SOX Compliance in 2024: Where’s the best place to start?

Written by Addam Stone, Director

Corporations today operate in an environment of increasing, not decreasing, regulatory scrutiny. The microscope is more powerful if a business is publicly-traded. However, private firms looking to go public might have the toughest compliance job. Why? Because compliance as a corporate function typically tends to be an afterthought, yet the market’s expectation of compliance begins even before a company’s stock makes its first trade. Given the plethora of regulations that require compliance, it is essential to prioritize. In this article, we will discuss three areas on which any private company with plans to go public (and every publicly-traded firm) should concentrate to ensure they have the foundations for regulatory compliance in 2024. These areas are financial controls, systems and operational controls, and timeliness of reporting.

Financial Controls

Financial controls sit at the heart of good corporate management and serve as the foundation for public company compliance, from Sarbanes-Oxley to exchange regulations such as those of NASDAQ, NYSE, Cboe, and others. Good financial controls, along with the requisite policies, processes and systems, provide the basis for public companies to make certain assertions about their finances and operations. When a public company goes through its annual audit, the auditors look closely at the firm’s financial controls as they consider whether the financial statements provided by the company are reliable. For publicly-traded companies, this is life or death. For private companies, if the future includes outside investment or going public, learning the best practices and putting them in place early will make those steps easier down the road. Newly public SEC reporting companies have a one-year grace period from the first 10-K filing before they must fully and formally install and comply with SOX, but given the complexity of ensuring strong controls, twelve months is not much time. This is why starting early is key.

A business’s financial control environment will be assessed by its auditors, and any deficiencies noted by management or the auditors will be classified into one of three categories: 1) Control Deficiency, 2) Significant Deficiency, and 3) Material Weakness. The first two, while serious, are not required to be reported publicly. Material Weaknesses, however, must be disclosed in quarterly and annual filings, which means that analysts, investors, potential lines of credit, debt partners – basically everybody – will know about them. A public company should do its best to avoid Material Weaknesses in its financial controls. A reasonable analog is the letter grade a Department of Health gives restaurants. An A means the establishment is clean, safe, well-maintained, and the food is stored properly. A letter grade of D suggests consumers may wish to avoid it at all costs; in other words, it is not reliable. A Material Weakness is a D.

Now that we know how important financial controls are for public companies, let’s take a closer look at what they are so we can understand why they’re important to private companies as well. Financial controls are the recordable, auditable trail of preventive or detective steps taken by management, designed to mitigate the risk of misstatement in the financial statements. These records provide a history of everything management has done to ensure the financial statements are materially correct and reliable. For example, cash and other balance sheet reconciliations are financial controls; they serve as important sanity checks between account balances and account details, and between internal company records and records kept by third parties (e.g., internal cash accounts vs. bank statements). Both public and private businesses benefit from the clear and transparent view of their cash position, income, payables, etc. that reconciliations provide. Equally beneficial – and critical – to both private and public companies is segregation of duties, i.e., ensuring that the movement of key assets, such as cash and inventory, is kept separate from the approval of those movements. Even the smallest non-public businesses are advised to keep the approval of payments and the actual disbursement of payments separate. Most corporate fraud, in companies large and small, occurs because of a lack of segregation of duties.
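To make the two controls above concrete, here is an added Python example (not from the article or from Eventus) of a toy cash ledger that enforces segregation of duties as a preventive control on payment disbursements, performs a cash reconciliation against a bank statement as a detective control, and writes every control decision to an audit trail. All user names, payment references, amounts and the bank statement are constructed for illustration; a real system would draw them from the accounting system and the bank feed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None
    disbursed_by: Optional[str] = None


@dataclass
class Ledger:
    """Toy cash ledger (constructed): every control outcome lands in audit_trail."""
    cash_balance: float
    payments: Dict[str, Payment] = field(default_factory=dict)
    postings: List[Tuple[str, float]] = field(default_factory=list)  # (reference, amount)
    audit_trail: List[dict] = field(default_factory=list)

    def _log(self, control: str, outcome: str, **details) -> None:
        # The audit trail is the "recordable, auditable" evidence an auditor will ask for.
        self.audit_trail.append({"control": control, "outcome": outcome, **details})

    def request_payment(self, payment_id: str, amount: float, user: str) -> Payment:
        if amount <= 0:
            raise ValueError("amount must be positive")
        p = Payment(payment_id, amount, requested_by=user)
        self.payments[payment_id] = p
        self._log("request", "recorded", payment_id=payment_id, user=user)
        return p

    def approve_payment(self, payment_id: str, approver: str) -> Payment:
        p = self.payments[payment_id]
        # Preventive SoD control: the person who raised the request may not approve it.
        if approver == p.requested_by:
            self._log("sod_approve", "blocked", payment_id=payment_id, user=approver)
            raise ControlViolation(f"{approver} cannot approve a payment they requested")
        p.approved_by = approver
        self._log("sod_approve", "passed", payment_id=payment_id, user=approver)
        return p

    def disburse_payment(self, payment_id: str, disburser: str) -> Payment:
        p = self.payments[payment_id]
        if p.approved_by is None:
            self._log("disburse", "blocked", payment_id=payment_id, reason="not approved")
            raise ControlViolation("payment has not been approved")
        # Preventive SoD control: whoever moves the cash must differ from both
        # the requester and the approver.
        if disburser in (p.requested_by, p.approved_by):
            self._log("sod_disburse", "blocked", payment_id=payment_id, user=disburser)
            raise ControlViolation(f"{disburser} cannot both request/approve and disburse")
        p.disbursed_by = disburser
        self.cash_balance -= p.amount
        self.postings.append((payment_id, -p.amount))
        self._log("sod_disburse", "passed", payment_id=payment_id, user=disburser)
        return p

    def reconcile(self, bank_lines: List[Tuple[str, float]], bank_balance: float) -> dict:
        """Detective control: compare the internal cash account with the bank statement.

        Returns the items present on one side only and the net balance difference;
        anything non-empty is a reconciling item for management to investigate."""
        books, bank = set(self.postings), set(bank_lines)
        result = {
            "in_books_not_bank": sorted(books - bank),
            "in_bank_not_books": sorted(bank - books),
            "difference": round(self.cash_balance - bank_balance, 2),
        }
        clean = (result["difference"] == 0
                 and not result["in_books_not_bank"] and not result["in_bank_not_books"])
        self._log("cash_reconciliation", "clean" if clean else "exception", **result)
        return result


def demo() -> Tuple[Ledger, dict]:
    """Constructed scenario: one payment through three separate roles, one blocked
    self-approval, and a reconciliation that flags a bank fee the books missed."""
    ledger = Ledger(cash_balance=10_000.00)
    ledger.request_payment("PAY-1", 2_500.00, user="alice")
    try:
        ledger.approve_payment("PAY-1", approver="alice")  # self-approval is blocked
    except ControlViolation:
        pass
    ledger.approve_payment("PAY-1", approver="bob")
    ledger.disburse_payment("PAY-1", disburser="carol")
    # Constructed bank statement: PAY-1 cleared, plus a fee not yet recorded internally.
    bank_lines = [("PAY-1", -2_500.00), ("FEE-07", -15.00)]
    report = ledger.reconcile(bank_lines, bank_balance=7_485.00)
    return ledger, report


if __name__ == "__main__":
    ledger, report = demo()
    for entry in ledger.audit_trail:
        print(entry)
    print("reconciliation:", report)
```

The blocked self-approval still produces an audit entry, which is the point: a preventive control that leaves no record cannot be tested by an auditor. The reconciliation deliberately does not "fix" the $15 difference; it surfaces it as an exception so that the correcting entry is itself a reviewed, recorded step.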

Systems and Organizational Controls and Reports

Purely financial controls are not the only area that auditors will review. Systems and controls for other areas of your business, such as IT and cybersecurity, are also important, and are an integral part of a focal point that auditors scrutinize ever more closely: Third Party Service Organization (“TPO” or “TPSO”) management. Increasingly, companies are expected to obtain a thorough understanding of the control environments of the other companies they rely on for their own activities and reporting. For publicly-traded companies on US exchanges, this is a requirement. For example, if your company uses reports from ABC Co., a payroll company, to record material payroll entries, it is incumbent upon your management team to understand and get comfortable with the control environment at ABC Co. The compliance documents that describe and attest to the state of a company’s systems and organizational controls are known as SOC (System and Organizational Controls) reports, and there are common SOC report categories that factor into a public company audit. SOC reports are attestations about an organization’s financial controls issued by audit firms, typically for companies that produce financial information relied upon by other companies (such as payroll, or claims and payment processing, companies). A clean, or unqualified, SOC-1 report assures clients or partners that a company’s systems and output are reliable. SOC-2 reports are assessments of a company’s IT control environment (cloud, data management, data center security, etc.). Similarly, an unqualified SOC-2 report asserts that the company’s IT environment and controls are sound and can be relied upon. SOC-1 and SOC-2 reports both include management’s attestation that the controls are in place, as well as the opinion of an independent audit firm.

These two SOC reports come in two varieties, Type 1 and Type 2. Type 1 reports evaluate whether an organization’s controls are designed appropriately and focus on a single point in time. Type 2 reports examine both control design and operation and include testing of the controls to show how well they perform over a period (typically 3–12 months). Based on these assessments, a CPA firm decides whether to issue an unqualified report, which signifies a clean bill of health, or a qualified report, which usually indicates significant control failures and serves as a warning to other companies using the organization’s services. There is a third type of report, the SOC-3, that is often provided to stakeholders. SOC-3 reports are typically a less detailed version of a SOC-2 Type 2 report.

SOC reports are important for your management team and for all your stakeholders as part of your fiduciary duty: it’s important that you can rely on your third-party service providers, so that the financial community can, in turn, rely on you and your financial reports. As an extension of this principle, if you use third-party services like payroll providers, cloud storage, or other SaaS providers, your own audit is going to require obtaining SOC reports from your key vendors. The PCAOB has recently been scrutinizing its member audit firms more heavily and focusing on enforcement of the standards it has set for the widening set of audit requirements, particularly as more companies outsource critical aspects of their businesses to third parties and IT security grows in importance. Long story short, SOC reports provide necessary information about how you and your third-party vendors are implementing controls that keep their business – and critical information – safe.

Timeliness of Reporting

Timeliness refers to how quickly information is made available to the users of your accounting information, such as investors, regulators, and lenders. The less timely the information (and, therefore, the older it is), the less useful it is for decision-making. Timeliness matters for accounting information because it competes with other information, and, for publicly-traded companies, timely financial information is a requirement for continuing to have publicly-traded equity.

For publicly-traded companies, the basic SEC reporting requirements include three 10-Qs per year and one 10-K, filed at quarterly and annual intervals respectively. However, there are different timeliness expectations for companies with different levels of public float, that is, the amount of a company’s shares that are available on the market for purchase by the public. Public float often corresponds to how closely held a company is or isn’t – and to whether the firm’s financial information is being looked at by large numbers of stakeholders.

10-Q and 10-K Filing Deadlines

Company Category (public float)              10-Q Deadline   10-K Deadline
Large Accelerated Filer ($700MM or more)     40 days         60 days
Accelerated Filer ($75–$700MM)               40 days         75 days
Non-accelerated Filer (less than $75MM)      45 days         90 days


Ultimately, any company, private or public, will want to make sure it has the systems, processes and controls in place to deliver timely financials. For example, if you are contractually required to report monthly to a debt holder, the financial reports, with any supporting footnotes and/or schedules, must be prepared, reviewed for accuracy and completeness, and delivered monthly. Whatever the periodicity at which you’re contractually expected to report, you have stakeholders and counterparties relying on that information being reported within that timeframe, and you are relying on your systems, controls and processes to keep your commitments. Streamlining a book-close process to support timely reporting can be a challenge, and improvements in overall operational processes and controls can make a big difference.

The cornerstone of any healthy financial reporting endeavor is the thoughtful design and timely execution of a company’s processes and controls, and they can mean the difference between a company being able to keep its commitments and access capital and equity markets, or not.

Sarbanes-Oxley regulations cover a wide spectrum of corporate activities. However, if you take a closer look and focus on these three core areas – financial controls, systems and operational controls, and timeliness of contractual or regulatory reporting – you’ll go a long way toward checking off as many of the SOX boxes as possible. These areas matter to your company, your third-party providers, customers, vendors, regulators, and investors. The systems and processes needed to meet your reporting requirements from the SEC, your lenders, or other stakeholders who expect timely accounting and audit information are complex and critical parts of running your business efficiently and effectively.

If you’re struggling to make deadlines, or get the systems up and running, there is no reason to let your firm get behind. Eventus provides customized support for public and private companies so they can meet their deadlines and satisfy their controls requirements without the challenge of finding qualified full-time staff to hire and build out an internal team.
