Tax Internal Controls in an Era of Transparency and Disclosure
SOX404, ASC 740, and PCAOB may seem easily managed but pose significant risks if not closely monitored

print this article

To meet the demands of the Public Company Accounting Oversight Board, audit firms continue to increase activity related to internal controls. So, what’s the big deal? Let’s look at some numbers:

  • tax accounting was the second leading cause of 2016 financial restatements;
  • in 2016, ninety-eight percent of financial restatements were tax related;
  • an average of thirty-six hours was spent on each key control (including design, documentation, and testing); and
  • almost sixty percent of reported tax material weaknesses were attributed to insufficient tax accounting expertise, insufficient review, and lack of general procedures.

Those numbers aren’t a total surprise. For over a decade, multinational and domestic companies alike have faced the burden of complying with everchanging and evolving rules and guidelines for tax internal controls that have left confusion, frustration, and restatements in their wake.

Most recently, we have wrestled with uncertainty in the current U.S. tax environment, including its impact on global organizations and global jurisdictions. As of the passage of the Tax Cuts and Jobs Act, or TCJA (2017), we all began 2018 trying to navigate a bumpy landscape that offers more questions than answers. A rocky road is not new for tax professionals, for whom change seems to be the status quo, but the TCJA added risk to an already risky terrain.

This article discusses relevant areas that may help you improve your tax internal control environment. To do so, I think it’s important to first revisit the past.

A History Lesson

In direct response to a few well-documented and now current accounting case studies, we are left with an environment that has been forever changed by the Public Company Accounting Reform and Investor Protection Act of 2002. You may know this as simply “the Act” or “Sarbanes-Oxley” (“SOX”). For some of you, the Act may be academic. For others, it plays a near-daily role in your practice. For me, SOX was the impetus behind my being forever transformed from a practicing tax professional into a part-time auditor at one of the Big Four (or, at the time, Big Five) firms.

Section 404 of the Sarbanes-Oxley Act

When the Act was enacted in 2002, it was the most significant accounting and financial legislation issued in nearly a decade. Although the Act contains several sections, I will delve into Section 404, on management assessment of internal controls. This section aims to provide certainty and security for those who make investment decisions based on issued financial statements. It is relevant to readers of those statements, analysts and investors in capital markets, and the public at large.

When the Act was enacted, public companies now had to implement Section 404 within their tax environments and throughout their companies’ financial processes. The first year presented companies, and all of us working within and with those companies, many challenges and significant additional costs associated with implementing SOX. Now, sixteen years later, many of us are still undecided as to whether SOX and Section 404 in particular have succeeded as intended.

In the early days of Section 404, not only were companies and their staff heavily involved in designing and implementing the internal controls environment, but so were the Big Four and many mid-tier firms. These accounting firms provided significant services in this area. In retrospect, this seems a bit ironic, given the behavior of certain audit firms and several well-publicized failures that led to the creation of the Act in the first place. The emphasis on auditor independence was, and continues to be, a significant feature of SOX. Even today, there are still concerns about how independent audit firms are from the clients they serve and what lines are blurred or ignored. We will explore this area in more detail, but for now it is worth considering your own tax internal controls environment.

You may be overwhelmed by how much online research addresses this topic. But it does not take long to realize that, despite the wealth of available resources, information on how to implement and maintain an effective tax internal control environment is tougher to get your hands on.

Why the lack of information? The biggest reason, in my opinion, is that while public companies and some private companies must comply or elect to comply, every environment differs substantially in terms of internal complexity, people, expectations, and controls utilized within the process. There is no single way. This may seem surprising, since everyone deals with the same rules. However, as tax professionals we all know that while the rules apply to everyone, the application and execution of those rules can vary greatly. This is why internal control continues to be an area of great risk, especially if you fail to pay close attention to changes and adapt accordingly.

Triggers for Reviewing Your Internal Controls

  • material weakness/significant deficiency or borderline assessments
  • overly complex or inherently risky spreadsheets
  • acquisition, disposition, or other organizational change
  • change in business environment, including growth or expansion
  • auditors dissatisfied with current process
  • pressure from CFO to decrease days available for tax close
  • ERP system or tax software implementation
  • changes in department personnel structure
  • changes in department skill sets
  • overworked resources
  • pressure to add value within the organization
  • integration between compliance and tax provision

The Players

After sixteen years of SOX compliance we are all well versed in the associated risks. We are also well acquainted with the benefits of having an effective control environment, along with the significant costs of maintaining a strategic tax control environment and the potentially higher costs of not doing so. However, I am not certain everyone clearly understands the players involved and how they may affect your current process or influence how your process is audited. Here is a brief overview of the roles of the various players, which, I hope, will shed some light on how they impact your practices.

Management (CFO, CEO, treasurer). Management ultimately is responsible for the effectiveness of a company’s internal control environment and the accuracy of its financial statements. However, as we all know, if there is a deficiency (either a significant deficiency or a material weakness), blame is often shifted elsewhere.

Tax process owners (vice president of tax, tax director, tax managers). As tax process owners, we are more likely to ultimately be held accountable for maintaining the tax internal control environment. One of our main challenges is keeping pace with tax reform changes and environmental and people changes, as well as any tax structure changes that may increase risk and require action.

Internal audit team. The internal audit team reviews and oversees internal control processes. In many organizations, this team is also responsible for review and signoff prior to external audit review. The internal audit team may or may not have tax expertise within their function; if not, they may rely on the tax department to provide this knowledge. The team may also use external resources for tax information, especially if it falls outside their technical expertise.

External audit. External auditors are the ultimate scorekeepers for internal controls. It is their responsibility to test and finally audit and evaluate the effectiveness of internal controls. As history has proven, this area carries a risk of failure to properly identify weaknesses or deficiencies. This risk arises partly due to the complexity of this arena, but external auditors can also falter when they blur or ignore the boundaries that enforce their independence. This continues to be an area of weakness and needed focus.

In the early days of Section 404, not only were companies and their staff heavily involved in designing and implementing the internal controls environment, but so were the Big Four and many mid-tier firms.

Public Company Accounting Oversight Board (PCAOB). Congress created this board in response to the failures leading to the enactment of Sarbanes-Oxley. The PCAOB’s role is to hold accountable the firms that audit public companies. The PCAOB reviews audit firms annually and reports on their effectiveness both to those firms and to the public. If you monitor these reports as they are issued, they can provide valuable insights to help you evaluate your own internal controls environment.

Committee on Sponsoring Organizations (COSO). This organization has designed and updated the framework many organizations follow with respect to their tax process areas. The COSO framework has five basic components that, when implemented, may significantly improve a company’s ability to minimize organizational risk. The five are:

  • the control environment;
  • risk assessment;
  • control activities;
  • communication; and
  • monitoring.

Given all these players, from management to COSO, you might think that maintaining an effective tax internal control environment would be relatively easy and risk-free. But given the transitory nature of rules and regulations, and the new challenges they constantly present, that’s hardly the case.

The Environment

We now live in a tax environment in which our external audit firms place us under intense scrutiny. What mainly drives this pressure is the intense scrutiny the audit firms themselves receive from regulatory and oversight boards such as the PCAOB. And the pressure shows no sign of subsiding. According to former PCAOB board member Jeanette Franzel, “More strides need to be made by audit firms here, as auditing internal controls is still the area most frequently noted in inspection filings.”

The PCAOB recently released its 2017 staff inspection brief, for which it reviewed 195 firms. Eleven of those firms are U.S. firms subject to annual inspection (including each of the Big Four), and fifty-five are non-U.S. firms representing twenty-six countries or jurisdictions. The PCAOB selected clients for audit based on several factors, including but not limited to economic trends, company or industry developments, size, and change in issuers market capitalization. From an audit firm’s perspective, it is nearly impossible to tailor its client base to avoid PCAOB review.

The upshot: increased pressure on us to maintain effective controls and closely monitor the changes within our own organizations. We must be prepared to effectively mitigate or remediate any risk or control deficiency we identify and to do this before our external auditors identify that deficiency. External auditors are driven to discover issues based not only on their sense of duty and responsibility, but also on their desire to maintain their own reputations by having minimal audit deficiencies identified under the PCAOB audit.

I recommend that you read the PCAOB inspection reports and note their areas of focus, which may not only provide insight into which areas the PCAOB selects for evidencing but also signal the approach your own external audit firm may use.

We must be prepared to effectively mitigate or remediate any risk or control deficiency we identify and to do this before our external auditors identify that deficiency.

Key areas communicated by the PCAOB as areas of risk associated with the auditor’s responsibility include:

  • Recurring audit deficiencies. The PCAOB considers deficiencies noted in previous reviews of the audit firm as a reason to evaluate current performance. Obviously, the PCAOB seeks improvement or at least maintenance of past evaluation levels. It should be noted that most, if not all, audit firms regularly update their audit process to address any audit deficiency the PCAOB may have issued or identified as an area to focus on.
  • Audit of Internal Control Over Financial Reporting–AS 2201. This standard sets forth various auditor requirements. The PCAOB’s goal is to assess the auditor’s procedures performed on various audits so as to identify the audit firm’s process deficiencies, if any.
  • Assessing and responding to risk of material misstatements. The 2017 PCAOB staff inspection brief mentioned that the PCAOB will continue to focus on audit work related to testing the design and operational effectiveness of controls and the accuracy and completeness of system-generated data, reports, and disclosures.
  • New accounting standards or tax law changes. Particular attention should be paid to areas affected by new accounting standards or tax reform changes. As luck would have it, in 2018 we have both of these items to address within our tax analysis and ultimately within our financial statements. Your audit firm should have processes in place to identify changes and react to them.

As you can see, whether you need to respond to pressures arising from past audit deficiencies or from changing rules and regulations, there is a cause-and-effect relationship between the PCAOB inspection reports issued to external audit firms and the level of audit activities performed by the auditors within their process.

As noted above, monitoring the annual PCAOB inspection reports as they are issued publicly is good practice. By paying close attention to identified areas of exposure at the audit firm level, you can gain insight into likely upcoming areas of increased review at your own firm.

Internal Control Best Practices

Effective internal controls:

  • include clearly defined processes;
  • identify and describe management review controls and signoff procedures;
  • allow for effectively leveraged resources;
  • consider spreadsheet, system, and risk reporting;
  • emphasize regular communication with accounting and management;
  • require comprehensive documentation;
  • prioritize both key and less essential controls; and
  • integrate compliance and tax provision.

Tax Technology Considerations

Fortunately, several commercially available software solutions may provide significant efficiencies in creating and maintaining your tax internal controls environment. These tools continually evolve to provide even more efficient use of data. Some solutions provide out-of-the-box functionality that may address many of your tax documentation and evidencing needs almost immediately.

These software tools can address a number of needs including tax compliance, accounting for income taxes, tax research, and document management. Although they may provide a number of automated and custom solutions to address some areas of risk, they are not without some risk themselves if you are unaware of their limitations. There are no silver bullets here; you still need skilled technical resources to ensure these tools are used effectively and yield the appropriate technical result.

As a best practice when evaluating tax software, I would recommend identifying your needs and requirements before licensing or purchasing a product, to make sure it addresses your needs and is compatible with your current system and workflow.

Some Good News

You may feel that, since the enactment of the Act sixteen years ago, we have been running in mud uphill. However, a closer look at the data shows that there have been noticeable improvements in the public company financial reporting area. In a recent issue of Audit Analytics, several key indicators were reported to show a trend of reducing risk and restatement activity over the past eight years. For example, in 2016 the average number of issues leading to a restatement was 1.55, compared to 2.42 issues in 2005. This may seem like a minor movement, but it represents a significant decrease when you look at the dollars involved. The largest single company adjustment in 2016 was $1.08 billion, compared with $6.3 billion and $5.2 billion in 2004 and 2005, respectively.

As with all statistical reports, a bit of caution needs to be taken when relying on abstract information, but a careful look at this report provides illuminating detail and support. It’s easy to see that the intentions of the Act are coming to fruition in the current environment.

So, if your company has significantly improved and if you have maintained your tax internal controls environment well, then congratulations on a job well done. If you are still behind in modernizing your tax internal control process, I urge you to move ahead swiftly.

In the News

Although there have been plenty of advances in maintaining efficient and compliant tax internal controls environments, now is not the time to relax and congratulate ourselves. Actually, it is quite the contrary, as has been well documented in several recent news articles:

  • Audit Firm [name omitted] to add outside directors to its board in direct response to recent events at the firm (Bloomberg BNA [Law], April 28, 2018).
  • Audit Firm [name omitted] Scandal Stays Local—New York–based firm is dealing with the termination of three former partners who have been accused of stealing secret regulatory information in an attempt to address procedural issues within their audit practice (Wall Street Journal, March 8, 2018).
  • Consulting Services Now King at the Big Four Auditors—Consulting services now accounts for forty-four percent growth as opposed to the three-percent growth in auditing services (Wall Street Journal, April 9, 2018).


No matter which side of the looking glass you are on, it is certain you will be required to ensure the accuracy and transparency of tax information provided to all stakeholders inside your organization and out. We look to the past to guide our future with but one certainty: the business and tax environment will continue to evolve, and transparency in all areas of business is here to stay.

What are you doing to build an effective internal control environment? Start by reviewing the annual PCAOB reports. Review your internal controls and perform an annual checkup. For help identifying areas of risk within your tax processes, email me at

John P. Bennecke is managing director at True Partners Consulting LLC.

Leave a Reply

Your email address will not be published. Required fields are marked *

XHTML: You can use these tags <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>