Section 404 of the Sarbanes-Oxley Act requires companies to review their internal control over financial reporting and report whether or not it is effective. Non-accelerated filers are required to provide management’s assessment of the effectiveness of their ICFR, while larger companies are required to accompany that assessment with an attestation from their outside auditors.
As it does every year, Audit Analytics took a look at the most recent round of negative auditor attestations & management-only assessments of ICFR. A recent blog reviews the results of the past 15 years of experience under SOX 404, and makes several interesting observations:
– Negative auditor attestations bottomed out in 2010 at 3.5% of filings. They rose fairly steadily and peaked at 6.7% in 2016. After declining to 5.2% in 2017, they rose again last year to 6.0% of filings.
– Negative management-only assessments peaked at a whopping 40.9% of filings in 2014, and have remained at or slightly below the 40% level since that time. In 2018, they declined slightly to 39.6% of filings.
The top reasons for negative audit attestations in 2018 were material or numerous year-end adjustments, shortcomings in accounting personnel, IT & security issues, inadequate segregation of duties and inadequate disclosure controls. Many of these same issues resulted in negative management-only assessments, although accounting personnel issues topped the list here. One item that made the top five reasons for negative management-only assessments that didn’t make the audit attestation list was an ineffective, understaffed, or non-existent audit committee.
-John Jenkins, TheCorporateCounsel.net October 18, 2019