New Guidance and Reduced Testing 2088



  • I’m surprised by your answer EMM given that we have the same auditors. (Or perhaps I am not…) I agree however that there has been a lot more effort regarding scoping than in previous years.
    I also agree with Denis that there was nothing to stop you undertaking a risk based approach to SOX compliance before, the revised guidance just emphasises it more.
    Here are some thoughts/experiences I’ve found as a result of the new guidance:

    1. The PCAOB guidance steers auditors to place reliance on management’s work. Our auditors are citing international audit standards claiming that this is not possible, particularly for IT and have significantly increased the amount of work around IT.
    2. For non-IT, however, our auditors have worked closely with us and we have developed an approach where they attend our walkthrough and test of design meetings but then rely on our documentation, project management skills, etc. This has significantly reduced the amount of effort on the part of the auditor for SOX work.
    3. Risk assessment. We have made this more robust to enable us to firstly descope more processes but also to ensure we consider the financial assertion risks as highlighted in the revised guidance which can help in reducing the number of controls for testing. In addition we are now focusing on materiality and not scoping down to significant deficiency level.
    4. Testing. We reviewed the sample sizes and agreed these could be pared down. Low risk processes only require walkthrough e.g. sample size of one. Medium and high risk sample sizes depend on the finance assertion risk e.g. a medium process with high assertion risk would have the same sample size as for medium risk last year but for medium assertion risk the sample size might be half that.
    5. Direct entity level controls. Laudable but if controls already operated effectively then new controls were not introduced just because of SOX, there had to be merit in the control itself.
    6. Cost. Now that the auditor need not certify our approach our immediate reaction was to cut back on testing and rely very heavily on self certification. We have now gone the other way and ensured that we test according to the auditors’ standards so that they can rely on us as much as possible. In addition we have looked to identify opportunities where we can expand our testing to cover the financial audit as well so that the auditors can rely on our work without compromising their independence.
      Benefits to management as I see it are:
    1. More joined up thinking between the auditor and management
    2. Reduced testing because last year we had to ensure we met the auditors’ requirements but now that they’ve relaxed those and no longer test our approach, we can relax our approach.
    3. Cost savings.
      One last point, I found last week that our auditors have abandoned the medium risk classification. They only have high or low risk processes. I’ve yet to establish how that will impact our compliance effort.


  • Yes it is wrightlot.
    I think the difference is simply that we have a very risk averse partner and director on the engagement team. In addition, the old methodology applied to scoping would have picked up only 2/3 entities as full scope with others as being limited. This is because we have 2 entities that dominate our financial results with others being small ebusinesses acquired over the years.
    FYI - we received the following responses to the points that you made above:

    1. They do not intend to place any reliance on any of management’s work because this is the first year of attestation (we reported independently last year due to FPI accelerated filer exemptions). In addition, they have stated that because the audit is integrated (sorry if I am wrong here - I think it was always supposed to be integrated?) that they have to look at entities that require statutory audits.
    2. I have tried to contact our auditors for a kick off meeting since March. They met us for the first time 2 weeks ago and refuse to provide dates or estimated dates for testing (we have informed them that Phase 1 is already underway) until we provide ours.
    3. Scoping reports are definitely detailed and take a long time to prepare. We have been asked to consider significant deficiencies because of the risk that they may lead to a material weakness when accumulated. We have also been asked not to reduce our key controls to those giving rise to a material misstatement for the same reason.
    4. Sample sizes will reduce. We have been told that there is no longer such a thing as medium risk - only low or high risk. They acknowledged that they have a need to reduce their sample sizes as they have been higher than other audit firms over the last 3 years of adoption.
    5. Direct entity level controls. We were criticised for only having indirect entity level controls but most of these have existed in the format of our month end financial reporting process and controls.
    6. Cost - we anticipate this to increase to an amount higher than originally budgeted given the non-reliance on management assessments and the additional scoping that was not anticipated at Q1 (we had expected scoping to reduce).
      Benefits: a risk based approach is more realistic than quantifying locations to be included in scope. Due to the additional work required and late notification of our auditors’ intentions, I cannot see any other benefits at present.


  • Couldn’t resist replying. I find it ‘interesting’ when different partners from the same big four with access to the same technical support can come up with so diverse opinions.

    1. Yes they were always supposed to be integrated although I think for US companies there was a period when SOX and Stat Audit were distinct from each other. Where you appear to be at a disadvantage is that you have no prior year to compare to whereas we were able to see the true cost of SOX by comparing before and after and target that for cost reductions. In truth, if they are doing a properly integrated audit, then there should be no additional testing for high level year-end controls and there should be very little difference between the key systems feeding into your accounts and those you think are in scope for SOX.
      I think their argument that this is your first year is an irrelevance. We had no such discussion with our auditor and now that the guidance encourages such reliance wherever possible the cynic in me can’t help but wonder whether they are just looking at the fee income.
      Our first year meant we had to sit down with our auditors and discuss how we worked together. This year has reinforced that and perhaps that first year provided greater reassurance but reliance was still placed on our work. This does however depend on your testing methodology. Self certification will work for you as a cheap solution but they cannot rely on it. Specific sample testing is more work for you but they can rely on that. When they are charging over GBP1k VAT per man day I often look to see if aggregate savings can be made.
    2. Who is paying the fees?
    3. Scoping is tough but I have put together a structured and defendable process using risk measures based on value, volume, inherent risk, likelihood, etc that means the final score ratings are robust and avoids all this document writing.
      Their steer around material weakness is plain wrong. You should risk assess against materiality not any other measure. As you test, if you find gaps, errors, etc you start to aggregate the effect of these errors to see if they are material together. I would argue that the revised guidance is clearly steering auditors to focus at the material weakness level and not the significant deficiency level.
    4. Direct entity level controls seem to be the rallying cry of this big four. Having indirect entity level controls is not wrong, it just means that for specific controls you probably have to go down to transaction level. Transaction level testing requires more effort because your sample size is probably greater. I still do not believe having direct entity level controls for the sake of SOX is the right approach - as an idealist maybe yes but as a pragmatist and budget holder then no.
      Let me know if you’d ever like to touch base with me and discuss this in more detail. I’d be happy to compare notes and give examples of our approach or just to confirm whether you actually are being treated differently by our common foe.


  • I’m inclined to agree with you on every point wrightlot.
    I’m loath to give out personal details due to confidentiality etc, but will definitely try to contact you at some stage from the forum.



  • What we were told was that when examining each account in each location, you have to consider misstatements at a lower level than materiality. Therefore, you need to verify 0.25% of profit before tax as the misstatement risk threshold.
    http://iacmusic.com/Uploads/Motorpsychos_-_bullshit.gif



  • I think the difference is simply that we have a very risk averse partner and director on the engagement team. In addition, the old methodology applied to scoping would have picked up only 2/3 entities as full scope with others as being limited. This is because we have 2 entities that dominate our financial results with others being small ebusinesses acquired over the years.
    That should be his problem and not yours.
    FYI - we received the following responses to the points that you made above:

    1. They do not intend to place any reliance on any of management’s work because this is the first year of attestation (we reported independently last year due to FPI accelerated filer exemptions). In addition, they have stated that because the audit is integrated (sorry if I am wrong here - I think it was always supposed to be integrated?) that they have to look at entities that require statutory audits.
      That’s not a valid reason for not placing reliance. Either they are not satisfied with the independence and quality of the work or they are not.
      As for statutory audits, they NEED to look at entities only for statutory purposes. It is quite conceivable that an entity that requires a statutory audit is out of scope for SOX - we have many. The only entity that needs to be in scope for SOX is the one listed in the US.
    2. I have tried to contact our auditors for a kick off meeting since March. They met us for the first time 2 weeks ago and refuse to provide dates or estimated dates for testing (we have informed them that Phase 1 is already underway) until we provide ours.
      That’s just plain ignorant.
    3. Scoping reports are definitely detailed and take a long time to prepare. We have been asked to consider significant deficiencies because of the risk that they may lead to a material weakness when accumulated. We have also been asked not to reduce our key controls to those giving rise to a material misstatement for the same reason.
      Management is obliged to determine the level of review/testing that supports their assessment - not the auditor. If they are not going to rely on your work why would you accommodate them?
    4. Sample sizes will reduce. We have been told that there is no longer such a thing as medium risk - only low or high risk. They acknowledged that they have a need to reduce their sample sizes as they have been higher than other audit firms over the last 3 years of adoption.
      As per my answer above, management assesses risk however they want within their own defined approach. And the auditors do likewise.
    5. Direct entity level controls. We were criticised for only having indirect entity level controls but most of these have existed in the format of our month end financial reporting process and controls.
      Direct entity level controls CAN be used to remove assertion-level controls from scope if sufficiently precise. If you don’t have them it is only a missed efficiency, it is not a compliance process. If you do have them but they’re in your period-end processes then your auditors need to be a bit less dense - after all we pay for them to be highly skilled practitioners do we not?
    6. Cost - we anticipate this to increase to an amount higher than originally budgeted given the non-reliance on management assessments and the additional scoping that was not anticipated at Q1 (we had expected scoping to reduce).
      Challenge them on this - potentially competitively 😉


  • I totally agree with you on all of this Dennis.
    Unfortunately the powers that be on the board of Directors seem unwilling to change firms right now, and, as I am the only SOX specialist in the group, I don’t really get much support…
    Seriously thinking about leaving there…



  • I do agree that the revised guidance just emphasizes what we did last year (which was my first)… no change in methodology.
    But, we are thinking of reducing sample sizes for low risk areas and using just walkthroughs in some areas.
    I had a roundtable with PwC last week and they are focusing on company level controls (as mentioned by WrightLot, Direct entity level controls), which we did not test last year.

    1. Does anyone know why IT is different???
      The PCAOB guidance steers auditors to place reliance on management’s work. Our auditors are citing international audit standards claiming that this is not possible, particularly for IT and have significantly increased the amount of work around IT.
    2. SEC Guidance is too generic. In my opinion, management will still be following PCAOB Standards and external auditors’ methodology.


  • I’m not clear on point 1 and what your auditors have told you Ricardo.
    Did they cite which audit standards they were referring to?



  • I didn’t find anything.
    This was first mentioned by WrightLot (above). I personally disagree with this point.



  • Ricardo, the statement I made was taken from my external auditor and shows the ‘fun’ I am experiencing. I also do not think that the argument is any different for IT audit than for non-IT, the same standard (APB Ethical Standard 1) applies to both areas. A cynic might argue that this, along with the arguments EMM is encountering, is an attempt by the auditors to justify maintaining their fee level post the SOX revisions.
    PLEASE NOTE that this appears to relate to those of us based in the UK and Ireland where there seem to be stricter rules about auditors’ reliance on the work of others. Therefore for us it is finding the right balance between adopting the reliance encouraged by the PCAOB and ensuring that auditing standards are not breached. I cannot speak for the rest of the world where audit standards may have a different emphasis.



  • WrightLot, I have worked in PwC for almost 8 years, and all of their worldwide methodology was based on the ISA (International Standards on Auditing) and also COSO.
    According to all the Big (Last) Four employees I have met, the focus will be reducing the number of key controls based on risk assessment (approximately 40% reduction), and their fees will still be the same… Reducing work, but not the fees.
    Risk assessment = professional judgment.



  • Ricardo.
    The auditor firm we are referring to is KPMG.

    I am a PwC alumnus myself and worked on several SOX audits under the old AS2 rules.
    Wrightlot and I are simply comparing notes because we use the same audit firm and one would assume that those who received training in the UK offices would have received similar training in the Irish offices.



  • Thanks for the reply.
    My company has already changed to KPMG. I hope they pass very far from Ireland…

