One way of enhancing that value is to undertake the initial steps required for Sarbanes-Oxley (SOX) compliance.
Completing those steps signifies that a private company has identified and evaluated its highest-risk areas and designed controls to mitigate those vulnerabilities. Controls exist then to ensure completeness and accuracy in financial reporting processes and other significant activities. Controls exist to combat errors, fraud and other threats.
Completing those steps signifies that an organization recognizes the importance of having formal corporate governance practices in place. Those practices indicate that the company has attained a level of control maturity, a maturity that can sustain and guide the entity through growth and change. But that degree of control maturity influences an organization’s future options and opportunities. Consider the following examples:
• A privately-held manufacturer’s owners may wish to sell the company within a few years. Having completed those initial SOX compliance efforts increases the likelihood that the prospective purchaser will be favorably impressed with the manufacturer itself. The potential buyer is then more likely to pay a premium price for the entire business, rather than just negotiating purchases of selected assets, such as production facilities or a specific product line.
• Founders of a software development firm may pursue additional investment capital to fund future growth. Attaining that funding requires subjecting the firm’s business model, internal controls and other factors to considerable scrutiny. Having completed some SOX efforts helps allay investor concerns regarding potential risks.
• S Corporation shareholders of a community bank may be aware that larger publicly-traded banks are exploring local acquisition opportunities. Those larger banks, though, must integrate any acquired bank’s activities within their own SOX compliance efforts. If this community bank has already met some SOX requirements, that integration is less expensive and requires less effort. The community bank’s attractiveness as a potential acquisition increases.
• In a liquidation scenario, an organization enhances its value by completing initial SOX compliance requirements, while also providing litigation protection to outside directors. Enhancing that value begins with understanding the scope and concerns addressed in initial SOX compliance efforts.
Phased SOX Compliance JANET–PLEASE INSERT CHART HERE
A private organization anticipating a future liquidation or exit transaction event does not need to comply with all SOX requirements. It should, however:
• Conduct a risk assessment.
• Identify significant business processes.
• Determine the levels of vulnerability associated with those significant business processes.
• Design controls to mitigate those vulnerabilities.
Once those items are addressed, the organization faces lower costs and less effort later if it needs to meet full SOX compliance as an acquisition of a publicly-traded corporation.
Initial SOX compliance efforts require involvement from the company president and managers responsible for overseeing financial and operational concerns. To minimize business disruption while completing compliance tasks, an organization should begin its efforts at least a year before it anticipates a transaction event; a lead time of two years or longer is preferable. Those efforts begin with undertaking a company-wide risk assessment and identifying significant business processes.
A company-wide risk assessment examines all of the processes associated with a business, identifies the most crucial processes, determines the vulnerability associated with those significant processes, and the likelihood and impact associated with each related risk.
While every business is unique, each organization generally relies upon 15 to 20 processes for its various functions, with five or six of those processes regarded as crucial or significant. Those significant processes encompass financial reporting, information technology (IT) and vital operational functions as they apply to a specific organization.
Inventory, for example, represents a substantial operational expense for a manufacturer. Related significant concerns include the processes the company uses to track inventory from the time it arrives as raw material or parts until it leaves as finished product. Software must accurately capture what occurs within those processes. Physical cycle counts must assure that purchased inventory exists. Estimates, purchase price variance, salvage allowances, and other accounting methodologies used to assign value to inventory must be applied consistently and reflect true costs of sales.
For a business that generates accounts payable statements for other companies, data integrity, IT security and data recovery are crucial considerations. Processes that require manual intervention present opportunities for data entry errors or misconduct. Non-public information must be safeguarded from internal or external IT security breeches. The company must address how it will protect data and continually meet customer needs in the event that a power outage, fire, or other catastrophe threatens business operations.
An insurance company may pay all of its sales agents on a commission basis. It must require that commissions are only paid on policies approved, and not pending policy applications. It must monitor its underwriting processes to ensure that appropriate, established standards are followed in approving policy applications. It must review submitted claims to verify their legitimacy. It must also maintain sufficient reserves to meet claims obligations.
Organizations vary in the complexity of their operations, too. A company whose operations include product development, manufacturing, and distributing functions faces greater complexity than an organization that performs a lone function on an outsourced basis for a single industry.
That degree of inherent complexity is a factor in evaluating risks, as are particular vulnerabilities associated with a company’s specific established processes. The organization must assess those risks, based on such factors and the likelihood and potential impact of a risk occurring. Those risks should be rated, typically on a scale of one to three, with one representing a low level of vulnerability, two representing a moderate degree of risk, and three representing a critical threat.
Controls To Mitigate Risks
After a business has identified its most crucial processes and significant vulnerabilities, it can design controls to mitigate those threats, based on their risk ratings. Being aware of industry-wide best practices provides direction for designing controls that best address an organization’s specific vulnerabilities.
For companies involved in manufacturing or distributing various products, that might entail attaining the most applicable level of ISO certification. A company involved in handling sensitive customer data may consider undergoing an SAS 70 audit as a means of identifying and mitigating critical risks.
Companies also need to consider the importance of incorporating segregation of duties, which divides conflicting or incompatible duties among two or more individuals. That segregation provides natural boundaries that prevent fraud and promote detection of errors.
For financial processes, segregation of duties means that one person cannot handle every phase of a transaction. It means that one person does not address all of the authorization, custody of assets, record keeping, control activity, or reconciliation functions associated with any specific cycle. An individual who makes entries for accounts payable disbursements, for example, should not be responsible for reviewing monthly bank statements, or reconciling related accounts to those statements.
Segregation of duties needs to extend to crucial processes throughout an organization. Within a commercial construction company, for example, the same person should not be ordering building materials and then verifying that full shipments arrived, as ordered.
Smaller businesses may face difficulties implementing segregation of duties due to staffing limitations and other constraints. In such cases, compensating controls are necessary. Those compensatory control efforts may include examinations of detail reports to detect any anomalies or exceptions. They may include making periodic calls to customers to make sure they received what they ordered, or visiting the street address listed for a new local vendor to determine that the supplier actually exists.
Requiring that employees take annual vacations or regularly rotate duties also prevents someone from handling one task continuously. That reduces opportunities to repeatedly hide errors or fraudulent schemes.
Companies undertaking the initial efforts to comply with SOX need to develop an infrastructure and scalable controls that can accommodate growth, change, and possible integration with another company’s compliance efforts.
Incorporating control responsibilities into job descriptions and compensation considerations provides one means for building that infrastructure and scalability. Those responsibilities could include maintaining a regular schedule of account reconciliations or IT system log reviews. That incorporation enables an organization to expand its workforce without compromising control oversight.
Standardizing processes further enhances control infrastructure. That standardization could apply to the criteria used to determine line of credit limits, and the accompanying credit terms, including interest rates and due dates.
Automated controls provide another means for building the infrastructure and scalability needed to sustain growth. IT access controls provide an automated means for enforcing defined segregations of duties within an application, module, database, or file server. Automated controls that limit the functions or entries an individual can make also help an organization comply with any applicable industry regulations.
Such automated controls operate continuously in a preventative role. By updating related user directories whenever an employee is hired, leaves, or changes duties, those controls evolve to accommodate all workforce changes, as well as any process revisions.
Completing the initial requirements for SOX compliance enhances the future value of any organization anticipating a exit transaction. While preparing the organization for such scenarios, completing the initial SOX compliance provides immediate assurance to current stakeholders that the organization values strong corporate governance—governance that will support growth and sustain the business amidst change.
Alyssa G. Martin CPA, MBA, is the Dallas executive partner and the firm-wide partner in charge of the Risk Advisory Services group at Weaver and Tidwell LLP. With offices in Dallas, Fort Worth, Houston, San Antonio and Austin, Weaver and Tidwell is ranked the largest independent certified public accounting firm in the Southwest by Practical Accountant. Martin can be contacted at 817-332-7905, 972-448-6975 or at firstname.lastname@example.org.