The Sarbanes-Oxley Act (SOX) was enacted in 2002 to protect investors from fraudulent financial reporting by public companies. One of SOX’s key provisions is Section 404, which requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR).
While SOX 404 compliance can improve a company’s internal control environment, it can also create a significant administrative and cost burden due to control requirements that can be time-consuming and resource intensive. Therefore, it’s important for management to find ways to continuously improve its SOX 404 compliance program to reduce the impact on company resources.
Develop a strategic compliance approach that includes understanding key SOX 404 pain points, knowing the rules for specific circumstances, evaluating SOX 404 delivery models, and evaluating specific activities in each phase of the SOX 404 compliance program.
One of the main pain points of SOX 404 compliance is rising costs, including costs for internal audit personnel, external auditor and consultant fees, and required investment in technology such as governance, risk and compliance (GRC) systems and automation tools.
Additionally, SOX 404 compliance requires significant time and effort from company personnel, including project management, continuous process and control documentation creation and updates, and increasing documentation requirements to meet external auditor or regulator requirements.
Some of the root causes of these pain points include:
According to the 2023 SOX Compliance Survey, SOX 404 compliance costs per location are trending down; however, they remain a significant expense, especially for emerging growth companies. Companies can expect sharp increases in costs when going through the initial stages of SOX 404 readiness, transitioning from 404(a) to 404(b), and moving out of the emerging growth category.
While SOX 404 compliance costs haven’t risen dramatically from the 2022 to 2023 SOX 404 Compliance Surveys, 58% of survey respondents reported an increase in SOX 404 compliance hours. According to the survey, increasing expectations, scope of activities, and inquiries from external auditors were cited as the drivers for the increase.
The PCAOB reported that insufficient audit evidence was obtained to support the auditor’s opinion in 40% of inspected audits in 2022. This figure is up from 34% of 2021 audits and 29% of 2020 audits.
Internal control over financial reporting continues to be a focus area of PCAOB inspections and a frequent cause of audit deficiencies. Increased pressure on audit firms has created additional work for organizations subject to SOX 404 (b) compliance provisions which require an audit of IFCR in addition to the financial statements.
Despite the challenges of SOX 404 compliance, there are opportunities for improving efficiency and ultimately reducing SOX 404 compliance costs and burden on personnel. Some key areas that may offer opportunities include:
It's important to understand the difference between the requirements for SOX 404(a) and SOX 404(b). Having a strong understanding of the organization’s current situation regarding SOX 404 compliance can help ensure an efficient program.
SOX 404(a) requires each annual report required by section 13(a) or 15(d) of the Securities and Exchange Act 1934 to include a report on ICFR. The report must state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and to include an assessment by management, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
The SEC provides guidance on management's assessment requirements in SEC Interpretive Release 33-8810, which establishes the minimum assessment activities to be performed and sets forth a top-down, risk-based evaluation of ICFR.
This guidance creates a safe harbor for management's SOX 404 compliance and states that management has significant discretion in the compliance approach. The guidance also notes that management's ongoing monitoring and daily interaction with control procedures could provide sufficient knowledge required to evaluate ICFR.
SOX 404(b) requires each registered public accounting firm that prepares or issues the audit report for the issuer to attest to and report on the assessment made by management of the issuer. The auditors report under SOX 404(b) includes what’s referred to as an integrated opinion as the auditor is opining on both the financial statements and ICFR.
In performing the audit, the external auditors must follow Auditing Standard (AS) 2201. This standard enumerates the minimum professional standards for conducting an audit of ICFR that’s integrated with an audit of the financial statements. Under AS 2201 the auditor is required obtain reasonable assurance of the effectiveness of ICFR regarding reliability of financial reporting and the preparation of financial statements for external purposes.
Auditors are required to perform control risk assessment, assess design of controls, and perform control operating effectiveness testing. This additional audit drastically increases the required detail and formality of management’s process and internal control documentation, including evidence of performance and testing documentation.
Knowing the acceptable approaches for SOX 404 compliance is key to helping management implement an effective but cost-efficient program. For example, companies not yet subject to SOX 404(b) requirements may be doing more than is required. The SEC guidance provides a lot of flexibility in the assessment of control effectiveness, from self-assessment to fully outsourced, direct testing. However, this flexibility can result in more work later for 404 (a) companies that are only meeting the minimum requirements if they don’t have a plan to transition to the more stringent requirements of SOX 404(b). While this seems like a good way to cut costs in the short term, it can lead to a significant amount of cost and effort in the transition year.
Waiting to do independent testing until SOX 404(b) requirements are applicable can result in a false sense of security leading to surprise deficiencies and significant remediation effort when controls are subject to more scrutiny.
One way to ease the burden and cost of transitioning from 404(a) to 404(b) is to not wait to begin implementing the additional documentation requirements until the organization is subject to 404(b).
Companies can gradually augment their SOX 404 compliance activities to include more complete documentation, more persuasive evidence of performance, and more detailed testing to avoid a huge spike in cost and effort in the year of transition. This approach requires buy-in from senior management and may not always be practical if the company grows very quickly.
Companies have the option to choose different SOX 404 delivery models. Depending on the organization's circumstances, it can use internal resources, external service providers or a combination of both.
For larger, more complex organizations where SOX 404 and other compliance work demands full-time personnel, insourcing or staff augmentation may make more sense. For smaller organizations, staffing every area of expertise in-house may not be practical.
Regardless of the situation, it’s important to reevaluate the delivery model periodically to determine the most effective and cost-efficient model to use.
The SOX 404 compliance program generally includes the following major activities:
Because it establishes the basis for the entire SOX 404 compliance program, it’s critical to prepare or update each year’s risk assessment and scoping to ensure that it incorporates known or expected changes in the Company’s risk profile.
Opportunity areas to consider include:
The internal control design assessment phase provides significant opportunities to reduce SOX 404 compliance costs and burden on employees. Opportunity areas to consider include the following:
The relevant guidance doesn’t define the form and level of detail required for management's business process documentation or control design assessment documentation. For process documentation, consider starting with or transitioning to flowcharts, which are easier to maintain once created and typically provide the right level of detail compared to narratives, which may include extraneous details if not carefully drafted.
Management is required to assess the design of ICFR, but there’s no requirement to perform and document transaction walkthroughs as described in AS 2201.37. Consider whether walkthroughs are necessary and required or relied-upon by auditors or just something that’s been done in the past.
If design has been previously assessed, it may be possible to confirm whether there are significant changes versus doing full walkthroughs. If separate internal and auditor walkthroughs have been performed in the past, evaluate the cost of performing combined versus separate walkthroughs.
Additionally, companies should revisit the required level of documentation of walkthroughs by external auditors. Would a short form walkthrough be sufficient rather than the auditor’s detailed test of design document?
As part of assessing the design of controls, it’s important to consider whether there are opportunities to reduce control through rationalizing and optimizing controls.
Rationalization involves reviewing existing the control set and risk mapping to identify redundant controls or those that are no longer key due to changes in the company's business or risk profile. During this process, it’s important to consider the proper balance between transaction level—prevent—versus monitoring controls—detect.
Optimization involves evaluating controls to ensure they provide the highest benefit to cost ratio. Organizations should periodically evaluate manual controls and confirm whether they’re still necessary and that all attributes are relevant to in-scope risks and explore whether they be automated. Leveraging existing controls to address new financial statement risks or in response to auditor concerns can also help optimize SOX 404 controls.
When evaluating internal control operating effectiveness testing for efficiency, organizations should look at the nature, timing, and extent of testing. SEC Interpretative Release 33-8810 allows management to exercise significant judgment and provides organizations flexibility in assessing ICFR. Decisions on nature, timing, and extent of testing should be based on assessed ICFR risk. Opportunity areas to consider include the following:
Organizations should evaluate testing plans to ensure the testing approach is commensurate with the related risk of the control. For lower risk controls, consider using management control self-assessments or facilitated self-assessments.
Companies can also downgrade the testing nature from reperformance to inspection or inquiry where appropriate and limit reperformance to higher-risk controls, such as those controls that serve as important compensating controls or those that address multiple ICFR risks.
Organizations should revisit the timing of testing each year. Some decisions to consider when evaluating timing can include:
For organizations subject to integrated audit requirements, this will require coordination and agreement with the external auditors.
Like the nature of testing, the extent of testing should be commensurate with the related control risk. An organization doesn’t need to use the same sample sizes for all key controls. Consider reducing sample sizes for lower risk controls that are considered that will not be relied upon by the auditors. Full sample sizes can be reserved for high-risk controls or rely controls.
In addition to modifying the nature, timing, and extent of testing, other opportunities to increase efficiency or reduce burden on personnel include:
To learn how create and implement SOX 404 compliance strategies specific to your company, contact your Moss Adams professional.