Here's the issue. We need to determine what our threshold for Significant Deficiency is. Actually, we've defined it, but our auditors are suggesting it's too high... but not providing any rationale for their reasoning.
Anyway, here is what we've calculated. Any comments on any of the numbers will be appreciated.
Please note, for the purposes of this post, I am not considering the "qualitative" factors that could result in a Significant Deficiency or Material Weakness. We are, of course, considering these in our project!
Company is forecast to make $1.4 billion after-tax earnings. Stable company, so let's assume that is a reasonable figure to work from.
Using the "rule of thumb" we've identified our materiality as 10% of after-tax income, thus $140 million. To take into account the potential for unidentified errors we'll reduce the $140 million and take only 70% of materiality to arrive at $98 million, but for ease we'll use $100 million as our materiality amount.
Therefore any error that could result in a misstatement of ≥ $100 million will automatically be considered a material weakness. This is also essentially the same as what our auditors have defined as financial statement materiality.
Now we need to determine what a significant account is and what would constitute a Significant Deficiency. Using the "Framework for Evaluating Control Exceptions and Deficiencies" (p. 15) we find that misstatements ≥ 20% of overall annual financial statement materiality (the $100MM calculated above) are defined as "more than inconsequential" and therefore are classed as a Significant Deficiency.
20% × $100mm = $20mm
We have then taken this Significant Deficiency threshold of $20mm and used that as our scoping number. Any account with a balance of less than $20mm, or that does not have the potential to cause an error of $20mm or more, is determined to be immaterial.
$1,400mm after tax earnings
$100mm materiality level / material weakness threshold
$20mm significant account / significant deficiency threshold
Our auditors are suggesting the $20mm be reduced to $5mm. They do agree with the $100mm materiality level.
Any comments??? Anyone willing to share their numbers???
All thoughts and comments appreciated.
We were told it should be in the few millions, separate or aggregated together. External Audit will not give you a specific number as there are varied factors that come into play... It's an analytical dream area...
Separate: 1 to 2 hundred thousand, depending on the exception and risk (low, med or high). Then play in the Management Response the Potential Magnitude: Impact is Low, Likelihood is Low. Magnitude of the impact is minimal. Then there is the Complementary or Redundant Controls:
Compensating Controls, then there is the Conclusion: "The control is ineffective; however, compensating controls will prevent any impact to financial statements." After all that....... BUT then you get into aggregating all the exceptions (or deficient controls) and play the game again....
Aggregated, we play by a few million; separate, a few hundred thousand.... You can also throw back to external auditors the legal mumbo jumbo they like:
"Considering the overall compensating controls (described below) and the de minimis magnitude of the potential error as described above, further mitigating controls provide additional assurance that this control deficiency results in no more than a de minimis impact to the financial statements. The following control strongly mitigates any potential error"..... enjoy
We have been using 20% of materiality to quantify "inconsequential." This was derived from "A Framework for Evaluating Control Exceptions and Deficiencies" Version 3, December 20, 2004 (see Terminology section). I thought this was pretty straightforward based on reading the framework, so I'm surprised to see this becoming an issue. What is the basis for your auditors refuting the 20%?
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters.