The Sarbanes-Oxley Act of 2002 (SOX) was enacted on the heels of a number of accounting scandals and acts of corporate malfeasance to provide a variety of regulations for publicly traded companies. In addition, these external factors have driven an increased interest by regulators in Enterprise Risk Management (ERM) to effectively identify, assess and manage risk. Because both of these are risk-based initiatives and part of good corporate governance, we often get questions on exactly how they differ.
Every company is exposed to a wide range of risks. It is crucial for organizations to understand and manage the risks they face. But what’s the right approach to identify and manage your company’s risks? Let’s take a look at some of the basic principles and objectives of risk management (COSO, ERM, and business risk assessment) to see if we can help provide some guidance.
All companies face and manage a variety of risks every day. Some risks are extremely important and others not so much. So how do you know which ones are which? Having a good enterprise or business risk management program helps to identify, measure and prioritize the organization’s risks. This is best done using a defined methodology and with the oversight of senior management and the Board of Directors. Additionally, a good ERM program promotes a common understanding within the organization of the company’s risks and their potential consequences.
As the watchdog for professional services firms that audit public companies, the Public Company Accounting Oversight Board (PCAOB) continues to take on new areas of focus through its inspections. If you thought you were caught up with the PCAOB hot topics for SOX compliance – you may want to think again. It’s never too late to get up to speed on what’s trending though. Here is a brief summary of what our clients at AC Lordi are experiencing.
Section 404 of the Sarbanes-Oxley Act is one of the more complicated parts of the legislation. Section 404(a) requires that the management of publicly-held companies assess the effectiveness of their internal control over financial reporting (ICFR). Section 404(b) requires a publicly-held company’s independent auditors to attest to, and report on, the company’s internal control over financial reporting. But what exactly are the differences between 404(a) and 404(b) with regards to requirements and the extent of the effort necessary for compliance?
For most newly public companies, the Securities and Exchange Commission (SEC) offers relief from certain Sarbanes-Oxley (SOX) requirements, allowing up to nearly two years to prepare for the more rigorous aspects of SOX compliance. But what if you end up a public company as part of a reverse merger? Can you still get the same relief?
Management in every type of business uses Key Reports as a basis for making decisions and for financial reporting, not just for operational purposes. Key Reports are now being tested because of the need to rely on the accuracy and completeness of the source data within them. Businesses rely on the information in these reports every day, which is why it is so important to validate the accuracy and completeness of the data.
In Part 1 of this post, we tried to better define just what Management Review Controls are and looked at some examples. The next step is to develop a process to identify and document your organization’s management review controls (MRCs).
The process for identifying and documenting management review controls (MRCs) can be extremely challenging for many companies. It takes significant resources and focus to initially implement. If done properly though, it can return substantial value, helping you to better evaluate the controls within your Sarbanes-Oxley compliance program and serving as an important roadmap in the event of employee turnover. In Part 1 of this post, we will see if we can better define exactly what qualifies as MRCs.