Did you know that on July 30, 2002 the U.S. Congress passed the Sarbanes-Oxley Act (SOX or the Act) to protect employees, investors and the public from fraudulent financial reporting in response to numerous corporation finance scandals?

These scandals shook the financial world and confidence in the trustworthiness of financial statements plummeted, resulting in the need for updated financial reporting regulations. The Act created new rules for auditors, accountants and corporate officers as well as financial recordkeeping requirements to remain compliant with the law.  SOX also imposed criminal penalties for Certifying Officers who violate certain provisions of the Act, and established a new entity, the Public Company Accounting Oversight Board (PCAOB), to regulate the public accounting industry.

Additionally, SOX requires Certifying Officers as well as public accounting firms providing financial statement audits for public companies to both establish and report on annual assessments of Internal Control over Financial Reporting.

In 2017, the Public Company Accounting Oversight Board (PCAOB) adopted—and the SEC approved—a new auditing standard: AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion. The second phase of this standard’s implementation and a new fundamental required element of the auditor’s report, the auditor’s responsibility to determine and communicate critical audit matters (CAMs), begins its effective date this year.

This is effective for audits of large accelerated filers for fiscal years ending on or after June 30, 2019 and for all other filers, the CAM requirements are effective for fiscal years ending on or after December 15, 2020

CAMs are defined as any matter arising from the audit of the financial statements that:

  • Was communicated or required to be communicated to the Audit Committee,
  • Relates to accounts or disclosures that are material to the financial statements, and/or
  • Involved especially challenging, subjective or complex auditor judgement.

The implementation of CAMs is expected to have a significant impact on the length and detail contained in the external audit opinion, and we encourage our clients to work closely with their external audit providers during this initial implementation period.

Like CAMs, cybersecurity was historically not part of the standards on what to look at when SOX was first enacted, but with the complex nature of many of today’s cybersecurity attacks, the implications of a cyber event are also beginning to creep into aspects of internal controls over financial reporting.

In October 2018, the SEC issued an investigative report cautioning that public companies should consider cyber threats when implementing internal accounting controls. The report was based on the SEC Enforcement Division’s investigations of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process. Findings focused on “business email compromises” in which perpetrators posed as company executives or vendors and used email communication with the intent of changing financial transaction origination and destination points. In the end, the SEC concluded that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.

Interpreting and following the Act’s requirements can be a difficult and daunting task. Finding a reputable and qualified source to help your company be SOX compliant is an additional hurdle. Stinnett aids companies by engaging in full SOX project management and execution, readiness programs for companies preparing to go public, co-source resources with existing internal audit or control team leaders, training with focus on specific subject matter expert areas and staff augmentation.