As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!
Posted: Thu Oct 13, 2005 11:34 am Post subject: Account Reconciliation Testing
It seems to me that we "touch" some documents too many times during the year through our normal controls and then the testing of these controls. For example, each period a reconciliation is prepared for most general ledger accounts and is then reviewed by the preparer's supervisor. The preparation of the reconciliation is a primary control. The review by the supervisor is a secondary control. In performing SOX (peer) testing, we look at each account within scope with a sample size of 5 (for a monthly control). This would mean that we are looking to ensure that for 5 of the 12 months of the year, each account was reconciled and reviewed timely and that the reconciliation was accurate. Our internal audit group then tests a sample of the samples tested in order to gain assurance that the peer testing was perfomed accurately.
Has anyone successfully argued with their external auditor that we don't need to touch these account reconciliations this many times each year in order to gain assurance that they are being completed timely and accurately? It would seem to me that a master account schedule could be maintained and checked off each month as reconciliations are prepared and reviewed and that a sample from that schedule could then be tested to ensure that the reconciliations were being performed versus testing each reconciliation for multiple months.
Is anyone taking a different approach? We need to figure out how to reduce the time it takes to test controls in this area as this is a real resource hog for us during our annual testing.
To start-off, I think your sample size of 5 months is too much. From my experiences (both from the external and internal audit sides), a sample size of 3 for a monthly control is most commonly used. A survey published by the the IIA confirms this (theiia.org/gain/404sample_results.html).
I have also seen from my experience that companies typically do not apply any rationale behind the accounts they choose to perform "reconciliations" for. In fact, the term "reconciliation" is not even the appropriate audit term to use for this type of control. I think the term "account analysis" would be more appropriate since the purpose of this control is to identify unusual transactions from the account detail (not to tie-back GL balances to source docs, as we would expect for a "reconciliation").
Anyhow, I think the best way to reduce extra/unnecessary work would be to: 1) reduce your sample size to three, and 2) determine which accounts you really need to analyze on a monthly basis. I would suggest a top-down approach in analyzing each account and determining whether adequate front and back-end controls already exist around that account. For example, if you were debating on whether or not to analyze the prepaid expense account, and you discover that there is already both a (key) control over the initial setup of the prepaid amortization schedule (e.g., independent review) and a month-end checklist key control (specifically calling out prepaid entries), then there is probably no need for a separate month-end account analysis.
I am not certain that I am following you completely. Our staff does prepare account reconciliations or analyses each month for each account on our balance sheet. These are reviewed by a supervisor either on a monthly or quarterly basis, depending on the account risk.
From an internal controls management testing perspective, we then test each account via peer reviews to ensure that the proper reconciliation or analysis is prepared (full year sample size of 5, which you suggest reducing to three). After the peer reviews are completed, our internal audit group does a spot check to ensure that the peer reviews were properly completed. My point is that I think that the peer reviews of each account (whether 3 or 5 months) and the subsequent internal audit reviews of selected accounts and maybe 1-2 months seems to be escessive in getting comfortable that our controls are effective. I am looking for support to bypass the peer reviews and only sample 1-2 months for selected accounts (either done by peers or internal audit) to satisfy our testing requirements over these controls.
I am still curious as to how others are approaching the tests of account reconciliations as primary controls.
I agree with you both: reduce unecessary, as not added value, tests.
We need as you mention take a to down approach. Then if the entity level controls and testing are totally covered, depending on the materiality of the entity with the group (if that is the case), depending on the risk assessment and materiality of the account, you might decide whether or not have an additional independent check on the controls.
Based on all the source I am looking regularly (SEC, PCAOB...), I do not reckon to see request for a peer testing group? If monitory controls are performed, regularly and successfully, by the managements on the critical/key controls. If on top of that, there is an internal audit team that goes around for the review of management assessment of controls, and then later you will have the confirmation of all by the external auditors, why the need of this addtional intermediary staff.
To whom they report the peer testing? What are the deliverables of their work and to whom it is distributed?
Let's not make companies suffering from burocracy and lose competitetiveness because of the incredibile abnormal fixed cost (administrative related only) to be absorbed. Still without losing control of what is being done, of course!
Joined: Nov 25, 2004 Posts: 790 Location: London, UK
Posted: Mon Oct 17, 2005 4:14 am Post subject:
A couple of additional thoughts:
1. As previously stated a sample size of 3 for a monthly control is norrmally regarded as sufficient.
2. Testing of the control need only happen if it is a key control
3. I don't agree with the logic of splitting the performance of the control and the review theron. To me they are both essential for the control to have been effectively designed.
4. For a key reconcialiation (where we are really talking about a rec rather than an analysis) I would normally be looking for the following (as a minimum):
- has the reconciliation been formally prepared and signed off
- was it prepared timeously
- do the primary numbers obviously tie back to the source
- have the reconciling items been properly investigated
- are the reconciling items being appropriately corrected: is there an audit trail to the relevant journals, etc.
- are the reconciling items reasonably current
- is the rec formally reviewed/approved and signed off
5. Generally, where a control is key I think it is necessary to look at it each year. However, it may be possible for companies to design other controls that give assurance that key controls are being performed on a an ongoing basis - monitoring from a COSO point of view - which may involve things like process owner checklists and such like.
Notwithstanding all of the above, you have to ask the question "How do I want to see internal control embedded into my company?". The answer to this may help you decide whether you want to have visible regular testing or want to move towards a more monitoring/entity level set-up. _________________ "The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero
First, I have seen audits requiring 5 months for a monthly control, so do not reduce this number unless you have first discussed it with your auditors.
As for the testing of your account reconciliations, I think you can continue to get your assurance as to completeness of your reconciliation process, but reduce the review of individual reconciliations by using more of a Top-Down approach as suggested by the previous responders, but let me explain it a bit differently based on the approach I took on a recent engagement.
First, I believe it is a good idea to keep the completeness testing of your reconciliation process by creating a master list of all reconciliations required each month to be checked-in by the person maintaining the list. Checking-in needs to be done only if the reconciliation ties to the G/L balance and is signed off by the supervisor. This way, you can create a Key Controls test that selects a percentage of the reconciliations on the list and tests whether or not they were tied out and signed off by the check-in person. Note that this test does not include a review of the reconciliations, you are only testing to ensure that the reconciliation was properly checked off the list.
Next, instead of performing so many detailed reviews of reconciliations, if you use a Top-Down Risk Based Approach as recommended by the PCAOB in May 2005 (see details at their website or my website), you need only review reconciliations directly related to Key Controls. For example, if you eliminated Accounts Payable from your list of Significant Accounts during your scoping process, then none of your A/P accounts need to be tested for SOX compliance purposes.
In fact, I would not have review of reconciliations in general as a Key Control. Instead, I include review of the reconciliation for the Significant Account being tested as one of the tests related to the Key Controls over that account. This way, the reconciliation itself is not a pass/fail item. I may be performing 5 steps in the testing of that account and the reconciliation is just one of them.
There are many steps that can be taken to increase the efficiency of your compliance efforts. Unfortunately it generally requires you to take a totally different approach than the year 1 compliance approach. But in the long run it will save time and money. _________________ Lisa Vann, CEO
I am just raising this topic again as we look to streamline our approach to SOX testing (monitoring of controls).
I will add that our sample size for monthly controls is now 3, but it still seems that we are spending too much time "monitoring" our account reconciliation process where we have rarely found ineffective controls, and those being late preparation or review.
Any new thoughts on how to approach monitoring of account reconciliation controls?
Joined: Nov 25, 2004 Posts: 790 Location: London, UK
Posted: Wed Apr 10, 2013 9:34 am Post subject:
Been a while since I contributed to this forum
Anyway, in terms of monitoring I have seen several examples now of this working successfully - and one or two of it not!
The bad way is where rigour is taken away from the testing of controls in the name of "monitoring" but without properly embedded controls performed rigorously this just ends up being a bomb waiting to explode!
A more successful approach is one where the rigorous execution of controls is embedded in day to day processes.
In my post a couple above I refer to the sort of things I would expect to see at bullet point 4. If these tasks are properly embedded in the manager review process (which I have achieved through the implementation of checklists and comment boxes on reconciliation templates) then the control is effectively being "tested" every time it is performed. This gives you the foundation for your monitoring.
We have successfully implemented monitoring activities in things like month-end meetings, close checklists, etc that directly reference the key control activities, ensure they have been performed and consider KPIs/KRIs arising.
Hope this helps. _________________ "The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.