Evaluate Key Financial Controls
The infamous SOX “Section 404” guidance requires both management and the external auditor to provide a report that includes an opinion regarding internal control over financial reporting (ICFR). This is additional to the traditional auditor’s opinion on the accuracy of financial statements. It requires management to document and comprehensively test financial controls necessary to address “material misstatement risks.”
Any controls that are assessed as not effectively designed (i.e. not capable of addressing the related risk, even if executed) or not operating effectively (i.e. not executed consistently) result in “deficiencies.” More serious deficiencies are categorized as “significant deficiencies” or “material weaknesses” and must be reported to the external auditor and audit committee. Material weaknesses require public disclosure during the quarter they are identified and, if not remediated as of year-end, an unfavorable opinion on ICFR in the issuer’s annual report.
The requirement to perform a comprehensive control assessment has resulted in several improvements in the art and science of financial management. For example, controls related to the “tone at the top,” incentives, and conflicts of interest were often not formally assessed prior to SOX. Focus on effective controls has significantly improved. Further, the quality of the SOX assessment (for example, project management, technology use, risk assessment, and quality of presentation materials) is a good proxy for “tone at the top” in the organization and the process management skills of the finance team.
In the aftermath of SOX the focus of internal auditing efforts also shifted significantly to financial controls, as opposed to operational processes. Many issuers expanded the staffing and capabilities of their internal auditing teams to absorb incremental SOX responsibilities. The New York Stock Exchange (NYSE) listing standards now require that all listed companies have an internal audit function. Tracking deficiencies to resolution also establishes good discipline for internal audit follow-up of all issue types, as required by internal auditing standards.
Improve Risk Management
Pressure is increasing on businesses to improve risk management practices. This comes from a variety of sources, including regulators, credit rating agencies, and activist shareholders. Further, the subprime mortgage crisis which became apparent in 2007 has (arguably) exposed systemic risk management concerns.
The 2007 guidance from the SEC and PCAOB regarding SOX Section 404 established a comprehensive framework for conducting a “top-down” financial reporting risk assessment. For example, management is required to identify material misstatement risks and related controls, which then must be tested. (See the Case Study for details.)
Techniques used in top-down risk assessment are applicable to other risk categories. Under the COSO Enterprise Risk Management (ERM) framework, risks fall into strategic, operational, legal/regulatory, and financial reporting categories. SOX compliance implies substantial coverage of financial reporting risks. The SOX compliance process also provides a framework that relates processes, risks, and controls, and the network of managers involved, which can be used to help establish an ERM program.
Many companies also use SOX-compliance database software, which may also be useful for retaining risk information to support an ERM program and as an internal audit workflow tool. For example, as internal audits are completed, the amount of risk and control information expands in such a database, across all risk types.
In response to increased expectations around risk, many audit committees have expanded their scope to include overall risk management. With SOX efforts addressing financial reporting risks, they can focus more attention on strategic and operational risks. Some issuers have also created board risk committees to address non-financial reporting matters.
Improve Financial Processes
The significant cost of the ICFR assessment required under SOX Section 404 represents a “tax” on inefficiency, providing additional incentives for process improvement. Redundant systems, processes, or locations generally require some type of incremental assessment, increasing the scope and cost of compliance. The Financial Executives International (FEI) survey of SOX 404 compliance costs in 20074 indicated that, for companies with average revenue of $4.7 billion, the costs in decentralized companies averaged $1.9 million, 46% higher than the $1.3 million in centralized companies. The difference is likely to be a fraction of the savings available from addressing the underlying process inefficiency.
In addition, manual control procedures involve substantially higher testing costs. For example, a manual control that operates daily may require a sample size of 30 to be evaluated by an expert. However, the same control if automated requires a sample size of just one and does not have to be evaluated each year if certain criteria are met. Leading companies track the number of manual versus automated controls and seek automation opportunities. Reducing the number of manual journal entries is another means of improving the reliability of financial statements and reducing closing-cycle time, while reducing both compliance and personnel costs.
Section 404 is one of the more contentious elements of SOX, due to the significant cost of compliance. According to a survey by FEI that included issuers with an average revenue of $4.7 billion, compliance costs were $1.7 million during 2007, or 0.36% of revenue. The total cost includes internal and external labor and auditor attestation fees.5
Compliance costs have continued to decline since 2004, when Section 404 became applicable for most issuers. The 2007 SEC and PCAOB guidance has provided management with additional flexibility in addressing risk and determining the timing, nature, and extent of testing procedures, further reducing costs.