In the latest episode of our Risk & Accounting Advisory podcast, Neal Beggan, Risk Advisory Leader, and key leaders from Cherry Bekaert’s Risk Advisory SOX practice, Gareth Montague-Smith and Peyton Black, discuss the concept of SOX “Lite,” a controls diagnostic service for smaller or private companies that can help prepare companies to go public, help remediate material weaknesses or significant deficiencies, provide efficiencies for companies facing difficult SOX audits and more. Their conversation analyzes what type of client would benefit from a SOX “Lite” program and how the service is performed.
Listeners will learn about:
- Why a company might need “SOX Lite” compliance services
- How the service is implemented and how it differs from a traditional SOX program
- Potential benefits to the company
NEAL BEGGAN: Hello and welcome to the Risk and Accounting Advisory podcast. My name is Neal Beggan, and I am the leader of the Risk Advisory Group at Cherry Bekaert.
NEAL BEGGAN: Today on our podcast, we are going to be talking about a newly branded service offering called SOX Lite.
NEAL BEGGAN: Joining me today are two of my favorite practitioners in the Cherry Bekaert Risk Advisory practice: Gareth Montague-Smith and Peyton Black. Both have a wealth of knowledge in the risk and control space, and I know they are both excited to share their thoughts on SOX Lite.
NEAL BEGGAN: Gentlemen, thank you for joining me today.
GARETH MONTAGUE-SMITH: Thank you, Neil. Honestly, this is not really a new service; we have been doing it for a while.
GARETH MONTAGUE-SMITH: Typically, when we mention SOX, many private companies immediately tune out, thinking it does not apply to them. For the most part, that is correct.
GARETH MONTAGUE-SMITH: Interestingly, we are seeing some states starting to ask companies that work for specific state entities to provide an internal control opinion as part of a standard financial statement audit. However, we did not want to address that specifically today.
GARETH MONTAGUE-SMITH: Our target companies for SOX Lite include business owners who may not be super involved in day-to-day operations but would like comfort that policies and procedures are documented.
GARETH MONTAGUE-SMITH: Another target would be a company that has material weaknesses or significant deficiencies in prior year financial statements which they wish to remediate.
GARETH MONTAGUE-SMITH: We also consider companies contemplating a transaction, such as a sale or an IPO, to give the potential buyer comfort regarding the operations of the company.
GARETH MONTAGUE-SMITH: This approach also benefits companies with difficult or lengthy audits that wish to reduce completion time and potentially manage down fees.
GARETH MONTAGUE-SMITH: Finally, I think the biggest benefit applies to both public and private companies with subsidiaries that are almost material to the parent company.
GARETH MONTAGUE-SMITH: If the parent company is where the audit is performed, you might want to get comfort on certain processes at the subsidiaries, such as inventory and revenue processes for a manufacturing subsidiary.
NEAL BEGGAN: That makes sense. Peyton, I want to go to you next. In any of the situations Gareth described, how would you go about this?
PEYTON BLACK: Thanks, Neil. First, we take the company's financial statements and discuss them with management to run them through our risk assessment tools.
PEYTON BLACK: These tools consider both qualitative and quantitative factors. They allow us to quickly create documentation indicating the current state of an organization's controls and provide recommendations for improvement.
PEYTON BLACK: In these situations, we focus on the "critical few" risks of material misstatement. We encourage a simplified system of control to allow focus on control maturity and effective change management.
PEYTON BLACK: We do not see the point in overcomplicating or over-engineering an internal control framework.
NEAL BEGGAN: Peyton, talk to me a little bit about what the deliverables look like coming out of a SOX Lite project.
PEYTON BLACK: After performing scoping and diagnostic procedures, we create a customized Risk and Control Matrix (RCM) and generate process narratives or flowcharts, depending on what the company desires.
PEYTON BLACK: We focus on creating a personalized and actionable gap analysis and roadmap. That is where we find a lot of value, identifying the gaps that need to be remediated.
PEYTON BLACK: Again, the focus here is on the most critical processes rather than all of them. It is a laser-focused approach and is not one-size-fits-all.
NEAL BEGGAN: Much like other formal, large-scale SOX projects we perform, it sounds like the deliverables overlap considerably. Gareth, any other thoughts on why this is applicable across industries?
GARETH MONTAGUE-SMITH: This is completely agnostic. We have the flexibility to scope the key and significant processes specific to the risk profile of the company.
GARETH MONTAGUE-SMITH: As a company matures its internal control environment, this enables them to chip away at getting their processes documented over a period of time. They can control that pace.
NEAL BEGGAN: Peyton mentioned deliverables like RCMs and documenting walkthroughs. Gareth, what about testing as it relates to SOX Lite?
GARETH MONTAGUE-SMITH: The best thing about the initial rollout is that it does not consider testing. We could do that eventually, but initially, that would be further down the road.
GARETH MONTAGUE-SMITH: The real win is that it gives a company flexibility to achieve the coverage and comfort they need while allowing them to mature that environment over time.
NEAL BEGGAN: In case anyone is still not convinced, can you sum up the benefits of undergoing a SOX Lite project?
GARETH MONTAGUE-SMITH: Clearly, the biggest benefit is peace of mind for a business owner. Significant risks to their financial statements will have been documented and established.
GARETH MONTAGUE-SMITH: It gives them a starting point to evaluate where they go in overall control maturity. If they were to go public and comply with Sarbanes-Oxley, they have already started that journey with this effort.
NEAL BEGGAN: Peyton, any final thoughts on SOX Lite and what we have touched on today?
PEYTON BLACK: I agree with Gareth. It is the simplicity coupled with the impact that it can deliver relatively swiftly. I see this as something any company could use to get their arms around key controls.
PEYTON BLACK: Not only is this useful for private companies, but even some of our public clients use this service to support management's assessment of ICFR required under SOX Section 404(a).
PEYTON BLACK: Regarding cost, as SOX Lite does not contemplate testing, we can provide a quote by process. If you have a tight budget, you can plan to roll it out over time and manage your budget accordingly.
PEYTON BLACK: We can tailor this to your needs and your budget to chip away at the process narrative and controls build-out.
NEAL BEGGAN: Tailoring it obviously creates a lighter lift, which translates to a lower cost and less impact on the budget. It is a great alternative.
NEAL BEGGAN: Thanks to Peyton and Gareth for your insights. I like the fact that it is flexible and scalable for a number of clients, not just those that are publicly traded.
NEAL BEGGAN: I want to thank our audience for listening. For more information on traditional SOX compliance, internal controls, or internal audit, please visit cbh.com/risk.
NEAL BEGGAN: Please like, share, and subscribe to the Risk and Accounting Advisory podcast. Thanks again for listening.