SOX Accounting: Compliance Guide for Accounting Firms
Author: Financial Cents
Reviewed for accuracy by: Alexis Sadler
The Sarbanes-Oxley (SOX) Act was enacted by the United States Congress to restore public trust in the country’s financial system.
This became necessary after inappropriate accounting practices led to the collapse of companies like Enron and WorldCom, which cost thousands of jobs and billions of dollars in retirement savings.
The SOX Act requires public companies to create internal controls that ensure accurate and reliable information for investors and the public.
With SOX accounting, auditors (and public accounting firms) are expected to examine the financial records of public companies and provide unbiased financial opinions in the interest of the company’s assets and the investors.
Failure to maintain fairness and accuracy in a SOX audit can result in the loss of an auditing license.
Understanding SOX Requirements for Accountants
a. Auditor Independence
The SOX Act prohibits auditors from providing any other accounting services to their audit clients during the audit tenure. This prevents emotional and professional attachments, which might obstruct objectivity in public company audits.
Providing other accounting services to your audit client could get you too interested in the company, which might cause you to develop blind spots for certain irregularities.
If a personal relationship develops during the audit tenure, the SOX Act requires you to disclose it and withdraw from providing the audit services.
b. Internal Controls
Information, especially financial information, is power, but inaccurate information can be catastrophic.
Internal controls over financial reporting (ICFR) ensure that the information companies present to the public and investors is accurate, timely, and devoid of material misstatements.
Designed to protect your client’s assets and maintain the accuracy (and reliability) of your client’s financial reports, ICFR keeps your client compliant with laws and regulations–like SOX.
These controls prevent irregularities in the financial statements, whether intentional or unintentional, giving investors reliable financial information to make informed decisions about a company.
c. Public Company Accounting Oversight Board (PCAOB)
The PCAOB was created by the SOX Act to oversee the audit of public companies and minimize audit risks.
All public accounting firms are required to register with the Public Company Accounting Oversight Board (PCAOB) to qualify to play any part in the audit of public companies.
As the standard-setter, the PCAOB also penalizes violators of any SOX requirement.
For example, the PCAOB recently barred a public accounting firm (Gries and Associates) from auditing for failing to “respond to warning signs that Tingo’s financial statements misstated billions of dollars of goodwill and tens of millions of dollars of stock-based compensation expense” for the 2021 fiscal year.
SOX Compliance and How It Affects Accountants
a. Risk Assessment
The risk assessment stage of SOX compliance helps you to identify the potential for fraud in your client’s business.
Rapid business growth, complex organizational structure, and introduction of new technology are natural causes for compliance concerns.
When assessing the risks of fraud in a company, you should ask whether:
- The management knows about any allegation of fraud in the company.
- The management has previously identified any risk of fraud in the company.
- There are programs and controls the management has established to mitigate fraud risks.
- The company has multiple locations.
- The risk of fraud is higher in some locations than others.
- There are programs to train staff on ethical handling of financial data.
The answers to these questions will enable you to understand your client’s business processes, industry, and operating environment, which can enhance your audit outcomes.
Next, examine the control environment (the tone at the top). Are the company’s management and leadership committed to ethics and compliance? Their attitude towards ICFR can determine the effectiveness of the existing internal controls.
Also, decide how much you want to rely on your client’s internal control measures (from internal auditors trying to prevent fraud) for your audit opinion.
b. Testing Internal Controls
Testing internal controls helps you to understand the effectiveness of the control measures and whether they are operated by the right person. There are a few ways to find out.
They include:
- Inquiry: the external auditors ask process owners and managers about the effectiveness of the controls in place. This method is not the most effective because these employees can misstate figures to make their company look better than it is.
- Observation: the auditor pays close attention to the business in operation to see how the internal controls are implemented. By such observations, the auditor can see where there are internal control measures and where they are nonexistent.
- Inspection or Examination: the auditors examine the control measures to see if they are strong enough to prevent fraud or errors. The auditor can examine an IT device or solution to see the permission levels granted to employees and customers.
- Re-performance: This method enables the auditor to attempt a relevant operation to see if the internal controls are activated as required. For example, you can make a financial calculation here to see the accuracy of the figures, which can give you an idea of how the system is programmed to compute financial data.
- Computer-aided audit tools (CAAT): This is the use of technology to automatically analyze data to test the different types of internal controls. These tools test internal controls by analyzing a large volume of your client’s data or transactions to catch errors.
As you might have noticed, each control testing method is more effective in catching errors and fraud than the one before it, but using multiple methods gives you a more accurate picture of the financial records.
c. Audit Documentation
Audit documentation allows you to present the audit work in writing in terms of the scope, level, and quality of work done.
It is a record of the planning, fieldwork, and procedures performed. It includes memos, correspondences, schedules, confirmations, and every document that shows the reviewer that an audit was done on a company.
At the end of the documentation, the purpose and source of the audit and the conclusion reached should be clearly stated and organized to link every concluding assertion in the financial statements to their supporting evidence.
The audit documentation also shows how well you kept to the PCAOB standards in reconciling financial statements to the underlying accounting records.
d. Management Representations
Management representation gives your audit work the backing of your client’s management. If you need to defend an assertion in the financial statement in the future, the management representation letter can serve as evidence of the management’s contribution to your audit opinion.
The representation letter has to be written on the company’s letterhead, addressed to the auditor, and signed by the chief executive officer (CEO), chief financial officer (CFO), or someone in the company’s top management. It has the same date as the auditor’s report (covering the audit period) and confirms the information they provided to you (the auditor).
The representation letter should explicitly state that:
- Management is responsible for the preparation of financial statements.
- All assumptions and estimates are made in good faith and are reasonable.
e. Issuing the Audit Report
The audit report is the instrument of communication from the auditor to the investors and the public.
The audit report must include:
- The tenure of the auditor and their roles and responsibilities. The goal is to understand how long an auditor has audited a company. The longer an auditor examines a company’s financial records, the less likely they will be to maintain the objectivity and integrity that the PCAOB requires.
- Critical audit matters (CAM). This section describes the issues the auditor found necessary to point out to the company’s management and investors. Critical audit matters include entries or disclosures requiring complex judgment. Pointing these issues out will enable investors to make their own conclusions.
The audit report should communicate one of the following opinions:
- An unqualified (clean) opinion: This is when the auditor opines that the financial statements are presented fairly and without material misstatements.
- A qualified opinion: This is when an auditor certifies a company’s financial statements as clean, but notices an irregularity for which they cannot find enough evidence to verify the error or misstatement.
- An adverse opinion: This is when an auditor believes the financial statements contain material misstatements or errors.
- A disclaimer of opinion: This is when an auditor cannot certify whether the financial statements are free of material misstatements (or not) due to:
  - The audit scope limitation.
  - Compromise of the auditor’s independence (and objectivity).
  - Uncertainty in the company’s financial statements.
Best Practices for SOX Compliance
1. Embrace Teamwork and Communication
Communication (and teamwork) are essential to the audit process. At the planning stage, you need to help the client understand your responsibilities, the scope of the audit, and the timing. This understanding is foundational to the entire audit process.
During the audit fieldwork, you need to maintain an open line of communication with the company’s management. At the end of the audit, you are expected to communicate all relevant findings to the management, such as:
- Unusual transactions.
- Material corrected misstatements.
- The basis for the auditor’s report (if any).
- Any obstacle encountered during the audit.
- Anything worthy of note.
The communication channels include the engagement letter, conversations, and emails.
For your client email communication, Financial Cents gives you a focused folder that pulls all your client emails into your accounting workflow tool, so you don’t have to switch between apps to complete audit work. The best part is that any action you take on an email in Financial Cents reflects in your Gmail or Outlook account.
These communication efforts enable you to address any questions or gain clarity promptly. This saves your clients from getting overwhelmed or missing important information.
2. Streamline SOX Accounting with Technology and Automation
Technology has made SOX compliance significantly easier. There’s a technological solution for every SOX compliance task, from data entry to logging user actions, monitoring data, and enforcing control policies.
For example, Pathlock helps you secure your clients’ critical data in their enterprise applications. It also helps to monitor the data for exposures, business process exceptions, or IT general control failures, bringing all internal control violations to one place.
Technology reduces the time spent on manual SOX accounting processes to give you more time for complex tasks that require human judgment.
3. Empower Your Staff Training and Continuing Education
Employees are at the center of all internal control measures, so it makes sense that they are empowered to help clients set up and implement their internal controls.
One way to empower them is ongoing training and education that equips them with up-to-date PCAOB rules and standards for SOX compliance.
Benefits of SOX Compliance for Accounting Firms
1. Attracting and Retaining Public Company Clients
Knowing what constitutes a SOX violation makes accounting firms more attractive to public companies, who need competent auditors to help them build internal controls that prevent regulatory violations.
By simplifying the rigorous compliance process for public businesses, you free them up to focus on growing their businesses, which helps you to retain them (for as long as possible) and opens you up to referrals to other public companies.
2. Demonstrating Expertise and Value Proposition in the Marketplace
There are few better ways to live up to your expertise and value proposition than helping clients maintain accurate financial records that help them avoid regulatory penalties.
3. Building Stronger Client Relationships Based on Trust and Reliability
A track record of helping clients avoid regulatory violations—and the sanctions that come with them—will strengthen your client relationships.
These relationships can transform into an internal audit opportunity (at the end of the tenure).
Bring All SOX Projects, Audit Documentation, and Client (and Team) Collaboration in One Place with Financial Cents
SOX compliance is non-negotiable for public companies, and as gatekeepers for investors, public accountants are required to help report fraud (if any) in their clients’ financial records.
SOX compliance audits can be time-consuming and cumbersome. Between tracking tasks, communicating with your client’s management, and conducting testing procedures, you may lose your ability to see the financial records beyond their face value and fail to catch material misstatements.
Using workflow management software for SOX, like Financial Cents, will help you to maintain a keen eye for detail by:
- Gaining visibility into your SOX audit projects.
- Tracking all deadlines in a dashboard.
- Communicating and collaborating with clients and your team (where your team is doing the audit work).
- Organizing all client files and information in one place.
- Automating manual tasks to buy back time for analytic work.
Use Financial Cents for your SOX compliance workflow management.