How to Control SOX 404 Costs During COVID-19

Given the current challenges of the COVID-19 pandemic, your organization may be asking how to maintain and improve your internal controls during this unprecedented time.

This could be a chance to optimize or rethink your organization’s current processes and, as such, rework how your SOX program is executed. 

Below, learn how to mitigate the cost and impact of SOX on your organization while operating in the new environment caused by the pandemic. 

COVID-19 Changes

The pandemic has forced most organizations to make significant changes in how they operate and many have done some or all of the following:

  • Switch to working from home
  • Reassess audit fees
  • Reduce staff assigned to operating controls
  • Decrease support for external auditors
  • Furlough employees or reduce work schedules

These changes have ramifications for a control environment, and companies are trying to figure out how to adjust accordingly. For example, when an employee who is a control activity owner is furloughed, laid off, or put on a reduced work schedule, decisions must be made on how to maintain proper segregation of duties. Further, given the economic impact of the pandemic, companies are trying to navigate these challenges while keeping their SOX costs as low as possible.

Given the majority of your staff is likely working remote, and the potential loss of morale due to lost jobs or pay cuts, you could be asking the following:

  • How do we maintain or restart an internal controls program, or maintain segregation of duties, when the control activity owner has been furloughed, laid off, or put on a reduced work schedule?
  • How do we keep the company’s SOX costs as low as possible during this unprecedented time?

Despite these significant challenges, the Public Company Accounting Oversight Board (PCAOB) isn’t backing off of your external auditor, so a proactive approach to maintaining proper controls is essential.

Financial Systems Complexity

Many companies have inadvertently made their control environments more complicated than necessary, which can result in errors and delays and unmitigated risks to reliable financial reporting.

One common mistake is expanding the number of applications impacting financial reporting. For example, if your primary general ledger application doesn’t provide great reporting, you could introduce new technology, like data visualization tools and reports which need to be considered as part of your internal controls evaluation as they produce information used by the company. This typically ends up requiring more effort and can lead to errors. 

In addition to adding unnecessary systems, here are other common ways companies inadvertently compromise the efficiency of their control environment:

  • Maintain different financial reporting processes across business units and geographies
  • Allow the number of key control activities and operators to grow
  • Put off their annual risk assessments
  • Put off going to annual SOX training
  • Overlook the importance of attracting and retaining the necessary finance and accounting personnel to design and operate SOX controls
  • Delay integrating the companies they’ve acquired into their control environment

If your company is doing any of the above, now is an opportunity to:

  • Understand where source information is used in the financial reporting controls
  • Limit these controls to systems and applications where source information is being used in financial reporting
  • Reduce financial reporting system complexity

These opportunities could create possibilities to reduce overhead expenditure.

Take a Top-Down Approach

Reevaluate the current controls within your company. Controls can directly influence the work and effort by audit firms; implementing a top-down approach can help cut down the length of your audit process. The more detailed and precise you are when describing and documenting your entity-level controls, the greater the opportunity to minimize cost and impact.

Audit firms have a natural tendency to gravitate towards testing more process-level controls in lieu of testing entity-level controls due to a number of factors; either the audit team is unable to assess the entity-level controls, or they don’t understand how the entity-level controls operate at a level of precision necessary to prevent and detect material weaknesses.  This is particularly important to understand when an organization seeks to reduce the number of process level controls, especially when entity-level controls can provide a needed-level of precision over financial assertions.

Process-level controls operate where most of the company activity is—such as a location, division, plant, or revenue cost center—while entity-level controls happen at higher levels in the organization.  Specifically, process level controls directly relate to a specific business cycle impacting financial reporting while entity-level controls focus on reviews that may cover one or more business units. 

Reexamine and Refresh Risk Assessment

Reexamine your company’s risk assessment to reduce the number of control activities necessary to mitigate risks to material misstatements. Identify entity-level controls that address relevant risks operating at an appropriate level of precision. 

Document the design factors of your entity-level controls so your external auditor can understand and use them.

Example design factors include:

  • Competence of the person performing the control
  • Frequency and consistency with which the control is performed
  • Level of aggregation and predictability
  • Criteria for investigation and follow-up
  • Dependency on other controls

Consider completing your risk assessment on an annual basis. You might discover you can eliminate testing of controls over accounts that aren’t material by themselves, or in the aggregate, and don’t present a risk to the organization. 

External Audit Comparison

Compare your SOX population of control activities to your external auditor’s population. If the auditor is testing more controls than your company, you could help your auditor identify the entity level controls that prevent and detect material misstatements. 

Evaluating your regulatory requirements and consolidating those controls can create opportunities to reduce the impact of audits and improve efficiencies within the organization, while creating greater line of sight to the controls that truly support regulatory needs.

Your company is ultimately responsible for defining controls and generating evidence to support the effective operation of those controls; the key is making sure controls are precise and evidence demonstrates the precision.

SEC Guidance

Throughout the process, reference the Securities and Exchange Commission (SEC) Guidance to optimize the evidence generated to support your 404(a) assertion. Optimization could reveal opportunities to reduce the cost and impact of SOX. 

Integrate Audits

Organizations are integrating their controls audits by taking advantage of the overlap SOX has with the following:

  • System and Organization Controls (SOC) 1 testing
  • SOC 2 testing
  • National Institute of Standards and Technology (NIST) assessments
  • Health Insurance Portability and Accountability Act (HIPAA) testing
  • Financial Industry Regulatory Authority (FINRA) examinations
  • North American Electric Reliability Corporation (NERC) testing
  • Customer Identification Program (CIP) testing
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) regulations

Optimize Evidence to Support Assertion

Below are ways your company can work to optimize evidence of your controls and support the assertion of your audit.

Control Self-Assessments

Consider using control self-assessments for all SOX controls that your external auditor chooses to independently test.

Control self-assessments can be an efficient, cost-effective way to provide reassurance to your executives without hiring a third-party to test your controls.

If you have a third-party testing controls to support your 404(a) assertion and your external auditor ignores this work, have a discussion about next steps. Consider whether the cost of a third-party is worth the expense if the external auditor isn’t going to rely on this work.   

Use this understanding to increase your external auditor’s reliance on your organization’s work while they test high-risk areas independently. This could provide leverage to negotiate your audit fee.

Remediate Significant Deficiencies and Material Weaknesses

Remediating significant deficiencies and material weaknesses may enable the auditor to rely on controls for the financial statement audit and simultaneously reduce the number of items selected for testing. This reduces the audit firm’s overall sample sizes and minimizes the time your company spends responding to audit requests. 

If your company receives a list of deficiencies that haven’t been assessed as significant deficiencies or material weakness, you’re in a position where your external auditor is probably testing too much. In this case, remove deficient control activities from the SOX population if the ineffective control didn’t result in a significant deficiency or material weakness by itself or in the aggregate. 

Remember your auditor isn’t required to test controls that don’t prevent or detect a material weakness by themselves or in the aggregate.  Therefore, if the control fails and it’s evaluated as a deficiency, you could have an opportunity to remove the control and point to another control—especially if the evaluation of the deficiency leads to other mitigating controls. 

Consolidate Controls

Many public issuers that identified and documented their controls 10 to 15 years ago haven’t revisited them since. There’s a good chance redrafting controls and consolidating redundant ones could improve SOX efficiencies. 

Consider rewriting controls to be more specific and precise to the activities and events the organization is performing today. Broad or generic control statements can lead to ambiguity and result in adding controls to directly and precisely mitigate the risk. 

As you remediate and think about improving controls, be specific and precise in the activities and look to consolidate controls that seem redundant. 

Next Steps

Short-Term Takeaways 

Your organization should consider implementing the following items as soon as it can:

  • Reevaluate and refresh your company’s risk assessment to reduce the number of control activities necessary to mitigate material risks to internal control over financial reporting, especially in the pandemic environment.
  • Re-design controls and processes, and take time to evaluate controls your organization relies upon on to run its daily tasks.
  • Potentially reduce the spend on third-party service providers that generate your evidence to support your 404(a) assertion.
  • Use control self-assessments for all SOX controls that your external auditor chooses to independently test.
  • Remediate significant deficiencies and material weaknesses issued by your external auditor to enable the auditor to rely on controls and integrate the two audits.

Long-Term Takeaways

The following actions could be implemented over the next 18 months:

  • Reevaluate the number and complexity of systems impacting financial reporting.
  • Assess where your financial information is coming from and if there’s a way to consolidate information sources.
  • Consider hiring or repurposing a full-time equivalent employee to execute a SOX project manager role.
  • Make controls common across processes that impact financial reporting, related systems, and business units.
  • Consolidate, if possible, the number of people operating control activities including internal technology general controls and business process controls.

We’re Here to Help

If you have any questions regarding SOX compliance, or how you can control SOX costs during the COVID-19 pandemic, please contact your Moss Adams professional.

Note on COVID-19

During this unparalleled time, we’re closely monitoring the COVID-19 situation as it evolves so we can provide up-to-date guidance and support to help you combat uncertainty. For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: