SOX - Company Level Controls - Tone at the Top 810



  • Our company (non-accelerated filer) is in the process of implementing SOX. We have begun by identifying the key accounts and significant processes, completed most of the walkthroughs and have created a control matrix similar to one posted as a download.
    However, I'm trying to document company level controls as discussed in the PCAOB release paragraphs 52-53 and 113-115, including
    tone at the top
    audit committee performance and effectiveness
    management integrity and ethical values
    management's risk assessment process
    management's philosophy and style
    etc, etc
    Is there an example of this 'tone at the top' or a template for completing this? What is the best direction to move re the company level controls?
    Any help would be appreciated.



  • IMO company level controls are a more subjective area than process/application controls and as such do not lend themselves easily to a rigorous control matrix type approach.
    What I would be looking at would be a more narrative type approach that talks about the influencing factors that lead you to conclude whether there are or are not reasonable company level controls.
    Whilst you do need to evaluate company level controls, you should not be looking to test these in the same manner as process level controls or you're just going to cause yourself a lot of unnecessary work and not a little heartache.



  • I’ve seen companies demonstrate tone at the top through the following:

    • Meeting minutes: board meetings, strategic meetings, etc…
    • Internal audit memos to the audit committee
    • Corporate Communications to employees
    • Compensation plans: What behavior is the company rewarding?
    • Performance appraisals of key personnel
    • Promotion and Salary history of key personnel
    • Investment in career development and tracking of results
    • Turnover of top talent vs. retention of top talent


  • Tone at the top can also be demonstrated by way of the following:
    Ethics policies and Processes
    Management Representation Letters
    Financial Planning and Outlook process
    Employee Hiring Policies and related processes
    Record retention policies
    Disaster Recovery and Business resumption plans.
    Hope this helps
    Arun



  • With the support of the recent PCAOB guidance (May) that states that auditors should be using a Top-Down Risk Based Approach to their audit (and thus companies should use a Top-Down Risk Based Approach to their controls evaluation before the audit), we have been given the green light to better utilize entity level controls.
    Most companies I have seen have just done a write up of their controls. With this new guidance, I believe that we can now make the case for truly using entity level controls. But to do so, we will have to present them properly. This will include documenting the controls, but add the additional step of evaluating them and then creating a methodology for using them within our evaluation of key control failures.
    This is the main topic of the next issue of my newsletter at soxbriefs.com.



  • Hi Soxbrief,
    I am quite glad to read what you wrote about the company level controls. I went to the PCAOB web to find the guidance of May you referred to. Could you give me the web address where to find this document?
    Thanks



  • The tone at the top is subjective. Management is a big driver in the attitude towards compliance and how it is perceived and embraced.
    Is there enthusiastic compliance? (we are seeing the benefits of these controls and we are streamlining our processes–yeah.)
    OR
    Is there malicious compliance? (we don't need no stinking sox and if we do then we are only doing what is absolutely required because we have to and not one thing more as there is no value to our shareholders)



  • Hi Soxbrief,
    I am quite glad to read what you wrote about the company level controls. I went to the PCAOB web to find the guidance of May you referred to. Could you give me the web address where to find this document?
    Thanks
    Sorry for the slow response. Here is the website for the guidance.
    http://www.pcaobus.org/News-and-Events/News/2005/05-16.aspx
    You can also read about our views on how the guidance should be implemented at our website at soxbriefs.com.

