Sarbanes-Oxley 404(b) Compliance: Determining the Control Environment

Operating as a public company means an organization may be required to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Depending on the organization’s filing status[1], it will either need to comply immediately, or have a period of time to prepare for compliance. As is true with most things, preparation is key. Emerging growth companies (those with annual gross revenues of less than $1.07 billion during their most recent fiscal year) are the most susceptible to being unprepared for compliance, as they can move into an accelerated filing status, or large accelerated filing status, during the course of a fiscal year and be required to comply with all aspects of Section 404(b). It is crucial that an organization assesses its control environment and determines the key controls that must be tested before a change of filing status occurs. This will ensure that it’s able to effectively review its internal controls and provide a management assessment over the design and operating effectiveness of the internal controls over financial reporting.

Utilizing a Top-Down Approach

In 2007, the Public Company Accounting Oversight Board adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (“Auditing Standard No. 5”). This superseded Auditing Standard No. 2, implemented in 2004 to provide guidance to public companies on how to effectively comply with Section 404, by re-evaluating how a company determines its control environment and providing direction for the implementation of a top-down approach for identifying key internal controls.

Auditing Standard No. 5 states:

“The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor’s attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company’s processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.”[2]

The purpose of utilizing the top-down approach is to narrow the scope of internal controls testing to internal controls crucial to the mitigation of risks within the highest-risk process areas. Not only does this expedite the testing effort, but it can also reduce the overall cost associated with compliance testing that is incurred by organizations.

Identifying Entity-Level Controls

Entity-level controls are internal controls crucial to management’s conclusion about whether the company has effective internal control over financial reporting. Entity-level controls vary in nature and precision and include: controls related to the control environment, controls over management override, and controls to monitor the results of operations. The “Internal Control – Integrated Framework” guidance published by the Committee of Sponsoring Organizations of the Treadway Commission places entity-level controls into five integrated components[3]:

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities

Within these five components are 17 principles that controls encompass. An effective and integrated entity-level control environment covers all five components and 17 principles.

Identifying Significant Accounts, Disclosures, and Financial Statement Assertions

In order to determine the remainder of the control environment, the organization analyzes its financial statements and identifies significant accounts, disclosures, and their relevant assertions. Auditing Standard No. 5 defines relevant assertions as “those financial statement assertions that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated.” The five relevant assertions are:

1. Existence or occurrence
2. Completeness
3. Valuation or allocation
4. Rights and obligations
5. Presentation and disclosure

Significant accounts and disclosures are determined based on a materiality threshold determined internally and through discussions with the external auditor. While management and the external auditors do not need to agree on materiality, it is encouraged that they determine a threshold everyone is comfortable with. When the external auditors are in agreement with in scope processes, they may be able to place reliance on the work of the organization and not perform additional testing procedures. Not only will this save time, but it can decrease audit costs. Materiality will vary based on the organization, but is a vital consideration in the identification of significant process areas to be tested.

Once all significant accounts are identified, the associated risks inherent to the various processes must be documented. Following, the organization’s processes are reviewed and control points are documented and mapped to the risks that they mitigate. In identifying the applicable risks and controls, the organization will create an entity-wide control environment that must be evaluated.

Determining Key Controls

Once the complete control environment is determined, the organization must identify the key internal controls inherent to each process area under review. A key control is one that is required to provide reasonable assurance that material errors will be prevented or detected timely. It is commonly misunderstood that all controls within an organization’s control environment must be tested in order to gain reasonable assurance over the design and effectiveness of internal controls over financial reporting. In reality, some controls may further strengthen the internal controls within a process, but do not represent critical points of control failure that could allow material errors to occur without prevention or timely detection. These “non-key” controls may be excluded from the population of controls to be fully evaluated for operational effectiveness. However, organizations should still consider all controls (key and non-key) and test their design effectiveness. This ensures the entire environment is designed to effectively mitigate all risks.

It is the responsibility of management, with input from the external auditors, to determine which controls are key. This ensures that all assertions are being appropriately considered, and that all risks are effectively mitigated. As the organization grows or changes, it is important to re-evaluate the control environment. New controls may be introduced in subsequent years and controls that were once considered key may be removed or replaced, or may become non-key.

While the organization will continue to change, laying a strong foundation and determining a comprehensive control environment will ensure any company is successful in mitigating risk and maintaining compliance.

[1] For more information on the different filing statuses and their compliance requirements, refer to “Sarbanes-Oxley 404(b) Compliance: A Refresher on the Initial Questions You Should Be Asking”. Full text of the document available here: https://www.schgroup.com/resource/blog-post/sarbanes-oxley-404b-compliance-a-refresher-of-the-initial-questions-you-should-be-asking/

[2] PCAOB Auditing Standard No. 5, copyright 2007. Full text of the document available here: https://pcaobus.org/Rulemaking/Docket%20021/2007-06-12_Release_No_2007-005A.pdf

[3] COSO Internal Control – Integrated Framework, copyright 2013. Links to material are provided at: https://www.coso.org/Pages/ic.aspx; The executive summary is available at: https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf