the specific circumstances of your company, Lord & Benoit is known for minimizing management’s time and effort throughout the length of the engagement.
17. Our company has just gone public. Don’t we get a grace period before we are required to comply with SOX legislation?
Please check with your SEC attorney regarding your company’s specific filing requirements.