8 SOX Pitfalls to Avoid When Preparing for Your First SEC Audit

July 30, 2025

SOX compliance is a critical milestone in prepping for your first SEC audit, but it’s easy to stumble into costly mistakes without the right preparation.

Why it matters:

  • SOX compliance missteps can lead to audit findings, reputational damage and financial penalties.
  • Understanding and addressing common SOX compliance pitfalls helps you optimize your compliance efforts and protect your credibility.
  • Early preparation and proactive risk management can save you time, resources and costly remediation down the line.

8 Missteps That Can Derail Your SOX Compliance

As a finance leader of a new public company, you have a lot on your plate — meeting investor expectations, navigating regulatory scrutiny and establishing credibility in the market. One of your biggest mandates? Managing your company’s Sarbanes-Oxley Act (SOX) compliance program.

To help you avoid missteps and keep your audit and compliance efforts on track, let’s look at eight common SOX pitfalls that trip up newly public companies.

1. Not Vetting Data

Nearly every control that exists today is based on some type of data. Auditors are placing increasing scrutiny on how data is sourced, transformed and used within controls, including the steps around the integrity of the data. So, you need to identify data sources and assess the integrity of those sources: Are they accurate, complete and reliable?

When reports, metrics or system outputs used to perform or evidence controls aren’t complete or accurate, auditors may consider your controls ineffective. Even incomplete or unvalidated information produced by the entity (IPE), such as key reports or spreadsheets, can lead to findings in internal controls over financial reporting (ICFR).

2. Gaps in Headcount-Related Competencies

Of course, you need the right controls around your systems. But what about headcount-related competencies — the skills, knowledge and abilities needed for an efficient audit?

We’ve seen management, especially in growth-focused or under-resourced companies, run a lean organization with their people spread too thin. Staff may oversee key controls without the expertise to really understand the risk they're trying to manage, or they may lack the training to properly check the accuracy of system-generated data (like IPE).

Errors can go undetected and critical activities may be skipped or performed incorrectly. This puts your company at risk of material misstatements and introduces a higher likelihood of audit findings or material weakness, as well as regulatory and reputational damage.

We’ve also seen instances where management didn’t prioritize governance. In other words, they failed to emphasize accountability or the importance of internal controls — leading to lapses throughout the organization. Typically, compliance is an extra step that staff must take as part of their day job. If it’s not highlighted as an important task, your team may see it as a low priority, making compliance a constant battle.

3. Breakdown of Segregation of Duties

Another common issue: Relying on controls without understanding who can override or manipulate them. You must address foundational elements like segregation of duties (SoD) at the system level.

SoD failures are a common cause of internal control deficiencies, leading to potential for material weaknesses that impact investor confidence. Case in point: Your accounting team performs manual reviews every day, but there’s no oversight on who holds super administrator access — the highest level of system control. As a result, the SOX auditor may deem your internal controls meaningless.

Another example: An AP clerk requests access to issue vendor payments. To expedite the process, someone with admin access grants the clerk the ability to process payments. However, no one reviews whether this access creates a SoD conflict. As a result, the clerk can now create vendor records and issue payments. This creates a significant fraud risk because the clerk could create fictitious vendor records and issue unauthorized payments.

With SoD in place, you ensure that no single individual has control over all aspects of a critical transaction or process — preventing fraud, errors and conflicts of interest.
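The AP clerk and super administrator scenarios above can be caught before an auditor does by checking entitlement assignments against a list of toxic combinations. The script below is an added example, not code from the article: the entitlement names, the toxic-pair list and the sample assignments are constructed, and super administrator access is treated as implying every other entitlement.

```python
# Added example (not the article's code): flag users who hold both sides
# of a segregation-of-duties (SoD) conflict or unrestricted super admin
# access. Entitlement names and the toxic-pair list are assumptions.
from collections import defaultdict

# Toxic combinations: holding both sides lets one person complete a
# critical transaction end to end (e.g. create a fictitious vendor and
# pay it), which is the conflict the article describes.
TOXIC_PAIRS = {
    frozenset({"VENDOR_CREATE", "PAYMENT_ISSUE"}): "create vendor + issue payment",
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}): "post + approve own journal",
    frozenset({"USER_ADMIN", "PAYMENT_ISSUE"}): "grant own access + issue payment",
}

# Highest level of system control; treated as implying every entitlement.
SUPER_ADMIN = "SUPER_ADMIN"


def effective_entitlements(grants, user):
    """Expand a user's direct grants; super admin implies all known ones."""
    held = set(grants.get(user, ()))
    if SUPER_ADMIN in held:
        held |= {e for pair in TOXIC_PAIRS for e in pair}
    return held


def find_conflicts(grants):
    """Return {user: [conflict descriptions]} for users with an SoD conflict."""
    findings = defaultdict(list)
    for user in grants:
        held = effective_entitlements(grants, user)
        if SUPER_ADMIN in held:
            findings[user].append("unrestricted super administrator access")
        for pair, label in TOXIC_PAIRS.items():
            if pair <= held:  # user holds both sides of the pair
                findings[user].append(label)
    return dict(findings)


# Constructed sample: the AP clerk was given payment rights on top of
# vendor maintenance without anyone reviewing the resulting conflict.
SAMPLE_GRANTS = {
    "ap_clerk": ["VENDOR_CREATE", "PAYMENT_ISSUE"],
    "controller": ["JOURNAL_APPROVE"],
    "it_admin": ["SUPER_ADMIN"],
    "staff_acct": ["JOURNAL_POST"],
}

if __name__ == "__main__":
    for user, issues in sorted(find_conflicts(SAMPLE_GRANTS).items()):
        print(f"{user}: {'; '.join(issues)}")
```

Running the same check against each access request before it is approved, rather than only in a periodic review, is what turns it into a preventive control.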

4. Lack of Audit Trail

Often, newly public companies lack the level of required documentation to support conclusions on management review controls — a control that requires a high degree of judgment.

Let’s say you have a significant estimate such as revenue recognition, reserves, impairments or contingencies. The process owner executes a control and has the final copy that management reviews or senior leadership signs off on. However, without detailed documentation, the auditor can’t effectively measure what went into the review to the level of precision required to support the conclusions reached.

Do you have earlier versions? Do you have questions and answers from the reviewers? If there’s no audit trail showing the review process — the questions asked, alternative scenarios considered or issues debated — you’ve got the “what” but not the “how.” All that information is evidence supporting that the control operated effectively as designed.

5. Not Disseminating Information on Regulatory Changes

With a constantly evolving regulatory environment, training the right people on emerging risks, regulatory guidance and best practices is critical. But this can be challenging, and companies often fall short.

Trends in best practices related to internal control evaluations continually evolve. For example, a decade ago, IPE wasn’t even a focus area. The best practice was more about whether controls existed and were performed, not how reliable the data supporting those controls was. As companies adapt and expand their use of technology and automation, the control environment must also adapt and respond to these changes. Imagine if process owners and control executors were not kept aware of what’s required to maintain compliance.

6. One-and-Done Risk Assessment

Often, we see a public company do a one-time risk assessment, also called an enterprise risk assessment. After this one-time assessment, we see leaders design their internal controls once and think they’re good to go — forever.

But what happens when the business changes or new accounting guidance comes out? What if you acquire a new entity? What if your product or business operations change, or you have turnover in different departments?

Risk is fluid and always changing. “How does this affect our risk assessment?” needs to be a question on your management’s minds at all times.

Whether done internally or outsourced, your company should complete a risk assessment at least annually and after any major business changes. This way, you can capture all business or regulatory changes and adjust your internal controls accordingly. For larger or more complex organizations, it’s wise to supplement annual reviews with quarterly or ongoing assessments as part of enterprise risk management or internal audit cycles.

7. Cutting Corners on Compliance

Going public has its benefits, but it also comes with SEC scrutiny and high costs. Newly public companies are sometimes ill-prepared for the expense of meeting SOX requirements. In year one, you may spend anywhere from $250K to $2 million on SOX compliance, depending on company size, complexity and industry.

Whether it's sticker shock or reluctance to invest, some business leaders inadequately fund SOX compliance — knowingly and willingly. This could mean assigning too few resources to internal controls, testing or documentation, delaying necessary control enhancements or avoiding investments in technology or automation.

Yet, as the company grows, automation and investment in scalable solutions become critical. Inadequate spending early can lead to much higher costs and effort down the road.

Consider a growing company with manual compliance processes that acquires five companies. Suddenly, that manual process, multiplied by 5X, becomes cost prohibitive. Management must consider that automating would not only create efficiency for process owners but also reduce SOX risk by preventing manual errors. That, in turn, could save the company millions in penalties and fees every year.

8. Delaying SOX Compliance Preparations

Failing to start your SOX compliance preparation early can lead to two major challenges: overwhelming documentation burdens and missed opportunities to identify and mitigate risks. Many companies wait until they are public or on the verge of an IPO to engage a SOX compliance advisor, leaving process owners scrambling to document workflows and adapt to regulatory requirements.

More critically, starting too late can hinder the identification of gaps in risk mitigation. Without adequate time to assess risks and design effective controls, you can expose your company to errors or even fraudulent reporting as a public entity. This can result in costly financial restatements, reputational damage or penalties.

To avoid these pitfalls, begin SOX compliance prep work six to 12 months in advance. Early engagement allows teams to thoroughly document processes, address business changes and establish solid internal controls, ensuring a smoother transition to compliance and reducing the risk of costly mistakes.


Effective SOX Compliance Starts Here

If you recognize any of these pitfalls in your organization, it’s a good indicator that your SOX program needs a boost. Start with our SOX 101 Guide, a comprehensive resource to help you navigate compliance with confidence. Then, find out how our SOX compliance experts can help you deploy the latest tools and best practices to meet your regulatory requirements, reduce your administrative burden and ensure a stress-free audit process.
