Posted: 30 Apr. 2025

The role of internal controls in navigating regulatory challenges and SOX compliance trends

By Laura Morgulec, Audit & Assurance Partner, Deloitte & Touche LLP; Colin Broom, Audit & Assurance Senior Manager, Deloitte & Touche LLP; and Jennifer DeVinny, Audit & Assurance Senior Manager, Deloitte & Touche LLP

Talking points
  • The SEC, PCAOB, and other regulators are continually raising the bar on accounting standards to address rising risks.
  • To protect a company and its investors, it is important to update internal controls to keep pace with these changing regulatory standards.
  • Deloitte can advise management on its responsibilities in enhancing controls, addressing deficiencies, and managing information used in a control (IUC).

As we approach the midpoint of 2025, it’s now clear which hot topics finance and accounting teams will likely need to keep an eye on for the rest of the year. In this edition of The Pulse blog, we dive into two of the most talked about themes: internal controls and regulatory compliance. Think of them as two sides of the same coin. Strengthening your internal controls framework not only allows you to keep up with fast-moving technology like artificial intelligence (AI) and cybersecurity but can also help you navigate the ever-changing regulatory landscape.

We get it. Discussing the nuts and bolts of internal controls can feel like talking about the brakes on a new luxury sedan. Maybe not the most exciting feature, but like your brakes, internal controls are a critical safeguard, allowing you to focus on performance.

How the PCAOB and AS 2201 govern internal controls

Let’s begin by revisiting the standard that started the wheels rolling on modern internal controls: AS 2201. Implemented by the PCAOB in 2007, AS 2201 was designed to improve the efficiency and effectiveness of the audit of internal controls over financial reporting (ICFR), while also maintaining the rigorous standards necessary to protect investors.

AS 2201 integrates the audit of ICFR with the financial statement audit, enabling a comprehensive evaluation of financial reporting processes. It outlines the requirements for planning and performing the audit, including control design and effectiveness, key control testing, and assessing material misstatement risk. AS 2201 also governs the identified internal control deficiencies, which we’ll get into shortly.

Standard-setting projects

Several short-term and longer-term regulatory projects are in the works to maintain and improve the standards set by AS 2201. These efforts cover areas like quality control, noncompliance with laws, attestation standards, performance metrics, interim standards, and inventory. They also include amendments to AS 2601 (Consideration of an Entity’s Use of a Service Organization) to keep auditing standards aligned with the evolving use of service organizations.

Regulators advise auditors and their stakeholders to stay informed of these developments and incorporate resulting practices into their work. This vigilance will not only help avoid control deficiencies but may also help protect investors and the public interest.

Deficiencies and why they matter

While we’re on the topic of deficiencies, it’s worth noting that the market has seen an increase in impacts from material weaknesses in internal control frameworks. Deficiencies arise when a control doesn’t allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

Unidentified deficiencies may result in inaccurate financial reporting or material misstatements in annual or interim financial statements. The time and resources required to remediate deficiencies, particularly severe ones that rise to significant deficiencies or material weaknesses, have proven to be significant. Non-remediated deficiencies may affect operational results and the organization’s reputation with stakeholders, including shareholders and other capital providers.

Management’s role in remediating deficiencies

Deficiencies range in severity, from a control deficiency to a significant deficiency to the most serious deficiency, a material weakness. What are the repercussions of deficiencies? They also range in severity: from management tracking for a control deficiency, to reporting to the audit committee or board for a significant deficiency, to reporting externally in the 10-Q or 10-K for a material weakness.

Internal Audit may assist in the evaluation of the severity of deficiencies. However, management owns the analysis and conclusion of deficiencies. Management must also take charge of remediating deficiencies through a required action plan.

The importance of IUC

Effective controls management requires proficiently handling IUC. What exactly is IUC? Think of it as an input needed to review and ensure the proper performance of a control. IUC typically originates from a report or spreadsheet and can be internally generated or received from a third party.

Managing IUC can be challenging for many companies because of issues such as incomplete data capture, incorrect data input, faulty algorithms or calculations, and inaccurate parameters. To avoid these pitfalls, it’s essential to understand how IUC is managed within your organization. This may involve surveying your team about IUC and its role in your SOX program, conducting training for control owners, and working closely with both internal and external auditors to ensure alignment.

What role can Deloitte play?

Deloitte recognizes that modern internal control frameworks can do more than maintain the status quo; they can also add value. Contact us to learn how internal controls can help you enhance organizational agility, navigate regulatory complexities, and better protect the interests of investors and stakeholders. We can advise you through every step of your controls journey.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2025 Deloitte Development LLC. All rights reserved.

 

Laura Morgulec

Audit & Assurance Partner

Laura has more than 10 years of experience in auditing financial statements and internal controls and is currently serving as the Michigan Accounting and Reporting Advisory Leader. She has extensive experience in business process risk assessment, readiness, design and operating effectiveness testing for purposes of SOX compliance as well as implementation of internal control frameworks and advising on complex technical accounting matters.