2023 Year-End SOX Compliance Considerations

NEAL: Hello and welcome to Cherry Bekaert's Risk and Accounting Advisory podcast series. My name is NEAL BEGGAN, firm leader of Risk Advisory, and today we are going to be talking about some of the hot buttons and topics that will be important to companies going into year end.

NEAL: Joining me are two of my favorite SOX practitioners, PEYTON BLACK and YANI DIAZ, both leaders in Cherry Bekaert's Risk Advisory SOX practice. Payton and Yanni, thanks so much for joining me.

PEYTON BLACK: Happy to be here.

YANI DIAZ: Thanks.

NEAL: A little recap. Last year we talked about the items we expected to impact 2022 year end, and in early 2023 we discussed lessons learned in a separate podcast. Those discussions included items such as managing hybrid teams, being mindful of your market capitalization, and the concept of common controls, among other things.

NEAL: As we close out 2023 SOX efforts and get into final year end testing, we thought we'd walk through some of our current hot buttons that folks should be thinking about. As always, we structure this podcast series with five key questions, so let's try and stay with that and get started. Yanni, ladies first—what are you talking to your clients about in Q4?

YANI DIAZ: Thank you, NEAL. This is not a new topic, and hopefully most companies have thought through it and had discussions with their external auditors. As we go into year end, it's a good time to revisit the topic of external audit reliance and alignment.

YANI DIAZ: The external auditors are being regulated by the PCAOB on how well they perform an integrated audit, while companies are regulated by the SEC on how effectively they report results to investors and the public. This is important and impactful in terms of the nature, timing, and extent of procedures used by management versus their external auditors, especially when documenting the effectiveness of controls and processes for the company as a whole.

YANI DIAZ: I want to remind the listener of the 2007 SEC Commission guidance regarding Management's Report on Internal Control over Financial Reporting. Some differences between that final interpretive guidance for management and the PCAOB's audit standard remain. While these differences aren't necessarily contradictions, they reflect that management and the auditor have different roles, responsibilities, and priorities with respect to evaluating and auditing ICFR.

NEAL: Payton, let's tie this back to your side. Yanni just referenced the 2007 SEC Commission guidance regarding Management's Report on Internal Control over Financial Reporting. Payton, what does that mean to you and your clients?

PEYTON BLACK: Thanks, NEAL. In practice, and in more plain terms, many people don't know that guidance by heart. If there is limited or no audit reliance on internal audit testing, management may have the ability to do less work.

PEYTON BLACK: Areas where companies might do less include the sophistication of narrative or flowchart documentation, a conscious decision to reduce sample sizes and when and how to test—think roll forward periods—and reduced rigor around completeness and accuracy testing. Management is closer to operations and the execution of controls, and that familiarity can give them the comfort or assurance to support management's assertion.

PEYTON BLACK: While this flexibility may be attractive to management, auditors cannot avail themselves of a less rigorous approach. As Yanni mentioned, the PCAOB is more prescriptive in their expectations of internal auditors. There are annual requirements on updates and testing, sample sizes, completeness and accuracy levels, precision, and more. Management should constantly reevaluate where they want to be in terms of reliance, considering cost and internal effort to respond to auditor requests.

NEAL: That makes sense, and the comment regarding the PCAOB holds true. You clearly have strong views on this complex issue. Yanni, what else besides what Payton just described is keeping you up at night going into year end?

YANI DIAZ: What Payton said is important because coordination between external audit and management can help reduce costs. Also, the overall complexity and increase in regulatory compliance pressures are impacting SOX controls and the SOX area.

YANI DIAZ: The SEC finalized regulations around cybersecurity recently, and there is a lot of noise around proposed ESG reporting and how they overlap with the existing SOX framework. We've seen a significant increase in the number of comment letters issued to registrants about their disclosures in periodic SEC filings compared to the previous year. Paying attention to those compliance requirements is a key focus going into the coming year.

PEYTON BLACK: If I can add, don't forget Chair Erica Williams's comments in July in response to an audit report that audit deficiencies rose for the second year in a row to 40% of audits in 2022. She called the findings "absolutely unacceptable" and said audit firms must make changes to live up to their responsibility to investors. This reflects the PCAOB's current mindset and drives what auditors will do.

PEYTON BLACK: Also note the PCAOB's September proposal to strengthen accountability for contributing to firm violations, which proposes to allow the PCAOB to hold associated persons accountable when they negligently, directly, and substantially contribute to firm violations. How all of these changes will solidify remains to be seen, but there will likely be downstream impacts on SOX departments as part of the external audit on a company's financial statement audit. The profession may have a reflex to do more testing and ask for more evidence.

NEAL: A hard left into a Debbie Downer moment there, but fair. Let's pivot to being consultative. Payton, what can companies do to weather this perfect storm?

PEYTON BLACK: Thinking about my time as a CAE, it comes down to a few fundamental tasks. First, planning—companies need to understand all that will be required this year to conclude on SOX. Second, communication—you must sync up with your external auditors on a tactical and detailed level to discuss and understand the nature, timing, and extent of their proposed testing and whether there have been any changes in their approach based on the current environment.

PEYTON BLACK: It's all about avoiding surprises. This can be a big effort and take a lot of time in a normal year; for this year, it's going to be ramped up and require a larger effort on the company's behalf.

NEAL: Agreed. We're wrapping up, and I want to thank you both. In the interest of time, let's do a rapid-fire list of three or four other topics or areas that companies should keep their eyes on as they close out Q4 and head into Q1 of 2024. Payton, go first.

PEYTON BLACK: Budgets and potential unfavorable economic headwinds. The shortage of talent continues to be a significant issue, especially in the IT space.

YANI DIAZ: I second Payton. Also be mindful of overreliance on common controls. Identify any significant and unusual transactions and get the accounting right, as well as the controls around the accounting. Maintain a holistic approach and retain the right type of evidence of review and approval, because auditors will look for that evidence.

NEAL: Great points all around. Thank you both again. This series covers a lot in a short amount of time, and the topics are time sensitive as we speak in early December.

NEAL: One of the ways we drive topics is through a series of in-person and virtual roundtable forums we facilitate every quarter. Attendees are primarily internal audit directors and chief audit executives in market, as well as professionals who have sat in that chair. These events allow folks to collaborate with peers and share ideas, and those discussions help us develop topics we share via this podcast series.

NEAL: If you would like to be added to our mailing list and potentially attend and contribute to some of these discussions with your peers, please email us at risk@cb.com. For more information on SOX compliance and/or internal controls, please visit cb.com/slrk.

NEAL: Please like, share, and subscribe to the Risk and Accounting Advisory podcast. Happy holidays.