SOX - Company Level Controls - Tone at the Top
-
Our company (non-accelerated filer) is in the process of implementing SOX. We have begun by identifying the key accounts and significant processes, completed most of the walkthroughs and have created a control matrix similar to one posted as a download.
However, I’m trying to document company level controls as discussed in the PCAOB release paragraphs 52-53 and 113-115, including:
tone at the top
audit committee performance and effectiveness
management integrity and ethical values
management’s risk assessment process
management’s philosophy and style
etc., etc.
Is there an example of this ‘tone at the top’ or a template for completing this? What is the best direction to move re the company level controls?
Any help would be appreciated.
-
IMO company level controls are a more subjective area than process/application controls and as such do not lend themselves easily to a rigorous control matrix type approach.
What I would be looking at would be a more narrative type approach that talks about the influencing factors that lead you to conclude whether there are or are not reasonable company level controls.
Whilst you do need to evaluate company level controls, you should not be looking to test these in the same manner as process level controls or you’re just going to cause yourself a lot of unnecessary work and not a little heartache.
-
I’ve seen companies demonstrate tone at the top through the following:
- Meeting minutes: board meetings, strategic meetings, etc…
- Internal audit memos to the audit committee
- Corporate Communications to employees
- Compensation plans: What behavior is the company rewarding?
- Performance appraisals of key personnel
- Promotion and Salary history of key personnel
- Investment in career development and tracking of results
- Turnover of top talent vs. retention of top talent
-
Tone at the top can also be demonstrated by way of the following:
Ethics policies and Processes
Management Representation Letters
Financial Planning and Outlook process
Employee Hiring Policies and related processes
Record retention policies
Disaster Recovery and Business resumption plans.
Hope this helps
Arun
-
With the support of the recent PCAOB guidance (May) that states that auditors should be using a Top-Down Risk Based Approach to their audit (and thus companies should use a Top-Down Risk Based Approach to their controls evaluation before the audit), we have been given the green light to better utilize entity level controls.
Most companies I have seen have just done a write up of their controls. With this new guidance, I believe that we can now make the case for truly using entity level controls. But to do so, we will have to present them properly. This will include documenting the controls, but add the additional step of evaluating them and then creating a methodology for using them within our evaluation of key control failures.
This is the main topic of the next issue of my newsletter at soxbriefs.com.
-
Hi Soxbrief,
I am quite glad to read what you wrote about the company level controls. I went to the PCAOB website to find the May guidance you referred to. Could you give me the web address where I can find this document?
Thanks
-
The tone at the top is subjective. Management is a big driver in the attitude towards compliance and how it is perceived and embraced.
Is there enthusiastic compliance? (We are seeing the benefits of these controls and we are streamlining our processes–yeah.)
OR
Is there malicious compliance? (We don’t need no stinking SOX and if we do then we are only doing what is absolutely required because we have to and not one thing more as there is no value to our shareholders.)
-
Sorry for the slow response. Here is the website for the guidance.
http://www.pcaobus.org/News-and-Events/News/2005/05-16.aspx
You can also read about our views on how the guidance should be implemented at our website at soxbriefs.com