Contributor: Sam Halaby, Risk Data & Analytics Lead, Risk & Accounting Advisory Services

We are launching a new series in our Risk & Accounting Advisory podcast, called Risk In Review, where we cover risk topics in a five-question format. Episodes will include topics like Sarbanes-Oxley compliance, IT, Enterprise Risk Management, Financial Services Consulting and more.

We begin this episode's conversation by defining what risk analytics is, then turn to how organizations can add value to specific departmental functions and why risk analytics matters for driving better decision making, monitoring internal controls, gaining insight into transaction behavior, and increasing test coverage.

We also explore the costs of integrating risk analytics into business processes and how to align the effort with the resources, tools, and skill sets available to achieve results.

Finally, this Risk In Review podcast covers a success story that explains how good risk analytics shapes a company, providing strategies for more streamlined operations and powerful, timely decision-making.

Cherry Bekaert's Risk Advisory practice is focused on helping our clients protect value, power performance, and build resilience with mature internal controls. We do this by leveraging technology to mitigate financial, operational, and compliance risks using purpose-built risk management solutions that cost-effectively diagnose, mitigate, and monitor risk.


HOST: I'm Neil, firm leader of Cherry Bekaert's Risk Advisory practice. Today we will outline the differences between SOX 404(a) and 404(b) and how management might approach them differently.

HOST: Joining me today are Gareth and Payton, leaders in Cherry Bekaert's Risk Advisory SOX practice.

GARETH: At a high level, Section 404(a) requires management to report on the effectiveness of internal control over financial reporting (ICFR), whereas Section 404(b) requires an auditor attestation with respect to an issuer's ICFR.

GARETH: Section 404(a) applies to every public company, and companies must update or disclose their internal control assessments in Item 9A of Form 10-K and in their 10-Qs.

GARETH: On a macro level, and setting aside nuances Payton will discuss, large filers—where "large" refers to revenue and/or market capitalization—must have an auditor attestation under Section 404(b) in their second year as a public company.

PAYTON: Several benchmarks, including revenue and market cap rules, determine whether a company is under Section 404(a) or 404(b). Additional complexities exist for emerging growth companies, which, depending on metrics, might not be required to have an ICFR attestation for up to five years after becoming public.

PAYTON: In March 2020 the SEC adopted amendments to filing status rules and SOX requirements. Cherry Bekaert published guidance last year in a white paper titled "Filing Status and ICFR Compliance Considerations for SPAC and IPO Transactions," available at cb.com under Guidance.

PAYTON: That white paper includes a table summarizing filing status and ICFR disclosure criteria, which is useful given the amendments to filing status rules. We recommend checking that resource if you are moving from one filing status to another, since filing status can significantly impact management's and the external audit's level of effort.

PAYTON: Irrespective of whether the company is under Section 404(a) or 404(b), the external auditor must still conduct procedures to understand processes, typically including walkthroughs to identify likely sources of material misstatement or missing or ineffective controls.

GARETH: One point related to SPACs is that upon the business combination, the internal controls of the SPAC acquirer may no longer exist or may have been supplanted by those of the private operating company. The previously private company may not yet have appropriate controls in place.

GARETH: The SEC has indicated it may not object to management of the combined company omitting its assessment of ICFR in the next annual Form 10-K; this is similar to relief provided in the year of an acquisition, where a newly acquired company can be scoped out of controls in the Form 10-K disclosure.

HOST: Payton, what must management do under Section 404(a)?

PAYTON: Relief from the external auditor's 404(b) audit does not relieve management of performing its own assessment of ICFR. Management has flexibility regarding the nature, timing, and extent of testing, which can differ significantly from the auditor's approach.

PAYTON: The SEC has stated that management is responsible for maintaining reasonable evidential support for its assessment. Management's day-to-day interaction with its controls, including ongoing direct involvement and supervision based on risk assessments, can provide sufficient knowledge to assess ICFR in ways an external auditor cannot.

PAYTON: In other words, the burden of evidence can be less for management under Section 404(a) than under Section 404(b), but management's approach should be based on its specific circumstances and risk appetite.

HOST: Gareth, are there situations in which an auditor might do more than a walkthrough even if Section 404(a) applies?

GARETH: Yes. An auditor not required to issue an integrated opinion under PCAOB standards may still test internal controls for operating effectiveness to obtain necessary evidence for the financial statement audit.

GARETH: This can occur if the auditor believes substantive testing alone will not provide sufficient evidence, or if it is more efficient to test controls to reduce substantive testing. We often see this with ITGCs (information technology general controls), where testing controls is an efficient way to obtain evidence for information-dependent financial statement assertions.

PAYTON: Communicating with your auditor about their audit approach early and often is important. Filing status determination is assessed annually, generally as of the company's second fiscal quarter, so companies can move from SOX 404(a) to 404(b) one year and back the next.

PAYTON: Changes in filing status can significantly affect management's and the external auditor's time commitments, level of effort, and costs. Engage your SEC counsel and service providers early to avoid surprises.

HOST: It has been 20 years since the Sarbanes-Oxley Act was passed; it remains relevant. Recent coverage anticipates tougher regulation from the PCAOB.

HOST: For questions about which approach your company should take, the level of involvement, or overall approach, reach out to your financial advisor or SEC counsel. You may also contact Cherry Bekaert with questions.

HOST: For more information on SOX compliance or internal controls, visit cb.com/risk. Please like, share, and subscribe to the Risk and Accounting Advisory podcast.
