Sarbanes-Oxley Internal Controls
Quick Answer
The Sarbanes-Oxley Act of 2002 (SOX) internal-controls requirement directs management to assess and report on the effectiveness of internal controls over financial reporting (ICFR). For broker-dealer audits, the independent public accountant evaluates the firm's internal controls and reports any material weaknesses in the FOCUS-regime audit deliverables. Auditors of BDs must be registered with the Public Company Accounting Oversight Board (PCAOB) and are subject to PCAOB inspection.
The SOX internal-controls requirement is the controls layer of the broker-dealer audit framework:
- Substantive rules (net capital, customer protection, FOCUS reporting, early-warning notification) tell the firm what to do and what numbers to report
- The SOX internal-controls requirement is a controls rule that asks whether the firm's processes and IT systems reliably produce accurate financial reporting in the first place
Substantive testing comes from FOCUS reporting; controls testing comes from SOX internal-controls. Both are required; both feed into the BD's annual audit deliverables.
Internal Control over Financial Reporting (ICFR)
The SOX internal-controls requirement directs management to assess and report on the effectiveness of ICFR. ICFR encompasses the firm's processes and IT systems that:
- Produce the underlying transactional data
- Aggregate that data into financial statements and regulatory schedules
- Apply the firm's accounting policies consistently
- Prevent errors and fraud from corrupting the reported numbers
For a broker-dealer, ICFR includes:
- Trade processing controls (every trade properly recorded with correct terms)
- Position-keeping controls (firm and customer positions accurately tracked)
- Reserve formula controls (customer reserve computation accurate and timely)
- Net capital controls (net-capital computation accurate and timely)
- Reconciliations (firm books to depository, customer books to firm books)
- Access controls (only authorized personnel can modify accounting records)
- Segregation of duties (initiator and approver for material transactions are different people)
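Two of the controls in that list, segregation of duties and the firm-books-to-depository reconciliation, are detective checks that can be expressed directly in code. The following is an added illustration, not code from the page or from any broker-dealer system: it runs a segregation-of-duties test over a small, constructed trade blotter (initiator and approver must differ on material trades) and then reconciles the positions implied by those trades against a constructed depository statement, reporting every break. The `Trade` record, the sample trade ids and account names, and the depository figures are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    """One row of a hypothetical trade blotter (constructed for this example)."""
    trade_id: str
    account: str
    symbol: str
    qty: int        # signed: positive = buy, negative = sell
    initiator: str  # user who entered the trade
    approver: str   # user who approved it
    material: bool  # whether the firm's policy classes it as material


# Constructed sample blotter. T2 is approved by its own initiator, which is the
# segregation-of-duties failure the page describes; T3 is non-material, so the
# same pattern there is tolerated by policy.
SAMPLE_TRADES = [
    Trade("T1", "ACC1", "ABC", +100, "alice", "bob", True),
    Trade("T2", "ACC1", "ABC", -40, "alice", "alice", True),
    Trade("T3", "ACC2", "XYZ", +200, "carol", "carol", False),
    Trade("T4", "ACC2", "XYZ", -200, "dave", "erin", True),
]

# Constructed depository statement keyed by (account, symbol). It disagrees with
# the blotter on ACC1/ABC and shows a position (ACC3/QQQ) the firm's books lack.
SAMPLE_DEPOSITORY = {
    ("ACC1", "ABC"): 100,
    ("ACC3", "QQQ"): 5,
}


def sod_violations(trades):
    """Segregation of duties: return ids of material trades approved by their initiator."""
    return [t.trade_id for t in trades if t.material and t.initiator == t.approver]


def positions_from_trades(trades):
    """Aggregate signed quantities into net positions per (account, symbol).

    Positions that net to zero are dropped so the result matches a statement
    that simply omits flat accounts.
    """
    positions = defaultdict(int)
    for t in trades:
        positions[(t.account, t.symbol)] += t.qty
    return {key: qty for key, qty in positions.items() if qty != 0}


def reconcile(firm_positions, depository_positions):
    """Return reconciliation breaks as (account, symbol, firm_qty, depository_qty).

    Every key present on either side is checked, so a position held at the
    depository but missing from the firm's books is reported, not silently
    skipped.
    """
    breaks = []
    for key in sorted(set(firm_positions) | set(depository_positions)):
        firm_qty = firm_positions.get(key, 0)
        dep_qty = depository_positions.get(key, 0)
        if firm_qty != dep_qty:
            breaks.append((key[0], key[1], firm_qty, dep_qty))
    return breaks


def run_daily_controls(trades, depository_positions):
    """Run both checks and return their findings as one structured result."""
    return {
        "sod_violations": sod_violations(trades),
        "reconciliation_breaks": reconcile(positions_from_trades(trades), depository_positions),
    }


if __name__ == "__main__":
    findings = run_daily_controls(SAMPLE_TRADES, SAMPLE_DEPOSITORY)
    print("Segregation-of-duties violations:", findings["sod_violations"])
    for account, symbol, firm_qty, dep_qty in findings["reconciliation_breaks"]:
        print(f"Break {account}/{symbol}: firm={firm_qty} depository={dep_qty}")
```

The value of these checks as ICFR evidence comes from running them on a fixed schedule (daily, per the reconciliation control above) and retaining the output; a break list that nobody reviews, or a check that can be skipped without a record, is the kind of gap an auditor would classify as a deficiency rather than a working control.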
Management Assessment vs. Auditor Evaluation
The SOX internal-controls requirement imposes obligations on both:
- Management: assesses and reports on ICFR effectiveness
- Auditor: independently evaluates the firm's controls and reports any material weaknesses
For broker-dealer audits, the auditor's evaluation feeds into the FOCUS-regime audit deliverables (the Compliance Report for customer-protection-subject firms or the Exemption Report for exempt firms).
Exam Tip: Gotchas
- The SOX internal-controls requirement is the INTERNAL-CONTROLS layer of the broker-dealer audit framework; it evaluates whether the firm's processes and IT systems reliably produce accurate financial statements. SUBSTANTIVE testing comes from FOCUS reporting; controls testing comes from SOX internal-controls.
What "Material Weakness" Means
A material weakness is a deficiency (or combination of deficiencies) in ICFR such that there is a reasonable possibility that a material misstatement of the firm's financial statements will not be prevented or detected on a timely basis.
| Severity Level | What It Means |
|---|---|
| Control deficiency | Design or operation of a control does not allow management or employees to prevent or detect misstatements; minor concern |
| Significant deficiency | More severe than a control deficiency but less severe than a material weakness; warrants attention but not necessarily disclosure |
| Material weakness | Reasonable possibility of material misstatement; requires disclosure and remediation |
A material weakness is the most severe finding and is what auditors specifically look for under the SOX internal-controls requirement. A finding of material weakness in a BD's controls flows into the auditor's report as a public-facing flag that the firm's controls are not adequate.
Examples of Material Weaknesses in BD Context
- The firm's reserve-formula computation is run on a spreadsheet without formal controls; staff can override formulas without supervisor approval
- The firm's position-keeping system does not reconcile to the depository on a daily basis
- The firm's net-capital computation depends on a single individual without backup or peer review
- The firm's trade-processing system has weak access controls allowing unauthorized adjustments
Exam Tip: Gotchas
- A "material weakness" is a deficiency such that there is a REASONABLE POSSIBILITY of a MATERIAL MISSTATEMENT going undetected. It is the most severe finding, and it requires disclosure and remediation. The exam may probe the difference between control deficiency, significant deficiency, and material weakness; material weakness is the disclosure threshold.
PCAOB Oversight
Auditors of broker-dealers must be registered with the PCAOB (Public Company Accounting Oversight Board). The PCAOB:
- Inspects the audit work of registered firms
- Enforces audit quality standards through its inspection and enforcement programs
- Issues auditing standards for both public-company audits and BD audits
How PCAOB Registration Came to BD Audits
Originally, the PCAOB's mandate was public-company audits. The Dodd-Frank Act of 2010 extended PCAOB jurisdiction to BD audits by adding BD audit registration and inspection to the PCAOB's responsibilities. Before Dodd-Frank, BD auditors operated under AICPA peer review and SEC oversight; after Dodd-Frank, BD auditors are subject to the same PCAOB inspection regime that auditors of public companies face.
Why It Matters
PCAOB inspection adds a quality-assurance layer above the auditor's own internal controls. The auditor knows that inspection of its BD audits is possible (and increasingly probable for larger auditors). This pressure helps maintain audit quality, which is what the SEC and FINRA depend on when they review the BD's FOCUS audit deliverables.
Think of it this way: Without PCAOB inspection, an auditor doing sloppy work on a small BD might never face quality-control consequences. With PCAOB inspection, the auditor knows that any of its BD audits could be selected for review, and findings of audit deficiencies create significant professional and reputational consequences. The threat of inspection raises the floor on audit quality, which raises the reliability of every FOCUS audit deliverable that flows from those audits.
Exam Tip: Gotchas
- A BD that engages a non-PCAOB-registered auditor has a FOCUS reporting violation on its annual audit, even if the audit work itself is high-quality. PCAOB registration is a procedural threshold the firm must verify before engagement.
How SOX Internal Controls Connects to FOCUS Reporting
The SOX internal-controls requirement and the FOCUS reporting rule work in tandem on the BD audit:
| Layer | Source | What It Does |
|---|---|---|
| Substantive financial reporting | FOCUS reporting (FOCUS forms, annual audit financials, net-capital and reserve schedules) | Captures the firm's actual financial condition |
| Internal controls evaluation | SOX internal-controls (PCAOB-registered auditor evaluates ICFR) | Tests whether the firm's processes reliably produce accurate financial reporting |
| Compliance / Exemption Report | FOCUS audit deliverable | Reports on whether the firm's customer-protection controls (or exemption posture) are effective |
A firm's annual audit deliverable is the integrated product of all three layers: substantive financial statements, controls evaluation, and customer-protection-specific report. The SOX internal-controls requirement is the controls layer that ensures the substantive layer is reliable.