In light of the recent industry stressors and heightened scrutiny from boards, regulators, and external auditors regarding financial statement risk, we are observing proactive implementation of SOX-like programs by our non-public banking and fintech clients. The growing inclination of financial services (FS) companies towards pursuing initial public offerings and buy-outs further enhances the business case.
Our clients are particularly directing their attention to the corporate governance dimensions of SOX (e.g., sections 302 and 404), which aid in showcasing a robust control environment to both internal and external stakeholders.
These FS companies have the opportunity to design a SOX-like internal controls framework that aligns with their respective maturity levels, without bearing the documentation burden that accompanies full SOX compliance.
When designed correctly, the overall benefits of implementing a strong internal control environment tailored to SOX far outweigh the costs. These benefits include reduced substantive testing effort by external auditors, mitigation of internal/external fraud and conflicts of interest, and better handling of cybersecurity events and information security issues.
In the event of an IPO or buy-out, SOX readiness leads to the demonstration of proper oversight, increased due diligence efficiency, and the facilitation of the integration of control environments into future holding companies. Each of these benefits tends to drive higher valuations and accelerate deal cycles.
Defining large and complex
An all-encompassing definition of complexity does not exist. Instead, regulators and other key stakeholders rely on the FS company to possess an introspective view.
Our clients are utilizing the following criteria, which were originally derived from Federal Reserve guidance, as a significant input for assessing size and complexity, coupled with other distinctive perspectives:
- Holds, or has intentions to grow to, more than $10 billion in assets within the next 2-3 years.
- Operates a sophisticated network within financial markets, credit markets, and payment systems.
- Operates across multiple regulatory districts.
- Generates fee income amounting to at least 2%.
- Holds derivatives constituting at least 10% of its portfolio.
The tactical impacts
To ensure compliance with key SOX corporate governance sections and to facilitate management and executive officers (e.g., CFO/CEO) in confidently endorsing the company’s corporate governance and financial statement accuracy, it is crucial for the FS company to establish a well-structured Internal Control over Financial Reporting (ICFR) program.
This ICFR program should be both efficient and effective, drawing on the FS company’s existing risk management, compliance, and Internal Audit infrastructure and capabilities where applicable.
Depending on the maturity of risk capabilities, some or all of the following components may exist in various forms:
- Risk and control-specific policies and procedures
- Taxonomy for risk, control, and processes
- Testing of control design and operational effectiveness
- Detailed risk and controls matrices
- Process flows and/or narratives
Achieving a SOX-like approach involves either building or enhancing these capabilities to form an effective ICFR program.
Regarding testing, clients frequently struggle with determining the appropriate level of effort for testing (i.e., limited versus full testing).
We often recommend that clients collaborate with external auditors to devise a progressive testing plan, with a long-term objective of fostering external audit reliance on the ICFR program. Each of these components should be thoughtfully discussed during the formulation of the SOX-like program roadmap.
By prioritizing these initiatives, the groundwork is laid for identifying opportunities to enhance the operating model, streamline processes, and pursue increased automation, thereby fortifying the FS company’s positioning for potential IPOs and/or buy-outs.
How MorganFranklin can help
MorganFranklin has extensive experience in assisting banks and FinTech companies by:
- Providing guidance and conducting assessments for complexity and the applicability of SOX requirements.
- Crafting or augmenting an ICFR strategy and program tailored to the FS organization, thereby aiding in showcasing a proactive regulatory and financial statement stance.
- Facilitating the process with technology to ensure its sustainability.