As SEC filers prepare for the 2023 SOX compliance reporting season, public companies must evaluate their organization’s internal controls, policies and procedures, and IT systems, including user access reviews. Another common issue is significant and unusual transactions: understanding the risks they create, and designing and testing controls to offset those risks.

On this episode of the Risk & Accounting Advisory podcast, Neal Beggan, Partner and Risk & Accounting Advisory Leader, welcomes two of the practice’s Managing Directors, Gareth Montague-Smith and Peyton Black. Together, they look back on hot button topics and lessons learned from the 2022 year-end SOX engagements.

For more information on SOX compliance, or on how your company can prepare, assess overall trends and benchmarking in the SOX regulatory landscape, stay in compliance, and proactively tackle any current or prior-year issues, reach out to our Risk & Accounting Advisory SOX practitioners today.



HOST: NEAL BEGGAN: Hello and welcome to the Risk and Accounting Advisory Podcast. I'm Neal Beggan, Cherry Bekaert's leader of Risk Advisory.

HOST: NEAL BEGGAN: Today on our podcast we will talk about hot-button topics and lessons learned from our most recent year-end SOX engagements. With me are two SOX practitioners, Gareth Montague-Smith and Peyton Black, leaders in Cherry Bekaert Risk Advisory's SOX practice.

HOST: NEAL BEGGAN: Gareth and Peyton, thanks for joining me.

GARETH MONTAGUE-SMITH: Thanks, Neal.

PEYTON BLACK: Thank you.

HOST: NEAL BEGGAN: Last year we discussed items from the 2021 year-end, including managing hybrid teams, market capitalization considerations, and the concept of common controls. As we close out 2022 SOX efforts, we thought we'd walk through our most recent observations.

HOST: NEAL BEGGAN: As always, we structure the Risk and Review series with five key questions. Gareth, I'll pick on you first. In your opinion, what was one SOX concept that clients really struggled with in 2022?

GARETH MONTAGUE-SMITH: One area that sticks out, although it's not new, is completeness and accuracy. That applies both to populations for testing and to the reports used to perform controls.

GARETH MONTAGUE-SMITH: This is evident in many PCAOB inspection reports of the larger firms. Auditors continue to challenge the completeness of populations used for testing, aiming to ensure every element or transaction had an equal opportunity to be selected.

GARETH MONTAGUE-SMITH: It becomes more challenging when there are ad hoc or point-in-time controls where reports are run when the control is performed and auditors request that evidence after the fact. How do you recreate an ad hoc or point-in-time report?

GARETH MONTAGUE-SMITH: Another point is what management does to verify completeness and accuracy each time the control is performed. We've seen final testing where companies claimed reports were canned or off-the-shelf with no modifications, but auditors challenged that assertion and asked to contact the SaaS provider or review the manual to confirm the report was indeed canned.

HOST: NEAL BEGGAN: What's the lesson or surprise out of those two points?

GARETH MONTAGUE-SMITH: The lesson is that these issues should be fleshed out in walkthroughs in the summer, not in January and February. The surprise is that these are still surprises, given they're not new concepts.

HOST: NEAL BEGGAN: Very interesting. Peyton, how about you for 2022?

PEYTON BLACK: One area that caused issues this past year was significant, unusual transactions. Companies generally identify these transactions, but they struggle to understand the new risks that result and to design controls that offset those risks.

PEYTON BLACK: The main area where I've seen this problem is acquisitions under ASC 805, accounting for business combinations. A company can exclude the acquired company's internal controls from management's assessment of ICFR in the year of acquisition, but they still must get purchase price accounting correct at the parent level.

PEYTON BLACK: That accounting is complicated, often involves third-party specialists and many estimates, which auditors and regulators scrutinize. Management cannot outsource their financial reporting responsibilities; they need to understand the estimates and assume ultimate responsibility.

PEYTON BLACK: Because these calculations are unusual or infrequent, remediation is often difficult to perform timely.

HOST: NEAL BEGGAN: Definitely a nuance—putting controls around something by definition unusual. Gareth, any practices based on Peyton's example?

GARETH MONTAGUE-SMITH: It's difficult to show remediation, especially if a company is not acquisitive and uses a third party. Sit down with the specialist to understand the data, assumptions, calculations, rates, and model inputs.

GARETH MONTAGUE-SMITH: Involve your external audit firm specialist early. Actuaries and valuation specialists don't always use the same methods for discount rates or betas, so getting upfront buy-in from all parties is important and must occur before the report is finalized.

GARETH MONTAGUE-SMITH: The worst place to be in January is having specialists arguing with your external firm's specialists at final. We often refer to this as having enough red ink on the page—have we ticked and tied, done sensitivity analysis, and understood how numbers could move based on inputs?

GARETH MONTAGUE-SMITH: As Peyton said, management cannot outsource their responsibility for financial reporting.

HOST: NEAL BEGGAN: Agreed. Peyton, we haven't touched on IT yet. Anything to note on the IT side?

PEYTON BLACK: Similar to Gareth's earlier point, completeness and accuracy are ongoing issues. Less mature SOX programs need to address user access reviews at the appropriate level.

PEYTON BLACK: We saw a number of issues this past year where user access reviews were performed but not followed up on, which defeats their purpose. Reviews may not be frequent enough or may not cover all in-scope systems.

PEYTON BLACK: Sometimes reviews are performed only at a high level and not with the precision needed to prevent exceptions. A recurring problem is lack of or incomplete documentation of reviews.

HOST: NEAL BEGGAN: IT is not always known for its documentation prowess. I appreciate it—believe it or not, that's already five questions. Thank you both for your insights.

HOST: NEAL BEGGAN: Sounds like an interesting, busy season this past year. As we wrap up fiscal year 2022, stay connected for more episodes on what people call the SOXification of ESG, covering the SEC's climate proposal, the impact on internal control programs from proposed disclosure changes, and other updates to support an ESG program.

HOST: NEAL BEGGAN: In prior podcast series we touched on ESG, so we welcome you to check those episodes as well. We also have a new virtual forum series called The View from the Chair, where team members will discuss the perspective of the chief audit executive and current topics in internal auditing and SOX gathered from roundtables with current CAEs.

HOST: NEAL BEGGAN: For more information on SOX compliance or internal controls, visit cbh.com/risk. Please like, share, and subscribe to the Risk and Accounting Advisory Podcast.

HOST: NEAL BEGGAN: Thanks for listening.
