Trends In SOX 404 Reporting On ICFR

Author:Mr Cydney Posner
Profession:Cooley LLP

You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting. SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR— followed different trend lines than management-only assessments.

Starting in 2004, there were 454 adverse auditor attestations (or 15.9% of the total population of attestations). That number increased in 2005 to a high of 492 (although declining as a percentage to 12.6%), but then tiptoed down to a low of 141 (3.5%) in 2010. Arguably, following SOX, the introduction of auditor attestations imposed some discipline on the process, which led initially to the identification of more ICFR issues, but declined thereafter as companies began to get a better handle on the process. After that, the number steadily rose again to hit 246 (6.7%) in 2016, which the analysis attributes to more aggressive oversight from the PCAOB. In 2017, the number of adverse attestations declined to 176 (4.9%), a 28% decrease and the first decline since 2010.

What were the key issues in ICFR identified by auditors in 2017? The most common issue (65%) was a material or numerous year-end adjustments by auditors, reported in 115 adverse auditor attestations. The most common adjustment related to revenue recognition and, with the new revenue recognition standard finally now in effect, it would not be surprising to see that number increase this year. The next most common issues were lack of competence or training of accounting personnel (98), inadequate disclosure controls (49), segregation of duties/design of controls (49) and IT, software, security and access issues (48).

Management-only assessments (performed by smaller companies) seem to have followed a different path. The first year non-accelerated filers were required to make assessments was 2007. In that year, there were 1,089 adverse assessments, representing 30% of small companies. The number rose to a high of 1,727 (34.9%) in 2010curiously, a year when adverse auditor attestations were at their low point. Unlike auditor attestations, the numbers were almost identical...

To continue reading