Auditing Section Research Summaries Space

A Database of Auditing Research - Building Bridges with Practice

This is a public Custom Hive  public

research summary

    The Influence of Auditor and Client Section 404 Processes on...
    research summary posted October 22, 2014 by Jennifer M Mueller-Phillips, last edited February 19, 2015, tagged 01.0 Standard Setting, 01.04 Impact of 404, 07.0 Internal Control, 07.04 Assessing Remediation of Weaknesses 
    The Influence of Auditor and Client Section 404 Processes on Remediation of Internal Control Deficiencies at All Levels of Severity
    Practical Implications:

    Overall, this study suggests that remediation of detected ICFR problems prior to the balance sheet date is one benefit of Section 404 activity to stakeholders. This study’s finding of lower remediation of auditor-discovered ICDs implies that client personnel missed the control flaw in their own Section 404(a) process, so may lack the expertise to remediate the problem. This calls into question the current policy of relying on Section 404(a) alone for non-accelerated filer (most public companies). Further, this study’s results on client processes imply that the most important factors affecting remediation are not who directly manages the process, but rather the client’s organization of the process in making an early start and coordinating the effort with IT personnel.

    For more information on this study, please contact Jean C. Bedard.


    Graham, L., and J.C. Bedard. 2013. The Influence of Auditor and Client Section 404 Processes on Remediation of Internal Control Deficiencies at All Levels of Severity. Auditing: A Journal of Practice & Theory 32(4): 45-69

    Remediation; Sarbanes-Oxley Section 404; internal control deficiencies.
    Purpose of the Study:

    This paper investigates remediation of a comprehensive census of deficiencies in internal control over financial reporting (ICFR) detected in a sample of companies under Section 404 of the Sarbanes-Oxley Act. Internal control weaknesses have often been implicated in fraud and business failure. Section 404 was designed to improve corporate controls by requiring company management and external auditors to document, test and report ICFR. Research on the costs and benefits of Section 404 remains important, due to continued pressure to reduce financial regulation. Several prior studies examine remediation of publicly disclosed material weaknesses (MWs). However, auditors and company personnel detect many internal control deficiencies (ICDs), of which relatively few are MWs. Because publicly available data do not reveal non-MW ICDs, research has not yet considered the nature and extent of remediation activity that takes place behind the scenes. We study remediation of all ICDs, whether publicly reported or not, among companies with effective, as well as ineffective controls. We further address the issue of the benefits of Section 404(b) by measuring the impact of auditor activity in the remediation process. In addition, we directly examine the impact of whether, at the time of the auditor’s assessment, the flawed control had already failed to prevent a misstatement in the accounts.

    Design/Method/ Approach:

    This study is based on a sample of almost 4,000 ICDs detected by audit firm or client personnel in 76 engagements on 44 different companies in 2004–2005 (the first two years of compliance with SOX 404(b)), obtained from engagement teams at several large auditing firms. Sample companies have a mix of effective and ineffective control reports that is similar to the population as whole during that period. 

    • Prior research using publicly available finds substantial remediation of MWs from one reporting year to the next. In contrast, the authors of this paper find relatively low remediation within the year, between time of identification and the balance sheet date. Thus, a number of control flaws of varying severity remain to affect financial reporting quality in the following year.
    • The authors find higher remediation rates when there is an earlier start to control testing and better integration of the client’s IT personnel into the Section 404 process.
    • The authors also find lower remediation rates among auditor-discovered ICDs, detection through substantive tests (often performed late in the year or after year-end), and by the presence of a previously unknown misstatement that has already resulted from a control failure. The combination of auditor detection and an associated misstatement is particularly problematic, as this implies that not only did the client miss the problem in its own testing, but also the auditor has already linked it to an account misstatement, elevating its importance. 
    Internal Control, Standard Setting
    Assessing Remediation of Weaknesses, Impact of 404