Be ready for what to expect for SOX in 2020 and beyond with this article by Rob Frattasio, Partner and National Process Risk and Controls Leader at RSM US LLP, originally presented at the AuditBoard User Conference. Read on and watch the full webinar recording to learn new and upcoming focus areas in SOX being driven by the SEC and PCAOB.

Knowledge is power, and understanding the relevant SOX guidance puts you in a strong position to have more effective conversations with all the relevant stakeholders, including your auditors. 

When was the last time you sat across from your auditor and were able to back up your argument by citing a specific paragraph of AS 2201? When you know the guidance that applies to you, the guidance that applies to your external auditors, and where that guidance differs from their methodology, you’ll be able to argue for your organization’s best interests. 

Knowledge of the relevant guidance can also help you make more persuasive recommendations to your controller or CFO. You’ll be able to lay out a plan based on SEC guidance for the company and the PCAOB’s standards for the auditors. Oftentimes, they’ll be persuaded to follow the path you recommend when you craft a solid argument based on the guidance.

This article, based on the webinar recording below, will get you up to speed on what the SEC, PCAOB, and your audit firms have been focused on in recent years, what they’re looking at today, and what’s coming next based on recent SEC and PCAOB activity. Read on or watch the full webinar recording to learn the latest internal control auditor requirements, understand current trends and how to incorporate related changes into your compliance program, and identify methods for staying ahead of the curve with SOX compliance.

Important Sources of SEC Guidance

A great place to start is to learn the SEC guidance for registrants and the guidance for your auditor. 

Know the SEC guidance for your organization

  • The SEC’s Guidance Regarding Management’s Report on Internal Controls over Financial Reporting (Release No. 33-8811) is the source for authoritative guidance for your company internally. It’s been around for 12 years, and it’s only 20 pages. Read it closely, get to know it well, and keep a link to it in your browser favorites bar for handy consultation.
  • If 20 pages is too much, you may want to focus on the four-page long Sarbanes-Oxley Section 404 Guide for Small Business. This is useful to show a stakeholder at a high level that the organization has guidance of its own, and the auditor’s word isn’t the sole authority. That said, if you’re a larger company, you’ll want to reference the Guidance Regarding Management’s Report on ICFR above if you want to make a compelling argument to your auditor. 

Know the PCAOB guidance for your auditor

  • Study the PCAOB guidance for your auditor. Auditing Standard 2201 (AS 2201, formerly known as AS5) and related amendments are the core guidance on an ICFR audit. Like the SEC guidance, this is one to read and reference often, especially with your external auditor. 
  • Beyond AS 2201, it’s helpful to know your auditor’s guidance on risk assessment (AS 2110), fraud, related parties, and going concern (Section 2400), and on how they can use internal audit’s work and rely on SOC reports (Section 2600).

Once you have a handle on the relevant guidance, ask your auditors for their own methodology. You may be able to identify where their methodology deviates from AS 2201, and you can discuss these items to ensure that their audit focuses on the key areas.

Continued SOX Focus Areas 

There have been some areas of increased SOX focus, many of which developed from PCAOB Staff Alert 11 in 2013, which highlighted the auditors’ lack of focus on some important items. This isn’t a comprehensive list, but these are a few focus areas that you should be aware of. 

1. Control Design and Transaction Flow

The PCAOB has been focused on assessing whether the auditor has a complete and thorough understanding of the transaction cycle. For instance, over the past two years, you’ve likely been pushed to create flowcharts if you didn’t already have them, because most firms’ methodologies now require a detailed description of the control steps to help assess design. Another design item that we’re starting to see a focus on is the consistency of control execution across people, processes, and systems. Be ready to discuss how consistently the applicable policies are applied and the level of precision used when this topic comes up. 

2. SOC Reports in the Spotlight

In recent years we’ve seen increased focus on sub-service providers. Be on the lookout for those and understand whether they are covered by the SOC report or not. Also, in some cases, companies are adopting the service provider’s controls from their SOC report — and any deficiencies — as if they were their own. However, if you examine the SOC reports more closely, you may find that there are many controls and associated issues that do not apply to your control environment. Putting in the extra work to eliminate these out-of-scope controls can help keep everybody focused on the ones that actually matter.  

3. Information Used in the Controls (IUCs)

Everyone has been focused on the validation of the completeness and accuracy of key reports — you’d never think you’d hear the words “complete and accurate” so many times! The bottom line is that the control operator needs to be able to demonstrate that they have a basis for relying on information within key reports associated with the control. Also consider that the audit firms don’t have a consistent methodology about how often to test key reports, so you’ll need to stay on top of it as the methodology changes. 

4. Management Review Controls (MRCs)

One new element affecting MRCs is a new Auditing Standard that came out in August 2019 that gives guidance on auditing estimates, which has ramped up evidence requirements for anything requiring complex judgment or estimates. A lot of our MRCs have an element of subjectivity, so there’s been a push to break out separate and distinct controls over the complex areas, such as Goodwill, Tax Provision, and significant accruals. 

5. System Access

We’ve increasingly seen that if there is a deficiency related to access, it will quickly get elevated to significant deficiency, if not worse. Access at all levels is under the microscope, from application and database to infrastructure. Privileged access as well as third-party access are also areas of increasing focus. There also has been increased focus related to appropriate segregation of duties across the business, finance, and IT users.

6. Population Completeness

In recent years we’ve had to prove out population completeness for tests of operating effectiveness. Some of the more challenging populations to prove out are related to IT general controls (e.g., change management). We’ve also seen a focus on proving the population of transactions covered by a control. 

7. Application Controls

The nature and extent of the assessment of application controls has been evolving. The negative test and related screenshots we’ve relied on in the past may no longer be sufficient, and we expect that the focus will continue to increase as more processes and controls are automated. 

8. Risk Assessment

An SEC speech on risk assessment in December 2017 drove two major changes. One is the formality that should go into making sure your risk assessment is kept fresh. You should update as needed throughout the year when there are significant changes in your risk profile and also formally document at least one additional time within Q4. The second change is that if you have a design deficiency, you’ll need to consider whether your risk assessment process was also deficient because it didn’t identify the need to have this control in place. 

9. Revenue Recognition Controls

Auditors are paying particular attention to transaction level controls, which help ensure the price and/or quantities for revenue are reliable. Monitoring controls in revenue such as margin analysis are scrutinized heavily in terms of precision, coverage, and so on, driving a move to transaction level controls. 

What Was New in 2018/2019?

1. ASC 842 – Lease Accounting Standard

Most companies implemented a set of controls related to the implementation of this new Standard in 2018. In 2019 and going forward, you likely have new processes, systems, and controls over identifying leases, as well as embedded leases in contracts, in order to account for and disclose them accurately and completely in accordance with GAAP. 

2. Cyber-related Fraud Risks and Controls

The SEC issued a report in October 2018 that recommended that companies and their auditors focus on cyber-related fraud risks and the internal accounting controls needed to mitigate them, after a number of companies lost millions of dollars to phishing scams and other cyber crimes. The focus in this report was on the safeguarding of assets and anti-fraud controls, mostly targeted at cash. 

3. Scrutiny of Variance Thresholds

Previously, defining a clear precision level was enough to understand the coverage achieved by applying a threshold. However, recently the guideline has changed, and you may also have to assess the details of the population of transactions subject to the control to satisfy the requirement. For instance, it may not be good enough to simply say everything over $200,000 is covered by a control — you’ll also need to look at what’s not being covered by that $200,000 threshold. If everything over $200,000 covers only 25% of the population, you’re not getting much value out of that control. However, if it covers 75% of the population, you may be able to conclude that an appropriate threshold is set to identify any variances that may add up to a material misstatement — any variances outside of this threshold, even if aggregated, may not lead to a material misstatement. 

4. IT Control Deficiency Interdependencies

We’ve seen a rise in designations of ineffective ITGCs, and the impact of that is wide reaching when you think about it. With ineffective ITGCs, it is possible that reports produced by the affected system are not reliable. The manual controls relying on these reports, and the application controls in that system, are undermined. The completeness of population reports generated from the system may not be reliable. These outcomes result in management having to retest their reports and the auditor requiring more samples in their substantive audit — which means that their fees go up. To avoid this, it’s crucial that you engage your IT department early on and make them understand the importance of ITGCs in the audit and the consequences of an ineffective ITGC environment. Also, recently the audit firms have tended to conclude earlier that the client’s ITGC environment is “ineffective,” if applicable, to avoid the trouble of defending how they relied on reports from systems with ITGC failures. 

5. Importance of Backup Controls

Backup controls are gaining attention as a result of the rise in attacks where companies are locked out of their systems or data and held for ransom. This affects financial reporting because without sufficient backups, the company’s risk of delay and/or error in issuing financial statements is increased. We’re also seeing disaster recovery controls pulled into scope in some cases because of ransomware attacks — if you don’t have access to your systems, how are you going to be able to issue accurate and complete financial statements on time?

6. Assessment of Control Owner Competence

This assessment should not be taken lightly because the auditors are looking harder at this. It’s no longer sufficient to say that the operator has 10 years of experience along with a CPA certification. To properly assess the design of a control you need to assess whether the control operator has the necessary authority and competence. For example, consider the people who review the user access reports — do they really understand all the user roles on those reports? It can be awkward to tell someone they’re not competent enough to perform a control, but don’t avoid this one. You don’t want your auditor to identify a problem late in the year. Worse yet, you don’t want a control to fail because it was being performed by someone who did not know how to properly perform it.

What’s Next?

Spotlight on Critical Audit Matters (CAMs)

Auditors are required to disclose CAMs beginning in 2019 for large accelerated filers, and 2020 for all others. Deficiencies, especially a material weakness, in areas requiring judgment or challenging audit procedures may contribute to the determination of a CAM. If a significant deficiency was among the principal considerations in determining a CAM, those control-related issues may be disclosed as part of the CAM. The term “significant deficiency” won’t be used — but savvy readers will know what that means. To get in front of this, talk to your auditor to identify any items that will lead to CAMs. Then, go back to make sure the controls that link to those CAMs are more robust, well-documented, and that your tests are holding management accountable in that area. 

Focus on Accounting Estimates

A new standard on auditing accounting estimates will be effective for year ends after 12/15/2020. Auditors will have to dive deeper (yes, even deeper) into the process used to develop estimates and judgments. They will be specifically required to understand and address how the numbers could be manipulated through management bias in the estimates for significant accounts and disclosures. Get ahead of this by talking to your auditor to find out which ones they are concerned about, then re-assessing management review controls over significant judgments. Be sure to focus on the accuracy and completeness of the information relied upon, and whether that information is precise and detailed enough to support an appropriate conclusion. 

Continued Foray into Cyber Risk and Controls

Cyber-related risks should be clearly considered in your risk assessment, and occurrences of actual cyber incidents should be analyzed, documented, and considered during the ICFR risk assessment. It will be important to keep informed of any development in this area and make sure your company has reasonable cyber controls to minimize adverse impact to financial reporting.

Shifting PCAOB Focus?

The PCAOB has signaled an intention to evolve away from the current model of detailed inspections of a sample of audit engagements. They’re potentially moving towards a heavier focus on the firm’s overall methodology, system of quality controls, and level of training — and this transformation may change your auditor’s focus. Stay tuned on this one.  

How to Keep Up to Date with SEC and PCAOB

If your circumstances change and you haven’t kept up with the evolving expectations, you might find yourself with a material weakness — or at best a year of excessive work, pain, and cost. Here are a few best practices to stay ahead of the curve. 

Understand the Source and Timing of Change

Follow SEC announcements online throughout the year, but also know the cycle. The PCAOB inspects the firms each spring. Over the summer, the firms debrief, change their methodologies, and implement new training for their teams accordingly. They hit the ground running in the fall with new probing questions and new expectations. If you understand this cycle, you’ll know when to schedule an annual meeting with your audit partner to discuss what the firm learned from the inspections while it’s still fresh. Then, you’ll know what’s coming at you in the fall.

Look for Trends, Listen for Messages

Track PCAOB reports, which drive constant change to audit methodologies, and track SEC speeches and studies, which create new focus areas. Look at where the auditors have spent their time, and where they haven’t. CAMs and cyber-related risks have been in the appendices to their Audit Committee presentations for two years. When you see them putting these issues in their thought leadership, you know something new is coming. 

Build a Network

Connect with others who share the same audit firm, or even better, the same audit partner. Find peers in the same industry with a similar size and complexity, and the same ERP system. Swap stories and learn from each other to put yourself in the position to tell your auditor that, for example, your counterpart at a company audited by the same firm didn’t have to pull Cyber into scope. There’s never been a better time to have a network to help stay informed.

If you keep up with the guidance and evolving audit trends you will be able to focus your assessment of controls in key areas, which will let your CFO and controller see more value in your audit while also helping to keep your auditor’s fees in check. You’ll create a more efficient and effective control environment focused on the things that matter. By staying on top of the changes and basing your actions on the guidance, you’ll stay ahead of new developments — and everybody wins.

Want to hear more? Watch the full on-demand recording to hear Rob Frattasio go deeper into new and upcoming focus areas in SOX being driven by the SEC and PCAOB.



Rob Frattasio, CPA, is Partner and National Process Risk and Controls Leader at RSM US LLP. He specializes in Sarbanes-Oxley compliance consulting for organizations ranging from pre-public companies to large multinational corporations. He may be reached at