How to Control Your SOX Compliance Costs

Given the challenges of the COVID-19 pandemic, your organization may be asking how to maintain and improve your internal controls after this unprecedented time.

Consider new opportunities to enhance or rethink your organization’s current processes and, as a result, rework how you execute your SOX program.

Below, learn how to mitigate the cost and impact of SOX on your organization after navigating a time of intense disruption, and how this could help you prepare for any potential downturn in the future.

This article answers the following questions and closes with a checklist of next steps.

What Are SOX 404 Controls?

Section 404 of the Sarbanes-Oxley (SOX) Act of 2002 often makes compliance extremely difficult and expensive. Among other requirements, SOX 404 requires organizations to maintain a reliable and effective internal control structure and to report any failures to comply.

Additionally, registered external auditors must verify all of the above is true.


How Did COVID-19 Change Work Environments and Potentially Affect SOX Costs?

The pandemic forced many organizations to make some or all of the following significant operational changes:

  • Switch to a remote work environment
  • Reassess audit fees
  • Reduce staff assigned to operating controls
  • Decrease support for external auditors
  • Furlough employees or reduce work schedules

These changes have ramifications for a control environment, and companies had to adjust accordingly.

For example, when an employee who is a control activity owner is furloughed, laid off, or put on a reduced work schedule, companies must reassign the responsibility and decide how to maintain proper segregation of duties. And, given the economic impact of the pandemic, companies had to navigate these challenges while keeping their SOX costs as low as possible.

What Common Mistakes Can an Organization Make in Its Internal Control Environment?

Many companies inadvertently complicate their control environments unnecessarily, which can result in errors and delays and unmitigated risks to reliable financial reporting.

Companies often compromise the efficiency of their control environment when they:

  • Maintain different financial reporting processes across business units and geographies
  • Expand the number of applications impacting financial reporting
  • Allow the number of key control activities and operators to grow
  • Postpone their annual risk assessments
  • Postpone annual SOX training
  • Overlook the importance of attracting and retaining the necessary finance and accounting staff to design and operate SOX controls
  • Delay integrating acquired companies into their control environment

Increase in Financial Reporting Applications

One of the more common mistakes is expanding the number of applications impacting financial reporting.

For example, if your primary general ledger application doesn’t provide adequate reporting, you might introduce new technology such as data visualization tools.

Because those tools produce reports the company relies on, they then fall within the scope of your internal controls evaluation. This typically requires more effort and can lead to errors.

How Can an Organization Avoid Mistakes in Its Internal Control Environment?

To avoid common internal control mistakes:

  • Understand how to use source information in financial reporting controls
  • Limit these controls to systems and applications where you use source information in financial reporting
  • Reduce financial reporting system complexity

These steps could create opportunities to reduce overhead expenditure.

How Does an Organization Take a Top-Down Approach to Internal Controls Compliance?

There are four key steps to keep in mind for a top-down approach to internal controls compliance:

  • Reevaluate your organization’s current controls
  • Reexamine and refresh your risk assessment strategies
  • Compare your control strategies to the external auditor’s report
  • Integrate your audits

Reevaluate Current Controls

Controls directly influence the work and effort required of audit firms; reevaluating current controls and implementing a top-down approach can shorten your audit process. Less time means less impact on your organization and potentially lower cost.

The more detailed and precise you are when describing and documenting your entity-level controls, the greater the opportunity to minimize cost and impact.

For many reasons, audit firms tend to test more process-level controls instead of entity-level controls: either the audit team is unable to assess the entity-level controls, or it doesn’t understand how the entity-level controls operate at the level of precision necessary to prevent and detect material weaknesses.

This is critical when an organization seeks to reduce the number of process-level controls, especially when entity-level controls can provide the needed level of precision over financial assertions.

Process-level controls operate where most of the company activity occurs—such as a division, plant, or revenue cost center—while entity-level controls happen at higher levels in the organization.

Specifically, process-level controls directly relate to a specific business cycle impacting financial reporting, while entity-level controls focus on reviews that may cover one or more business units.

Reexamine and Refresh Risk Assessment

Reexamine your company’s risk assessment to reduce the number of control activities necessary to mitigate risks to material misstatements. Identify entity-level controls that address relevant risks operating at an appropriate level of precision.

Document the design factors of your entity-level controls so your external auditor can understand and use them.

Example design factors include:

  • Competence of the person performing the control
  • Frequency and consistency with which the control is performed
  • Level of aggregation and predictability
  • Criteria for investigation and follow-up
  • Dependency on other controls

Consider completing your risk assessment on an annual basis. You might discover you can eliminate testing of controls over accounts that aren’t material by themselves, or in the aggregate, and cut costs as a result.

External Audit Comparison

Compare your SOX population of control activities to your external auditor’s population.

If the auditor tests more controls than your company, you could help your auditor identify the entity-level controls that prevent and detect material misstatements.

Evaluating your regulatory requirements and consolidating those controls can create opportunities to reduce the impact of audits and improve efficiencies within the organization, while creating greater line of sight to the controls that truly support regulatory needs.

Your company is ultimately responsible for defining controls and generating evidence to support the effective operation of those controls; the key is to ensure controls are precise and evidence demonstrates the precision.

SEC Guidance

Throughout the process, reference the Securities and Exchange Commission (SEC) guidance to optimize the evidence generated to support your 404(a) assertion. Optimization could reveal opportunities to reduce the cost and impact of SOX.

Integrate Audits

Organizations are integrating their controls audits by taking advantage of the SOX overlap with the following:

  • System and Organization Controls (SOC) 1 testing
  • SOC 2 testing
  • National Institute of Standards and Technology (NIST) assessments
  • Health Insurance Portability and Accountability Act (HIPAA) testing
  • Financial Industry Regulatory Authority (FINRA) examinations
  • North American Electric Reliability Corporation (NERC) testing
  • Customer Identification Program (CIP) testing
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) regulations

How Can Your Organization Optimize Evidence to Support Assertions?

Your company can optimize evidence of your controls and support the assertions of your audit and help cut costs in the following ways:

  • Use control self-assessments
  • Remediate significant deficiencies and material weaknesses
  • Consolidate controls

Use Control Self-Assessments

Consider using control self-assessments for all SOX controls that your external auditor chooses to test independently.

Control self-assessments can be an efficient, cost-effective way to provide reassurance to your executives without hiring a third party to test your controls.

If you have a third party test controls to support your 404(a) assertion and your external auditor ignores this work, discuss next steps. Consider whether the third party is worth the expense if the external auditor isn’t going to rely on its work.

Use this understanding to increase your external auditor’s reliance on your organization’s work while they test high-risk areas independently. This could provide leverage to negotiate your audit fee.

Remediating significant deficiencies and material weaknesses may enable the auditor to rely on controls for the financial statement audit and simultaneously reduce the number of items selected for testing.

This reduces the audit firm’s overall sample sizes and minimizes the time your company spends responding to audit requests.

If your company receives a list of deficiencies that haven’t been assessed as significant deficiencies or material weaknesses, your external auditor may be testing too much.

In this case, remove deficient control activities from the SOX population if the ineffective control didn’t result in a significant deficiency or material weakness by itself or in the aggregate.

Remember your auditor doesn’t have to test controls that don’t prevent or detect a material weakness by themselves or in the aggregate. Therefore, if the control fails and it’s evaluated as a deficiency, you could have an opportunity to remove the control and point to another control—especially if the evaluation of the deficiency leads to other mitigating controls.

Consolidate Controls

Many public issuers that identified and documented their controls 10 to 15 years ago haven’t revisited them since. There’s a good chance redrafting controls and consolidating redundancies could improve SOX efficiencies.

Broad or generic control statements can result in ambiguity. Consider rewriting controls to be more specific and precise to the activities and events the organization performs today, and adding controls to directly and precisely mitigate the risk.

As you remediate and think about improving controls, be specific and precise in the activities and look to consolidate controls that seem redundant.

A Checklist of Next Steps

Short-Term Takeaways

Your organization should consider implementing the following as soon as it can:

  • Reevaluate and refresh your company’s risk assessment to reduce the number of control activities you need to mitigate material risks to internal control over financial reporting, especially in the post-pandemic environment.
  • Redesign controls and processes and take time to evaluate controls your organization relies on to run its daily tasks.
  • Potentially reduce the spend on third-party service providers that generate your evidence to support your 404(a) assertion.
  • Use control self-assessments for all SOX controls that your external auditor chooses to independently test.
  • Remediate significant deficiencies and material weaknesses your external auditor identifies so they can rely on controls and integrate the two audits.

Long-Term Takeaways

Your company could implement the following steps throughout the next 18 months:

  • Reevaluate the number and complexity of systems impacting financial reporting.
  • Assess the sources of your financial information and if there’s a way to consolidate.
  • Consider hiring or repurposing a full-time equivalent SOX project manager.
  • Make controls common across processes that impact financial reporting, related systems, and business units.
  • Consolidate, if possible, the number of control activities, including internal technology general controls and those for business processes.

We’re Here to Help

If you have any questions regarding SOX 404 compliance, please contact your Moss Adams professional.
