Menu Close

#37 | Part 2 – Tick-Tock Tick-Tock the SOX Clock

This is part 2 on building a project timeline for SOX 404.  We answer tactical questions like:

  1. Which processes should we start with?
  2. When should we do the process documentation?
  3. When should we do the walk-throughs?
  4. When should we do the testing?
  5. How many rounds of testing should we do?
  6. How does the JOBS Act or being an emerging growth company factor into the timeline?

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

Which processes should we start with?

We started with equity and order-to-cash processes. A couple of things you may consider here …. One is we usually start with the bigger processes or higher risk processes like order-to-cash and financial close. We like doing the messy work up front.

Equity, while it’s a smaller process, has a lot of hand-off between HR, finance and legal.

Order-to-cash and financial close tend to be higher risk processes. If you are a biotech company, you may not have an order-to-cash process but you do have financial close and clinical trials.

Notice that we have some time allocated for entity level controls and it looks like there’s a lot of time. The extra time here is not because of the extra time to do the tasks. Entity level controls can be done quickly but you need to work with legal and HR or other departments outside of accounting.

For younger companies that are getting ready to be public or going through SOX for the first time, some of the policies are still getting finalized.

You will also notice IT general controls as a key process. We allocate more time for it because with IT general controls, you’re working with the IT department.  Often, system controls take more time to implement because of system constraints and capabilities.  The timeline to complete the work is based on who is available.

When should we do the process documentation?

We have budgeted about a week to do the documentation and a week to do walkthroughs. Typically, it’s easier and more efficient to interview and document and do a walkthrough right afterwards.

When should we do the walkthroughs?

Once we do the initial interview, we actually like to do the walkthroughs right away. The walkthrough is essentially saying ‘You’ve told me what you do during the interview and now let’s go to your desk and show me the steps. Let’s select major classes of transactions and take me through it”.

SOX 404 walkthrough timeline
Fig. 1 – walkthrough and documentation timeline

That’s why you see in this timeline that we have built, we often connect the documentation and the walkthrough tasks close to each other because it’s more efficient.

When should we do the testing?

See the lighter blue bars. This is what we call Round 1 testing. Round 1 testing typically covers the first six months. If you have a different year-end, it’s your Q1 and Q2.

SOX 404 testing timeline
Fig. 2 – Round 1 testing timeline

We have about 5 weeks allocated. It doesn’t take the whole 5 weeks to test equity.  We have extra cushion in this timeline because it is the first time doing the testing. There is always that coordination of the name of the report, the report parameters.  What’s the population? Once we have the population, we can then select the samples and give the process owner time to gather the support.

How many rounds of testing should we do?

By the time you get to Round 2, which is testing Q3 activities, you have now worked out the kinks. Notice that the Round 2 testing happens after Q3. What we do for many of our clients is we block out the first 2-3 weeks after quarter-end because we know that everyone is busy closing their books.

The time to do the testing has shrunk a bit because we know how to coordinate and work with each other.

Now, look at Round 3 testing. This happens after the year-end close. The year-end close takes a good 3 weeks to do and the last round of testing is mostly for high risk controls and controls that only happen once a year.  Drafting the 10K and disclosures only happens once and so we reserve time of those last tasks to be done here.

How does the JOBS Act or being an emerging growth company factor into the timeline?

I’m showing you an example of a timeline under the JOBS Act requirements.  You may remember from previous trainings that the JOBS Act was a law that passed in 2012 which says if you are in an Emerging Growth Company, you are exempt for 5 years from following SOX section 404B.

JOBS Act Timeline
Fig. 3 – Example of timeline under JOBS act

The timeline lets you visualize the activities needed under SOX 404A and 404B.

SOX 404B is the requirement to get an audit from the external auditors on internal controls over financial reporting. The company is still required to document and assess that controls are in place and operating (that’s SOX 404A). If you do your process documentation and walkthroughs, you would be able to fulfill this requirement. The external auditors under 404A only need to verify that you have documented your controls and the controls are in place.

You are an EGC if your revenue is less than $1 billion or you have public debt less than $1 billion or your market capitalization is less than $700 million. If you meet these criteria, then you are exempt from SOX 404B.

SOX 404B is the extra work for Round 1, Round 2, and Round 3 testing. Your external auditors have a requirement to test controls to ensure they are operating effectively. Most companies do testing to make sure they know what the results are before the auditors do it.

There’s another reason why I planned the walkthroughs to stop in June. June30 is the measurement date, which is the date that you do the calculations to know if the company is an EGC or not. If you are a December 31st year-end company, you would measure on June 30 (6 months before the year-end date).  If you have less than $700 million market capitalization, you are an EGC. If you are an EGC, the auditors don’t have to do all of the testing activities.

That’s why most companies do their documentation, their risk assessments, and walkthroughs by June 30 so that they can say they are done with SOX 404A requirements. If needed, they can then jump into testing to meet 404B requirements. Some companies actually start to prep for 404B by doing testing even if they are not required. They do the testing to make sure that their key controls and high risk areas have been covered.

To recap, today we covered building the SOX project timeline and the rationale for:

Leave a Reply

Your email address will not be published.

Share This

Copy Link to Clipboard