Five New Year's Resolutions for Sarbox Compliance

Lora Bentley

After the Securities and Exchange Commission granted SMBs one last Sarbox compliance delay, but before the House of Representatives passed legislation that would, among other things, exempt public companies with a market capitalization of less than $75 million from Sarbanes-Oxley 404(b) compliance, I had the opportunity to speak with Vibato CEO and co-founder Teresa Bockwoldt.


Vibato is a Sarbanes-Oxley and SAS compliance solutions provider that Bockwoldt co-founded in 2007. She is Six Sigma certified, and has been personally involved in dozens of "full-blown Sarbanes-Oxley audits from beginning to end." Her experience working for and with both regional and Big Four audit firms taught her what those auditors were looking for in a 404 audit, she said, and she was able to come up with "a single list of risks that each of the [firms] were looking for on a per-process basis, and [she] pre-defined the controls that would mitigate those risks." Then, using Six Sigma methodology and world-class best practices, she developed a product that the company says can cut compliance costs and audit duration significantly.


The company recently released a list of New Year's resolutions for small cap filers that want to be prepared in case the Senate or the president decides not to pass that compliance exemption. Bockwoldt told me the guidance comes out of experiences she has had working with small companies in the last year, or with larger companies that wanted to cut back their internal controls and lower their compliance costs.


Five of those resolutions are as follows:


  • Assign an internal resource (person) for managing/reviewing the audit progress. That way, the auditors have one person to whom they can direct feedback, questions, etc., and know that the right people will be informed.


  • Standardize the documentation formats you plan to submit for audit review wherever possible. Everything moves more quickly and smoothly if all departments report on the same controls in the same manner and "speak the same language," if you will. No one wastes time trying to translate.


  • Ask your auditors for feedback on your specific controls and documentation format as early as possible.


  • Perform testing quarterly to find and mitigate issues before it is too late to correct them.


  • Perform your own risk assessment so you can defend your position and prevent audit scope creep. If you defend your positions well, the auditors can and may agree that certain controls don't need to be tested. That saves everyone time and money.
