Process Narratives



  • Our company has only recently begun drafting the descriptive narratives for each of our various processes (payroll, shipping, accounts receivable, etc). We’re finding that we do not know how much detail would be considered too much. The conventional wisdom is that ‘the more the merrier,’ but we do not want to waste our time or efforts. We’re also finding that our current ISO procedures are not nearly up to SOX standards so they will not be much help.
    If someone knows of a reference that would help us along the way, I’d really appreciate the assistance. Does anyone know of any templates or lists of best practices that we could use to begin our various process descriptions?
    Thanks.



  • Hi Albie - This is more of an ‘art than science’. If you can touch base with audit that might provide guidance (esp. external auditors handling SOX for your company). You might use the search button at the top of the page and enter documentation as a keyword to find any history here.
    In general documentation should be:

    1. Complete - fully describe the process
    2. High-Level - You want to see the forest for the trees (e.g., avoid too much detail)
    3. Easy-to-understand - Avoid complex or special terminology where possible (KISS principle)
    4. Static - So that it doesn’t become out-of-date (e.g., reflect positions not people’s names)
    5. Standard - Develop overall standards, so that if multiple folks are authoring it has the same look-and-feel as if one person wrote it.
    This seemed to be one of the better articles related to documentation
    Please add www - paste to browser
    s-ox.com/Feature/detail.cfm?articleID=884
    General Search
    Please add www - paste to browser
    Note - Many of these links are vendor based solutions
    google.com/search?q=sox documentation requirements
    A few additional articles
    Please add www - paste to browser
    osta.org/oss/sessions/Eric_Vorst.pdf
    dbazine.com/ofinterest/oi-articles/mcquade2
    auditserve.com/articles/email57.htm
    No www needed - paste to browser
    en.wikipedia.org/wiki/Information_technology_controls


  • Harry - As always, you’ve provided a plethora of information at the right price. Thanks. I was particularly interested in your advice to ask our external auditor for process guidance. Who better guide us than the folks who will be auditing us?? Great advice.
    However, it’s interesting that you say that we shouldn’t go into too much detail. The few former auditors that we have working for our company tell us that we can never have enough detail in our descriptions of processes…



  • it’s interesting that you say that we shouldn’t go into too much detail.
    Hi - There I might be thinking as an IT professional, where we tend to go into file names, program names, bit-and-bytes, etc … You know how we are sometimes 😉 🙂
    You definitely want to cover the topical area well, yet not make it so highly detailed that minor system changes would invoke SOX-related documentation changes. I think as you write documentation for anything, you want to convey understanding to your audience and have an optimal balance where you cover the subject well, but not be too elaborate or folks won’t read it, they’ll go to sleep, or get lost in the details.
    I’d definitely favor having too much documentation than too little. Still, if you can avoid being verbose and cover the topic well, that’s my kind of documentation.



  • Hi,
    To add to the feedback, I would encourage you to develop a high level risk assessment first, before developing SOX process documentation. By assessing risk for each of the significant cycles, ranking the processes/sub-processes based on SOX relevance and relationship to Internal Controls over Financial Reporting (ICFR), you might have significant opportunity to reduce your documentation efforts.
    The results of the risk assessment can be used to help you to categorize the cycles/processes/sub-processes by importance (as it relates to ICFR) and those that have little/indirect relationship to financial reporting, should not be documented or documented in minimal detail at most. You can categorize as Tier 1, Tier 2, and Tier 3.
    For example, Tier 1 would be critical to financial reporting and would be documented by developing a process narrative. Tier 2 might be documented by simply preparing a high level process flow and identifying key controls that would be tested in the assessment of the tests of operating effectiveness. Tier 3 would not be documented or summarized. At most, you might consider the controls in the aggregate if they have a bearing on financial reporting.
    The recent PCAOB guidance and proposed AS No. 5 evidence the move away from documenting all controls at the process level. Rather, it is suggested that a company should follow the top-down approach and may support the SOX compliance efforts and level of detail adopted by preparing a risk assessment. This approach is more efficient, less costly, and if done correctly, reduces more risk in financial reporting since a consideration of risk is directly linked to the ICFR and the financial statement assertions.
    Good luck,
    Milan



  • Proposed AS5 seems very significant to me and I am surprised not to be hearing more buzz about it. My company’s fiscal year end is 09/30 so I am in Q1 and looking for direction on how to approach our current fiscal year’s SOX compliance.
    What are you hearing about how proposed AS5 will impact SOX compliance efforts?



  • Hi Darwin and welcome 🙂
    As we say in southern Virginia, you can’t count your chickens until they hatch 😉 However, if all goes well maybe AS-5 can provide some of the sought-after relief on some of the more vague and nebulous requirements related to SOX 404. Here’s hoping they do a good job and that it doesn’t get quagmired.
    Several good articles found in general search
    Please add www and paste to browser
    google.com/search?hl=en&lr=&q=Sarbanes-Oxley AS5
    Please paste to browser as www is not needed on this good blog commentary
    mydailyfatwa.blogspot.com/2006/10/bloomberg-says-paulson-in-drive-to.html
    … Public Company Accounting Oversight Board is in the process of drafting a new Audit Standard 5, which will take much of the pain out of Section 404 of the Sarbanes-Oxley Act. This new AS5 may well be out by December. That, combined with new SEC deregistration rules (which likely will be released at or before the new AS5 is) will make it difficult for foreign issuers to complain about the costs of Sarbanes-Oxley. The costs of implementing Section 404 (the provision on internal controls) will drop, and, if you don’t like it, it will also be much easier to get out of the American market.



  • Hi,
    The new auditing standard, AS No. 5, will have immediate impact on any company that has already complied with SOX and those that are in their first year.
    I listened to the PCAOB Forum (the transcript or streamed audio might be available online, though I am unsure), read through the materials posted on the PCAOB website and SEC website, and from these, prepared a comparison table to determine the changes and implications due to the elimination of AS No. 2, related Q&As, and adoption of proposed AS No. 5.
    In my opinion, I think that any professional practitioner can take immediate action to reassess compliance efforts and consider adopting a risk-based, top-down approach. The May 2005 guidance from the PCAOB initially proposed the top-down approach and from the recent changes, clearly reaffirms this strategy recommended by the PCAOB to plan, perform, and assess controls for compliance with SOX.
    Some suggestions:

    • Read the info from the 2 websites noted above and develop an understanding of the significant changes as applicable to your company.
    • For each focus area, assess your current compliance initiatives and determine if you can benefit from the various proposal items with regard to reduced documentation, by limiting testing to key controls only, eliminating unnecessary documentation over non-significant areas, and efforts to document management’s assessment of the ICFR. Note that the PCAOB explicitly stated that the auditor will no longer be required to render two opinions. Thus, it will not be necessary to prepare the related documentation for the opinion now eliminated.
    • Consider performing a risk assessment to aid you to further reduce your compliance efforts. It is not necessary to document and test all controls, particularly at the process level. Instead, realign your compliance strategies to place more emphasis on tone at the top, leveraging any efforts to address internal control issues from previous years, and place greatest resources on the controls having direct impact on financial reporting.
    • Meet with your auditor in the next month after they have had opportunity to digest the recent changes and discuss your proposed compliance initiatives and get feedback from the auditor if your new strategies will support their annual assessment and testing action plans.
    • If you have time, you can wait for a ‘standard’ to be adopted by similar practices being taken at other companies. However, I would encourage taking a more proactive role.
      In the end, if the spirit of the new guidance is adopted, the process of getting there is unimportant. What is important is that the stakeholders, auditor, and others can reasonably rely on your financial reports.
      Just my USD0.02.
      Milan


  • I have been on holiday the past week and will be next week as well. I plan on reading through all of the guidance next week so that I can start thinking about how I think that it applies to my company.
    Since I have only read the headlines, I can’t give any specific guidance at this point in time, but I can say that I have not seen any reported material weaknesses due to inadequate process documentation. This means that your process narratives should be written based on your comfort level. You do want to provide whomever will be writing these with a standard template to complete.
    Our standard template includes a summary overview of the process, a list of who is involved in the process (we list name and title in a table and then only reference titles in the narrative - this makes it easier to update in the future when staffing changes occur), a detailed process narrative, a table of IT systems related to the process, a SOD table to show that we do have proper SOD. I will note that the detail narratives range from very wordy to near bullet-point, based on who developed them.
    Bottom line - whatever level you document processes at will be OK. Just make certain that you have a standard list of what needs to be addressed in each narrative.



  • Thanks again for your assistance, guys 🙂
    Does anyone know anything about the product put out by Thomson Publishing called ‘Internal Control and Fraud Protection on Checkpoint’? I’ve heard that this product might be useful in drafting narratives and/or modifying controls. It’s designed for auditors, so I’m wondering whether anyone (non-auditors) has first-hand experience with it.

