Smaller Reporting Companies (SRCs) can improve SOX compliance by using a risk-based approach to prioritize control testing and allocate resources effectively.
As companies continue to evaluate their SOX compliance strategies, it’s important to recognize that SRCs may take a more tailored, risk-based approach to their annual SOX testing, rather than defaulting to blanket testing of every key control listed in the risk and controls narrative. Here are five key considerations to help Smaller Reporting Companies prioritize SOX control testing effectively and strategically:
- Regulatory Flexibility: SRCs are not required to obtain auditor attestation on internal control over financial reporting (ICFR) under Section 404(b) of the Sarbanes-Oxley Act. This allows for greater latitude in determining the scope and depth of control testing.
- Resource Optimization: Given typically limited audit budgets and lean staffing, SRCs can focus their testing efforts on controls that are most closely tied to higher-risk financial statement line items and processes.
- Risk-Based Prioritization: Annual testing should be aligned with a dynamic risk assessment. Controls linked to material financial line items, known process vulnerabilities, significant system changes, or fraud risks should be prioritized, while lower-risk areas may be rotated or tested less frequently.
- Testing Rotation Strategy: Controls identified as “key” within the narrative may not all warrant annual testing. Where controls have a history of strong operating effectiveness and present lower risk, SRCs may choose to scope them out of Internal Audit SOX testing and rely on other forms of management testing.
- Documentation & Justification: It’s critical to clearly document the rationale for control selection and rotation, supported by risk assessment findings. This establishes audit defensibility and aligns with best practices, even in the absence of an ICFR attestation.
SRCs can shape their SOX testing framework around their evolving risks. By focusing resources on the most impactful areas, companies can maintain robust compliance while preserving cost efficiency and operational focus.
How Can Schneider Downs Help?
Schneider Downs assists SRCs not subject to the SOX 404(b) auditor attestation requirement in achieving SOX compliance that aligns with the expectations of management and, where necessary, of the external auditor. Our experienced team collaborates with companies to design and execute a cost-effective approach to management’s attestation of effective internal controls over financial reporting.
For more information, contact our team at [email protected].