Testing beyond year 1 404

  • Not quite what I was after. I am quite comfortable with the sampling approach and this is what we have done for year 1 compliance.
    However, I am more concerned about the ‘steady state’ of Year 2 onwards. The 404 assertion is an annual one and therefore each year we must:

    1. Determine whether our processes have changed significantly
    2. If they have changed then update the documentation and evaluate control design
    3. Carry out an evaluation of control effectiveness on ALL processes regardless of whether they’ve changed or not
      My question is for the second year of 404 assertion does the extent of testing have to be the same as in year 1?
      Second we agreed on when the testing should happen. The real load would be the daily controls. So we do the testing for them in the first half of the year and have the control owner signing a statement for the second half, that nothing with respect to his control has changed.
      Not sure on this. Our auditors (E-and-Y) would definitely not accept testing done only in the first half of the year. The argument would be ‘what basis does the control owner have for making their statement if they haven’t done the testing?’
      Typically the expectation I have seen is that testing should cover a minimum of 9-10 months. It may be that you do part of your sample in the first half of the year but you would have to do part of it later to get enough coverage.

  • We won’t have the quality of the tests change for the next years. Even if the process or the key control hasn’t changed. It is only that you miss out the process documentation part. Except for new processes.
    What makes the difference if you cover 6 or 10 months with respect to daily controls? If the control is effective in April and provided nothing changed in between, why shouldn’t it be ineffective in November? Even more intriguing if you start to think about automated controls.
    We only have quarterly and year end controls tested in the last quarter.

  • Management’s obligation is to demonstrate that the internal control over financial reporting has been effective for the whole period. Obviously this requirement is met if your sample covers the whole period. If your testing is carried out at an interim date then you need to cover the period between the date of testing and the year end. The greater the gap between the testing and the year end then the greater is the effort required to demonstrate the continuing function of controls.
    Obviously different audit firms will have differing views on this but the steer we’ve been getting is that if the testing doesn’t cover at least 9-10 months then an additional sample should be tested. Where the gap is shorter then it may be sufficient just to get confirmation that the system, personnel, etc. have not changed.
    For automated controls your basis for ongoing reliance is provided by General Computer Controls, which should also be tested. It is sufficient to do a ‘test of one’ for automated controls. This principle is well established.

  • If your ext. auditor insists on a sample covering the last quarter I probably would do the majority of the testing in the first half and the rest as early as possible in the last quarter.

  • A little late to the party here but I’ve a few comments:
    One of the Big 4 in Calgary was adamant that 404 certification was AS AT Dec 31/xx. Therefore I’m not certain that one needs to prove that controls were operating for the full year rather that controls were operating as at… xxxx date.
    For Yr 2 onward, we’re staying with a ‘risk based’ approach. Certainly for Yr 1 we’re testing a lot but for Yr 2 I intend to start some self assessment work for the low risk processes and maybe for some medium risk processes. The higher risk processes, however, will be tested at least twice a year generally early to make sure there are no busts (but to have time to remediate if we find any) then test again in late Q3 or Q4 to provide evidence that they’re still operating as designed.
    As we begin to get an understanding of which areas change a lot and which are fairly static, I intend to rely more on self assessments with rotating ‘audit class’ testing over a… say 3 year period?
    Those are my thoughts at the present time…

  • Fine for the 404?
    But what about the quarterly re-certification under 302? How are you handling it?

  • Section 302 requires you to state whether any significant changes affecting the internal controls have occurred during the quarter. A reference is also stated by the AU no. 2, para. 200. However, you are not required by this section to perform management testings for each quarterly statement (as far as I understood)…

  • What are forum’s thoughts on testing for 302 quarterly certification?
    Since the cert focuses on material changes, it is my understanding that you need to identify changes (via self-assessment process) and then test evaluate the results. Anything less is guesswork, no matter how educated. Without tipping my hand or opinion on this topic, this was the exact interpretation I received from several Big 4 ext. auditors I’ve worked with on SOX engagements.

  • CRC - We are approaching this exactly as you laid it out -
    Identification of significant internal control changes (via questionnaire)
    Testing of those changes
    We are also having our control owners sign a representation that nothing has changed except what they have noted in their completed questionnaire

  • Our company has decided to review design and effectiveness of the whole set of controls every six months. This huge task is carried out in a decentralised way. Each department reviews its controls and the head signs-off for compliance.
