Keep it Private: SOX Compliance and Private Companies

Written by - January 6, 2017

Smaller, privately held companies often view the Sarbanes-Oxley Act of 2002 ("SOX") as the concern of large, publicly held corporations. Enacted in the wake of a steady stream of corporate accounting scandals, SOX was intended to protect investors, employees and the public from fraudulent financial reporting. Many small businesses therefore assume that SOX compliance is too large a cost, in both time and money, to apply to them.

Sections 302 and 404 Can Apply To Privately Held Companies

Although the financial reporting requirements of SOX apply only to public companies, several sections of the Act bear on data management, reporting, and security. Section 302 requires senior officers to certify their financial reports and to take responsibility for the internal controls behind them; because financial information is stored and processed electronically, that responsibility extends to the controls over those systems. Section 404 requires management to assess its internal control over financial reporting annually (and, for larger filers, an external auditor to attest to that assessment). Although these sections do not target privately held companies, they affect them indirectly. The technology industry is strongly peer driven: if competitors are SOX compliant, customers see compliance as a key differentiator.

For a privately held company, SOX compliance need not be formal. However, the business climate the regulation created in the peer-driven IT community means that some form of compliance is often necessary. Many privately held businesses provide third-party services to larger, publicly held companies, whose own SOX obligations extend to the controls their service providers operate. SOX compliance, whether formal or informal, therefore matters to any company that wants to stay competitive.

SOX Compliance As Value-Add

At the end of June, Protiviti released its survey report, Understanding the Costs and Benefits of SOX Compliance. Covering public companies, private companies planning an IPO, and other private companies, the survey showed how important SOX compliance has become to organizations. According to Protiviti's analysis, the bottom line is that the cost of compliance is heavily front-loaded: after the third year of compliance, respondents reported moderate or significant improvements. In addition, Protiviti noted that best practices such as automating more of the key controls had a "positive ripple effect" throughout the whole company.

Using a GRC Platform

GRC software such as ZenGRC can help with documenting and automating these key controls. ZenGRC provides a continuously updated library of best practices and strategies, which can be used to structure a formal SOX compliance program. It also lets companies that want to follow compliance practice without the formality of a full audit streamline their decisions. Tailoring a program from this library of best practices reduces the front-loaded time investment.

Many privately held companies are moving toward SOX compliance simply as a sound business practice and a way to stay competitive in a peer-driven market. Companies looking for the best way to cut down on the up-front staff time that compliance requires should consider investing in a compliance software tool.