PCAOB spotlights and trends for internal controls

Overview

Elizabeth Epler Jones, Partner at AXIA Partners, shares an overview of the 2024 PCAOB inspection priorities for external audit firms, including insight into the direct and indirect impact those priorities will have on the internal controls programs at public companies.

Summer 2024 is officially wrapping up, which means we are more than halfway through the calendar year. No matter the size of your business, as a public company, you have a responsibility under the Sarbanes-Oxley Act of 2002 (SOX) to provide management’s assessment of internal controls over financial reporting (ICFR). Other factors may trigger an additional requirement for your external auditors to issue an opinion on your ICFR.

A flurry of PCAOB activity

The Public Company Accounting Oversight Board (the PCAOB) has not let the summer slow them down, and they are charging ahead with their previously published agenda around strategic goals, standards, inspections and enforcement.

Throughout 2024, the PCAOB has been incredibly prolific with numerous auditor updates. The PCAOB staff issued a Spotlight Report in December 2023, which focuses on Staff Priorities for 2024 Inspections.

The 2024 Spotlight Report calls out the following areas of consideration:

  • Procedures related to broker-dealers
  • Recurring deficiencies in audit work
  • Evaluating audit evidence in terms of sufficiency and appropriateness
  • Understanding the company and its environment and how changes in the company’s ICFR might impact the risk of material misstatement
  • Use of other auditors
  • Evaluation of going concern
  • Critical audit matters

Bearing in mind that the PCAOB’s primary role is to “audit the auditors”, the purpose of this discussion is to help navigate the intersection of the PCAOB’s inspection priorities and the external audit firms’ reactions that can and should impact your internal controls program as a public company.

Recurring deficiencies

Ever since Staff Audit Practice Alert No. 11 was published in 2013, we have seen a steadily recurring theme of “ICFR hot topics”:

  • Management Review Controls (MRCs) and critical areas with significant judgment or complexity
  • System-generated data and reports – aka key reports and spreadsheets, aka Information Provided by Entity (IPE)
  • Segregation of duties (SOD)
  • Information Technology General Controls (ITGCs)

Since the PCAOB routinely calls out deficiencies in these areas, the external audit firms are now doubling down. And, as mentioned in previous blogs, what happens to the external audit firms DIRECTLY (and indirectly) impacts public companies.

Let’s discuss.

MRCs continue to be challenging for most public companies due to the interconnectedness with the other internal control aspects mentioned above. MRCs are different from other types of ICFR as they tend to examine aggregated results rather than individual transactions. Unlike transaction-level controls, which are “yes/no,” MRCs typically involve some level of subjectivity and uncertainty (i.e., shades of grey, not black and white). Finally, MRCs require knowledgeable and experienced reviewers who have an understanding of the business at a level of detail that enables them to identify issues for follow-up (and resolve them). The precision level to which this control is reviewed must be relative to the control itself (this is not a one-size-fits-all scenario), and it must be consistently applied throughout the year.

MRC reviewers often rely on data from other sources, not data they personally create or have direct control over, which leads us to consider IPEs or system-generated data, reports or key spreadsheets. When IPE are used in the performance of a control – either as the basis for the decision or in support of the review itself – the control performer must be able to evidence (1) that the data is complete and accurate and (2) how they went about obtaining the sufficiency of that proof. The external auditor must then be able to audit the same (AS1105: Audit Evidence) when evaluating audit evidence.

Assessing both manual and system SOD is a constant challenge. As technology-driven businesses in a technology-driven society, we now rely heavily on systems and on how they integrate with other systems. Management must continually evaluate user access and related tasks for conflicts and potential landmines. If it is determined that duties and access are not properly segregated within a given system and/or ITGCs cannot be relied upon, then the business (typically with the help of internal audit) must look to manual controls both upstream and downstream of that point to evaluate that risk.

What should we, as management, do? 

As the great Jerry Maguire said, “Help me…help you.”  What he really meant was, “Help [Internal Audit]… help you.” Not really, but it sounds good, right?

Make sure your ICFR environment covers the basics:

  1. Work with your internal audit group to catalogue your IPE. Train your team on the proper way to document/evidence completeness and accuracy of IPE. Evaluate every report/spreadsheet that is utilized in the performance of a control to understand how many data sources are involved and where they come from. Your seemingly one critical report may actually be five different IPE. Each one will need to be evaluated. Your IPE count is likely a MUCH larger number than you originally thought.
  2. Identify your key MRCs and the level of precision necessary for proper execution and follow up. Educate your team to consistently apply those levels of review. Again, your internal audit group would be a great resource here.
  3. Complete a proper SOD review and fix what you find. If this is not in the comfort zone for your management team, bring in your internal audit group or a specialist who knows your world and your systems. You will be amazed at the potential pitfalls a good SOD analysis can uncover. You will also learn more about your organization’s risks than you could imagine.
  4. Test early and often. The sooner you can identify and ring-fence your issues, the better chance you have for remediation.
  5. Liaise with your external audit firm. The more and higher quality evidence you can turn over to your external audit firm, the better. SOX is an iterative process. The goal is to improve period over period, year over year. Ask the questions. Build the relationships. It will all help.

Automation is the answer

I would be highly remiss and failing in my efforts to help you if I did not conclude with: “bring technology to bear”. I am a partner with AXIA Partners. We are a boutique consulting firm specializing in, amongst other skills, compliance and technology. Over the last 20 years, we have been honored to work with many companies as an outsourced or co-sourced provider of ICFR services. We offer our platform, Toppan Merrill SOX Automation, to our clients. In addition to a complete set of automated compliance features, there is also system functionality that allows these high audit risk activities to essentially become “open book tests” for the control performers and control owners, including step-by-step instructions and guidance for proper evidence to upload, with full visibility to your SOX key stakeholders.

Please reach out to me or the team. We would love to talk to you about your experiences in these areas. 

How Toppan Merrill can help

For decades, the experts at Toppan Merrill have supported internal audit professionals through creating efficiencies, transparency and predictability of cost within their SOX compliance programs. Visit our SOX compliance page to learn more – or connect with one of our experts at [email protected] or by calling 800.688.4400.

Elizabeth Epler Jones, CPA - Partner, AXIA Partners

Elizabeth has been involved with SOX compliance since the Act became law in 2002. She currently leads the Compliance Practice for AXIA Partners. Elizabeth and her team consult with companies looking to accelerate the efficiency and effectiveness of their SOX compliance management program through the Toppan Merrill SOX Automation platform.
