The Sarbanes-Oxley Act of 2002 was passed by Congress to better protect investors. Section 404 of this act (SOX 404) requires companies to review their internal controls over financial reporting (ICFR) and declare whether their ICFRs are “effective” or “ineffective”. In other words, they must determine whether their ICFRs are adequate to produce financial statements that are accurate and complete. Smaller companies, or non-accelerated filers, are not required to file an auditor attestation; they are only required to file management’s assessment of the company’s ICFR.
Audit Analytics’ annual SOX 404 report takes a closer look at trends in SOX 404 disclosures. SOX 404 Disclosures: A Thirteen Year Review considers both auditor attestations and management-only assessments.
The number of adverse auditor attestations (those disclosing ineffective ICFR) has shaped an interesting path over the last thirteen years. As shown in the graph below, there were 214 adverse attestations for fiscal year 2016, a small decrease from the 236 attestations in both 2014 and 2015.
Similar to the totals, the lowest annual percentage of adverse SOX 404 auditor attestations occurred for fiscal year 2010. Thereafter, these percentages experienced an upward trend to reach a peak of 6.1% in 2015. Although this value dropped to 5.9% in 2016, it is still the third highest percentage over the last eight years.
Unlike auditor attestations, the number of management-only assessments did not reflect the same increases after 2010. In fact, the totals barely changed during the years 2011-2013 and dropped for each of the following three consecutive years (2014-2016).
However, a different trend is revealed when looking at the percentage of adverse management-only assessments. In 2007 (the first year non-accelerated filers were required to make assessments), 30% of small companies disclosed ineffective ICFR. The percentages increased for the following seven consecutive years to reach a high of 40.7% in 2014. Although this number dropped in both 2015 and 2016, it is worth noting that at least one-third of non-accelerated filers disclosed ineffective ICFR every year since (and including) 2009.
So which internal controls-related issues are leading auditors to the conclusion that a company’s ICFR were not effective? According to the report, of the 214 auditor attestations in 2016, 157 attributed inadequate internal controls to accounting personnel resources (or lack thereof), competency & training. The second most common reason expressed by auditors was issues requiring year-end adjustments. Other top reasons included information technology, software, security & access issues, segregations of duties/design of controls and inadequate disclosure controls.
Accounting personnel resources, competency & training also topped the list of internal controls reasons for ineffective ICFR in management-only assessments. Other internal control issues undermining the effectiveness of ICFR include segregations of duties/design controls, ineffective/non-existent or understaffed audit committee, inadequate disclosure controls and material and/or numerous auditor/year-end adjustments.
To learn more about SOX 404 disclosures or to request a copy of the full report, e-mail info@auditanalytics.com or call 508-476-7007.