Impact of new guidance on your SOX reviews

  • I just wanted to get from everyone a sense of the impact the May 16 PCAOB and SEC guidance is having.
    For us, we’ve seen a huge shift by our auditor to a risk-based approach… almost a bit too much. They are waiting on their firm’s national guidance to come out before they really confirm, but it appears there will be a good deal less testing.
    When I say risk-based, they have proposed:

    • Low, Medium, High categories for each process
      • for a Low, they just look at the matrix and results of testing summary; to test, mgmt would just inspect select documents
      • for a Medium, they review narrative, perform walkthrough, review matrix and results and just review testing
      • for a High, same as a Medium, except they also do a sample of testing of their own.
      This is predicated on a strong control environment and being able to document as such.

  • It’s a little early to be able to provide a full answer. However, we’ve seen a greater willingness to limit the processes required to be in scope. Soon after the ruling we requested new guidance on specific processes that were previously deemed in scope, but where the scoping logic escaped us. This time, they okayed the descoping.

  • We are heading down the path of requiring process owners to self-assess, even if some of their processes and controls would be deemed low on the risk scale. We don’t want to throw away any work we have done to document our processes and we want to keep process owners focused on ensuring that controls continue to work. Our IA function and our external auditors may not test everything as we will also take a risk-based approach in what we test.
    Keeping the process owners focused on controls will help to ensure a strong control environment.

  • I don’t see this approach as being particularly new.
    What our auditors are looking at is based on 1) Materiality, 2) Risk and 3) Coverage. Accounts/Processes with a higher risk profile may have a lower materiality threshold applied.
    Overall they are looking to see that management, in arriving at its assessment, has assessed processes covering a high enough percentage of each line item or disclosure note in the financial statements.
    In assessing management's assertion they need to decide which processes they will look at (which is far from all processes in our case) using the three variables I mentioned.

  • Companies have two choices: they can wait for their auditors to change their focus over the next year or two, or they can use the information from PCAOB’s May policy statement to redesign their internal controls testing methodology now. The PCAOB’s guidance is directed at auditors, but companies should use this information to redesign the testing that they present to their auditors.
    Companies can increase the efficiency and decrease the cost of their SOX compliance efforts by taking a Top-Down Risk-Based Approach to controls testing.

  • I agree with Lisa Vann’s response.
    The change in approach has had a fundamental effect on the approach we have adopted.
    Materiality has been increased massively.
    Processes are categorised into high, medium and low risk.
    Medium and low risk just require a 1-pager on documentation of the flow.
    High risk will have detailed process-level documentation and detailed testing.
    The testing for low and medium hasn't yet been defined but probably will be very light.
    We've produced a high-level generic document listing the key controls across certain business functions. Where a process deviates from this generic document / flow and is considered high risk, there would be detailed testing and documentation of the differences.
    That's the way it is with us - can't say I agree with it in totality, but that is what the powers that be have delegated to us mere minions.

  • Well, it’s been a little over two months since I first posted this and now we have our final game plan after the accounting firm (KPMG) finally got their internal guidance on using the work of others. Ok, here it is:
    Two things to consider:
    Risk of the process - High, medium, low. Management will evaluate (based on a number of criteria to substantiate the final rating). KPMG will also review and come to their own conclusion.
    Independence and Objectivity (‘I-and-O’) of the testers - High or Medium; there can be no low. KPMG will evaluate the people doing the testing (in this case internal audit).

    Process Risk: Low
    I-and-O: High
    KPMG will select 20% of the controls they deem key for reperformance. For those 20%, KPMG will then reperform 20% of the sample size supporting the testing of those controls. If I-and-O were rated Moderate, KPMG would then reperform 40% of the sample size supporting the testing of the controls. Assuming no differences, KPMG is done with the process.

    Process Risk: Medium
    I-and-O: High
    KPMG will select 50% of the controls they deem key for further review. For those 50%, KPMG would then perform 100% independent testing using KPMG minimum sample sizes. For 20% of the controls not selected, KPMG would reperform 20% of the sample size. If I-and-O were rated Moderate, 100% of the controls would be subject to KPMG independent testing.

    Process Risk: High
    I-and-O: Doesn’t matter
    KPMG will select 100% of the controls they deem key for further review. All of the key controls would be subject to independent testing according to KPMG minimum sample sizes. KPMG would not use the work of others.

    Couple of points to note:
    * Risk rating between our company and KPMG doesn’t necessarily have to agree. We have one process that we’ve rated a medium which KPMG will rate a low; in which case KPMG will be able to fully utilize all the work that we’ve done.
    * KPMG can pick fewer key controls than management. Just because mgmt deems it key doesn’t automatically tie their hands. Obviously, if there is something they consider key that mgmt has not, that would be an issue.

    Overall, a little help over last year. A little disappointed that for High risk areas they can’t use any testing (this hurts since this extends to General IT Controls, which are part of the overall control environment and, thus, High risk).
    Would love to hear your feedback.

  • I am new to this forum, and this post immediately caught my attention, since KPMG is our auditor too. Ours is a June year end, and hence we are in the second year now.
    I had one question: how did you determine the process risk?

  • We evaluated the following items as they relate to the process:
    Materiality - The significance of the account balance or amount of dollars related to the process.
    Volatility - The level of volatility in an account balance or process.
    Estimation - The degree of judgment and estimation used by management related to the account balance or process.
    Fraud/Loss/Management Override - The susceptibility of the account balance or process to fraud and/or loss.
    Complexity - The degree of complexity related to calculations pertaining to the account balance or process.
    Significance (of occurrence) - What is the significance of risks related to the account or process?
    Likelihood (of occurrence) - What is the likelihood that the event underlying the risk will occur?
    Each of these items was assigned a high, medium, or low rating. Each category was assigned a value (high=3, medium=2, and low=1). Then we added up the 7 values for each process and determined bands for the process (e.g. a total of 15 or above was a high risk process, etc.). We also tried to qualitatively take into account additional considerations (e.g. new systems) to see if that needed to be accounted for.
    Hopefully that helps.

  • Thanks. It does help. I can make these assessments, and provide them to KPMG.

  • I understand the process of categorizing the processes into High, Medium, or Low. Beyond that, are you considering all risks/key controls equal within a process? Are you considering significance and likelihood for the process as a whole, or are you using those factors for each risk associated with the process to vary testing levels even within a process?

  • Last year, we only applied the high, medium and low to the process and then the testing of the key controls fell under that.
    This year, in addition to categorizing the process, we will be categorizing the risk (high, medium, low) and the strength of the control (high, medium, low). Thus, a key control should be high risk, high strength. This will allow us to possibly rationalize some of our controls and provide a little more support to how we identified controls. Sample sizes for testing (however) will still be dictated by the risk of the process and frequency of the control.
    Hopefully that helps.
