How to Monitor Your Internal Controls If Your Company Is No Longer Subject to SOX 404(b)
Many public companies that have experienced a drop in public float in the wake of the COVID-19 pandemic and falling oil prices may find that they are no longer subject to Section 404(b) of the Sarbanes-Oxley (SOX) Act. This provision requires a public company’s auditor to attest to, and report on, management’s assessment of its internal controls over financial reporting (ICFR).
With the June 30 “measurement date” for calendar-year fiscal filers just around the corner, your organization may exit large accelerated or accelerated filer status if its aggregate worldwide market value was less than $60 million as of the measurement date. If the organization does not anticipate its market cap exceeding $75 million in voting and non-voting common equity held by non-affiliates, it will not be subject to Section 404(b) requirements.
Furthermore, updated SEC guidance for Smaller Reporting Companies allows public companies with a public float of less than $250 million, or with less than $100 million in revenue and less than $700 million in public float, to perform only SOX 404(a) compliance.
The SEC has analyzed the cost of compliance with 404(b), estimating a price tag of $500,000-$900,000 annually for internal labor, outside vendors and non-labor expenses related to the compliance program, as well as an average $100,000 increase in audit fees. In the current climate, when many organizations are evaluating cost-saving measures, there are options to scale back the costs of the compliance program while remaining well positioned to scale back up to the requirements of 404(b) seamlessly.
The requirements for a SOX 404(a) program are significantly more flexible. They state that management shall establish and maintain an internal control structure and procedures for financial reporting and assess effectiveness of ICFR as of the end of the company’s most recent fiscal year.
Here are some of the considerations management should take into account when adopting a SOX “lite” approach under Section 404(a):
- Define the appropriate sampling strategy. Without a controls-based opinion from the external auditor, management can define its own sampling strategy. Sample sizes may be up to 50% of the existing sample size for low or moderate risk controls with no issues in the past, and potentially up to 75% of the minimum sample size for high risk controls with no issues in the past, while controls with known issues keep full sample sizes.
- Focus on manual controls. IT systems are often scoped in based on reliance on their data or reports, not just on the system’s transaction processing functionality. However, IT-dependent manual controls require the control owner to validate the data for accuracy and completeness as part of executing the control. This means the manual reconciliation of the data provides sufficient coverage of the accuracy and completeness of the data. Management should evaluate whether a system and its IT general controls (ITGCs) are necessary for testing. For example, in the oil and gas industry, Asset Retirement Obligations (ARO) data is typically validated manually during the execution of the controls. In these cases it may be less critical to evaluate the ITGCs around the ARO system.
- Adopt homogeneous process testing. When processes are the same across multiple business units, consider adopting a homogeneous testing approach across all units rather than requiring minimum sample sizes for each process in each unit. For example, if Purchase to Pay is performed by five different business units, and all five units execute the same controls, apply a proportional sample by volume to the minimum sample size to obtain coverage over all five business units through one control test. Or, if all systems follow the same change management process, apply a proportional sampling strategy, based on the population of changes per system, to the sample size and conclude with one test.
- Focus on detective controls. Management and internal audit may want to focus on the detective controls and increase the diligence and testing procedures over the detective controls in a cycle instead of evaluating all preventive and detective controls.
- Consider “what did go wrong”. Detective review controls are an attempt to prevent and detect errors by looking at ‘what could go wrong’ rather than ‘what did go wrong.’ Management may want to create different detective review controls that identify ‘what did go wrong’ to provide comfort around the operation of the preventive controls with limited testing of those controls.
- Baseline automated controls. Some controls are key automated functions of the system, but the configurations do not change and management has strong change management and administrator access controls. Consider whether internal audit can baseline those configurations and reduce testing from annually to once every three years.
- Low risk controls. Management may use control self-assessments (CSAs) for low risk controls in areas that have historically not had significant issues, making use of existing capacity within the organization.
- Rationalize the control set. Controls grow and expand over time and as the operations of the business change, but they are not always retired in a timely manner. Perhaps a control was added to address a specific situation or a concern from the external auditor. Management may want to take a deep dive into the controls to ensure that the right key controls are identified and evaluated based on the current environment and operations.
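The two sampling ideas in the list above (reducing sample sizes by risk tier and history, then spreading one sample across business units in proportion to volume) are easy to get subtly wrong by hand: rounded shares do not add up, and a small unit can end up with no items at all. The following is an added worked example, not code from the original article or from Weaver; the baseline sample sizes per control frequency, the reduction fractions and the five-unit Purchase-to-Pay volumes are constructed assumptions chosen only to illustrate the arithmetic, and the largest-remainder rounding and the minimum of one item per active unit are design choices of this example rather than anything the article prescribes.

```python
"""Sample-size reduction by risk tier and proportional allocation across
business units. All baseline sizes, reduction factors and volumes below are
constructed assumptions for illustration, not guidance from any standard."""
from fractions import Fraction
from math import ceil

# Constructed baseline minimum sample sizes keyed by control frequency.
# Substitute your own program's baselines; these are illustrative only.
BASELINE_SAMPLE_SIZES = {
    "annual": 1, "quarterly": 2, "monthly": 2,
    "weekly": 5, "daily": 25, "multiple_daily": 40,
}

# Fraction of the baseline retained for a control with no past issues
# (the 50% / 75% figures from the list above, as assumed inputs).
REDUCTION_BY_RISK = {
    "low": Fraction(1, 2), "moderate": Fraction(1, 2), "high": Fraction(3, 4),
}


def reduced_sample_size(frequency: str, risk: str, has_known_issues: bool) -> int:
    """Full baseline for controls with known issues; otherwise scale by risk
    tier. Rounds up so a reduced sample never drops below the intended share."""
    baseline = BASELINE_SAMPLE_SIZES[frequency]
    if has_known_issues:
        return baseline
    return max(1, ceil(baseline * REDUCTION_BY_RISK[risk]))


def allocate_by_volume(total_sample: int, volumes: dict, min_per_unit: int = 1) -> dict:
    """Split one sample across units in proportion to transaction volume.
    Uses largest-remainder rounding so the integer parts sum exactly to
    total_sample, then tops up any active unit below min_per_unit so every
    unit that processed transactions is covered by the single test."""
    total_volume = sum(volumes.values())
    if total_volume <= 0:
        raise ValueError("no population to sample")
    # Exact rational shares avoid floating-point ties being broken arbitrarily.
    exact = {u: Fraction(total_sample * v, total_volume) for u, v in volumes.items()}
    alloc = {u: int(exact[u]) for u in volumes}  # floor of each share
    leftover = total_sample - sum(alloc.values())
    # Give the leftover items to the largest fractional remainders; ties go
    # to the higher-volume unit, then to the alphabetically first name.
    order = sorted(volumes, key=lambda u: (alloc[u] - exact[u], -volumes[u], u))
    for u in order[:leftover]:
        alloc[u] += 1
    # Coverage check: a unit with activity but no sampled items is untested.
    for u, v in volumes.items():
        if v > 0 and alloc[u] < min_per_unit:
            alloc[u] = min_per_unit
    return alloc


def plan_control_test(frequency: str, risk: str, has_known_issues: bool, volumes: dict) -> dict:
    """Combine both steps into one test plan for a control shared by several units."""
    target = reduced_sample_size(frequency, risk, has_known_issues)
    alloc = allocate_by_volume(target, volumes)
    return {
        "target_sample": target,
        "allocation": alloc,
        "tested_items": sum(alloc.values()),  # may exceed target after top-ups
    }


# Constructed example: a daily Purchase-to-Pay invoice approval control run
# identically in five business units with these annual invoice counts.
P2P_VOLUMES = {"unit_a": 500, "unit_b": 300, "unit_c": 120, "unit_d": 60, "unit_e": 20}

if __name__ == "__main__":
    for risk, issues in (("low", False), ("high", False), ("high", True)):
        print(f"risk={risk} known_issues={issues}:",
              plan_control_test("daily", risk, issues, P2P_VOLUMES))
```

Note how the smallest unit only receives an item because of the explicit top-up: with 20 of 1,000 invoices its proportional share of a 13-item sample is well under one, so a plan that rounds and stops would silently leave that unit untested while still claiming coverage over all five. Recording `tested_items` separately from `target_sample` keeps that adjustment visible to whoever reviews the plan.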
Weaver is here to assist you in determining the compliance requirements for your business and how to streamline your current activities. Contact us with questions or concerns about how your organization can reposition its program to reduce cost while maintaining compliance with SEC requirements.
© 2020