As you probably recall, SOX 404 requires public reporting companies to disclose the effectiveness of their internal control over financial reporting. SOX 404(a) public companies to provide an assessment of ICFR by management; SOX 404(b) requires public companies-other than non-accelerated filers and emerging growth companies-to provide an auditor attestation regarding management's assessment of the effectiveness of ICFR. A new study by Audit Analytics examining the most recent trends in SOX 404 disclosures over 17 years showed a decline in the number of adverse auditor attestations-auditor attestations indicating ineffective ICFR-and adverse management assessments, while the number of adverse management-only assessments increased.  Why that variation? Could it reflect the effect of the recent SEC carve-out from the 404(b) requirement for low-revenue companies?  

SideBar

In 2020, the SEC approved amendments to the accelerated filer and large accelerated filer definitions that excluded from the definitions companies that qualify as smaller reporting companies and reported less than $100 million in annual revenues in the most recent fiscal year for which audited financial statements were available. For the most part, the significance of the change was to carve out low-revenue companies from the requirement to file a SOX 404(b) auditor attestation report on ICFR, a requirement that applies to accelerated and large accelerated filers. The concept of exempting additional filers from the obligation to obtain a SOX 404(b) auditor attestation on ICFR was controversial because the attestation requirement is viewed as critical investor protection by its advocates, but is anathema to many supporters of deregulation. The SEC generally believed that including low-revenue issuers in the accelerated and large accelerated filer definitions may involve greater costs and relatively lower benefits, as compared to other issuers, largely because "low-revenue issuers may, on average, be less susceptible to the risk of certain types of restatements, such as those related to revenue recognition."

Data on adverse attestations and reports. According to the study by Audit Analytics, in 2020, the number of adverse ICFR auditor attestations declined to 146, the second-lowest number of adverse auditor attestations since inception of the requirement. Because the requirement applies to accelerated and large accelerated filers, ICFR audit attestations are primarily the province of larger companies. Adverse auditor attestations represented 4.6% of all 2020 auditor attestations, a decline from the 6.9% in the prior year and the lowest percentage of since 2012.  (Back in 2004, the number of adverse attestations was 441, representing 16.2% of all attestations.)  Similarly, the number of adverse management ICFR assessments decreased in 2020 to 1,329, representing 21.4% of all management assessments filed for the year.  In 2019, the number of adverse management assessments was 1,395, representing 22.4% of all management assessments.  (In 2004, the number was 450, representing 16.4% of all management reports.) The highest percentage was 23.9% in 2014.

In contrast, the number of adverse management-only ICFR assessments increased slightly in 2020 to 1,183 from 1,149 in 2019. (In 2007, the number of adverse management-only reports was 931, or 27.4% of all management-only reports.) However, as a percentage of all management-only reports, adverse management-only assessments declined in 2020 to 38.6% from 42.7% in 2019, reflecting the overall increase in the number of companies eligible to file management-only reports under SOX 404(a) following the effective date of the amendments to the SEC's accelerated filer definition.  Under the new definition, some companies that were previously categorized as accelerated filers may have become non-accelerated filers, which are not required to provide auditor attestations.  More specifically, Audit Analytics calculated that, between 2019 and 2020, "there was a decrease of 11.5% in the number of SOX 404(b) auditor attestations filed and an increase of 13.0% in the number of SOX 404(a) management-only reports filed." (About 25% of the decrease in attestations, Audit Analytics estimates, was the result of  de-registrations associated with a merger or acquisition, bankruptcy, liquidation or similar event.)  Audit Analytics suggested that, even though the number of adverse management-only reports increased, the decline in the percentage of adverse management-only reports largely reflects the increase in companies that became newly eligible for the exemption-previously accelerated filers that were more likely to have effective ICFR because they "had already expended resources to establish an effective control system" and had benefited in the not-too-distant past from an independent auditor review of their control systems.

Impact of current events. There were two recent events highlighted by Audit Analytics for their impact on SOX 404 reporting: the SPAC trend and the pandemic.  First, the increase in SPAC transactions and the SEC's April statement on SPAC warrants led to a number of adverse assessments related to debt and/or equity classification. Audit Analytics reports a significant increase in accounting issues "related to the recording of debt and warrants and debt/equity classification," with the recording of debt and warrants becoming the sixth most common issue in adverse attestations.  By comparison, these issues did not even figure in the top ten in the previous five years.  In adverse ICFR auditor attestations for 2020, the top two accounting issues cited related to debt/equity classification and the recording of debt and warrants. What's more, in both management reports and management-only reports, issues related to debt and warrants were the most common accounting issues cited, and debt/equity classification was the fifth most common issue in management reports and the fourth most common issue in management-only reports. These were far from common in the past. What triggered this change? In April 2021, the SEC issued a statement addressing whether warrants issued by a SPAC should be classified as equity or liability. As a result, companies had to reevaluate the accounting for their warrants and, if necessary, amend or restate previous financial statements, including a reassessment of ICFR.

SideBar

In April 2021, then-Acting Corp Fin Director John Coates and Acting Chief Accountant Paul Munter issued this Staff Statement on Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies ("SPACs"). The primary issue identified in the Statement was whether these warrants should be classified as equity or liability, which depends largely on the specific terms of the warrant and the entity's specific facts and circumstances. If warrants are classified as a liability, according to the Statement, they should be "measured at fair value, with changes in fair value reported each period in earnings." If the company and its auditors determined that, in light of this Statement, there was an error regarding the classification of warrants in previously filed financials, the company had to consider the materiality of the error in assessing whether it needed to restate its financials-which could involve amending one or more periodic reports-and file an 8-K. In addition, the Statement observed, the company needed to consider whether it had to upgrade its ICFR and disclosure controls and procedures and amend its prior disclosures on the evaluation of ICFR  and disclosure controls.  That analysis required consideration of the severity of the control deficiency, if any, individually or in the aggregate. The Statement cautioned that the "evaluation of the severity of any control deficiency should not be limited to the actual misstatement that occurred or whether that misstatement was material, but instead should consider the magnitude of the potential misstatement resulting from the deficiency or deficiencies, amongst other considerations. Where applicable, the auditor also will have to evaluate management's assessment." (See this PubCo post.)

Second, although the pandemic prompted many companies to make necessary control changes, somewhat surprisingly, the percentage of adverse ICFR management reports and auditor attestations actually decreased in 2020, according to Audit Analytics. The pandemic caused some companies to have difficulty remediating control weaknesses and required some companies to quickly implement changes to the control environment just to "continue operating, including the need to reduce personnel to comply with pandemic restrictions or conserve cash." Audit Analytics notes that, when a workforce is reduced, companies can face issues related to segregation of duties and maintaining appropriate accounting personnel. In addition, the shift to remote work increased reliance on technology, which Audit Analytics termed "an area of controls ripe for deficiencies." Nevertheless, the study found "little effect. in terms of the most common issues disclosed in adverse SOX 404 assessments. For example, the top two internal control issues cited in adverse ICFR management reports in 2020-issues related to accounting personnel and segregation of duties-have been the top two issues for the previous five years. This illustrates that issues related to personnel are always common for smaller companies, regardless of circumstances arising from an event, such as the pandemic, that could significantly exacerbate existing deficiencies."

SideBar

A 2020 report from the PCAOB summarized some of the common themes the PCAOB heard in connection with its outreach to audit committee chairs focused on the unprecedented challenges created by COVID-19.  The most prevalent theme was the impact of the shift to remote work. Chairs were initially concerned about the rapidity of the transition to remote, but ultimately indicated that they were surprised by how smoothly the transition had gone under the circumstances.  Some of the chairs indicated that the transition may have been eased by storage of much company data in the cloud.  The chairs had been particularly concerned about ICFR, but concluded that it "was managed, maintained, or adjusted as necessary." Cyber-related risks-such as increased phishing attempts and email security-were cited a number of times by chairs as a challenge that was more acute as a result of the move to remote work. The PCAOB observed that the issue of cybersecurity typically arises in the context of identifying and assessing risks of material misstatements in the financial statements and, for integrated audits, in connection with identifying and testing the controls designed to mitigate that risk. The effectiveness of cyber-related controls was often discussed by the chairs with the auditors in connection with the audit. 

Below are questions for auditors that audit committee chairs considered helpful in understanding risks related to remote work:

  • "Will additional time be needed to get the audit work done remotely? What complexity does working remotely add to the audit?
  • Will working remotely affect productivity of audit engagement team members? If so, does the audit plan need to be updated, and do fees need to be revisited?
  • Has remote work affected the company's ICFR? If so:
    • Is the auditor including new controls in their assessment, or evaluating changes to existing ones?
    • Has the auditor identified any concerns with respect to segregation of duties?
  • If a review of the issuer's interim financial information has been completed already, are there any lessons learned that can be applied to the year-end audit?
  • Are there any technology enhancements or collaborative tools that should be considered to support longer-term remote work?
  • Has the auditor assessed potential risks of material misstatement related to cybersecurity, and how does the auditor plan to respond to those risks?"

(See this PubCo post.)

Key issues in ICFR identified in 2020.   With regard to "internal control issues," that is, internal control weaknesses arising from deficiencies in the company's control structure, in adverse auditor attestations, the most common issue was the need to make year-end adjustments, followed by the need for more highly trained accounting personnel. Both of these issues were repeat performers, having been identified by auditors as the top two issues in each of the last five years. For both management and management-only reports for 2020, the most common internal control issues were a need for more highly trained accounting personnel, followed by "segregation of duty issues associated with the design and use of personnel within an organization." These issues were the top two issues in each of the last five years.

With regard to accounting issues identified as internal control weaknesses, in adverse ICFR auditor attestations, the most common accounting issue was revenue recognition, followed by taxes. Accounting issues related to the recording of debt and warrants rose from "far outside the top five issues in the last five years to being the sixth most common issue in 2020." In adverse ICFR management and management-only reports, the most common accounting issue concerned the recording of debt/warrants/securities. While historically, this issue has not been a common accounting issue for management assessments, it has ranked high in management-only reports. Accounting issues related to the proper classification of debt instruments also jumped notably higher this year.

First-time SOX 404 reports. Almost every year, at least 10% of first-time filers of auditor attestations disclose a need to improve ICFR. The percentage was 23.9% in 2019 (the high) and 15.1% in 2020.  Although there was a decrease in 2020 in adverse ICFR auditor attestations among first-timers, adverse management reports among first-timers increased: 34.8% of first-time management reports were adverse in 2020, compared to 31.7% in 2019; and 39.8% of first-time management-only reports cited ineffective controls in 2020, compared to 34.6% in 2019.

Size matters. Typically, larger companies have had greater resources to apply to creating and supporting effective control systems. As a result, according to Audit Analytics, large accelerated filers have historically had the lowest percentages of ineffective internal controls. In 2020, only 3.8% of large accelerated filers disclosed adverse auditor attestations, down from 4.4% in 2019. In 2020, 7.1% of accelerated filers filed auditor attestations that disclosed ineffective controls, a decrease from 12.1% in 2019.

With regard to adverse ICFR management assessments, the percentages declined across all filer sizes in 2020, although typically smaller companies more commonly identify ineffective controls in management ICFR reports. According to Audit Analytics, "until 2019, the percentage of ineffective controls identified in SOX 404(a) ICFR management reports for non-accelerated and smaller reporting companies had been increasing. After a high point of 44.7% in 2018, the percentage of ineffective control assessments for smaller companies decreased to 37.6% in 2020." In 2020, because of the impact of the new carve-out for low-revenue companies from the auditor attestation requirement, "the percentage of adverse SOX 404(a) ICFR management-only reports for non-accelerated and smaller reporting companies decreased to 37.6% in 2020, down from 43.6% in 2019."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.