New Guidance and reduced testing part 2



  • Met with our auditors today and they told us that, despite all the direct and indirect entity level controls, they would need to see a self assessment process in place in all non-scope entities.
    Has anyone else experienced this? Perhaps Wrightlot?



  • Ours (KPMG) is not requiring that.



  • Met with our auditors today and they told us that, despite all the direct and indirect entity level controls, they would need to see a self assessment process in place in all non-scope entities.
    Has anyone else experienced this? Perhaps Wrightlot?
    They exceed their brief 8O
    They NEED to see no such thing. Perhaps you could resolve this by asking them to help you out by pointing out the section of the Auditing Standard that requires them to do this. 😉



  • Kymike.
    Our auditors are KPMG.
    I think that the majority of the problems that we are having with them are due to the fact that they are dictating what needs to be done, but as they are the Irish branch of the firm, only one team member has received SOX training on AS5. Apparently the partner and remainder of the team are not scheduled to receive training until October.
    Their concerns are that if an entity is not in scope, how do they know that sufficient activities are in place to verify that the location is low risk (this is in addition to detailed direct entity level controls provided to them in a presentation and 100 page report yesterday).



  • I am confused by KPMG’s stance here (there’s a surprise…). They are your auditors, aren’t they, so they should understand your business? Therefore they should already have their own clear risk assessment of each entity, etc. What would your documentation/evidence add to their knowledge base?
    I also assume that you are undertaking all this work because it will minimise their work. After all, they are no longer required to reach a conclusion on your evaluation but they have to do enough work for them to reach their own conclusion. Therefore if you (or more likely your CFO and CEO) are happy that the entities are low risk then that is sufficient for your own certification regardless of the auditors’ views.
    Then there’s the question of risk. You’ve evaluated the entities’ impact based on value and volume compared to the financial statements and found them to be immaterial? You’ve looked at likelihood of error based on historic activity and internal audit reviews? Therefore other than entity level controls there is no need for further analysis (unless of course an entity handles a risky type of transaction (derivatives perhaps) or business is growing significantly but I know you know that already).
    Finally what would a self assessment process prove? Guidance has been that this is the weakest form of evidence and requires some form of audit or QA to prove that it is being followed correctly each year. Thus you effectively bring these entities back into scope.



  • Kymike.
    Our auditors are KPMG.
    I think that the majority of the problems that we are having with them are due to the fact that they are dictating what needs to be done, but as they are the Irish branch of the firm, only one team member has received SOX training on AS5. Apparently the partner and remainder of the team are not scheduled to receive training until October.
    Their concerns are that if an entity is not in scope, how do they know that sufficient activities are in place to verify that the location is low risk (this is in addition to detailed direct entity level controls provided to them in a presentation and 100 page report yesterday).
    If I didn’t know that this is causing you a problem I would find it extremely funny.
    This is beyond absurd. Print off a copy of AS5 from the PCAOB website and point out the error of their ways.



  • When we provided our risk assessment to them, we entered quite a number of quotes from AS5.
    The only reason we are doing all this work right now is because we need to make sure that entities KPMG deem to be in scope are prepared for their arrival (most of the entities they want to test have not been subject to SOX testing before and therefore may not understand the level of documented evidence required).
    In our report, we reminded them that historically, none of the entities they want to include have ever had a significant audit adjustment.
    All we have to hope is that they actually READ our reports. I know for a fact that there were documents I supplied to them last year that they did not read (ARRGGHHH.)



  • Documentation can come in many forms… (per the SEC SOX guidance)
    Having controls in these entities documented to the same degree as in your normal SOX entities will only save KPMG some work (though it may save you some auditing fees). I am assuming that KPMG wants to look at controls around specific risks and not at all controls in the entities that they have not visited in the past. If you know what these areas are, you can prepare your team for the visits by letting them know what KPMG will be looking for related to controls. KPMG should understand that these entities are akin to the small businesses that the PCAOB and SEC mention when they note that the guidance around SOX should be scalable. Expectations should be different as to controls and control evidence in these locations than in your larger entities. Of course, I would expect that an entity of any size should have reasonable segregation of duties, regular account reconciliations that are reviewed, proper system access controls, proper controls over journal entries and the close/reporting process.



  • All the risk areas for borderline entities were discussed by KPMG and our risk assessment focused on these areas.
    All such entities have been warned that they must demonstrate documented evidence for all items documented on the reports.
    Scalability should definitely apply to these entities as some of them have only one or 2 persons in their finance departments (hence the detailed control maintained from HQ which the auditors have evidenced in the past).
    It’s really just a matter of waiting to see what they say. My concern is really that they may not read or consider our reports in full.

