SOX Compliance Under COVID-19: Considerations for Completing Quarterly Assessments

Terry Hartzog, Managing Director Internal Audit and Financial Advisory
Kristen Kelly, Director Internal Audit and Financial Advisory

A question receiving heightened attention recently is the quarterly evaluation of deficiencies identified in companies’ Sarbanes-Oxley (SOX) programs. Many organizations are considering whether a formal quarterly control deficiency analysis needs to be performed and documented to the same extent as the annual control deficiency analysis. In this blog, we provide a brief reminder on guidance and disclosure requirements, highlight current U.S. Securities and Exchange Commission (SEC) insights and trends, and provide practical considerations that organizations can apply this quarter. 

Review Quarterly Disclosure Requirements

While there may not be a straightforward answer on the level of formality prescriptively outlined in the guidance, over the last several years we have seen a growing number of organizations preparing a more detailed analysis on a quarterly basis. Given the SEC’s emphasis on rapid disclosure, control deficiencies that rise to the level of a material weakness must be publicly disclosed in the quarter they arise.

Protiviti’s Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements delves into the quarterly-versus-annual deficiency analysis requirements, among many key issues. Under SOX Section 302, management must report significant deficiencies and material weaknesses to the audit committee and auditors. The executive certification requires representation that these disclosures have been made. Open deficiencies must also be monitored to ensure that they do not become a material weakness.

Practically, many organizations provide all control deficiencies to the audit committee, so they do not need a significance measure. The Public Company Accounting Oversight Board (PCAOB) noted in a staff interpretation that some control deficiencies could be remediated prior to year-end; thus, management would not need to conclude on their severity, as they would be closed by year-end. That at least seems to imply that a quantitative analysis would not be required quarterly.

Adding to the confusion some companies face in understanding these requirements, SEC Chief Accountant Sagar Teotia, in a June 23, 2020, public statement, stressed the importance of maintaining Disclosure Controls and Procedures (DCP) and Internal Control over Financial Reporting (ICFR) for investors in light of COVID-19. In the statement, Teotia reiterated the importance of robust internal accounting controls to high-quality, reliable financial reporting, adding that public companies are required to maintain DCP and ICFR, and management is required to evaluate the effectiveness of a public company’s DCP as of the end of each fiscal quarter, and the effectiveness of its ICFR at the end of each fiscal year. 

He also noted: “We understand preparers have adapted, or are adapting, their financial reporting processes as they respond to the changing environment. These changes may include consideration on how controls operate or can be tested and if there is any change in the risk of the control operating effectively in a telework environment. In addition, changes to the business and additional uncertainties may result in additional risks of material misstatement to the financial statements in which new or enhanced controls may need to be implemented to mitigate such risks. We remind preparers that if any change materially affects, or is reasonably likely to materially affect, an entity’s ICFR, such change must be disclosed in quarterly filings in the fiscal quarter in which it occurred.”

Prepare for Increased Scrutiny on Quarterly Conclusions

Over the past several years, in response to persistent feedback from PCAOB reviews, particularly related to external audit firms not decoupling ICFR and substantive audit tests, internal audit and internal control groups have migrated toward providing a more formal analysis each quarter. Also, quarterly analysis has gained increased formality, especially in cases where the deficiencies noted could be pervasive and relate to significant account balances or disclosures. These analyses may be completed in more of a memorandum format or in slightly lesser detail than the annual analysis; in many cases, management is completing these analyses and providing them to external auditors. And some organizations are conducting a more quantitative quarterly analysis to support their Section 302 certifications and 10-Q filings.

This trend towards more quarterly analysis has been observed across geographies, industries, and external audit firms. As always, but especially now, given the pace of change seen in 2020, there are areas that can give rise to a material weakness in any one quarter if they are not controlled and accounted for correctly. Protiviti’s experience with recent examples of areas where these issues have surfaced include the impact of the Coronavirus Aid, Relief, and Economic Security (CARES) Act on the tax provision; significant process changes related to a shift away from in-store dining and shopping; and treatment of rent deferrals for both lessors and lessees. In each example, a conclusion was included in the respective organization’s quarterly control-effectiveness analysis. The format of these quarterly analyses and conclusions vary, from a simple spreadsheet file to a detailed conclusion memorandum. These are three examples; there are others.

Consider These Areas When Completing Quarterly Assessments

The quarterly conclusion memoranda and analyses should follow the same framework as the annual conclusion process, with a full quantitative analysis and aggregation. They should also include areas that are incorporated into management’s overall conclusion on IFCR and DCP. These may not be at the same level of depth as the annual process, especially for control deficiencies, but they may include more details on significant deficiencies and material weaknesses.  The quarterly memoranda may also include details in these areas:

  • Any controls identified as ineffective, including the:
    • Root cause for the ineffective control
    • Severity of the control issue, including any actual error and resulting adjusting entries
    • Relevant component, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework
    • Location/department
    • Relevant financial statement accounts and assertions
  • Any accounting adjustments in the quarter and the controls to which these items relate, including compensating controls
  • Any significant control changes
  • Consideration of how big the issue was or could have been (i.e., gross maximum exposure)
  • The Impact to prior reporting periods
  • Any other disclosures which may be needed (e.g., to reflect the impacts of COVID-19, working remotely, or other business circumstances)
  • Management’s overall conclusion for the reporting period.

Consult With Appropriate Parties on the Conclusion

The disclosure committee plays an important role in reviewing events for potential disclosure. Clearly, any new material weaknesses or significant actions in the remediation of existing material weaknesses need to be disclosed to investors. As such, the disclosure committee members review the company’s analysis and confirm the completeness of the company’s public filing. Companies must work closely with their SEC counsel to confirm that their procedures and disclosures meet SEC requirements. 

Protiviti’s SOX Champions Network contributed to this content. For more blogs in this series, click here.

Add comment