Sarbanes-Oxley Compliance Roadmap

Compliance with Sarbanes-Oxley, Section 404(a) and 404(b) is a multi-step implementation process that can be broken down into the major steps and descriptions identified below. A typical implementation roadmap:


Stage I - Risk Assessment

Sarbanes-Oxley Section 404(a)

This stage defines the scope of the project and ensures that all relevant areas of the business are examined to adequately address financial reporting requirements. The number of high-risk, or "in-scope", areas will depend on the size and structure of the company and may include industry-specific factors as determined by the external auditors. Performing a Risk Assessment from scratch can be a lengthy, and thus expensive, process that can yield a variety of results depending on the factors considered beyond just materiality. Vibato offers a Risk Assessment toolset that performs quantitative calculations, beyond just materiality, to determine risk while also allowing for qualitative inputs to accurately represent the results based on individual business conditions.

Stage II - Internal Controls Documentation

Proper documentation of internal controls is critical to ensuring a clean audit opinion. The areas of focus during documentation should include thoroughness, accuracy, and simplicity. Documentation should be easy to update and review. This minimizes the amount of time spent by external audit to develop their opinion and resolve any outstanding questions or concerns. Most companies do not want to spend the significant time and effort necessary to adequately document the appropriate controls and corresponding policies, procedures, forms, and approvals.

Vibato provides a complete set of supplemental documentation for all internal controls. This allows an organization to quickly implement every internal control, by process, to mitigate the corresponding risks.

A Segregation of Duties Analysis (SOD) is also important for examining any segregation risks and their corresponding mitigating activities. Vibato provides a comprehensive Segregation of Duties tool that analyzes up to 930 potential conflicts across 14 business process areas.

Stage III - Remediation, Implementation, Training, Walkthroughs, and Testing

Section 404(b) requires an independent audit of internal controls over financial reporting. If all required controls are not in place, documented, and working properly, then remediation for any deficiencies must be performed. This may include implementation of new procedures and training of personnel or testing samples for new and existing controls to ensure performance.

Vibato has extensive experience training all levels of management on how to properly execute internal controls. We have consultants available worldwide who are ready to guide you through your compliance initiative. We are available to assist you and your team with portions of your project or we can handle the entire project to allow you and your team to focus on more pressing issues.

Stage IV - Audit Begins and External Audit Feedback is Obtained

This can be a particularly challenging stage if your organization is not prepared. Audits often take longer than expected, are more expensive or extensive than expected, and always present challenges. The Vibato Internal Controls Suite™ will show you how to organize your data to make your audit more efficient and reduce your audit fees and durations. Additionally, Vibato's consultants are available to manage your external audits to ensure audit scope creep is contained and to act as a liaison between you and your external auditors to advocate for your best interests.

Stage V - Opinion Letter is Issued

Vibato has extensive experience with financial reporting and writing even the most complicated Item 4's and 9's. An example of this work includes VaxGen Inc.'s 2006 and 2007 10K's where we had to condense 101 material weaknesses into 11 categories and have the language approved by over two dozen Big Four Partners across the country. This work set precedent and is often cited today for appropriate language when completing these sections of public financial statements.