The changing SOX landscape

A subtle, but very significant, change is underway in the world of Sarbanes-Oxley compliance, specifically audits of Internal Control over Financial Reporting (ICFR). As a result of this change, many public companies will face additional compliance burdens and new exposures, even if they believe they have a well-established and stable system of internal control.

“Some public businesses may be completely unaware that even though they’ve had effective ICFR for years, this year may be a different animal,” says Eric Miles, a partner in Business Risk Services 
at Moss Adams LLP. “We’re seeing that controls or approaches that were fine in the past are now getting much more scrutiny from external auditors.”

If you have not yet had discussions with your external auditors about your 2013 ICFR compliance efforts, you may have a little time to get out in front these changes, he says. Many companies are already experiencing these changes in expectations and have found compliance to be very frustrating.

Smart Business spoke with Miles about why there’s activity change in ICFR compliance expectations and what you can do about it.

Why is there increased focus on ICFR compliance?

Over the last two years, the Public Company Accounting Oversight Board (PCAOB) has drastically increased its inspection focus on audits of internal control over financial reporting (ICFR) and as a result, virtually every major accounting firm has received reports indicating deficiencies in their audits of ICFR. The PCAOB was concerned about the pervasiveness of the findings, so much so that it published a special supplementary report in December 2012 detailing the most pervasive deficiencies identified in firms’ auditing of internal control over financial reporting during the 2010 inspections, and also including information on the potential root causes of the deficiencies.

The SOX ICFR compliance pendulum has swung back and forth over the years. When the SOX ICFR assessment requirement was first implemented, it yielded very rigorous and costly audits.  In response to the litany of criticism, the PCAOB issued a new audit standard in 2007 (Audit Standard No. 5) to clarify expectations and ultimately to focus SOX ICFR efforts on areas of the most importance. What we are currently seeing is the PCAOB’s reaction to the mis-implementation of that standard.  It appears that from the PCAOB’s perspective, the pendulum swung too far.  As a result the PCAOB is trying to put more rigor into audits of internal control over financial reporting.

What is the biggest internal control problem?

Although the PCAOB noted several pervasive deficiencies, the issue currently causing the most consternation with companies is the design and testing of ‘Management Review Controls.’ These are controls, such as account reconciliations, budget to actual, etc., that theoretically allow several key risks to be mitigated with a single control. The PCAOB noted that the auditors’ evaluation of the design and operation of these controls has typically been cursory at best, such as an examination of a document for signature and date. As a result, many firms are now asking companies to be very detailed in the explanation of these controls, explaining aspects such as what triggers management’s attention, what management does when an item for investigation is identified, and how resolution of review items is documented.  Further, firms are expecting management to maintain much more evidence of operation than in the past.

If your company has management review control problems, what can result?

There’s a real risk that organizations that heavily rely on management review controls are going to be surprised, even if their auditor has said for years the controls are fine.

With the new scrutiny, some external auditors may conclude there’s a material weakness. Ultimately that impacts the value of the organization. In any case, it takes a lot of time and effort to update documentation to get back in sync with your external auditor.

What should organizations be doing now?

The first step should be to have a proactive conversation with your auditor to understand whether their expectations have changed or are expected to change. There is a real risk that companies will substantially complete their own internal control assessment activities before fully understanding the scope of needed changes with their external auditors. As a result, companies may need to go back and update their already completed testing to comply with the auditor’s new approach. That’s far from ideal.

Once you have a better understanding of the external auditor’s needs, you need to understand what controls are considered to be ‘review controls.’ By taking an inventory of your controls, you may find that you have just a handful of management review controls, however, organizations that really embraced Audit Standard No. 5 will likely have more concerns.

For the identified controls, make sure your control descriptions include specific investigation criteria such as dollar or percent variance or other qualitative considerations, with clear precision thresholds. There needs to be evidence of control performance that can be tested through re-performance, not just through a review of signatures. If you can update your documentation in advance of external auditors coming in, it will save you trouble later.

Overall, be prepared for increased auditor activity, particularly with respect to walkthroughs and management review controls.

Eric Miles is a Partner in Business Risk Services at Moss Adams LLP. Reach him at (650) 808-0699 or [email protected].

Insights Accounting & Consulting is brought to you by Moss Adams