Management Discussion and Analysis 65



  • What position is everyone taking regarding the MD_and_A included in SEC filings - in or out of scope for SOX 404? Since this is not audited information, can we assume that it is outside the scope of 404? What about other unaudited information included in the 10K? We are currently excluding all unaudited information from the scope of our documentation.
    If anyone feels that unaudited information should be included in the scope of 404, can you point to definitive literature that leads you to believe that this information is within the scope of 404?



  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • Out – its not part of the FS or disclosures. Its unaudited information.



  • The requirements of Sarbanes-Oxley with regard to control environment are not limited to ‘audited’ statements. In fact, there is substantial language suggesting the need for a broadly conceived controls environment that will help companies manage a wide range of risks. The PCAOB release of March 9, 2004 specifically lists the following as components of management’s assessment of internal control:
    from Page A-12
    Generally, such controls include:

    Controls over initiating, authorizing, recording, processing, and
    reporting significant accounts and disclosures and related
    assertions embodied in the financial statements.
    Controls over the selection and application of accounting policies
    that are in conformity with generally accepted accounting principles.
    Antifraud programs and controls.
    Controls, including information technology general controls, on
    which other controls are dependent.
    Controls over significant nonroutine and nonsystematic
    transactions, such as accounts involving judgments and estimates.
    Company level controls (as described in paragraph 53), including:

    The control environment and
    Controls over the period-end financial reporting process,
    including controls over procedures used to enter transaction
    totals into the general ledger; to initiate, authorize, record,
    and process journal entries in the general ledger; and to
    record recurring and nonrecurring adjustments to the
    financial statements (for example, consolidating
    adjustments, report combinations, and reclassifications).
    Note: References to the period-end financial reporting
    process in this standard refer to the preparation of both
    annual and quarterly financial statements.

    From Page A-26

    Control Activities. The auditor’s understanding of control activities relates
    to the controls that management has implemented to prevent or detect
    errors or fraud that could result in material misstatement in the accounts
    and disclosures and related assertions of the financial statements. For the
    purposes of evaluating the effectiveness of internal control over financial
    reporting, the auditor’s understanding of control activities encompasses a
    broader range of accounts and disclosures than what is normally obtained
    for the financial statement audit.



  • I think that one of the keys in determining what is in or out of scope is the definition of ‘financial statements’. While MD-and-A is included in SEC filings, I do not believe that it is considered part of the financial statements.
    Also, since the MD-and-A is unaudited, it would be cumbersome for the external auditor to render an opinion on that part of the filing while not including MD-and-A in the scope of their audit.



  • The audit of financial controls called for in SOX requires ‘a company’s independent auditor to complete a separate report that attests to management’s assessment of the effectiveness of internal controls and procedures for financial reporting.’ - From Moving Forward, A Guide to Improving Corporate Governance Throught Effective Internal Control: A Response to Sarbanes-Oxley by Deloitte and Touche
    This report goes on to point out that ‘the testing procedures performed not designed to meet the attestation requirements [of 404]’
    My point is not that MD-and-A will be audited, but that the audit of the control environment requires substantially more than has been required in the past. Both in terms of what companies need to document and in what auditors will need to examine. Thus, it is a mistake to expect that the scope of SOX audits will conform to the scope of previous financial statement audits.


Log in to reply