Detection and Severity Classifications of Sarbanes-Oxley Section 404 Internal Control Deficiencies
Forthcoming in The Accounting Review
2 Pages Posted: 20 Feb 2009 Last revised: 4 Nov 2010
Date Written: November 2, 2010
We examine detection and severity classification of internal control deficiencies (ICD) identified under Section 404 of the Sarbanes-Oxley Act of 2002. While the cost/benefit balance of auditor testing of internal controls is highly controversial, prior research has not examined auditor vs. client detection of ICD, nor has it examined factors auditors consider in judging ICD severity. We find that auditors detect about three-fourths of unremediated ICD, usually though control testing. This finding contrasts with extant research inferring control deficiency detection effectiveness from publicly available data, underscoring the value of Section 404 auditor testing in improving financial reporting quality. Auditors judge greater severity when a misstatement has already occurred. In the absence of a misstatement, severity is contingent on client and ICD characteristics, implying a more complex and nuanced judgment process without objective evidence of control failure. We also find that clients often underestimate ICD severity, but this tendency is lower among well-controlled companies with a well-designed Section 404 process.
Keywords: Internal controls, Sarbanes-Oxley Section 404, Risk assessment, Materiality
JEL Classification: L24, M42, M48
Suggested Citation: Suggested Citation