How to take a risk-focused approach to SOX compliance

Bill Philippe
Senior Audit Manager, Sensiba San Filippo LLP

In April 2012, President Barack Obama signed into law the Jumpstart Our Business Startups Act. Meant to encourage initial public offering activity, the act includes certain provisions that impact the application of Section 404 of the Sarbanes-Oxley Act, which requires management to establish and maintain internal control procedures for financial reporting. So how do emerging growth companies cope?
Smart Business spoke with Bill Philippe, a senior audit manager at Sensiba San Filippo LLP, about SOX compliance and the JOBS Act.
How would you define an emerging growth company and the requirements in question?
An emerging growth company generally has less than $1 billion in revenue in the fiscal year prior to its IPO and its status generally lasts for five years after its IPO. It is exempted from the internal control audit requirement of Section 404 of the SOX Act. In practical terms, this exemption from the audit requirement should reduce the cost of compliance for an emerging growth company, as its auditors will not be required to audit its internal controls over financial reporting (ICFR), thereby reducing the scope and focus of the annual audit process. However, emerging growth companies are not exempted from the management reporting requirements of Section 404 of SOX.
The most challenging aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company’s ICFR. This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires a significant sustained effort.
Under Section 404, management is required to produce an ‘internal control report’ as part of each annual Exchange Act report. It must affirm ‘the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.’ The report must also contain an assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. To do this, companies generally adopt an internal control framework such as that described by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
What should an emerging growth company do following an IPO?
During the five years following an IPO, an emerging growth company should take a risk-focused approach to SOX compliance by specifically identifying, implementing and monitoring those internal controls that enable management to certify the design and operating effectiveness of controls with confidence.
You want to develop a SOX implementation process that is designed with clearly defined goals and executed by an experienced team. You need to lay the foundation for your company’s regulatory compliance requirements as well as practice effective corporate governance now and into the future.
How does the post-IPO process break down?
Activities in the first post-IPO year are focused upon the identification of high-risk processes and the implementation of the documentation and monitoring activities necessary to support management’s annual reporting requirements under Section 404.
The focus in the second and third post-IPO years is on evaluating and understanding the company’s internal control priorities in light of the company’s growth. Monitoring activities necessary to support management’s annual reporting requirements continue.
In the fourth post-IPO year, add the additional objective of documentation and assessment of the moderate- and low-risk processes. Evaluation of the company’s internal control priorities continues along with monitoring activities necessary to support management’s annual reporting requirements.
Monitoring activities necessary to support management’s annual reporting requirements continue in the fifth year, as do those needed to support the integrated audit work of the company’s external auditors.
What are the effects of the recent changes to the Internal Control – Integrated Framework?
On Sept. 18, COSO released Internal Control over External Financial Reporting: Compendium of Approaches and Examples.
It includes the Updated Internal Control – Integrated Framework, which reflects feedback from its recently closed comment period and the proposed Illustrative Tools: Assessing Effectiveness of a System of Internal Control.
The compendium illustrates how the principles set forth in the proposed updated framework can be applied in designing, implementing and conducting internal control over external financial reporting. It provides additional reference material for concepts discussed within the framework, including types of external reporting, suitable objectives, judgment, overlapping objectives, deficiencies in internal control and smaller entities.
The Updated Internal Control – Integrated Framework was initially made available for public comment in Dec. 2011, and incorporates the following major changes from the original 1992 framework:

  • The financial reporting objective was expanded to address internal and external, financial and non-financial reporting objectives.
  • An increased focus on operations, compliance and non-financial reporting objectives.
  • Codification of the 17 principles that represent the fundamental concepts associated within the five components of internal control.
  • Expanded discussion of the governance role of the board of directors and committees of the board.
  • The changes in technology and how they impact all components of internal control.

Companies should assess the impact that the expanded areas of focus in the updated framework will have on their current internal control processes and draft an implementation plan for any enhancements deemed necessary by internal stakeholders and those charged with governance.

Bill Philippe is a senior audit manager at Sensiba San Filippo LLP, a regional CPA firm based in the San Francisco Bay Area. Reach him at (650) 358-9000 or [email protected].

Insights Accounting is brought to you by Sensiba San Filippo