Sarbanes-Oxley: What's trending in 2020

How to manage key Sarbanes-Oxley issues in the new year


Completeness and accuracy. Management review controls. Precision level. Systems and organization controls reports. These are terms we have become all too familiar with over the last several years—and are topics that are certainly not going away. But what else should your organization be prepared to address in 2020? Below we discuss trends and changes we expect to see in the SOX 404 landscape in the upcoming months.

Critical audit matters

A critical audit matter (CAM) is defined as any matter arising from an audit of financial statements that was communicated or required to be communicated to the audit committee and that:

  • Relates to accounts or disclosures that are material to the financial statements
  • Involved especially challenging, subjective or complex auditor judgment

Auditors are required to disclose CAMs in their audit opinions for fiscal years ending on or after June 30, 2019, for large accelerated filers and for fiscal years ending on or after Dec. 15, 2020, for all other public companies.

We expect that control deficiencies, especially material weaknesses, in areas requiring judgment or challenging audit procedures may contribute to the determination of a CAM. Additionally, if a significant deficiency was a main factor in the determination of a CAM, those control-related issues are likely to be disclosed as part of the CAM, but the term “significant deficiency” will not be used.

If your organization is not a large accelerated filer, you can get ahead of this now by discussing with your auditors what they expect to consider a CAM. Use your risk assessment process to evaluate the controls linked to a CAM and implement changes early in the year if needed.

If your organization is a large accelerated filer, make sure any controls linked to the 2019 CAMs are also getting a fresh look in this year’s risk assessment process.

Focus on accounting estimates

Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2501, Auditing Accounting Estimates, Including Fair Value Measurements, is effective for audits of public companies for fiscal years ending on or after Dec. 15, 2020. The new standard replaces three existing standards related to accounting estimates and is designed to require auditors to dig even deeper into the process used to develop estimates. Auditors will be specifically required to understand and address how numbers could be manipulated through management bias. Auditors also will be explicitly required to have a reasonable basis for the assumptions and method they use when developing an independent expectation of an accounting estimate.

You can prepare for this by reassessing your organization’s controls over significant judgments and estimates early this year. The revised standard lists examples of what the PCAOB considers a significant estimate, including revenue-related estimates and reserves, the allowance for loan losses, the fair value of financial instruments, valuation of assets and liabilities acquired in a business combination, goodwill and long-lived asset impairments, inventory valuation allowances, and equity-related transactions. In your control reassessment, you should specifically focus on the completeness and accuracy of the information relied upon to calculate a significant estimate and determine whether that information is detailed and precise enough to support an appropriate conclusion. You also should assess whether the control operator evaluates disconfirming evidence as part of performing the control.

Cyber risk and controls

Your organization likely relied on systems more in 2019 than ever before, and that reliance is only expected to increase in 2020. Although cybersecurity is not yet in scope for ICFR, you should expect that your auditors will ask questions to gain an understanding of your cyber-risk profile and how those risks relate to financial reporting. You already may have seen that for 2019, and it will continue in 2020. Since the victims of cybersecurity issues, such as phishing scams, have suffered significant financial loss, the most relevant risk that companies and auditors have identified is safeguarding of assets (SOA). Controls intended to mitigate SOA risk will continue to receive heightened scrutiny. Disbursements controls, especially related to wires and automated clearing house services (ACHs), should be reviewed early in the year to ensure they are appropriately designed. Take advantage of your periodic risk assessment refresh during the year to specifically look at those controls. Research the latest news related to phishing scams and consider whether your controls are designed to prevent significant loss from one of these scams.

Your organization also may have begun utilizing robotic process automation (RPA)—perhaps to perform routine monthly close functions, or even to assist with routine SOX testing. But what if a hacker gained access to the bots performing these functions? What could they do to manipulate financial reporting or audit procedures? You should consider the risk and related controls associated with access as they relate to RPA.

Shifting PCAOB focus

The PCAOB has begun to broaden its focus to include reviewing firm-wide methodologies, quality controls and training processes. On Dec. 17, 2019, the PCAOB released a concept paper on future potential revisions to its quality control standards. This could cause your audit firm to revisit its audit methodologies or quality control procedures, which in turn could affect how your audit is conducted. We’ve seen changes in auditor methodologies stemming from internal inspections, peer review results, PCAOB inspections, etc., but this shift in PCAOB focus could have even broader implications over the next several years.

How do I keep up?

You may be wondering how your organization can be expected to keep up with a constantly moving target. The keys here are to understand the source and timing of changes, be on the lookout for trends, and utilize and continue to build your network. Follow Securities and Exchange Commission announcements online and discuss the results of PCAOB and internal inspections with your auditors. Connect with your peers at similarly sized companies in the industry who also may use the same enterprise resource planning system. A trusted advisor like RSM can help keep you ahead of the curve.

