October 12, 2007
Smaller Companies Should Focus on Key Areas for AS#5 Reviews
In our work with small to mid-sized SOX 404 filers, we have long proposed that a risk-based approach to scoping and planning projects is key. In the "Dark Ages" of SOX 404 (2002-2005), many external auditors were recommending form over substance and requiring clients to document everything that moved in a company.
Whew! Enter Audit Standard #5. This new, shorter and more risk-based approach, which auditors will use for their attestation of registrants' ICFR, directs auditors to review high-risk processes and how projects are scoped.
We have long directed smaller clients to do proper scoping with a top-down, risk-based approach. Further, entity-level controls have been a focus for smaller companies to "hang their hats" on. Additionally, in our informal surveys of clients, we have found that the most important process in this endeavor is the financial reporting process. This process is the least documented, the most supported by spreadsheets and the most rushed, and therefore subject to error.
Here is an excerpt from an article from Metropolitan Corporate Counsel concerning some key areas for registrants to focus on:
"Conceptually, the financial reporting process is a broad category encompassing such sub-processes as the financial close process; significant estimates; footnotes and disclosures; equity; and intercompany and related party transactions, among others. Management can better focus on high-risk areas by beginning with the financial reporting process and documenting the risks and related controls in place. For example, documenting and testing controls over significant estimates will most certainly overlap other processes - such as Revenue and Accounts Receivable - and it will bring the areas of highest concern and complexity to the forefront of management's assessment process.
A critical mistake many organizations made in the past was in applying a "blanket" approach. Documentation was created and testing of controls was executed at the same level of detail for each process regardless of the comparable risk level. Using this approach, a process involving routine transactions such as payroll, e.g., might receive the same level of time, effort and focus in creating evidential matter as the process relating to significant estimates in financial reporting...
AS5 indicates that certain entity-level controls might be at the right level of precision to adequately prevent or detect a material misstatement of the financial statements. For example, executive management might conduct an analytical review of the monthly financials. Typically, the issue from a SOX 404 perspective is that the review (i) might not occur at an appropriate level of detail, (ii) lacks documentation of anomalies and unexpected results and (iii) the investigation and resolution is conducted through verbal communication.
Management should focus on improving entity-level controls, including increasing their precision level. Management should also emphasize maintaining proper documentation in evidencing such controls to reduce additional work at the process level in documenting and testing the controls to mitigate the risk. Management should voice its plans to increase the precision level and operation evidence of entity-level controls in the first discussion with the external auditor. This allows the auditor to give management feedback on how the evidential matter on the effectiveness of entity-level controls may impact the auditor's assessment process."
If your company has to comply with SOX 404 or NI 52-109, and wants to do it in a sensible and cost effective way, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.