Almost two decades after the enactment of Section 404 of the Sarbanes-Oxley Act (SOX), income tax-related material weaknesses continue to be a major issue for companies. With the costly ramifications of a weakness, the obvious question is, “How does a company prevent such an occurrence?” The simple answer is by implementing effective internal controls.
While all public companies are required to be SOX compliant, many companies have not refreshed income tax controls since initial implementation, which is a cause for concern. Several new items of guidance and alerts on internal controls have been issued by the Public Company Accounting Oversight Board, or PCAOB. This new guidance has significantly changed the standards required to be SOX compliant. With an ever-changing tax compliance landscape, optimizing internal controls that can scale with your business can help to navigate challenges, mitigate risk, and maintain compliance with SOX.
Common Reasons Tax Controls Fail to Be SOX Compliant
Income tax is often seen as a separate specialized area of a company’s financial statements. The preparation activities and control responsibility for income tax often lies outside the core accounting team with professionals who have deep technical tax knowledge, but less experience or visibility into auditing and internal controls procedures. Further, companies with strained or limited in-house tax resources may not prioritize income tax accounting and reporting until it is too late. In such an environment, setting time aside to refresh an area that isn’t seen as ‘broken’ is difficult.
It is also a good idea to understand why the background and experiences of the personnel performing the controls or calculations are different. In general, tax accountants have rarely worked with internal controls or had the background of audit (for those in public practice), and the idea of internal controls is usually not imbedded in their experience.
It is no secret that CPAs have a knack for one side of the house or the other. Some look at it as “just calculations,” when they should also be focused on:
- How the numbers were generated (are the inputs complete and accurate); and
- Proper review and reperformance of the calculations that should be occurring.
Some of this is due to the interconnection of systems and applications for calculation (and updated tax code requirements)—more automated controls—or controls that would fall in the IT environment of the design and effectiveness. IT related tax controls are not a normal conversation that occurs but should definitely be added to the list of controls tested.
Common Flaws in Income Tax Controls
When tax controls fail, it occurs in one of two key areas: Either the controls are not effectively designed, or they are not operating effectively. Income tax controls are often heavily focused on management review procedures. While management review controls can be very efficient, it is critical that they are designed, documented, and executed effectively. These are four common pitfalls in the design of tax controls:
- Missing control(s) – The income tax provision is made up of numerous calculations impacting all areas of the financial statements. Many of these calculations require significant judgement and technical knowledge. Sufficient control procedures to cover all material areas of the provision and all areas of significant judgement should be in place. However, it is unlikely that one overarching management review control can cover all the areas of an income tax provision.
- Lack of adequately defined procedures – With so many unique calculations and judgement items within the income tax provision, companies may attempt to write one vague control that doesn’t clearly identify the nature of the review procedures performed on each key component of the income tax provision. Simply stating “management reviews the calculations” doesn’t provide sufficient detail about the procedures a reviewer performs to gain comfort with the calculation.
- Undefined investigation criteria or precision – The controls don’t clearly indicate what events or characteristics (e.g., dollar amount, percentage) will trigger further investigation into items within the income tax provision. For consistency in monitoring, it’s important to clearly define what factors will cause the reviewer to explore into the cause of the outlier identified.
- Lack of supporting evidence – While effective procedures may be designed and performed, in some instances, the actual activities performed and reviewed are not captured, documented, and retained. For example, initials on a workpaper are not an indication of the actual activities that were performed or adequate evidence of management review. Controls may lack specificity on what evidence is available to support that the control was performed and reviewed by management, which includes validation of the completeness and accuracy of the information produced by entity (i.e., reports used with parameters retained, validation of spreadsheets).
Time to Refresh
If this sounds familiar, it’s probably time to take a closer look at your internal controls procedures. Improper design and execution of internal controls can result in material weaknesses, even if management review procedures are in place. Since many companies’ tax departments do not have the bandwidth to focus on the income tax provision, co-sourcing services and partnering with income tax professionals to address these issues can fix those flaws, leaving you with the proper processes and procedures in place. As Benjamin Franklin aptly stated, “An ounce of prevention is worth a pound of cure.”