Can you Document AND Test??



  • Just wondering if anyone has come across external contractors being asked to test key controls, advise the remedial work necessary, and then be involved in the re-test.
    For context, this activity is all taking place prior to the external auditors arriving.
    I wouldn’t think it would be acceptable, but would be grateful for your views.
    Thanks



  • I’ve seen it happen at a couple of client sites. They formed a sox team that was a mix of employees and contractors. They positioned themselves as sox consultants to get the other divisions ready for sox compliance. The sox team was totally separate and divorced/independent from the internal audit group. This was so that the external auditors could rely more on the work done by the sox team.
    The sox team broke their testing into 2 major phases. The first phase was the Test of Design (TOD) phase to evaluate the design of the financial, application, and IT key controls. They filed issues for tracking purposes and worked with each division to get these items remediated. Sometimes this would involve documenting or writing narratives, putting together process flows, writing policies/procedures.
    Then they began the Test of Effectiveness when most of the TOD issues were resolved. They recorded their findings and issues. The team leads were responsible for following up and consulting with the divisions to remediate the deficiencies. There were multiple testing cycles for the Test of Effectiveness to ensure that all the deficiencies were addressed prior to the external auditors arriving.



  • This is perfectly acceptable as long as management realizes that it is responsible for internal controls. Outsourcing documentation and testing is no different than outsourcing any other process.
    As for remediation of controls, management should be approving changes recommended by the outside contractor and should also be aware of all controls in place in order to better show that they are taking their responsibility for controls seriously.



  • In our organization we had outsourced the testing, and once the deficiencies were remediated the outsourced contractors were asked to re-test.
    I think it is perfectly acceptable.



  • This is perfectly acceptable as long as management realizes that it is responsible for internal controls. Outsourcing documentation and testing is no different than outsourcing any other process.
    As for remediation of controls, management should be approving changes recommended by the outside contractor and should also be aware of all controls in place in order to better show that they are taking their responsibility for controls seriously.
    Absolutely right, couldn’t have put it better myself.



  • As mentioned by others, the objective of testing / retesting - before the External Auditors arrive, is to assist the management to ensure proper (internal) assessment is completed.
    In larger organizations, the Internal Audit department is vested with this responsibility. External Auditors would rely on the company management’s work papers only to an extent. If such work had been performed by the qualified Internal Auditors of the Company, the degree of reliance would be high.
    In case the management does not have access to qualified internal resources, they can engage an outside company (typically another Public accounting / Risk Consulting company) which would directly work under management/BOD supervision.
    Third alternative could be to engage independent contractors who would work with the management designees/process owners. However this method is not popular at large organizations. When process owners are heavily involved in the testing, the true independence of the audit would be compromised.
    Finally the pointers to remember are:

    1. The degree of independence of the IA/Testing Team
    2. Quality of the work products (Stems from the Qualification and Experience of the teams)
    3. Adherence to Standards and Methodologies (IIA Standards, Sampling Techniques etc)
    4. Management’s participation throughout the process including in the remediation and retesting phase.
    5. Finally External Auditors would exercise their own judgment on placing the reliance on the documentation and testing that was already completed by the management.


  • Would it be ok if an IT department at a big box company located in the US was assigned a manager that works for an offshoring company (Genpact) and that same exact manager also made money from hiring people in that offshore company (Genpact) located in India to replace the American workers of the big box company in the US while he is also being a Vice President of Genpact?
    Can that manager’s manager at the big box company, (also from India) a director at the big box company also have his wife from India at the big box hire resources to her offshore company that she supposedly owns?



  • Three words immediately spring to mind.
    CONFLICT OF INTEREST
    It might not be wrong to enter into such arrangements but conflicts of interest do need to be handled carefully. Most large companies have processes in place to flag such conflicts and deal with them accordingly.
    One also needs to be careful of requirements around
    RELATED PARTY TRANSACTIONS
    IAS 24 covers requirements for most of the world and I believe there is an SEC requirement also (on executive compensation and RPTs)
    Mostly this is around disclosure of RPTs but there are some restrictions

