Control Remediated but failed on re-test due to non activity
We remediated a control based on them originally failing somewhere in June 2005. The effective date of the remediation was 12/30/2005. The remediation was to make sure that all employee status changes in the ERP are compared to signed approvals. Our Internal Auditors considered it a no activity because of the remediation date of 12/30/2005. Because of this no activity, they failed the control saying it is an industry standard to do so.
I am asking the forum whether they are aware of such a standard - PCAOB, ISO, QSO etc.
I could not find in the PCAOB.
In order for a control to be effective for the year, it has to be operating effectively for at least the last quarter.
I’m not sure that you’re going to find anything to cite the one-fiscal-quarter rule as an ‘industry standard’ though. It’s just hard to defend that a control was in place and had any effect on the control environment if instituted so near the end of the year.
Thank you John.
I feel that, if I am not mistaken, the Independent Auditor opines on controls to mitigate misstatement of financial reporting and fraudulent reporting. As long as controls are in place as at the end of the reporting period, there is Sox Compliance. But, merely nailing the auditee because of non activity may not be tenable.
There are two parts to the independent auditor’s attestation under SOx Section 404:
The first is whether (or not) management’s methodology and assessment of the company’s control environment was sound.
The second is whether (or not) the control environment is effective (Key Controls are operating during the year and have been tested to the extent that they can be relied upon to preclude a material mis-statement of the financial statements).
In your company’s case, it sounds like your auditor is going to issue an unqualified opinion on the methodology, but may need to disclose that the control environment is ineffective (if there are material Weaknesses in the Key Controls).
Having said that, just because a control was in place too late in the year to be relied upon, does not necessarily mean that it is a Material Weakness. It has been my experience that it’s better to argue with the auditor that this particular deficiency is not a material weakness, rather than trying to show that the control was in place (by the end of the year), which is a losing battle.
I tell my clients that ‘internal control’ is where the art and science of accounting intersect. Now is the time for you to lean on the ‘art’ aspect and haggle.
There is an established framework for determining the severity of a control deficiency, which I can send to you or discuss, if you’d like. That’s the best place to start as you begin to summarize and analyze your control deficiencies (individually and aggregated).
Also, the CPA firm is the final arbiter of whether your controls are effective. You may want to go directly to the independent auditors rather than fighting with the internal auditor(s). If you are the process owner, you can take the lead to defending your controls. (You can always try to wear the auditors down. It doesn’t always work, and it may not be effective, but only you can say if it is the best option.)
At any rate, good luck and welcome to SOx.
Arun70 last edited by
In your earlier post you had mentioned the availability of a framework for assessing the significance of a failed control. In my company we are struggling to convince the auditors that some of the control weaknesses are not material. I would be grateful if you could share that. My e mail id is optimist_16_at_yahoo.com.
Thanks in advance
The link to the framework to analyze (potential) material weaknesses is:
If you have any questions, I’d be happy to ‘walk you through the boxes’
You did not mention whether or not this was deemed to be a material weakness. Some of the responses above made that assumption. I am under the assumption that this was not a material weakness. Personally, I cannot see how the ineffectiveness of this control on its own could lead to a material weakness over financial reporting as you generally have budgetary controls and financial reviews that would catch anything of a material nature. The one exception may be if an officer of the company made unauthorized changes to his annual pay or benefits.
Based on the frequency of the control, it needs to be operating for a minimum period of time in order to be (re)tested for effectiveness. This seems like a daily or weekly type of control. The standard that my company uses for daily controls is that they need to be operating for at least 20 days before they can be tested. If you implemented a new control on the last day of the year, then there is no way for it to have operated long enough to realistically test for effectiveness. This is why we test controls early in the year so that they can be remediated and in operation for the requisite period of time to allow for testing.
It is an inconsequential deficiency, but it forms part of a score card of deficiencies. I believe that we should test this control post year end. I am of the opinion that auditors give an opinion on controls in place as at end of the year, not during the year. Therefore, even though there was no activity, I would still believe that re-testing should be made subsequent to the year end to confirm that the control was in place as at end of the year.
How can you truly test a control if there is no activity to test?
Post Year End till the signing of 10-K to substantiate the event as at the year end.
This would prove that the control was effective post year end, but not during the year being attested to. About the only controls that occur post year-end and pre-filing of the 10K are those that are annual or quarterly controls related to preparation of the financial statements. What you have described above does not appear to be that type of a control and any effectiveness of that control for activities post year end would not impact the financials that you are reporting, but would impact the subsequent year financials.
I think that your auditors are following the general practice of their peer auditors.
Post-Year End Re-Testing is resorted to in this case, because of Lack of Activity. We cannot penalize process owners by deeming the control ineffective, just because of no new hires or no status changes. Don’t we use the pay-hike till the 10-K signing to accrue for leave balances as at year-end? On the same logic, I am recommending the post year end re-testing to pass the control remediated as at year-end. If we keep them ineffective, this becomes a reportable condition to the Audit Committee, even if an inconsequential finding.
Thank you very much.
milan last edited by
I. Protiviti Consulting has a resource that addresses this issue directly (protiviti.com).
Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition
Updated to reflect PCAOB Auditing Standard No. 2
See Question #156 and #157
II. A good resource to gauge the impact of the internal control failure:
sarbanes-oxley.be/internal controls_overall effectiveness.pdf
III. A search on the word ‘materiality’ might provide additional clarity.
IV. Additionally, a detailed discussion of IC evaluation may be found at:
V. The PCAOB states the following in Audit Standard 2:
98. Timing of Tests of Controls. The auditor must perform tests of controls over a period of time that is adequate to determine whether, as of the date specified in management’s report, the controls necessary for achieving the objectives of the control criteria are operating effectively.
The period of time over which the auditor performs tests of controls varies with the nature of the controls being tested and with the frequency with which specific controls operate and specific policies are applied. Some controls operate continuously (for example, controls over sales), while others operate only at certain times (for example, controls over the preparation of monthly or quarterly financial statements and controls over physical inventory counts).
99. The auditor’s testing of the operating effectiveness of such controls should occur at the time the controls are operating. Controls ‘as of’ a specific date encompass controls that are relevant to the company’s internal control over financial reporting ‘as of’ that specific date, even though such controls might not operate until after that specific date. For example, some controls over the period-end financial reporting process normally operate only after the ‘as of’ date. Therefore, if controls over the December 31, 20X4 period-end financial reporting process operate in January 20X5, the auditor should test the control operating in January 20X5 to have sufficient evidence of operating effectiveness ‘as of’ December 31, 20X4.
100. When the auditor reports on the effectiveness of controls ‘as of’ a specific date and obtains evidence about the operating effectiveness of controls at an interim date, he or she should determine what additional evidence to obtain concerning the operation of the control for the remaining period. In making that determination, the auditor should evaluate:
The specific controls tested prior to the ‘as of’ date and the results of those tests;
The degree to which evidence about the operating effectiveness of those controls was obtained;
The length of the remaining period; and
The possibility that there have been any significant changes in internal control over financial reporting subsequent to the interim date.
101. For controls over significant nonroutine transactions, controls over accounts or processes with a high degree of subjectivity or judgment in measurement, or controls over the recording of period-end adjustments, the auditor should perform tests of controls closer to or at the ‘as of’ date rather than at an interim date. However, the auditor should balance performing the tests of controls closer to the ‘as of’ date with the need to obtain sufficient evidence of operating effectiveness.