System Deployments in 4th Quarter

[CEMSOX]

At a prior company I worked for, I have had experiences where the CFO has stated that we cannot deliver systems changes in the 4th quarter that have a direct impact on financials, all in the name of SOX. In reviewing the SOX regulations I did not find any restrictions around deploying financial systems in the fourth quarter; therefore, I am under the impression that this was just a preference of the CFO in order to reduce the risk of significant or material issues arising in the last quarter of a financial year from the implementation. So I have the following questions:

1) Is this just the preference of the CFO or did I miss something in the SOX regulation indicating that implementation in the 4th quarter is not allowed.
2) If this is just personal preference, has anyone been in this situation before and how did you address it?

My thought would be to a two fold approach:

1) Evaluate the risk of implementation against the risks associated with not implementing the system in the 4th quarter and base the decision to implement on this review.

2) Discuss the topic of implementation with our external auditors to understand what there concerns would be.

Any feedback would be greatly appreciated.

[gmerkl]

There is no requirement, it is just the preference of the CFO.

Section 404 of the Sarbanes-Oxley Act requires an issuer of securities that use the public capital market of the US to
(a) have its management evaluate the effectiveness of the issuer's internal control of financial reporting
(b) have its registered public accountant to audit the effectiveness of the issuer's internal control over financial reporting.

Both opinions on the effectiveness of ICFR are provided as of the end of the financial year, but in practice they also test controls that relate to transactions that occur during the financial year. In order to have a sufficient degree of assurance that controls were operating effectively as of the end of the year, it is usually necessary to test their operating effectiveness over a minimum time period before the end of the year. Otherwise they may have worked by pure chance at the end of the year, but may have not worked before and probably may not work afterwards.

There are no details concerning IT security of the deployment of new IT systems or changes to IT systems in the law, the rules of the US Securities and Exchange Commission (SEC), or the Public Company Accounting Oversight Board's auditing standard.

Keep in mind that the registered public accountant will be risk averse and will probably also tell you not to do the system implementation in Q4.

In principle, an IT system that has a material impact on the consolidated financial statements can be implemented in Q4. However, you would need to assess risks that have an at least reasonably probable likelihood to result in material misstatements to the consolidated financial statements. As long as you come up with controls, which may also be compensating controls that mitigate those risks, you are fine. The main question is whether management and the auditor have enough time to come up with an test the effectiveness of those controls before the annual financial statements need to be filed with the SEC.

[harrywaldron]

As gmerkl shares, freezing system changes in the final quarter is more for stability and organizational preferences to avoid impact. SOX 404 doesn't specify these types of freezes as companies must continually meet changing business and regulatory requirements.

Hopefully in the Project Management system or SDLC, there are existing risk management techniques and contigency plans to reduce potential exposures during that last quarter. Preferably major financial system changes or new system implementations should be done outside the final quarter -- but a company has to do, what it has do for business survival as well.