
First-time S-1 filers are scoping SOX too narrowly. The PCAOB has noticed.

A reading of recent PCAOB inspection reports — and a scoping checklist drafted around what they actually cite. For the controller and the audit committee chair of a first-year filer who is about to discover that the SOX scope they inherited from the underwriter's diligence is not the SOX scope the auditor needs.

Patricio Perez, Managing Partner — Enterprise Risk & Board Advisory

The PCAOB inspection reports for the 2024 cycle, published over the last several quarters, are unusually consistent. The themes are not new — they almost never are — but the frequency with which auditors of first-year and second-year filers are being cited for the same handful of issues is worth a paragraph in your committee read-ahead.

I work primarily with controllers, CFOs, and audit committee chairs of institutions in the transition from private to public. The pattern I am about to describe — narrow scoping, sparse IPE inventory, ITGC gaps that surprise no one with experience — is well known to anyone who has run a first-year SOX program. It is, nonetheless, recurring. This piece is the version of the scoping conversation I have with a first-year client in our second meeting.

What the inspection reports cite

The PCAOB inspection reports rarely name the issuer. They name the deficiency the auditor failed to detect, identify, or evaluate. Across the most recent inspections of mid-tier firms, four issues account for a disproportionate share of the comments on first-year and second-year filers:

  • Inadequate identification of relevant assertions. The auditor’s risk assessment did not identify all relevant assertions for material accounts, and the controls tested did not address the assertions the engagement team did identify.
  • Insufficient testing of management review controls (MRCs). The auditor’s testing of management’s review controls did not include sufficient evidence of the precision of the review — the criteria the reviewer applied, the threshold for follow-up, and the disposition of items that hit the threshold.
  • IPE deficiencies. Information produced by the entity that the auditor used in their procedures was not adequately tested for completeness and accuracy.
  • ITGC reliance without adequate testing. The auditor relied on automated controls without sufficient testing of the IT general controls that supported them, particularly in the areas of change management and logical access for the financial reporting systems.

Three of those four trace back, in my experience, to scoping decisions the institution made — sometimes by inheritance from the underwriter’s diligence, sometimes by deferring to the prior-year private-company audit, sometimes by reading the AS 2201 risk-assessment standard more narrowly than the auditor is going to.

The scoping bias of a first-year program

A first-year SOX scope tends to inherit two anchor decisions. The first is the auditor’s pre-IPO materiality, which was set for an integrated audit of financial statements that were probably under a less stringent control standard. The second is the inventory of significant accounts and disclosures from the prospectus, which is shaped by what the underwriter needed to highlight to investors — not necessarily by what carries the most risk of material misstatement now that the institution is public.

A scope built off the prospectus is a scope built for an investor audience. The auditor’s scope is built for AS 2201. Those audiences want different things.

Where this most often shows up is in disclosure-heavy areas: revenue, particularly under ASC 606 for institutions with complex performance obligations; share-based compensation for newly public companies whose option grants suddenly matter; income taxes when the company has just gone through an organizational restructuring; and the increasingly common segment disclosures that the SEC has been pressing public companies to expand. Each of these can have an “in scope” controls inventory that is small enough to be efficient and incomplete enough that the auditor will write a comment.

The four areas auditors are pushing back on

Relevant assertions

The assertions framework — existence, completeness, valuation, rights and obligations, presentation — should drive control identification, not the other way around. The institution that picks the controls first and then maps them to assertions is going to miss assertions. The pattern is most common around completeness of revenue, valuation of allowances, and presentation of related-party transactions.

Management review controls

An MRC is only as good as the documentation of its precision. “The controller reviews the close package monthly” is not a control; it is a statement that the controller exists. The control is: the controller compares the trial balance to the prior-period balance with a five-percent threshold, investigates every variance over that threshold, documents the inquiry and resolution, and signs off in a system that timestamps the review. That sentence — and the supporting evidence — is what the auditor needs.

IPE

Information produced by the entity — every report, query, spreadsheet, or extract that an analyst or reviewer relied on to operate a control or that the auditor used in their procedures — has to be on a list. The list has to include the source system, the parameters used, the date of generation, and the completeness-and-accuracy test that was performed on the IPE itself. The IPE inventory is the deliverable that ages the worst between scoping and year-end fieldwork.

ITGC reliance

ITGCs support the application controls the auditor wants to rely on. If the change-management control is not tested or has exceptions, the application control cannot be relied on. First-year programs often scope IT controls based on the inventory of in-scope systems from the financial statement, miss the systems that feed the in-scope systems, and have to expand the scope mid-cycle.

IPE — the perennial

I have lost count of how many material weaknesses and significant deficiencies have been driven by IPE. A reviewer relied on a report. The report’s underlying query had a date filter that excluded a population the reviewer needed to see. The auditor noticed; the institution did not. The deficiency lands in the wrong column of the deficiency aggregation table.

IPE inventory: minimum content

  • Source system
  • Query or report name
  • Parameters used
  • Run frequency
  • Who generates it
  • Who reviews it
  • Completeness-and-accuracy test performed
  • Evidence of test
  • Last revalidation date

Anything less than this list will be a comment from your auditor.

A scoping checklist

What I give to a first-year client in the second meeting:

  1. Anchor scope on AS 2201, not on the prospectus inventory or the prior-year private audit.
  2. Apply quantitative materiality consistent with the auditor’s calculation — and confirm in writing.
  3. Build the significant-account inventory from the financial statement; cross-walk to disclosures.
  4. For each significant account, document the relevant assertions before identifying controls.
  5. Identify MRCs separately; document precision for each in the control narrative.
  6. Inventory IPE during walkthroughs, not after design testing.
  7. Map IT-dependent controls to the ITGCs that support them, and confirm the ITGCs are in scope.
  8. Walk the scope through the auditor before testing begins.

The last item is the one most first-year programs skip because the relationship with the auditor is still forming. It costs nothing and saves a quarter of remediation.

What changes for year two

Year two is when the institution’s control environment is supposed to converge on a steady-state program. The most common failure in year two is the opposite of year one: scope creep. The institution adds controls to address every prior-year deficiency and never removes the ones that did not earn their keep. By year three, the test population has doubled and the cost per audit has roughly tracked.

The discipline of year two is in subtraction. Retire controls that are redundant. Combine MRCs that test the same assertion. Reduce sample sizes where the prior-year evidence supports it. The auditor will appreciate the conversation if the documentation supports the change. Without the documentation, the conversation is a finding.