Design Deficiencies?. 447



  • Hello there. I would like to hear your opinion on the following issue we have at our company and would be greatful to get a feedback asap due to a conference with our auditors on Monday, Feb. 14th.
    Our company is in Germany and we have an US parent. At the moment, we are getting the final SOX Report from our auditors and I have just received a draft, where they included a Summary of Aggregated Deficiencies as well. Well, to my surprise, our auditors have included into this SAD all the key controls that were established during the year 2004 and were not in place therefore with January 1st 2004 (we would always include the effective date of a control established). However, by the point of time our auditors were in the house and performing their walkthroughs and testing later, these controls were effective having an effective design as well. So, they did not conclude any design deficiency performing tests of opertaing effectiveness.
    In their SAD however, an external reader gains an impression that all these controls are deemed to have a design deficiency.
    This is what they wrote: ‘…The remaining controls listed on the SAD, for which a remediation date is also included, are controls implemented for the first time in 2004, which were not in existence before, i.e. a design deficiency existed prior to their implementation. No remediation measures had to be taken except that these controls had to be set up to ensure adequate design of the respective process’
    To me, this sounds like a design deficiency conclusion. Can they deem them to have an design deficiency only because they were not effective as of January 1st 2004?. What do u think?. Thanks a lot in advance.



  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • Sounds like they’re going beyond their remit to me. Firstly, there is no requirement to report every control deficiency - only material and significant ones.
    Secondly, as you suggest, that a control was not in place at 1/1/04 does not necessarily mean you have a control deficiency.



  • I guess this depends on the audit instructions and reporting requirements they received from the corporate/group auditor.
    First of all, while reading the quote from the report, I wasn’t under the impression that this should be interpreted as they having identified a deficiency in design regarding those controls. But that’s me of course :roll: It states that the controls didn’t exist at the beginning of the year, but were in fact implemented during the year. And this of course, could well be relevant for the financial statements audit, whereas the financial statements relate to an entire year, meaning that the auditor might have to perform additional substantive testing in those areas. That’s perhaps why they (were requested to) report on these matters. This should, however, have no impact on the attestation to management’s statement on internal control over financial reporting, as required under SOx. If you are of the opinion that their report is still not clear enough on this matter, you might want to request your auditor to further clarify this part of their report.
    Regarding reporting of non-significant control deficiencies: the assessment whether identified control deficiencies, if any, are to be considered significant/material is sometimes done at corporate/group level and not at local entity level. In that case, local auditors are requested to report every control deficieny identified. This is done in order to be able to assess whether local control deficienies in aggregate should be considered significant. Imagine, several local entities having a control deficiency relating to the same account. Those deficiencies might not be considered significant at local entity level. However, this might well lead to a significant deficiency when aggregated with other entities.
    I’m not completely sure on this one, but If I’m not mistaking, auditors are also obliged to report every identified control deficiency (also the non-significant ones) to the Executive Board (and also to the audit committee?). Those deficiencies won’t be disclosed in the company’s filing, but management should be informed on all of the identified deficiencies regardless.



  • Thanks for your opinion, Denis and JREW.
    at Denis: Thatll let u know what the outcome was. And thanks again.



  • If they will not back off of their stance of including pre-2004 control design deficiencies in their internal report, then you should be proactive with your parent company and explain to them what has happened so that they do not mis-read the report. It doesn’t sound like they are reporting anything untrue, only not being fully clear about the deficiencies.



  • I guess you should try to figure out, if you’re talking about the ‘normal’ annual audit or the sox audit. The auditor has to communicate everything he disclosed to the management also to the audit committee (SAS90 - I believe). Therefore it can be, that a SOX deficiency report is only focusing on significant deficiencies or material weaknesses, but a report out of a annual audit discloses everything they learned addressed to the audit committee or supervisory board.



  • at holger: it was a sox audit issue and we we have discussed it with them so far. as they state, they are required to report all controls not being effective as of january 1st to the parent’s auditor, for whatever reason… however, whenever I read about the design deficiencies, one would refer to them as to the design deficiencies identified in tests of operating effectiveness . that would equal zero in our case, because as they tested, the designs were effective. alone the fact that we communicated to them that some of the controls were put in place in march e.g. does not make them have an ineffective design to my understanding, or does it?.
    but, I would like to ask you, Holger, another question, since I appreciate your impressive sox-knowledge… can u give me some kind of a link between financial statement assertions and key controls? to my understanding, all financial statement accounts or relevant transactions or disclosures embody financial statement assertions, and for these financial assertions, there should be key controls in place. is this correct? so, do I have to cover every single fin. assertion related to a particular account by a key control or is it fine if I cover at least one? and what if I have a key control that cannot be clearly mapped to any of the fin. assertions? is it then still a key control? thanks a lot in advance.



  • My opinion on your last question:

    • It’s key when it is of importance for a material account
    • If it is key, but there’s no account, it can stil be key. F.e. coningent liabilities, controls for high-risks which could impact an account (timely VAT report to tax authorities)


  • _at_Melly: In order to identify which internal controls are key and, therefore, are required to be evaluated and tested independently, management must perform a risk assessment analysis based upon identified financial misstatement risks at the significant process and related sub-process level. This risk assessment provides the basis from which key controls are identified.
    Key controls are those controls that are important to each relevant assertion in the financial statements. The PCAOB standard emphasizes controls that affect relevant assertions because those are the points at which financial misstatements could occur. The standard prescribes that it is neither necessary to test all controls nor to test redundant controls. Therefore, only key controls will be subject to management and auditors test procedures. Key internal controls over financial reporting include:
    -and-#61550; Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements;
    -and-#61550; Controls over the selection and application of accounting policies that are in conformity with IFRS and US GAAP;
    -and-#61550; Antifraud programs and controls relevant to the financial statements;
    -and-#61550; Controls, including IT general controls, on which other controls are dependent;
    -and-#61550; Controls over significant non-routine transactions and nonsystematic transactions, such as accounts involving judgments and estimates; and
    -and-#61550; Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statement.
    Judgment will be necessary to determine whether a control is redundant with other controls or is a key control. In addition, management should review the identification of the key controls, along with the relevant FMRS’s for each significant process and related sub-process to confirm its assessment. Please remember that all key controls will have to be tested. Therefore, it is important that management only select the significant controls.
    In determining which controls are key controls for a particular risk scenario, management should identify those controls as key which enable management to conclude that there is a remote risk of a material financial misstatement occurring, assuming that the identified key controls are working effectively.
    In the process of identifying key controls you may conclude that a deficient preventive control could be compensated for by an effective detective control and, therefore, not result in a significant deficiency or material weakness. For example, a monthly reconciliation control procedure (a detective control) would detect an out-of-balance situation resulting from an input error due to an ineffective data interface control.
    In making a determination that the detective control compensates for the defective preventive control, the evaluator should ensure that the detective control is designed to achieve the control objective to which the preventive control relates to in a timely manner and that the detective control is effective. One should consider that reliance on high-level analytical procedures, by themselves, may not be sufficiently precise to achieve the control objective.



  • at Holger: thanks a lot.



  • You’re welcome… 😉



  • Note - the PCAOB standard is for auditors and sets out the minimum you need to comply with SOX.
    If a company is looking to embed controls into its organisation it may decide to test beyod key controls. An alternative view may be that if a control is worth documenting in a process document then it is worth evaluating its effectivenss.



  • _at_Denis: At last a company will provide their opinion about their effectnivness of their internal Controls over financial statements. The ext. Auditor, who’s has to comply to the PCAOB’s Standard 2, will also review the controls and also provide a opinion.
    I believe it makes total sense to make sure that the auditors get what they need. So you better make sure you know what they’re looking for… 😄



  • _at_holger agree with you generally, however
    In our project we are identifying key controls and using these to demonstrate that we have ‘complied with SOX’ but we have a wider objective to build controls ‘into the DNA of the organisation’ on the basis that compliance only will not benefit our organisation.
    We are evaluating ALL controls that figure in our process documents. If there is an argument over the control being not important enought to test the question is then is it important enough to perform? We are actually removing some redundant controls and simplifying our processes.
    Where I see this being a strong approach is that it gets staff responsible for financial control out of a ‘minimum effort’ mindset. It stops staff assuming that key controls are the only ones they have to do on a day-to-day basis.
    We do mitigate this ‘extra’ work however. Where a control is not ‘key’ we might use a smaller sample size and a deficiency in a non-key control is not a SOX deficiency and has a different remediation process.
    We involved our auditors in this at an early(ish) stage, so they understand where we’re coming from.



  • _at_Denis: I understand your position. Acutally we’re doing something similar. What I wanted to point out is, that for SOX you better streamline your effort towards the ext. Auditor.
    I totally agree that ‘onlx achieve compliance’ doesn’t make much sense.
    You only need to look at the money spend to get that conlusion. :twisted:
    We also follow the approach to get as much a rise of quality all over the company as possible. We use the same approach over the whole company (doesn’t matter if a dept. is SOX relevant or not). In all cases were a dept. or subsidiary is not SOX relevant we leave our ext. Auditor out.


Log in to reply