
Demystifying SOX Compliance | What Public and Pre-IPO Companies Need to Know

Published
Oct 6, 2025

Whether you're in the early stages of IPO readiness or already a public filer, Sarbanes-Oxley (SOX) compliance is a cornerstone of financial reporting and internal controls. But not all companies face the same requirements—reporting thresholds, internal audit expectations, and risk management strategies vary based on company size and stage. 

This panel of SOX professionals shares what small reporting companies and large accelerated filers need to know to stay compliant, efficient, and prepared for investor scrutiny. 


Transcript

Jerry Ravi: Thank you and welcome everyone. Really appreciate you joining us today on Demystifying SOX Compliance: What existing public companies and pre-IPO companies need to know. Once again, I'm Jerry Ravi. I'm a partner in our risk and compliance services group here at EisnerAmper. I've been involved in SOX at EisnerAmper especially since it was enacted over 20 years ago, and it's been quite a journey. We've seen a lot happen, from manual documentation all the way to today's technology enablement, including AI and risk-focused programs. So you're going to hear a lot about that. I'm joined today by three outstanding colleagues from our risk and compliance team that bring deep subject matter expertise to areas of SOX and even areas of cyber and other things that come into play when we talk about risk management. First, Frank Aldino, he's a senior manager in our cyber risk services practice within risk and compliance.

He really leads a lot of our technology-driven SOX programs focused on IT general controls, system access, change management automation, and different ways of strengthening compliance through IT. Next we have Jerry Maloney, also a senior manager. He's in our financial and regulatory risk group within risk and compliance, spending a lot of time and working closely with Jerry on many public companies, including three IPO companies, to design SOX frameworks, strengthen internal controls and drive readiness from 404(a) to 404(b). You're going to hear Jerry talk a lot more about remediation and deficiencies and material weakness and how to do that effectively. And finally, Marty West, he's a director in our financial regulatory risk group as well, along with Jerry and I. Marty specializes in internal controls across a variety of industries including financial services, insurance and others. He really gets into process improvement, SOX readiness as well, but helping organizations truly mature their SOX program from planning, testing and sustainable remediation strategies.

So together this group as I moderate, we're going to have a little bit of a panel discussion at the end if we have enough time. But we're really going to explore what it means to tailor your SOX approach, build efficiencies, balance that with rigor, and take away even some of the rigor in some areas and creating a lasting value program. So that's the most important part that we're going to cover. So let's move to the agenda. So as you can see, we're going to break this down into a couple of key topics, tailoring your SOX approach and key requirements and timelines. I think that's sometimes overlooked and trying to decide where we go, how much time do we have and how do we do this with the right resources, including those inside our company and those that we need to use outside our company. And that's usually where we come in.

We're going to talk about deficiency and material weakness remediation, still a hot topic. There are hot button areas that we're going to bring up, including even leading into those spotlight IT risk areas. I think that's really important. Definitely a subject matter on the external audit side with the PCAOB and the regulators looking at different areas of IT risk, including cyber. And then we'll end with this panel discussion around cost-effective compliance, avoiding some pitfalls, things that you can think about today, even if you've been a public company for 10 or more years or since the beginning. There are different ways to provide value as you look at SOX compliance, and then some future outlook items that we'll bring up as well. So we're at our first polling question. We just want to understand where are you in your maturity as a company? Are you pre-IPO, a private company, to-be public, established, or it may not apply? So please take a moment to answer the poll.

So thank you for responding. We'll just move to the next one. This will help us tailor the conversation a little bit as well. I want to make sure we mention that a few other polling questions are going to be in here that we'll moderate through. So thank you for completing. I think we're up to 70%, which is good, but great. We have a good mix: established, pre-IPO, some that are new and some where it doesn't apply. Now we'll say even when it doesn't apply, there's some things around SOX that play a part in private companies in terms of good governance, good controls, trying to maintain that resiliency and even consistency around controls. You can mitigate a lot of risk when looking at this risk-based framework. So it still may apply to you as well.

So let's go right into tailoring your approach and key requirements. This is where Marty and I are going to talk a little bit about this area and why it's important. I really wanted to start with the drivers for optimization. A lot of the times when we're going through maturity, even if we're starting from scratch, what do we need to be thinking about? Sometimes it's great even to think about having the end in mind at the beginning. So did we ever have audit weaknesses, and do we have a culture that's resistant to change? Sometimes that can occur, there's going to be increased scrutiny and certainly resource strains. So we want to bring this to the forefront when it comes to optimization because it's important. So at the top you see audit weaknesses. These occur when documentation isn't consistent or controls aren't executed with precision. Things are incomplete.

You may have some IT dependencies that aren't well managed. These are things that come up, even the course of your external audit and even when regulators are coming in if you're regulated even outside of the public company realm. So these are things that we could think about and anticipate and plan for. So that's important. So having an optimization strategy and how you deal with weaknesses, and again, Jerry Maloney's going to talk a little bit about that as well. Resistance to change in employees and just managers and those that are clinging to legacy processes, which really slows adoption. You may even be slow to adopt new technology. It can create some friction as you get ready, and that's important to recognize, to build a culture. And we'll talk a little bit about that. Building a culture of readiness, building a culture that can change, building a culture that looks at good governance and a risk-based framework or just risk management is important.

And then just increased scrutiny. I mean people and processes in terms of pushing back, going public brings that heightened oversight, right? Not even just from your auditors, your regulators, investors, the board, every business process connected to financial reporting really takes a sharp review, and we're going to look inside those four walls to make sure that we're doing all the right things. And then this resource strain and efficiencies. What we find, especially when you're getting ready for the first time, this is a big area where you have manual processes, even some outdated tools, inconsistent documentation, trying to create that consistency, and it becomes less of a strain and a drain on resources by curating that over time. It doesn't happen overnight, but it makes SOX feel heavier than it should be. We see this a lot, so let's make sure that we're looking at the resources as we're doing this and optimizing. I think that'll help build as we go through some of these requirements. So with that, I'm going to transition over to Marty to go through some approach and timeline requirements and just things to consider again as we lead into talking about some of these other areas. Marty, I'll pass it to you.

Martin West: Alright, thanks Jerry. Appreciate that. I just want to say all those challenges that Jerry brought up, it's super common and like you said, it's not just for newly public companies or companies thinking about going public, but also mature companies as well. So I guess the best thing I can say, and the big theme that we're going to hear today is start early. The earlier you start, the more runway you have and the more time you have to work things out, be less of a burden on your employees or departments and just give you opportunity to move your program forward and react as needed. So to kick it off, just looking at the program as a timeline, we break it out into four phases. So you have your phase one, which is that upfront readiness assessment. Phase two is documentation. Phase three is testing and reporting, and phase four is deficiency analysis and future roadmap.

And throughout all four phases, you're going to be constantly remediating throughout. So there'll be remediation at each of these phases. The earlier you start, the more time you have to get through these phases. So I'll say for newly public companies or companies thinking about going public, really you're going to spend most of your time in that phase one, phase two. That's where a lot of the upfront time will take, right? So when you're thinking about readiness, it's really getting your lay of the land thinking about what do we already have? Where's our starting point? Do we have policies and procedures in place? Do we have committees set up, charters, our ELCs set up? Are they in place yet? You may have them, you may not, and that's really where you're going through and trying to start to lay the foundation for that. Then when you go through and you identify really that high level of your starting point, then you start moving into digging more into the different process areas as well through documentation and test plans and just trying to get everybody involved and work through that and stand up their program.

So between both those phases, we're going to talk about risk assessment. So risk assessment is a huge part of this. You're also going to think about risk mapping. You're looking for gaps. Where should we have controls? Maybe we have controls in some areas, maybe in other areas we fall short. So that's all that phase one, phase two. Phase three, you get into testing and reporting. That's when you start to have your program a little bit more established and maybe you start to expand sample sizes and you look at more testing, more sampling over a period of time. And then phase four is just that final readout. On the next slide, we'll go through some differences between 404(a) and 404(b). Before I jump to that slide, just think that 404(a), again, we're going to sit a lot in that phase one, phase two, and that 404(b) is really where we branch out and we get into a lot more of the phase three.

With that said, Section 404(a), this is management's representation of controls. This is the expectation that as internal audit or as a provider to the company, we're saying on behalf of management, we represent that our controls are in place accordingly. So for here, you're going to initially focus on that design and implementation. How does that look? Do we have the proper controls in place? Do we have the controls to mitigate all our risks? What kind of gaps are we seeing? As you go through that roadmap and you start to move towards 404(b), that's when you'll see more of the external auditors come into play. Because when you cross the threshold for 404(b), the external auditors now have to opine on the control landscape. So even though the external auditors are performing their own independent assessment of controls, management will want to work alongside them as well to collaborate with them and arrive at the same conclusion and help them get to where they need to be, your externals.

They're going to have their own sample size and methodology. So usually a lot of times we'll want to mirror what they're doing and work with them and make sure that we're operating at that same level to help get them there. Whereas on the 404(a) standpoint, when we're dealing with management representation, at the very least, you want to nail down that design and implementation of controls, that test of one. And then you also may want to think about where your high risk areas are, risk rank them, and maybe you have some higher risk or more key controls where you may want to do a key to the keys and maybe do some sample testing in higher risk areas. It's a little more flexible from a 404(a) standpoint than 404(b), but it all comes down to how you risk rank your organization. How are you looking at things? How are you planning and rolling that out during the year?

Now thinking about the risk assessment and SOX compliance, really it all starts at risk. The whole point of controls is to mitigate the risks. So when we think about having an optimized program, we want to make sure that all of our controls align with our risks. Obviously, we want to make sure the controls mitigate all of our risks, but at the same time, if we have many risks bunching up, I mean we have many controls bunching up and mitigating a single risk, there can definitely be some room to maybe key some controls and make sure we streamline it. So we're making sure that we have the right size and the right number of controls and that we're not doing too much. Also, really evaluating the risk for SOX compliance and the mitigation strategies. Really just identifying those design gaps early and getting fixed with enough time to remediate.

I mentioned getting in early. Timeline is key, right? So the earlier you get in, the more time you have to roll out your program and to work with your team because, like Jerry said earlier, the teams sometimes are resistant to change or sometimes they have a lot on their plate already. They're not going to understand why we're doing SOX. It's going to seem like a burden or extra work for them to do just for the sake of doing something versus seeing the value of that. So the earlier you get in, the more time, the more runway you have to help them get to a good place, to help them work around any deadlines that they have. So say we're getting into monthly or quarterly closes, we can work around that and help fit their schedule better. So that's really key there too, is working with them.

In addition, you also want to start early because any of these gaps that we identify, the earlier you find them, the more time that you have to actually go through and remediate those and show a proper amount of passing samples later on in the year. So then when you get to the first year that you're required to present management's representation, you could be in a fully remediated state. I mean, we've seen all different sorts of scenarios with our clients. We've had clients bring us in say six months prior to year end where they have to be live and we're throwing the kitchen sink at everything. And ultimately you can get there, but when you do everything in the last six months of the year, you run a risk where if things don't pass, you really don't have ample time to remediate. So you're going to end the year with a bunch of unremediated deficiencies and you have to be careful if you have too many of those, they can start to elevate to things such as significant deficiencies, material weaknesses, things of that nature, and Jerry's going to hit on all that in the next section.

So really getting in early allows you that runway to identify the gaps, get proper controls in place, and really get things remediated way out in front of when it needs to be remediated so you can have a nice clean year that first year.

Jumping into just the overall internal controls framework, when we think about pre-IPO, IPO and really getting through that first round, I mentioned earlier we're going to be spending a lot of time in the design and the implementation phases of our controls, right? Really making sure our internal controls are designed effectively to mitigate all those risks that we need covered, any gaps, we're out in front of those and we can handle them early, and then implementing those controls as well. When we look at this, the whole framework, I kind of think of the maturity model a little bit. I don't know if you guys have seen the maturity model. One of the main ones I see in you is it has five phases where it starts with initial, and then as you work your way up to an optimized maturity model, you kind of start where it's unpredictable, it's unorganized, it's not very consistent.

Then you start to move up where maybe you have a little bit more consistency where you get your policies and procedures in place, and then following that, you want to get people to start operating those controls more efficiently and effectively. And you also start when you start a maturity model and it's a little inconsistent, it's also very reactive, but then as you climb the maturity model and you get your processes in place, you become a lot more proactive and addressing these things on the front end versus reacting to things when they go wrong. So really from a framework standpoint, again here I just want to say you want to start early. You want to get out in front of everything. You want to make sure you're driving that consistency too, because consistency is going to be key, and that's going to help all the employees at the company really see the value and drive the program forward.

Next, I'm not going to spend a lot of time on this, but really just you want to stay in front of your regulatory changes and evolving standards. Really a lot of the regulators here, you had the SEC, which is introducing new regulations recently there were some cyber procedures and disclosures going out there. There's also been some recent climate disclosures that are heading, especially in California with California ESG, and also you have some state and local regulations where you want to be in front of them, especially if you're in some of the higher scrutinized states like New York and California. So be in front of those. Also from a standard standpoint, right? The Institute of Internal Auditors, they rolled out global internal audit standards earlier this year, and as this year rolled on, they started to put emphasis on what they call topical requirements, which there's a cyber topical requirement out there, and the third party topical requirement just hit as well.

So it's being up to date with those standards and making sure you're working them into your program, into your risk assessment and being aware of those. In addition to that, you also have updated audit standards and pronouncements as well. So in the past few years, we had to deal with 842 for leases, 606 for revenue and things like that. So make sure you're staying up to date with those, and as these new standards come, we want to make sure that that could bring new risks. So we want to make sure that we have proper controls in place to cover those off as well. Move to the next slide. Again, adapting to regulatory changes. Just similar, going back to the other slide with the regulations, just want to stay up to date and abreast of all the changes, regulatory standards wise. Stay close to the audit committee and the board too, see what they're worried about, what they're thinking about, and how do we bring that into our program and help us cover off and manage all that risk.

Yeah, really this is just staying up to date and stay on top of your risk assessment too. When you think about the risk assessment, it's what are we bringing, what are we covering off on? How often are you doing it? So when you do your risk assessment, if you're doing it from a financial statement impact, okay, you're looking at your dollar changes and size, but you also want to take into account all of the complexity, known issues, any of these regulatory issues, things like that. So make sure you're being proactive with your risk assessment and not just going through the motions, but also really thinking about what else is out there that could potentially impact my program and how do we need to work that into the risk assessment in planning for the year. And then lastly, before we switch over to remediation, just want to touch on just some of the key focus areas that we've seen recently from a SOX compliance standpoint.

Really these focus areas, these are the real areas that we've seen the external auditors focusing in on and things that we need to be proactive with when we bring controls to the table, right? User access reviews, application programming interfaces, and information produced by the entity. Another bucket we can put in here is segregation of duties too, because that's been a huge focus as well. But really when you look at all these buckets, it's all based in technology, it's all based in IT, and Frank's going to talk about that a little bit later as well to cover IT and some of these focus areas, but you'll see if you have any key takeaways here for what to focus on and what to key in on. These are the big ones, right? User access reviews, what are our key systems, right? That's another piece. Going back to risk assessment.

When you're doing risk assessment, identify those key areas and what are those key systems and applications that we want to make sure we're covering off on user access review, who has access to the system? Who can do what? Who are the administrators and is it the right people who can, when you think about financial reporting from a general ledger or opening and closing the ledger standpoint, or when you think of procurement, who's able to create vendors and who can actually create invoices, issue checks. That's from an SOD standpoint too, so you want to make sure you have all that covered because it's been scrutinized a lot more than we've seen in this past year, getting out of just looking at it from an independent control level, and it's been looked at more at a blanket just overall universal level application programming and interface. Where do we have those application controls?

That's another part on the maturity table. As we start to move up and become more mature in our programs, we're going to rely more on technology and have more application controls, which are easier to test. And since they're system controls, they're free from manual error, so they're better controls to have and they're, especially when you're thinking about optimizing your program, you want to make sure you really hone in on those controls and make sure that all the interfaces are operating correctly, especially when you kind of bridge the gap between your business process controls and your IT team and how it relates to their ITCs, and then information produced by the entity. Even on our business process side, all of our controls are using data and information that comes from somewhere. Where is that information coming from? Is it from key systems? And if it's coming from those key, are those systems controlled and locked down? Again, all these things relate back to our ITGC controls, which Frank is going to cover in our later session. So with that said, I'm going to pass it over to Jerry Maloney and he can dig in a little bit more on the deficiency and remediation section.

Jerry Ravi: Yeah, and before you, I just wanted to mention one quick thing. I know some of the key questions that we hear from our clients, whether they're a mature public company, even a larger accelerated filer versus smaller reporting company, is one of the key milestones. Even as you go through this, as you look at optimization, obviously for the larger companies, project management's going to be a key milestone or a key area to focus on around all these different things. And the common areas that are overlooked are basically those areas that Marty just went through, the use of the system, the key reports, refreshing that risk assessment as you're going along, and then obviously dealing with a number of things that Jerry's going to talk about around deficiencies and material weaknesses, because some deficiencies continue year after year. That's common, but there's a way to deal with that even as you look at the risk assessment. So as we transition thinking about that, that's what we get. What are the areas that I need to focus on? What are the top priority areas, the top risks, how do I rightsize this? There are ways to do that even through project management, which we'll go through later in this session. So Jerry, I'll pass it back to you.

Gerald Maloney: Great, thanks Jerry. And it's always important to take into consideration the continuous improvement ideology, this work that we do and everybody involved with it. It's that risk-based approach. So making sure that what you're going through is the risk is area, focusing on that, and obviously having a roadmap to ensuring you remediate all the deficiencies that are noted. So that being said, I'm going to get into just really understanding the severity and essentially how we measure deficiencies. So you see on the slide right here, we have control deficiencies from right to left, starting with least severe to most severe. We have control deficiencies, significant deficiencies, and then material weakness. Control deficiencies, typically a flaw in the design or operating effectiveness of a control. This could be identified during your design phase or your operating effectiveness phase. This would be inadequate documentation of procedures or minor errors within your reconciliation process.

This doesn't necessarily result in a misstatement, but it indicates a potential risk. So that's why it's rated as the least severe. Solution for this: sometimes a process redesign, reviewing current controls and strengthening those, enhancing those, determining whether or not additional controls need to be put in place. Or in some instances it may just be that the control did operate as, I'm sorry, was not appropriately designed, but then there's other instances where it was appropriately designed and it just did not operate. So identifying specifically what that is and then figuring out how to remediate that. For instances such as these, we would just roll forward, make those changes, and go ahead and retest those in later areas. The way we broke it up, as Marty had brought up before, is we have our test of design phase and then our operating effectiveness phase, which we break into two areas.

First of which is your interim period testing and then your roll forward testing. So if something's identified in one of the previous areas, we go ahead and expand that testing in the further areas. Going to the second level of severity, moderate, is a significant deficiency. So this is really classified as a deficiency or group of deficiencies that's less severe than a material weakness, but important enough to warrant the attention of those charged with governance. So what that means is essentially these significant deficiencies would be funneled up to the board or audit committee, and it's not required to be disclosed in your financial statements or your 10-Qs, 10-K. Some examples of this would be general oversight, lack of oversight in financial reporting, potentially inadequate segregation of duties. Of course, a combination of these, any level of deficiency, could elevate that deficiency to a higher level. So it's important to take that into consideration, and I'll go through a little bit of how we measure these deficiencies as well. Last area is the highest, most severe. So material weaknesses, a deficiency or again, group of deficiencies such that there's a reasonable possibility that a material weakness in the financial statements could exist was not prevented or detected in a timely manner. Essentially, this then needs to be disclosed within the SEC filings. It also may lead to an adverse audit opinion. Of course, this is funneled up to the audit committee as well.

I had said a couple of times that measuring these deficiencies is obviously key. So really how do we do that? So essentially the first step would be identifying that deficiency, and then you would assess the likelihood of the misstatement, then evaluate the magnitude of the potential impact, and then you consider compensating controls. So this is where it gets into an aspect of developing a robust program so that you have redundancies in place in order to guard against the material weakness. So this might be one of those backstop controls where something's dialed in at a level of precision necessary in order to identify a material weakness in say an account reconciliation or a flux analysis, a peer tope review. So that's where it's a holistic approach where we would install these redundancies to ensure that we would be able to identify or prevent or detect a material misstatement prior to it hitting the financial statements. And then at that point you would then aggregate your related deficiencies. So if you have multiple deficiencies that have the same general theme, those would get aggregated into potentially a significant deficiency or even potentially a material weakness. And then we would just conclude on the severity of that. So that's obviously just finalizing whether or not it would be a control deficiency, significant deficiency or material weakness.

So next step is obviously the remediation portion of everything. So typically the way we think about this is in a three-phase approach. So we have the investigation and analysis phase, so really what happened and how did it happen? And then you really want to align with your stakeholders throughout this entire process of either pre-IPO or recurring SOX engagement. Communication is key. You want to make sure that you're communicating with your stakeholders, management, the board, your external auditors, any other service providers that are potentially within the company, and have that clear cut program of where it is that you're trying to take it. We talked about continuous improvement just a little while ago. That's making sure that you're always advancing your program each year and you're laser focusing it to your organization. We would never want the burden of controls to outweigh the benefit that they yield.

So making sure that each program is focused to a company focus specifically on their risk areas essentially. Then during this phase, we'd really just focus on establishing priorities and your specific timeline. The second step is the solution identification and communication. This is where you would start developing your solutions, whether or not that's redesigning a control, implementing new controls or potentially adding to a process that already exists in order to backstop that control, I'm sorry, that risk. Make sure that it's covered elsewhere. And then you want to make sure you build a team and establish ownership. That's very key in all this. Project management is huge. We want to make sure that the individuals are aware of what it is they're responsible for, ensuring that they're aligned on ownership, accountability, and that a timeline is hugely important. So making sure that you set deadlines and get everybody on the same page.

And then you also want to obviously connect with your external audit team. Essentially, they're the ones that are going to be signing off on the financial statements. Obviously there's the attestation for management that they have. And for a publicly traded company, you have your certifications that get signed, but making sure that they see a clear cut plan towards remediation, giving them the comfort that the management team has this under control where we operate in a co-source environment or outsource environment for companies. They still do have ownership of SOX. We may be the ones running it, but making sure that everybody's communicating, having regular cadences set up so that we can understand how we're progressing remediation and making sure that anything that we have identified or the external auditors have identified or management has identified gets remediated by that company's year end. In most instances for the companies we deal with, a lot of 'em are 12/31 year ends, so that October to November timeframe is a very busy time, making sure that we are all aligned.

We're having conversations regularly now with all of our external auditors and team members to make sure that we're developing a cadence and there are no surprises towards the year end. The last step is execution. So really this again is communication and ownership and really accountability. You want to have a healthy sense of urgency and make sure that individuals who have tasks assigned to them are accountable for those. Keeping the team on track, again, the communication aspect of it is huge, so we want to make sure that you have that aspect. Having conversations regularly is of the utmost importance. And then you see on the right-hand side, we have keys to success. A lot of times when we have a deficiency or something that's noted, we want to make sure that we break it up into three buckets. So we have people, process, and technology. For people, making sure that they feel supported, making sure that they have a plan in place, making sure that they're really where they need to be and have adequate guidance. The process itself, that's just going through and making sure that controls are appropriately designed. You have a process that, again, isn't overbearing. Everybody has a day job.

Gerald Maloney: He's very, very good. It's a lot better to have the communication, I'm sorry, have a technology where you can really focus in on the higher risk areas, making sure that you're driving that efficiency and getting essentially to a successful audit program, an internal audit program.

Jerry Ravi: So I'll give it back to you, Jerry, for the next question. Yeah, I appreciate that. I know we will go through a couple of the key highlights as we get into the panel after this next piece on it. Another polling question we wanted to ask, and I know documentation sometimes, that's part of the rigor that even Jerry was talking about that not a lot of people want to do. It is still important. There's value in making sure that we have proper documentation on things like policies and procedures and the evidence behind controls, as even Marty was talking about. So this question is really just around IT policies: do you have them established, limited or in progress, or no formal policies? If you could just take a second to answer this.

And part of the reason why documentation matters, if we talk about pre-IPO versus mature companies, I think as those companies do mature out of the IPO stage and readiness, they see the importance of documentation and keeping it updated. And this is where you get streamlining by using technology to enhance that, not making it such a burden on the team and process owners to do this. So I just wanted to make sure that we mentioned that. And I see we have a little over 50%, so I'm going to stop it now, and the answers, so great, almost 50% of that group. So you have established policies and regularly updated. I think if you ask yourself, what do we see that's different again from getting started to mature, it's that top piece of making sure that that documentation has a cadence, that the process is efficient to update it, looking at it on an annual basis, and the business changes.

Obviously roles change, but the business can change too. And technology will change. Ultimately, we can make this more of a continuous improvement approach. And I see others had limited scope, not consistently updated. We typically see, again, at a minimum an annual basis that they're at least refreshed. We sometimes even have that in our co-source model where we look at it at the beginning and end. There's always an optimization. And you saw the chart that Marty put up in terms of the approach. The collaborative approach is at the bottom. That's where project management sits, and the collaborative approach is continuous. It goes through the entire process from the beginning to the end. So we'll pass it on to Frank at this point to talk about IT controls. Frank, we'll pass it to you.

Frank Auddino: Thank you, Jerry. So, spotlight on IT risk. So over here we have four areas I want to hit on today, but first and foremost, my favorite is ITGCs and then how do we optimize them? So I know when we hear optimization, it's like, oh, how do we make them better? But we want to go back to the basics. How do we start small? And I want to make sure, if you're already public or in IPO readiness, it's always okay to do a refresh. So how do we do it in an agile way where every little win could technically be a huge win? So where do we start? So for me, understanding ITGCs is: do we have controls in place right now? Is the RACM reviewed on an annual basis? Are we reviewing the risk and controls matrix? And especially around not just the controls itself, but who is owning each of those controls?

Who are the owners of the application, who are the owners of the process, et cetera? Because making sure we identify accountability is one of the main ways to make sure that these controls keep going up with quality, every little step of the way. One of the big things we see here, in bigger and smaller companies, is how often you say this was designed, it worked perfectly last year, and then something happened. So when we talk about accountability, we really want to make sure that those individuals are doing their role appropriately. And there's also the big thing of succession planning. There's a lot of IPOs. You might have maybe two people in your IT department, and you're telling me that they're supposed to be responsible for all these controls. One case: even a small gap from a user access review, where one of the individuals just went on leave and the control didn't operate because there was no one there as a backup.

So thinking about little things like this, just saying who's going to do it, that's a big key step. We want to start making sure we instill that in all our clients and everyone who is pre-IPO or already a public company. And from there it goes on to: if that person's a backup, how are they going to know what to do? And Jerry said earlier, no one wants to write IT policies. They are tedious, some of them. But when we talk about not just policies but SOPs, that is the big area. We want to make sure that management has a guide. So we could call them tabletop exercises or a checklist, but something there to make sure that if something happened to that main owner, those individuals have something to go off of.

One of the big things we hear, and what Jerry Ravi said, and also Marty said earlier, is where do you see the most exceptions in IT? And the big issues now are around the user access review. The user access review started real simple, like give me the users, their roles, and was it signed off? Now, if you do the internal audit and you ask your internal auditor, now they want us to test against what, almost seven to 10 different attributes. So every year we know we get new regulations and the enhancements we need to do, but for the big picture, now we're going deeper into permissions. So before, we would generate the user access review, where we had some exceptions at user to role; now we're going to that level deeper where we're going to say, okay, well now what permissions does each of those roles have?

Are they appropriate from an IT and business finance side? So they want to know, once you know those permissions, are there any SOD issues? And then to circle back, where it adds on is working with IT, working with the business, to now create maybe an access provisioning matrix. So someone with this title could get these roles. So it's not just the user access review; now this helps in the control of user provisioning. So rather than doing the mirroring, oh, give this person this access because it's a replacement, how do we know that that individual didn't have elevated or inappropriate access when provisioning? So once we go through these steps little by little, it will help streamline the process and actually enhance additional controls in the access space, which is a really big thing. The other area I want to hit on from just an ITGC standpoint, where we're seeing areas of improvement, is change management, segregation of duties, right? So right now we see individuals, users with development access and production. So we just want to make sure, do you have a pipeline or anything in the system configured to restrict that access so no one could just make changes in the production environment?

So then we want to talk about the next thing here, which is the software solution for SOX compliance and the role of automation in compliance. So when we go to the next slide here, I'll talk more about Workiva, and this is just something that we here at EisnerAmper are familiar with, but there could be any other compliance tools. But really technology plays a pivotal role in enhancing SOX compliance by automation, enhancing data capabilities, and improving overall efficiencies. The areas where we see IT help here are around the automation tools; what it streamlines for us, as we saw, is simply status decks using Workiva and other tools for reporting and dashboarding. It really helps drive efficiencies throughout everywhere and to get that sharing and collaboration not just internally but with management and also sometimes the external auditors. So what we really like about it, other than just doing all the automation, is really being able to go in live so you don't have to worry about version control and so on.

All right, so now we're going to talk about the cybersecurity regulations. But before that, one of the other pillars we talked about was vendor relationships. So when we talk about vendor relationships, what are the four things that we could do, especially if you're pre-IPO or already established? You might not have those big departments or established risk management processes yet. So really it's just making sure that you are asking the question before you use a third-party service provider: are they a trustworthy organization, right? These are little things, asking the question, hey, do you have a SOC 1 report? Reviewing that report, and then always maintaining a positive relationship with vendors. And then, once you establish those vendors, you start to create a process. Where are we addressing this risk? Is our data secure? Who's responsible for any backups or restores, et cetera?

So those are certain things from a vendor management standpoint, those are areas that we want to consider going forward. So I'll quickly hit cybersecurity regulations. As Marty hit earlier, it's a couple of regulations around timely reporting and public disclosures for materiality on cybersecurity incidents and managing risks from cybersecurity threats. There are a couple of best practices; it's really just more about establishing those processes, creating the incident reporting and disclosure procedures, and truly understanding and getting sign-off from the board of directors for oversight over cybersecurity risks. And again, I want to bring it to that basic step where it says, let's keep it simple. How can we do this? Right? We might not have those departments yet. So the first thing is, did we do an effective risk assessment over the controls in place for cybersecurity? Has management done any tabletop exercises? And some could be like an unpatched vulnerability, cloud service provider outages, an insider threat during financial close.

And again, people always think that some of these are just IT related, but realistically, sometimes it has more impact on the financial controls than it does on the IT controls, because operations go down due to a threat. Business stops, right? So there's a lot more awareness now around cybersecurity, and I think both sides see it, from the IT and business side, and there's a greater appreciation. But the biggest risk after that is, once you do these assessments, right, are we sharing the results? Are we educating? Are we investing the time that we need to make sure that there are lessons learned, action plans, and then updating current policies? So from there, I like to close by saying that there's nothing too small that we could do to make a huge difference, especially in understanding the certain risks, and on each control a little win could go a long way. So now I'll kick it back to Jerry for our next polling question.

Jerry Ravi: Thanks, Frank. All important key factors in building and optimizing the program. So we're going to go to another polling question, asking about your biggest challenge in SOX compliance. I know some of you did say that you're private and it's not applicable, but even in terms of controls over financial reporting or controls in general, if you swap out SOX with just controls, that could still stand, but please answer this polling question and then we'll move on to our panel discussion. And obviously we hit on a lot of these, with resource constraints, manual effort, automation, making sure you're interfacing with external audit requirements and just making sure that you have that in your cadence. And obviously project management would be another big one. All key factors, a reason why we wanted to put this out there, addressing where things could go wrong potentially, and just addressing how to build a program. And we're going to get into that in just a second. So I see we have a decent amount of answers. I'm going to actually toggle here.

So not surprising, the top two. And it continues to be the top two: resource constraints, having the right people in the right seats, having resources to help in different pockets as well. And it doesn't even mean they need to have a role. Looking at outside providers and co-sourcing and just having help, there's a lot of effort that needs to be done right away. So obviously resources are a big thing. And the manual effort that goes into this, you don't get as much value in the program when there's a lot of manual effort. That's where again, technology, as Frank mentioned, could also come into play. Technology can also be a risk. Again, you have to address that as you move along in your program. So let's transition to the next section. And I know we only have 10 minutes left, so we'll just have a little bit of a panel discussion on a couple of key topics that you could take away.

Some drivers. Again, we talked about optimization and the mechanics of SOX, and let's shift gears now and focus a little bit more on people and culture, because at the end of the day, SOX compliance isn't just about controls or even documentation. I know we talked a lot about that. It's about how the teams are working together to uphold them. So how do we continue to do that? So a lot of what we see comes down to culture and just education and fostering that. So Jerry, I wanted to just pass a question on to you. How do you see project management, for instance, fostering a better culture as companies mature from the beginning stage to a later stage?

Gerald Maloney: It focuses, well, the basis of the project management is obviously putting together your risk assessment, and that really is the basis of how you move through your actual engagement itself. So the level of detail you go into for each one of the specific areas, I think that in terms of setting deadlines, making sure that people have ownership and then are accountable for what it is that they need to be doing, is key. Because you don't want to bite off more than you can chew, and making sure that in the event that there is too much asked for, you do get the support that you need. And then in the aspect of really just your timeline, staying on track and making sure that you're getting things done on a timely basis, that's also performing the controls as well as then managing the actual program itself and developing a cadence.

We see a lot of our clients putting a lot of their controls into their financial reporting close process itself, aligning it to that. So it's clear cut again, that accountability, ownership, responsibility, and making sure that people have the ability to get, obviously, their day jobs done, and making sure that they still have that four-eye approach and ideology over the controls themselves. So having that four-eye approach within your culture, and that's the preparer/reviewer, preparer/reviewer, and making sure that there's a second set of eyes on everything that gets done. That's really the control. So a lot of times we have clients that come in and say, oh, we have a ton of controls in place, but they're more of a process itself. So the review and approval of going through the actual program itself, that's paramount. That's what the auditors are going to want to see. That's why we as internal service providers, co-source or outsource, want to see it: the evidence that something was actually in fact done.

Jerry Ravi: Yeah, all very important to kick it off that way as well. We get into training. And Marty, I wanted to kick it over to you on that topic, and we could talk, I see there's a question too about who typically owns it, which we'll get to in a second. Thank you for that question. I think from a training standpoint, we've seen a lot of different things, and you can make this unique to your organization and how you do this. Piggyback off of other trainings that you may have done. I know Frank talked about cyber. Obviously that's been a big educational and awareness campaign at many companies to make sure we know what to do when that happens. But what does good look like? And a lot of this gets back to how you train your key team members. So Marty, I wanted to pass it to you to talk a little bit about training and a little bit about ownership around that.

Martin West: Yeah, no, thanks, Jerry. Training is super important. A lot for pre-IPO and IPO when first going public, but we also do it for a lot of our existing and mature companies. The idea there is you're letting the team know what's important and why it's important. I know in the beginning people are less adaptable to change, or they want to hang on to what they know. So you really need to train them up and make them aware of why we're doing this. Why do we have controls? How are we protecting the company, and the value that controls bring, and get them out of the mindset where it's just kind of a check-the-box necessary evil, right? That's super important. And the other thing I'd say is, I saw in the last poll, we talked a lot about, it looked like the biggest challenges were resource constraints, it was too manual, and a lack of automation. Well, automation can help with things that are too manual or resource constraints. But in order to automate and in order to get better, you need to have consistency, right? If your process isn't consistent, there's really no way to streamline it because it's too fragmented; it needs to be repeatable. And then once you really drive that consistency, and training is a big part of driving that consistency, that's how you really get your program to become more mature, and all those other efforts will follow.

Jerry Ravi: Thanks, Marty. I think it's all very important too, as you take ownership. And to answer the question about who typically owns it, we typically see the ownership of SOX compliance within finance. There's a unique sense of the so-called, however, it definitely could be somewhere outside of finance, meaning internal audit plays a key role, and they don't necessarily manage the program, they support it. If you have internal audit, we sometimes act in that role on behalf of our clients. We come in to help streamline efforts, do some of it, what you even see on this slide around training to process owners, but it should reside within finance, somebody that typically owns it, that sits with the CFO or the office of the CFO, and then ultimately there's a dotted line or help from others. And there are even pieces of it, depending on how you scale and how large you are, there are pieces of it, we call it the first line of defense, where a process owner sits, those that are actually executing the controls.

Sometimes it's a benefit to have somebody within that first line that's dedicated to making sure controls are intact, that we're thinking about them the right way. Going back to the risk assessment, that's how you foster the culture. Now, again, if you're smaller, that's probably not feasible, but then there's an element of who wants to wear that hat and how do we do that collectively together, because sometimes we're co-sourced with clients where we're wearing that hat as well, but you have to get through it and have a plan. So that's where that project management piece comes into play. So let's transition to the next slide here. I know continuous monitoring and testing around controls, that's certainly paramount as we move through the maturity model here. So Frank, I wanted to just pose it to you because I know you talked about Workiva and just tech enablement. How do you mature through their growth? How do you look at continuous monitoring when we talk about controls?

Frank Auddino: Yep. Thanks, Jerry. So really at the highest level, maturing through growth to us is continuing to take little steps and to get that streamlined process. But a really simple example, people talk about automation. How can we do this? If your environment has a ticketing system, we could start off by scheduling the automation of a ticket creation to remind management of when to kick off the user access review. That's a very simple reminder, but it is a step toward automation. Then how do we get the user listing in there, right? The big thing that we see with continuous improvement is documentation around completeness and accuracy from an ITGC standpoint and also business process. Everything that comes up from auditors is how is management comfortable with the completeness and accuracy of data? So I know a lot of this we're talking about is real-time continuous improvement, but how do we do that?

It's going back to the basics and that SOP. It should say step by step how to generate the listing used in the user access review. How is management comfortable? Is it complete and accurate? You have the screenshots, the total row count, take a sample, trace and vouch for accuracy. And by doing those steps, you would be surprised how much you learn every time you go back to that SOP. So year one, you might think, oh, I got the permissions. But then year two, you ask that question, saying, how do I know what permissions they are doing? Does this permission read, write, execute, et cetera? So those are some ways where we could see how continuous improvement could really shape and educate and grow the program.

Jerry Ravi: Thanks, Frank. And I know we're transitioning fairly quickly here. I didn't see any other questions, and if there are questions, we'll make sure to reach out to you once the webinar is done. Just one last thing. I know Jerry, just quickly if you can, I know you talk about this a lot when we're working on clients together as well, just tailoring the program and making sure that it meets the organization's needs. So can you just mention that quickly as we go through kind of the drivers here?

Gerald Maloney: Yeah, I mean, you really want to make sure that you tailor your program to the organization and not have the organization tailor itself to another program already stood up. So everybody has their day job. It's what they do, implementing those controls into the process. So a lot of times we'll come and talk with a pre-IPO company looking to go IPO. We really want to get an understanding of what they're currently doing, because in a lot of instances, companies do have controls in place. They may not be framed exactly as a control. It may not have that four-eye principle, or it may not be evidenced and then retained. So those are key aspects of it. So those are a lot of really good quick wins that we're able to get with companies to ensure that we get their program adequately stood up. So just, I mean, in terms of some of these key tips, planning and alignment with key stakeholders, you want to be focusing on the risk areas that you have that are the highest risk areas.

So that's your qualitative and quantitative analysis of your balance sheet and income statement. Go through the whole process, funnel that down to each individual business process area, and that's essentially the rationale that you have for how you're going to approach the engagement. What areas are you going to put more scrutiny on, focus on more? And that helps alleviate some of the stresses of some of the lower risk areas, where you may be able to go ahead and do observation or inquiry based on those areas. Those are still covered; we don't have to do the detailed test on everything. If something is a low enough risk and it's a standard process that doesn't really have a lot of volatility in it, it's not really susceptible to fraud, doing that inquiry is definitely a benefit. The risk assessment, again, revamping that risk assessment in the event that there are significant changes within the culture, the team, the financial statements, if they have an acquisition or anything, because that could change how you're approaching the engagement for the rest of the year.

The roles, responsibility, ownership: we talked a lot about project management, talked a lot about accountability, making sure that you have a timeline, defined deadlines, and making sure that you hold individuals accountable to it. That continuous improvement, we've been talking about that since we got on. It's making sure that you bite off, like Frank had said, taking little baby steps. So don't bite off more than you can chew. Try to put together a program based on risk, based on where you're seeing issues, and making sure that that whole program itself is gone through and you have those redundancies in place. So in the event that you do have a control that's missed in the beginning portion of a process, that backstop area, making sure that that is firmed up the way that it needs to be. And then again, that ongoing communication and collaboration. We have regular cadences with everybody.

I think communication is paramount, and doing something like this, it's advisory work, what we perform, and SOX is no different. It's making sure that you're understanding how the company's changing, what's occurring, what it is that needs to be shaped or manipulated to ensure that you're covering the areas of risk that you need to, and making sure that that gets funneled up. We talked about the deficiencies, the significant deficiencies and material weaknesses: significant deficiencies go to your board, material weaknesses go to everybody that's a reader of your financial statements. So making sure that you're communicating therein so that there are minimal surprises is really a best practice that we try to put forth for everybody that we serve.

Jerry Ravi: Our panelists, Marty, Frank and Jerry, thank you so much for being here today with everyone. Hopefully this session helped clarify some things around the complexities and gave you some practical takeaways to think about as you're strengthening your program, including culture. So thank you again for joining. If you want to continue the discussion or explore anything, please reach out to us. Happy to help. But thanks again for joining us and, as always, just stay audit ready.

Transcribed by Rev.com AI
