    Detection and Severity Classifications of Sarbanes-Oxley Section 404 Internal Control Deficiencies 
    Practical Implications:

    The results of this study support the value of auditor involvement at two stages of the ICFR assessment process (detection and classification), and contribute to understanding of factors associated with client and auditor performance in both stages. The study also provides direct evidence on the “yield” of detection methods used by auditors. This issue is at the heart of the debate on the value of auditor involvement in assessing and testing internal controls. Lastly, the findings of this study imply that the recent exemption of Section 404(b) for smaller U.S. public companies could result in failure to fully realize potential improvements in financial reporting quality in that sector of the market.

    Purpose of the Study:

    In the aftermath of large company failures (Enron and WorldCom), Congress enacted the Sarbanes-Oxley Act (SOX) and, more specifically, Section 404 to improve the reliability of information provided by public companies to the financial markets by requiring company management and auditors to test internal control over financial reporting (ICFR) and to disclose severe control flaws that are not remediated as of the balance sheet date. Prior research uses publicly available annual report data to distinguish characteristics of companies disclosing ineffective controls (i.e., at least one material weakness, or MW) under Section 404, or quarterly management reports under Section 302, but does not address the full extent of detected control flaws, how those problems are detected, or how auditors determine which problems are disclosed. This study extends prior research and investigates detection and severity classification of internal control deficiencies (ICD) under Section 404 to determine (1) the relative contribution of clients and auditors to ICD detection and (2) the factors associated with the auditor’s severity classifications of detected ICD.

    Design/Method/Approach:

    The authors obtained proprietary data from several large audit firms, under confidentiality agreements that limit the ability of the authors to report separate results by firm or firm size. The authors asked that each firm randomly select from 2004–2005 engagements of smaller accelerated filers (with revenues of about $1 billion or less) in non-regulated industries, allowing them to increase generalizability to the large number of U.S. public companies. Contact personnel from participating firms helped the authors develop a spreadsheet to be completed by engagement teams, containing both company-level and control-level information. The authors first examine the overall percentage of ICD detected by clients/auditors and also model the factors associated with likelihood of client detection. In addition, because auditors are sometimes aware of the client’s preliminary classification of ICD, the authors test whether auditors override those classifications by judging ICD to be more severe. Lastly, the authors test expectations regarding factors associated with severity classification of ICD.

    • The authors find that clients detect fewer ICD than auditors and are less likely to detect severe and pervasive ICD; they therefore infer that many of the control flaws most likely to affect financial reporting would not be found in a client-driven process such as Section 302.
    • Furthermore, the analysis shows that the use of a large accounting firm consultant for Section 404(a) work is associated with improved client detection.
    • The authors find that control tests provide initial evidence on a large proportion of ICD, including most MW and entity-level problems viewed as more serious by financial report users, which affirms auditors’ Section 404 control testing as an important source of detecting control deficiencies.
    • The authors find that clients tend to classify ICD as less severe, but auditors frequently override those classifications.
    • Lastly, the authors find higher severity associated with:
    1. greater knowledge and independence in the client’s Section 404(a) process;
    2. more objective evidence (e.g., an existing misstatement);
    3. control flaws other than documentation problems (e.g., inappropriate design);
    4. certain types of entity-level ICD (e.g., Control Environment);
    5. certain types of account-specific ICD (revenue and tax), consistent with the regulatory climate of the period.
