What Happened?



  • G’day.
    I’m lead on the SOX testing (IA) in a Canadian company which must comply with SOX for 2005. We’ve completed our documentation and ‘draft’ testing for 2004 as a quasi dry run for the real thing in 2005.
    I was wondering if anyone from the U.S. would be able to identify areas where their external auditors have identified issues. I’m not looking for specifics (unless you want to provide them) but rather areas that I’d better concentrate on. Our ext auditors have been useless (we initiated discussions in early 2004 and they are just getting back to us) and I’d really like to know where the firms are finding issues… 11 months to our sign off…
    I’d be REALLY grateful for any info you care to share…
    Chris.







  • If you hang on another 3 or 4 weeks you’ll see all the US 31/12/05 filings becoming public.



  • Yes, that is true.
    I guess I forgot to mention that I’m impatient.



  • Take a good look at your general computer controls, especially user rights in regard of segregation of duties. That’s quite a painful area, at least what my experience has taught me so far. And a difficult one for the external auditors to test due to their (often) lack of specific knowledge in this area, so make sure you can provide them with the transparent documentation on this issue. Good luck.






  • Give everyone a heads up to ensure everything is documented properly. For example, if a control is that a reconciliation is reviewed by an independent person, that review should be documented by sign-off, signature, etc. A 3rd person needs to be able to come in and verify that every step of a control was performed. ‘If it’s not documented, it’s not DONE.’



  • I agree with both of the responses. Our biggest problem with our external auditors was general computer controls - especially at our subsidiaries. You must have controls on system access and be able to document those controls - very difficult with software packages. And don’t forget to document the COSO elements of general computer controls as well - control environment, risk assessment, information and communication and monitoring - the documentation of the general computer controls themselves will address the activities component.
    The largest number of deficiencies we had related to documentation - although we documented where our controls were and what they were - we failed in many instances where people were supposed to sign off on things. For example bank reconciliations were prepared, but not signed off on by the preparer or reviewer - that’s a fail, even though the reconciliations were done and done timely. So have everyone review every control they have identified - and anywhere where you say you have someone reconcile anything or review everything, make sure they initial it or sign it and date it. Even on spreadsheets.
    One of the biggest arguments we had with our externals was in bank reconciliation timing. They want the reconciliations prepared by the 15th of the month - we said as long as we had them done by the end of the month to be able to book anything that might be found was sufficient - they disagreed strongly. You have to hold your ground - and agree to disagree on certain things.
    Although we had no material or significant deficiencies, we did have numerous deficiencies which we were afraid would add up to a significant - but fortunately it did not.
    Another area we did not focus on until the very end was controls around consolidation of the financial statements and controls around the reporting in the Notes to the Financials. You may want to do that now so you have plenty of time to test those things - what you are looking for here is completeness and accuracy - controls over what you are reporting covers everything and is accurate.
    Good luck.



  • One of the biggest arguments we had with our externals was in bank reconciliation timing. They want the reconciliations prepared by the 15th of the month - we said as long as we had them done by the end of the month to be able to book anything that might be found was sufficient - they disagreed strongly. You have to hold your ground - and agree to disagree on certain things.
    Would tend to agree that these should be done more quickly - from a best practice point of view - but that does not make it a SOX fail, it just has to fit in with your Financial Statements Close Process.
    It’s a good point though about what is required in a reconciliation. It is not just enough for it to be prepared but it does have to have been reviewed/authorised by someone independent of the preparer. Furthermore, I would also be looking for some follow-up action and/or adjustments in relation to reconciling items.



  • I know that the auditors request this evidence of reconciliation, but let’s be honest… does a signature provide sufficient evidence for having really reviewed that document??? I don’t think so… Yes, they (the auditors) will test it in order to see whether it has been done properly and that would deliver them the evidence for the real reconciliation process and its effectiveness, but it brings me to question, why do we need to sign it off anyway when even the AU No. 2 states that the signature alone is not evidence… it makes people furious, is time consuming and totally inefficient.



  • The real evidence of the reconciliation having been carried out properly is whether the reconciling items have been resolved 😉



  • Denis is right on assuring that reconciling items are taken care of - TIMELY. For us, that means within 2 months of first appearing on the reconciliation list.
    While a signature does not ensure that the reviewer actually reviewed the document, it does pass on a level of ownership and responsibility for that document to the reviewer.
    We found that evidence of certain actions being performed was lacking. Instead of creating more bureaucracy by requiring more in-process documents to be retained evidencing review and action based on the review comments, we agreed with our auditors on the use of checklists that listed monthly close steps that need to be performed every month and sign-off on the checklist as indication that the step was considered or performed.



  • Wow, thank you for the replies.
    We are definitely looking for evidence that the control was carried out - yes a signature or initial is not proof but sometimes it’s all you’ve got. We’re looking hard for the result of the control… such as the correction of a reconciling item as mentioned above.
    I appreciate your input.
    Chris

