How SPACs Can Avoid SOX Compliance Surprises

Compared with traditional initial public offerings (IPO), special purpose acquisitions companies (SPACs) have rocketed in popularity in recent years as a faster route to going public.

According to Grant Thornton’s research, SPACs raised more than $26 billion in investment capital in January 2021 alone.

After going public, the SPAC (created for acquisition as a legal entity with no commercial operations) must seek a suitable target to acquire. Once the SPACs have taken over the privately-held company, the SPAC entity fulfilled its purpose.

Despite their utility in simplifying the process of going public, SPACs come with potential hidden risks when complying with regulatory Sarbanes-Oxley Act obligations (SOX).

SPACs vs Traditional IPO: SOX Compliance Risks

Typically, SPACs face SOX compliance risks that IPOs are better prepared to handle. Traditional IPOs take a longer route to initial public offerings that involve greater financial due diligence before achieving the required investment.

Consequently, SPACs companies going public can be surprised with urgent SOX compliance requirements they’re not prepared for.

To summarize

Despite the differences in the routes for going public, SPACs and traditional IPOs are subject to the exact SOX compliance requirements.

 SPACs Management must be cautious not to let the perceived ease and convenience blind them from personal regulatory mandates that the Sarbanes-Oxley act places on them.And the surprises don’t end there—once SPACs discover their SOX compliance obligations, another little surprise may lay in store—IT General Controls (ITGC).

SPACs, ITGC and IT Audits

ITGCs are ongoing processes designed, implemented, and monitored to ensure the integrity of financial information sourced from a company’s information technology systems and environment.

SOX compliance is dependent on SPACs being able to produce the right ITGC documentation generated through an internal IT audit.

Your ITGC obligations won’t wait; you shouldn’t either

Unless you’re using ITGC automation, designing, implementing, and monitoring ITGC doesn’t come easily, so leave plenty of time.

Doing the basic groundwork and preparing ITGC for successful SOX IT audits requires fundamental changes in mindset and culture.

CFOs and CISOs of SPACs going public must ensure this culture change is consistently advocated for so that it trickles down into relevant teams and remits.

If you’re starting your SOX audit and ITGC journey:

Study the Sarbanes-Oxley act: Sections of specific importance and relevance include sections 302, 404, and 906, though we recommend not limiting your research only to these sections.

Build a relationship with SOX industry insiders: This may be an external auditor registered with the Public Company Accounting Oversight Board (PCAOB), or it might be us—before we automated ITGC, we used to be Big 4 auditors, so we’re ideally positioned to share a detailed insider perspective on what you need to do.

Build and educate your IT & MIS teams: Don’t assume the Accounting department will care for things. SOX compliance and ITGC responsibilities run deep into an organization—from Payroll to Sales, IT and beyond.

Closing Advice for SPACs Seeking SOX Compliance

Don’t panic. Automate what you can: Don’t rush the process if you discover your SOX and ITGC requirements late. Gather the correct information to share with the right stakeholders to raise awareness and make a case for automating ITGC.

Create a coherent plan: If you decide not to automate ITGC, you’ll have much work to be completed quickly. Even if you already have a reasonably healthy control environment. Once you’ve built your IT audit team and strategy, work backward from your compliance deadlines—ensure time to fill ITGC gaps identified and allocate the right resources to fix them.

Test your ITGC before your auditor does: Your new ITGC may look great on paper, but it may also be inconsistently performed. Ensure to test and monitor ITGC standards over time before requesting an external opinion.

DO SOX IT Audits Faster and Automate ITGC Monitoring, With AudITech

Due to the complexity involved in manual ITGC audits, the processes implemented to overcome SOX compliance risk can create other increased risks of error and oversight.

By simplifying and automating ITGC, AudITech protects organizations from those increased risks while providing a fast track to confident SOX compliance readiness.

Request a demo and discover the fast, simple, valuable route to ITGC and SOX compliance peace of mind.

What Is SOX Reporting? (And Why CFOs Should Care)

Professionals and publicly listed companies facing new Sarbanes-Oxley Act requirements (SOX act) may be familiar with the basics of emerging SOX obligations. Getting to know SOX reporting duties in great detail requires deep background reading and a 2nd opinion from people in-the-know. Here we hope to condense the key points around ‘what is SOX reporting?’ and why it’s super important for new CFOs and CEOs especially.

The Sarbanes-Oxley Act, Section 302 and SOX Reporting

If you’re researching SOX reporting then you’ve likely achieved at least the basic grasp of why the Sarbanes-Oxley Act passed in 2002 in the wake of high-profile financial scandals in large corporations.

Following these scandals, the SOX Act was created to regain confidence from investors and protect shareholders from fraudulent financial reporting, particularly from public or newly-public companies, though SOX reporting requirements also apply to some private companies and non-profit organizations.

CEOs, CFOs and Section 302 of the SOX Act

Section 302 of the SOX Act is of special importance for CEOs and CFOs who must certify as part of the SOX reporting process the completeness and accuracy of financial records produced by their company or organization.

CEOs, CFOs and internal control responsibilities

CEO and CFO SOX reporting duties don’t end there. Besides formally validating the integrity of company finances, they must also be prepared to formally accept personal, legal responsibility for internal controls while also confirming that the internal controls environment has been reviewed in the previous 90 days.

If that wasn’t a big enough burden of responsibility to bear, company leadership must in addition report internal control deficiencies identified in the environment, plus any fraud detected involving the management of the internal audit committee.

Getting a professional 2nd opinion on SOX reporting

If you’re a CEO or CFO reading this, it’s no wonder you’re spending the time doing the deep research on SOX reporting. The company and personal risks of SOX reporting oversight are truly eye watering.

If you’re in any doubt about your obligations and SOX reporting requirements, get a 2nd opinion from former Big 4 auditors who know everything there is to know about SOX compliance, internal controls and ITGC.

SOX Reporting The SEC and Your IT Team

Although the buck ultimately stops with senior management when it comes to SOX reporting, the IT department also plays a critical role. In 2007 the U.S. Securities and Exchange Commission (SEC) issued SOX reporting guidelines defining the role IT teams must play. The guidelines lay out how IT Teams should support the SOX reporting process to minimize all identified risk.

To help IT departments fulfil this role effectively, senior managers must invest time and energy building strong relationships with IT teams based on open, transparent collaboration.

How Can Senior Managers Help IT Teams to Enable SOX Reporting Integrity?

To empower IT departments for SOX reporting, senior management must first understand the scope of their reporting responsibilities that unpack like this.

Giving senior management visibility

IT teams must deliver real-time reporting that gives CEOs and CFOs clear, accessible visibility of the health and status of financial reports.

Establishing ITGC that support SOX reporting

IT teams must identify key IT assets and processes involved in initiating, authorizing, processing and summarizing financial information. ITGC automation in this context can greatly assist IT team’s goal of ensuring internal control procedures support accurate and complete transmission of financial data.

Supporting timely disclosure of critical events

IT teams must ensure robust mechanisms for quickly alerting senior managers, shareholders and regulators of any risks and events that change or may change company financial statements and compliance.

Making Sure SOX Reporting Goes Smoothly Is All About Refining Process and Reducing Complexity

SOX reporting is a delicate balance of diligence, processes design and dedicated collaboration between key stakeholders to ensure processes are strictly followed. There is a lot to think about because there’s a lot at risk. And the reality is that complex SOX reporting processes (that aim to reduce financial risk) can create new, counterproductive risks and personal liabilities.

Mitigating the risk of manual SOX reporting

What great SOX reporting should aim for is to find simplified ways of providing auditors with credible SOX reports and ITGC documentation. Ultimately, the most effective way of achieving this to minimize the risks that manual SOX reporting creates is to automate the ITGC processes that underpin integral financial reporting and internal controls.

The ITGC Guide for Newly Listed Companies CFOs and SOX Compliance Officers

All you need to know in 10 simple steps

When implementing Internal Controls as part of SOX compliance readiness, taking risk with ITGC just isn’t something companies can afford to gamble on. That’s why we created this ITGC guide for SOX compliance.

We’ll explore step-by-step how compliance stakeholders of newly-listed companies can become the SOX leaders advocating for continual ITGC monitoring. If you’re new in your compliance role, or have just joined a newly-listed company, it’s natural to have unanswered questions about ITGC. In 2021 alone, there were almost 1000 newly-listed public companies facing critical ITGC and SOX compliance obligations. Add to that company mergers that also result in SOX compliance needs and it’s clear that defining and continually monitoring ITGC is a common challenge in many industries. Let’s dive right into it.

1. Do you really need ITGC?

Even if your company is not public yet, keeping internal controls in place is very important for the organization’s safety and performance. Moreover, the transition towards ITGC readiness will be much smoother when the day comes. These are the situations in which ITGC requirements will apply:

Mergers: When one of the merging companies becomes public.

Newly-listed companies: When a company goes public for the first time.

Special-purpose acquisition companies (SPAC): When an acquired company becomes public.

Each case and scenario can present different reporting rules of what ITGC reports will need to be presented, by who and when. Be sure to be explicitly clear on which reporting rules apply to your circumstances. For a detailed understanding of your ITGC obligations, you can consult an external auditor, a lawyer, or you can consult with AudITech.

2. Understand if you need to get an internal opinion, or both an external and internal opinions

Once you’ve established that you need ITGC, the first thing to do is to find out what regulatory requirements your formal, final ITGC opinions must meet. For example, your final ITGC opinion may need to come from your senior management only, or a combination of your senior management and an external auditor.

The purpose of these formal opinions is to align internally and externally on the health and status of your ITGC environment. Since you haven’t yet at this stage implemented robust ITGC, it is likely that the two opinions will converge around a verdict that your ITGC have either low weakness, or severe weakness. The amount of time that you will need in order to implement successful and ongoing ITGC and to monitor them, will depend on the outcome of your ITGC opinions gathering.

There are circumstances in which your company may be exempt from obtaining an external auditor’s opinion on the health status of your ITGC environment. These exemptions do not mean you won’t need to be ITGC compliant, it simply means you may not be obliged to obtain an auditor’s opinion.If you’re unsure, check with AudITech. We’ll tell you everything you need to know about your ITGC and ITGC opinions obligations.

3. Onboard the CIO

Ok, now that you understand that you need ITGC in place and which opinions you need to gather, it’s time for ACTION. Before rolling out your ITGC action strategy, you’ll need to build strong allegiance with the right stakeholders. This starts with your CIO.

For an effective ITGC and SOX compliance strategy to integrate into daily business operations, your CIO must be onboarded into the strategy, to become your co-advocate.

Build trust with your CIO: If you’re in a new role, or you’re not close to your CIO, take the time to break the ice. You need to get a trusted buy-in for this to work, so don’t just burst into their office with ITGC demands.

Educate your CIO on ITGC: If they’re unfamiliar with ITGC, tactfully share the right information. Educate them about the lasting organizational benefits, plus the compliance benefit to their role of making strong Internal Controls part of compliance culture and best practice.Give your CIO confidence: Show them that you understand the ITGC gaps in the organization, that you know how to fix them and that you know which tasks must be administered to which people.

4. Build your ITGC strategy A-team

Ok. Now that you’ve gained your CIO’s trust and understanding, it’s time to collaborate on building your ITGC A-team.

Your ITGC A-team could include:

  • An IT department project manager
  • IT Controls Owners with a heavy burden of controls
  • IT security personnel
  • Your Chief Information and Security Officer (CISO)
  • Any other stakeholder of IT governance in the organization

To choose your ITGC and Internal Controls superstars, it helps to first define what each member’s ITGC superpowers should be, then you can decide which remits can best meet each need. To do this, you should follow these steps:

Define ITGC goals: and don’t just make it about ‘SOX compliance’. Make it about the benefit to data integrity and overall organizational performance.

Define ITGC actions that will fulfill each goal: and make sure the actions you define are sufficient to carry your ITGC goals forward continuously.

Define who needs to be responsible for each action: It could be your IT team, it could be your CIO, it could be your finance team, or it could be you—the CFO or Compliance Officer. Remember—building your ITGC and SOX compliance A-team is about fundamental change to certain roles and remits. Each new ITGC task delegated should become a continual part of a yearly ITGC process—not as part of a single project—so your ITGC strategy stakeholders must embrace this reality. Your IT team is crucial in facilitating system access and helping you perform IT audits.

Once you’ve mapped out your ITGC A-team, it’s time to connect them to the new, emerging ITGC strategy mindset, workflows and responsibilities. We highly recommend to personalizing your rapport with them, while emphasing on the unique value they can bring to ITGC implementation and monitoring. It’s incredibly important that you take the time and care to do this well. The long-term results of your ITGC strategy will depend on it. If you fail to build the right relationships, educate the right people on ITGC and achieve committed stakeholder adoption, then ITGC will become neglected. You’ll regress back to square one.

Gain their trust: Just as you did with your CIO, gain their trust first. Don’t do this by email. Meet with them at a time of their choosing. This doesn’t need to be first thing on a Monday morning, or in a formal presentation. Perhaps over a working lunch when the atmosphere may be more relaxed and less formal.

Empower and educate them: Work collaboratively on helping them fully understand importance to the organization’s overall success of integrating new ITGC responsibilities into their daily work.

Emphasise the personal value they’ll gain: Help them understand how adopting new ITGC-related responsibilities into their work can help raise their profile within the company, gain senior stakeholder trust and develop their career skill set.

Great. If you’ve built the right ITGC strategy allegiances well, you’ll be in a strong position to start actually implementing your ITGC strategy.

5. Roll Out Your New ITGC Strategy

Ok, ITGC advocacy over. If you advocate well, your ITGC strategy stakeholders should be onboarded, briefed, aligned and motivated. Now it’s time to get practical and understand the business processes and the associated IT systems. In order to help your newly-formed team of ITGC advocates and implementers succeed, you’ll need to have a firm grasp of how business processes are designed and how they combine with the IT environment. You may have internal documentation available on this, or you may have to coordinate with key stakeholders that can share granular details. The key theme is to be exhaustive in mapping business processes to associated IT assets.

6. Identify IT Systems’ Control Owners

Once you’ve mapped business process design and associated IT systems, you’ll need to discover who the Control Owners are for each IT asset and arrange to meet with them collectively.

Gain their trust and collaboration: It’s hard to overstate the importance of identifying and working closely with Control Owners. They are your ITGC front line. Without their collaboration, there is no ITGC.

Sell the value of ITGC to Control Owners: The best way to gain trust and collaboration from Control Owners in your organization is to help them understand the business value and personal value of ITGC—just as you did with your CIO.

7. Train Each Control Owner on New ITGC Controls Obligations

Following your personal meetings with IT-system Control Owners, you’ll need to arrange to meet with each of them for a full ITGC training. Each

Control Owner must be crystal clear on:

  • The definition and control process for new ITGC that they must learn
  • How the internal IT audit process works
  • How ITGC are tested
  • How to document ITGC

Don’t make your Control Owner ITGC training a one-way monologue of ITGC dictats. Make it interactive. Use it as an opportunity to learn what each Control Owner actually does. The last thing you want is for ITGC to be treated as unimportant or optional by Control Owners. Unless ITGC training is delivered thoroughly, with a shared vision of their paramount importance, Control Owners will lapse into poor ITGC habits.

8. Meet the External Auditor

Meeting your external auditor is the final step before gaining your ITGC and, eventually, SOX compliance certification. When you meet your external auditor, your ultimate goal is to leave them with the impression that your company is 100% ready for SOX compliance, with strong, continual ITGC firmly in place. Show your external auditor every step of your ITGC strategy design and implementation. To gain your external auditor’s trust, you’ll need to forensically present every stage of your ITGC implementation strategy.

Present everything—all the steps you’ve taken, your ITGC stakeholder team, processes, ITGC controls design, monitoring metrics—tell them your CIO, IT team and SOX compliance manager are all included in your ITGC A-team. Providing your external auditor with confidence will impact his/ her professional opinion. When the time comes, his/ her opinion on your ITGC will be more assured and more valuable.

9. Keep the Continuous Monitoring

The guidelines detailed here should be continually deployed in your organization. They also need to be continually maintained by the various ITGC stakeholders identified as responsible for new ITGC best practices long-term. You need to picture this as an ongoing strategy.

10. Bonus Step – Automate Your ITGC

Congratulations, you’ve completed your journey along the long, winding road to designing and establishing ITGC. However, there must be an easier way. Why not bypass complex IT interventions? Ask us for a demo or discover how to implement ITGC the simple way

Traditional ITGC strategy involving heavy IT interventions can cause delays and loss of business continuity. Why not automate ITGC with AudITech? This way, your IT team doesn’t have to get involved. You’ll perform IT audits flawlessly and independently from your browser. 

Let’s get IT audits done simply, so that you can spend more time getting things done.

IT General Controls Automation: Why Your SOX IT Audits Need to Go Digital

What do IT General Controls (ITGC) and SOX compliance readiness bring to mind? Does your company treat IT General Controls as a project or process?

The Problem of Pop-Up SOX Compliance Projects

Many enterprises and newly-listed companies move quickly with unexpected ITGC and SOX compliance projects to meet emerging requirements. After heavy IT interventions, costly multi-stakeholder coordination, and trial-and-error bottlenecks, an internal IT audit is finally complete, the auditor’s opinion on internal control over financial reporting  is gained and the compliance project is temporarily gone. CFOs, Compliance Officers, and management teams must realize that SOX compliance is not a project that is long forgotten after the audit period but an ongoing business process, one that is in urgent need of a 21st Century digitization. Legacy internal IT audit processes need to be modernized. Too long has the complexity of internal IT audits been allowed to go unchallenged. If the aim of IT risk management is to ensure that enterprise IT infrastructure remains an asset instead of a liability, then challenging IT audit inefficiency should be standard practice.

Allow us to illustrate the point with two brief anecdotes

Case 1: picture the screen

Before founding AudITech in partnership with the VAT IT Group, we worked with Big 4 consultants, advising global enterprises on IT risk management. We found ourselves talking with IT teams for hours, wasting their time, taking endless and often irrelevant screenshots of IT system backup settings. After all, you have to leave an audit trail, right? Many of the IT system settings we took screenshots of could and often did, change soon after, rendering most of the process almost redundant – redundancy that eventually heavily impacted cost-efficiency.

Case 2: ‘Whatever you say, .doc’

Working with external auditors, we witnessed so many ITGC evidence documents requested in order to close perceived compliance gaps that in most cases simply weren’t relevant or valid. As auditors usually take samples of the audited population and do not examine the population as a whole, so that many risks stay under the surface. The same risks that ITGCs are supposed to monitor. 

Don’t Blame the Player, Blame the Game

Let’s get one thing straight – we’ve worked with some inspiring, intelligent, and highly competent people. The compliance industry and the companies it works with are full of talent. The problem of IT audit and ITGCs complexity isn’t the people involved, the auditors, or the in-house audit stakeholders they work with. The problem is a collective lack of insight about new, digital possibilities in this space, and sticking to old habits, financial year after financial year. Too many enterprises and newly-listed companies force their organization to work for the audit instead of innovating digitally so that the audit works for them.

It’s time for IT audits and SOX compliance readiness to go digital.

Digital IT Audit Automation Is Here. Now Is the Time for Industry Adoption

When introducing ITGC automation to Big 4 clients, it became obvious that compliance stakeholders – both external and internal – just wish there was a simple technological solution that would ease off the work and reduce the pain involved in SOX readiness. We’re reaching a moment in our industry in which manual work can become a real burden, slowing companies down, making organizations less efficient, and as a consequence – less competitive.

What does it mean to ‘go digital’ with ITGCs and SOX readiness? It means that all your in-scope IT systems are audited automatically using out-of-the-box integrations. It means pivoting from manual, complex system-by-system ITGCs monitoring, countless email exchanges, and endless screenshot evidence collection, to IT General Controls automation tools with minimal human interventions. Instead of forensically examining each IT asset individually, it’s now possible to integrate all IT systems into a single platform and achieve continuous controls monitoring.

No more IT interventions

One of the biggest challenges of a successful IT audit is getting the expertise and access. A single IT audit can involve countless people working with the IT department that holds the keys to all company IT assets. When you automate and digitize IT audits through a SaaS platform, complex collaboration and access roadblocks give way to seamless A-to-B straight-line audits owned and managed within a single source of truth, allowing your time-to-audit is cut by weeks.

No more granular pop-up compliance projects

Digitizing ITGC monitoring and internal IT audits through automation will bring an end to pop-up SOX compliance projects designed with urgency in the heat of the moment. Instead of one-time compliance missions involving numerous stakeholders, enterprises and newly-listed companies can create live, ongoing compliance processes of continuous and effortless ITGCs monitoring. The net benefit, in the long run, will be faster time-to-compliance year after year, with decreasing cost, risk, and investment.

AudITech Has Made IT Audits Smarter, Simpler, and Valuable

Take the first step towards ITGC digitalization. Ask us for an AudITech demo and we’ll show you how to complete certifiable IT audits in minutes, with complete, auditor-recognized documentation provision. Speak to us about your current ITGCs monitoring process and SOX compliance. If you’re unsure how ready your ITGCs are and what you need to do, we’ll guide you through it and show you how to establish a clear set of internal IT general controls.

Achieve full IT-audit Independence & peace of mind

We’ll guide you through your first IT-audit in minutes. Learn to create fast, official, trusted ITGC reports recognized by IT-auditors

Schedule an AudITech Demo
This field is for validation purposes and should be left unchanged.