Financial impact of deficient controls 1625



  • Hi there.
    For our corporates we /a local subsidiary/ are supposed to perform a quantification of the potential financial impact of a particular control that has been identified as either deficient in desing, or deficient in operating.
    The following is requested/instructed:

    1. gross exposure: a worst case estimate of the magnitude of amounts or transactions expososed to the deficiency with regard to annual financial statements and before considering redundant or compensating controls;
    2. expected financial statement impact: the expected exposure amount in case of booking any adjustments or potential exposure in case the deficiency would not be fixed.
      This is all we got. Great, huh?.
      Now, does anyone have an idea how am I supposed to estimate the gross exposure e.g. for a missing signature on a report for price/material variances? I mean, the one thing is providing theoretical examples, but when it comes to praxis and ongoing business, it turns out that the majority of the cases you face in your deficiencies are not stated anywhere as a representable example for computation of the financial impact…
      Is there any helpful white paper that provides a practical help on this matter? I am thankful for any hint.


  • This is an interesting question. One would think that when the processes and controls were selected as being in scope for documentation and testing that we would use a materiality limit in setting our scope. I guess that we do that, but only to identify those processes or controls (or accounts) where the worst-case scenario would be below a certain threshold.
    I do not see the value in trying to quantify the worst-case scenario for a deficient control without considering compensating controls. When evaluating deficiencies as of the end of the year (assessment date), compensating controls are considered.
    As a subsidiary, I would suggest going back to your corporate office and asking for additional guidance. If they cannot provide examples, how do they expect their subsidiaries to calculate the maximum exposure?
    I have not seen any written public guidance on this and do not expect to see any. It is akin to providing guidance on materiality. You will see very high-level legalistic language describing ‘material’ but no firm guidance (i.e., 1 cent per share; USD5MM, etc.).



  • Hi Minnie – This request might be related to gathering Risk Management assessments requirements in order to ascertain the most significant financial risks? The SOX compliancy team may be looking to severity (worse case scenario) and frequency (likelihood of occurrence). It might be worthwhile to clarify this with the requestor 🙂
    SOX Risk Management links
    google.com/search?hl=en-and-q=sox risk management
    Good past articles related to SOX Risk Management
    networkworld.com/columnists/2005/050205blum.html
    csoonline.com/analyst/report3082.html
    cisco.com/application/pdf/en/us/guest/netsol/ns625/c643/cdccont_0900aecd80380886.pdf



  • Hi guys.
    Thanks for your input.
    _at_kymike: Well, unfortunately we have not been allowed to work with materiality thresholds. Hence, all financial accounts are in scope and this is not faciliating the quantification of the potential financial impact of the deficient controls today.
    Also, I strongly disagree to assess the maximum exposure for a remediated control that has been tested and proven to be operating effecively already. However, we are expected to.
    _at_harrywaldron: I don’t think that risk management is what they are up to. That exercise should have already been done - we have just completed the first round of testing and are about to start the second one. 🙂
    I guess it remains a question of proper argumentation and personal judgement. But how significant is that…?



  • That’s a good point on the need for Risk Mgt to be completed earlier in the SOX implementation process. When I read the desirable items that needed to be captured, it seemed to tie in with what’s required more for the original Risk Mgt process, rather than where you all are at now.
    Maybe when Risk Mgt was originally done, the potential financial impacts weren’t quantified and maybe the external audit team is now requesting this information for documentation purposes? Given the dynamics and change associated with the business environment – Risk Management is always a good process to continue on an on-going basis.
    Sometimes SOX compliany requirements are tough to understand and subject to interpretation – that’s why we’re all members here 😉 If you are able to explore the intent of this further with the requestor this might help. If you need to complete these items, I’ve found that ‘brainstorming sessions’ are good to think outside the box and gather ideas.
    Good luck 🙂



  • Hey minnie
    Wanna know the gross exposure of a particular deficiency?
    Here is a tip( guess its usefull, twas for me though)
    identify the class of transaction that this deficiency would affect, say deficiency on account of payments happening despite lack of requisite signature on a voucher, try to identify all transactions that pass through voucher payments.
    Sum up the value of all such transactions for the previous year. Extrapolate the value of the same to bring it to the business outlook of the company( simple method of expense/ revenue for PY * estimated revenue of current year). There you have the gross exposure. :idea:
    was it clear?
    hope its useful :lol:



  • Firstly gross exposure should be a fundamental output from the Risk Management system; this should in turn cover all Operational Risks not just those relevant to SOX.
    Secondly, the example give about the payment process and the items without the approval signature is very misleading; what is described is not a risk but a control not working, the risk is incorrect or fraudulent payments. You cannot say that every payment that does not have an approval signature will be wrong or fraudulent, therefore what is proposed as a solution to estimating gross exposure is wrong.


Log in to reply