Since the PCAOB’s Auditing Standard (AS) 5, now reorganized as AS 2201, replaced AS 2 in 2007, auditors for publicly held companies (i.e., issuers) no longer attest to the fairness of management’s Sarbanes-Oxley Act of 2002 (SOX) section 404(a) reports. Rather, when reporting under SOX section 404(b), they attest directly to the effectiveness of internal control over financial reporting (ICFR). Nevertheless, the auditing standards confer certain responsibilities on auditors that apply even for smaller and other issuers that are exempt from the ICFR audit requirements of SOX section 404(b). This article is intended to alert auditors to the not-so-obviously applicable guidance in the auditing standards and help them avoid risks related to those responsibilities.
SOX section 404(a) was phased in based on an issuer’s size; implementation began in 2004, and by 2007 all issuers were subject to its provisions. Section 404(a) requires management to conduct an annual evaluation of the operational effectiveness of its ICFR with documentation of both the controls and the mandated testing thereof, and to report the results publicly in its annual report on Form 10-K. SOX section 404(b) required independent auditors to report on the effectiveness of a company’s ICFR; however, the SEC issued a series of releases temporarily deferring applicability of SOX section 404(b) to non-accelerated filers until July 2010, when Congress provided a permanent exemption to section 404(b) for non-accelerated filers as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 989G(a) of Dodd-Frank amended SOX by adding section 404(c). Because of these actions, almost half of issuers were, in fact, never subject to those requirements (49% as of the most recent filings for years ended through 2015, according to Audit Analytics, an independent data research service that tracks and analyzes public company disclosures).
Non-accelerated filers are issuers with less than $75 million in public float (i.e., the value of shares held by the public). This category includes, but is not limited to, all issuers also known as “smaller reporting companies.” Also included in the 49% are emerging growth companies (EGC), a category of issuer created by the Jumpstart Our Business Startups (JOBS) Act of 2012, which are also exempt from SOX section 404(b) unless and until they lose their EGC status.
Auditors’ Hidden Responsibilities
Auditors’ responsibilities regarding compliance with SOX section 404(a) are hidden in three sections of the PCAOB’s reorganized Auditing Standards (AS) 1305, 2405 and 2710:
- AS 1305 (AU section 325). Under AS 1305, auditors must report any significant deficiency or material weakness regarding ICFR to audit committees. Any material event of noncompliance by management with the ICFR evaluation and testing requirements of SOX section 404(a) would likely be deemed to result from such a significant deficiency or material weakness. This would be true even if the misstatements discovered in the draft SOX section 404(a) report intended for inclusion in the annual report were corrected before filing.
- AS 2405 (AU section 317). AS 2405 requires auditors to report known or suspected illegal acts to the audit committee and to consider their possible effects on the financial statements and audit scope. In addition to representing a reportable ICFR deficiency, any instance of noncompliance with SOX section 404(a), or any material, public misrepresentation of compliance would constitute such an illegal act.
- AS 2710 (AU section 550). AS 2710 obligates auditors to read an issuer’s entire draft annual report on Form 10-K, and to take certain actions in response to management statements therein that are believed to be materially false and misleading. Such misstatements in section 404(a) reports ordinarily would be identified within the course of obtaining an understanding of ICFR as part of the risk assessment process performed. This would include reading the scope and results of management’s control tests conducted pursuant to SOX section 404(a) when planning a financial statement audit pursuant to AS 2110.18–.25. As provided specifically under AS 2710.05 and .06, if any suspected material misrepresentation [such as in the SOX section 404(a) report] is identified and not corrected after discussing it informally with management and, if necessary, proposing that management consult with “some other party whose advice might be useful to the client,” the auditor should “communicate the material misstatement of fact to the client and the audit committee, in writing, and consider consulting his legal counsel as to further appropriate action in the circumstances” (emphasis added).
Risks and Consequences of Issuer Noncompliance
Because the PCAOB standards above contain no clear language that directly refers to an issuer’s compliance with SOX section 404(a), their connection to management’s ICFR reports is rather subtle, and there may be considerable risk that an auditor will fail to recognize it.
Moreover, as a direct result of legislative action that permanently removed the threat of audit oversight under SOX section 404(b), there is an especially heightened risk that non-accelerated issuers or EGCs may not take their SOX section 404(a) compliance seriously. Non-accelerated issuers or EGCs might take shortcuts in their evaluation and testing process in the belief that noncompliance (or poor compliance) is unlikely to be caught. As pointed out above, because the SOX section 404(a) evaluation process for an issuer is an inherent and significant part of the monitoring component of ICFR, management’s failure to take it seriously would likely constitute a material weakness that, if omitted from its SOX section 404(a) report, would create a second misrepresentation—namely, that there were no known material weaknesses. As also pointed out above, failing to comply with the requirements of SOX section 404(a) or, perhaps even more significantly, issuing a false “boilerplate” report in Form 10-K that misrepresents management’s compliance with SOX section 404(a) would constitute a violation of federal securities law; the latter would also likely constitute securities fraud, which has potentially serious consequences.
Therefore, auditors should not be lulled into the erroneous belief that they need not be concerned with management’s mandated SOX section 404(a) report when they are not required to audit and report on an issuer’s ICFR pursuant to SOX section 404(b). To the contrary, auditors should be wary of the PCAOB standards detailed above, which effectively say otherwise. Careful attention is necessary to protect auditors (and issuers) from serious consequences.