Do all failed SOX controls have to be remediated?


It is clear that Management is not required to test all controls in all the business units for SOX 404 compliance. Only those which affect significant accounts and disclosures in the financial statements or involve significant risks are scoped. However, it is commonly believed that all failed controls have to be remediated at fiscal year end.

Management and business process owners can choose not to remediate failed low-risk exceptions when the improvement plan is not practical or cost-effective in the long term. For many companies, the remediation phase is where significant effort and money are spent. This decision should be communicated to the auditors to get their feedback.

Some aspects of the unremediated deficiencies should be considered, including the effect on the overall risk matrix if a failed control compensates for others, and whether individual deficiencies aggregate into a greater weakness. In other words, unremediated control deficiencies, individually or in combination, should not rise to the level of a significant deficiency. Less frequent controls, or controls on processes (as distinct from entity-level controls), may indicate that the remediation plan could be postponed.

Conversely, general control deficiencies that have been properly communicated to Management and the Audit Committee and remain uncorrected after some reasonable period of time are a strong indicator of a material weakness.
