Another Scoping query - help. 1952



  • Hi,
    I know this has been discussed before but I need to clarify what happens if an entity falls into scope at the very last minute.
    We have performed scoping exercises on a quaterly basis with the last one 3 weeks ago based on the first draft consolidation for group. Nothing unexpected cropped up so testing has been ongoing as planned.
    I have just been informed that one of our entities has had a recent recharge into deferred tax assets and therefore it now meets the 5% assets and 5% revenues thresholds.
    what happens in these situations, where the company doesn’t even have the resources to start testing because up to now, the company was not in scope?



  • Scoping is always a subjective exercise and the threshold should only be seen as a guide.
    It is worth remembering that per the PCAOB 'it is the responsibility of management, not the auditor, to determine the appropriate nature and form of internal controls for the company and to scope their evaluation procedures accordingly '.
    One could argue that a deferred tax asset would not be enough, on its own, to require you to bring a company into scope. That you have triggered an internal threshold requires you to do something - to demonstrate that you are, indeed, following your own framework - but several options would be possible.

    1. You recognise that you have exceeded the threshold but management make an - informed - decision to leave it out of scope
    2. You bring it into scope - but for the next fiscal year
    3. You bring it into scope immediately
    4. You perform a limited scope review on a few key accounts e.g. deferred tax
      Obviously you have a resource issue for Option 3 but the others would all be a valid approach with the auditors.


  • Hi,
    In addition to the implementation guidance from Denis, the following SEC Guidance (Note 1) might also be beneficial:
    Question 3 Q:
    If a registrant consummates a material purchase business combination during its fiscal year, must the internal control over financial reporting of the acquired business be included in management’s report on internal control over financial reporting for that fiscal year?
    A: As discussed above, we would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities. However, we acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment.
    In such instances, we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting. If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements.
    Notwithstanding management’s exclusion of an acquired business’s internal controls from its annual assessment, a registrant must disclose any material change to its internal control over financial reporting due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies (*also refer to the last two sentences in the answer to question 9).
    In addition, the period in which management may omit an assessment of an acquired business’s internal control over financial reporting from its assessment of the registrant’s internal control may not extend beyond one year from the date of acquisition, nor may such assessment be omitted from more than one annual management report on internal control over financial reporting.

    • …This would also include disclosing a change to internal control over financial reporting related to a business combination for which the acquired entity that has been or will be excluded from an annual management report on internal control over financial reporting as contemplated in Question 3 above. As an alternative to ongoing disclosure for such changes in internal control over financial reporting, a registrant may choose to disclose all such changes to internal control over financial reporting in the annual report in which its assessment that encompasses the acquired business is included.
      Note 1: Source - Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports Frequently Asked Questions (revised October 6, 2004)
      Hope this further helps,
      Milan


  • Note that the guidance that Milan references is only for new acquisitions, not previously-consolidated entities where the magnitude of the balance sheet or income statement changes during the year.%0AI agree with the guidance that Denis provided. I would tend to lean towards limited scope for the entity that is now GT 5% of assets and revenues by adding in procedures around taxes and maybe revenues.



  • As in general business rules, there are no ‘absolutes’ and the guidance that was proposed was suggested to demonstrate that management has latitude regarding scoping due to a previously considered out of scope entity becoming in scope within the same year or very near the date of SOX assessment.
    The SEC states, ‘…We acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment.’
    This statement can be interpreted to also provide management with some discretion about the extent of testing for an in scope process or entity. Further, I would suggest that it might be possible for management to conduct limited tests of controls for a unit that reaches the scope materiality threshold during the year.
    In short, I suggest that you might be able to perform limited tests of controls near year end for the newly considered in scope entity and it will not be necessary to have performed quarterly tests of operating effectiveness throughout the entire year.
    However, performing limited tests of controls due to new knowledge is quite different from performing limited tests of controls or performing none at all due to resource constraints. The former seems to be the practical and more importantly. the defensible approach to discuss with the auditor.
    Before proposing the guidance, I researched this issue carefully and found that several sources noted that the SEC treats scope matters occuring throughout the year similar to that as would be treated for a new acquisition. Furthermore, one guidance specifically cites the Q-and-A noted in my original reply as support to follow the prescribed approach when an entity becomes in scope during the year.
    Milan



  • Before proposing the guidance, I researched this issue carefully and found that several sources noted that the SEC treats scope matters occuring throughout the year similar to that as would be treated for a new acquisition. Furthermore, one guidance specifically cites the Q-and-A noted in my original reply as support to follow the prescribed approach when an entity becomes in scope during the year.
    Milan
    Could you please share the Q-and-A guidance that you refer to above? I am not doubting your word on this, but rather would like to reread this (assuming that I have read it at one time) to refresh my understanding of the guidance.



  • Thanks guys. This makes me feel a little more at ease…
    We had been treating the entity as limited scope for Fixed Assets and the deferred tax element would have been tested within HQ as this function is centralised from here.
    I was just a little worried about trying to ensure that other significant accounts previously not determined as in scope would have to be reviewed as that would mean testing approximately addtional 80-100 controls.
    I think we need to argue our case with our auditors. They have enforced certain locations into scope on the basis of arguments from PCAOB guidance in relation to other entities this year, so it is really a matter of arguing the point that management are not required to follow PCAOB Audit standards in the same ridgid manner that is required for Ext auditors.
    EMM



  • Hi,
    Glad that with the combined feedback from all, the information was helpful. Good luck in your discussion with the auditors. In my opinion, all auditors are reasonable, some more than others.
    As for the reference to the guidance proposed earlier, ‘Source - Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports Frequently Asked Questions (revised October 6, 2004)’
    Milan



  • Milan,
    I am not coming to the same conclusion that you are regarding the exclusion of a consolidated entity from the scope of IC evaluation if changes in the business cause it to now become in-scope in the current year. I believe that the SEC guidance was specific to newly-acquired entities. If you refer to question 19 of the same publication, you will see the following language (emphasis added)-
    Item 308 of Regulations S-K and S-B, 17 CFR 229.308(a)(3) and 228.308(a)(3), states that management’s annual report on internal control over financial reporting must include a statement as to whether or not internal control over financial reporting is effective. While the staff will allow the exceptions outlined in Questions 1, 2, and 3 above, the disclosure requirement does not permit management to issue a report on internal control over financial reporting with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in their report that internal control over financial reporting is not effective. Further, management is precluded from concluding that the registrant’s internal control over financial reporting is effective if there are one or more material weaknesses in the internal control over financial reporting.
    Question 3 referenced in the quote above relates to acquired entities and the ability to exclude them in your IC evaluations in the current year.
    I think that the general guidance here is to perform limited procedures on the high risk controls, not all controls, for the entity that is now in-scope.



  • Mike,
    We are actually of the same opinion as I did not say that the company could or should exclude the entity from scope consideration since it became in scope during the year.
    I simply suggested that as an alternative to conducting full tests of controls, the company (after concurring with the auditor) could perform limited tests of controls. Thus, the auditor would not be precluded from assessing ICFR due to a scope limitation. Additionally, management would not need to conduct comprehensive tests of controls for the in scope entity based on the new information.
    The concept of performing limited tests of controls for the high risk areas has been promoted by the PCAOB since their guidance on 5/19/05, when it was suggested that a risk-based approach was not only acceptable, but effective to reduce performing unnecessary tests of controls.
    So respectfully, I disagree with you that we do not agree. …Talk about a paradoxical conclusion.
    Milan



  • So easy to tie yourself in knots over this stuff isn’t it :lol:
    Mike - whilst management’s assessment - i.e. the report in the financial statements - is not allowed to contain a scope limitation, Management are still allowed to define the scope of their work.



  • Hi,
    To add to the previous comment, it might also be helpful to note that some companies adopt the following strategy during the scoping exercise:

    • Define scope based on the materiality threshold and run it by the auditor to ensure consensus of areas for process documentation and tests of controls.
    • Each of the significant cycles is ranked according to significance to financial reporting and a ‘tiered’ approach is used to determine the level of documentation and extent of controls testing conducted within that cycle.
    • Areas that are ‘borderline’ or are not considered in scope due to less than the threshold amount, are documented (high level only) and perhaps, limited tests of controls are performed.
      By adopting this approach, you are technically not excluding an area for scoping purposes, but developing a less comprehensive SOX documentation set and performing only limited tests of controls for areas that are not critical to financial reporting or that may have become within scope during the year.
      As noted earlier, a scope limitation does not result and the auditor is not precluded from performing the SOX assessment.
      Hope this further helps,
      Milan


  • That definitely helps too, as the kind of locations that come into scope at year-end can tend to be the ones that were orignally borderline (but were supposed to be monitored carefully to avoid such risk).%0A I have received confirmation from our lawyers on this since I posted my query, and they referred back to SEC interpretive guidance following the first roundtable review in May 2005 . This interpretation reinforces that scoping should not only be a quantitative, but also qualitative, and that a %percentage threshold should be more of an initial review rather than the end result.%0AEMM



  • In discussing scoping with consultants, we’ve learned that most auditing firms now request formal ‘scoping memos’ from their clients which clearly outline the client’s efforts. These memos serve the purpose of memorializing the client’s defined materiality thresholds and other relevant assumptions that theywill take into account during their compliance efforts.
    My question to you all: is there some sort of standard template that is used in drafting this scoping memo?
    Thanks.



  • Our scoping document from year 1 was about 30 pages in length. In it we covered -
    Responsibility of management for SOX
    Project management of documentation / testing efforts
    Materiality determination
    Process for determining locations / accounts / processes to be covered
    IT coverage
    Spreadsheet controls
    Entity-level controls
    Use of COSO
    Fraud considerations
    How we were to evidence our controls effectiveness through testing
    Our plan for tracking and following up on control deficiencies
    Sample sizes
    Use of external service providers
    Basically, it is a definitional document. Much of the language was lifted from SEC / PCAOB / COSO literature. Once prepared, we have referenced the original document in years 2 and 3 with 1-2 page summary scope documents listing any changes to our approach.



  • We got a template from our external auditors that would link directly into our consolidated accounts for the threshold calculations.
    Any memos that have recently been generated to support deviations from threshold criteria have been written up by ourselves and cross referenced to SEC reports.
    Our may find something on Protiviti’s website - knowledgeleader.com. It has a lot of useful tools an templates


Log in to reply