Frequency question 1342

  • Hi All,
    Please help settle an argument between a fellow SOX consultant and myself:
    For controls such as reviews/approvals of invoices, expense reports, fixed asset additions, etc. (to satisfy objectives for accuracy and validity), would it be appropriate to consider these as weekly controls if these reviews are only performed at the end of each week (assuming they are packaged as a nice-and-clean weekly review)? Or should they still be considered as more than daily/multiple times per day� controls since essentially the control activity is performed for each individual invoice/expense report/addition?
    Your 2cents would be greatly appreciated.

  • One of my clients has added a frequency of ‘ad hoc’ for anything that doesn’t fit into a more defined category such as weekly or daily.

  • Is it feasible for the orgn to have a concurrent audit setup :?:
    If not, a better thing to do would be to maintain a cross functional chek as an end of day activity,( or end of two days). A week, gives a potential fraudster, ample time to modify records to suit his requirement( it can be done in two days as well). the point here is at least the thot of being checked will keep such ppl in a fix for sometime.
    Just a suggestion, dunno if the above will suit ur orgn.

  • I think you need to do a sniff test on what would be the ultimate sample size you would end up reviewing in your test.
    For our organization, a weekly control in a low risk area would have a sample size of 5. Now, given that you would be checking the review of expense reports, invoices, etc. and there are quite a few of those, do you think a review of 5 would give management sufficient information to base a conclusion on? If there is only one signoff on a cover letter that contains the package of invoices / expense reports, the answer would probably be yes. If the signoff is on each individual item, the answer would probably be no.
    Another way to look at ad hoc controls would be to look at the population of occurences and see what the population equates to. For example, if the population of invoices for the year was 60, that would be pretty close to a weekly control (using the 52 week year). If your population of invoices was closer to 400, you would probably treat it as a daily control, and so forth. You could limit your population for the review by stratifying your sample, i.e. invoices greater than USD10k may be what you limit your test to (to avoid the noise of the small invoices) and then see how many that gives you.
    Hope that helps.

  • We have frequently been using the ‘ad-hoc’ frequency. But an control like yours, jty, would be a ‘mulitple times per day’ control in my company.
    When using the ‘ad-hoc’, defining frequency for testing is a bit tougher, because you must go back to check the control itself, and maybe even interviewing the person performing the control to define a proper sample size for testing, unless it is a programmed control that is 🙂

  • The sample size should also be looked on based on the initial size. If you cut checks once a month but you cut 2,000 checks, a sample size of 5 would not validate the control is effective. We have some subjective processes like you have mentioned. What I outlined for a sample size on those is based on a 10% of total population or 25 samples. If the original sample size is less than 5 we recomend testing of all samples.

  • I would probably call these activities ‘transactional’ and generally would expect sample size to be the same as - or even slightly higher than - a daily control. It doesn’t matter that you review invoices weekly - because for the control to be effective you do need to review them all.

  • Hi All
    Need your advise on this on Transactional activities. I’m also debating on this with another colleague that if it’s transactional actitivites even though you only exercise the review quarterly, the control frequency should be daily and not quarterly. This is especially so for revenue recognition. He doesn’t seem to agree with this. How should i be putting my case forward?

  • Erika - I am assuming that there (at least) are two different controls occurring here - one on a daily basis for transactions and one on a quarterly basis for higher-level review. If that assumption is correct, then you would need to test both controls based on their frequency - either daily or quarterly.
    If the revenue recognition control that you are describing is only a cut-off control at quarter end to ensure that all revenue is included or that you are not accelerating any revenue, then I would concur that this is a quarterly control should be and tested as such (sample size of at least 2 per year).

  • … if it’s transactional actitivites even though you only exercise the review quarterly, the control frequency should be daily and not quarterly. This is especially so for revenue recognition.
    I agree with kymike’s good points … The following are a few ideas in making the case, if it’s applicable for daily review also:

    1. It’s important to correct issues or address unusual findings ASAP. Thus, daily analysis and control points, might allow better research (when the data is fresh)
    2. It could also prevent all the work from stacking up, as quarter-ends are typically a very busy period for any company.
    3. While a daily focus might require a little more work, it’s also a more thorough check.

  • Kymike and HarryWaldron - Thanks for the advise.
    Yes I’m refering to testing the controls of ensuring all revenue is appropriately recognized for the quarter and that’s the only test they do. I just think that based on the sample guidelines on quarterly samples (general across all accounting firms) the number of samples to be tested is just too little. And it’s a challenge to convince the team to do more becos’ most of them want to do the minimal requirement.
    Nonetheless thanks for your valuable input.

  • Just make certain that one of the quarters tested is Q4 as that is the most important quarter to have correct. If you are in a business where revenue recognition can be problematic, then you really should be testing every quarter if you have any concerns or have had any problems in the past.

  • most of them want to do the minimal requirement …
    This is truly the hard part of SOX compliancy, as many companies are stretched thin already in meeting their day-to-day business requirements. Adding one thing to the ‘hopper’ will be met with resistance and it’ll be low on the priority list.
    Some suggestions:

    1. Make sure the sampling/testing process is as efficient as possible. Have the IT area create reports or queries, if can make things easier. If there’s any fine tuning that make things better, it’s worthwhile as a more efficient and effective process will be better received.
    2. Maybe a compromise between daily and quarterly, is to conduct some of the needed sampling on a monthly basis. Monthly or weekly intervals might be better negotiated than daily. I like monthly sampling, as it allows folks to get some ‘real work’ done and spreads out the work over a quarter. Also, keeping a constant SOX focus in place, might mean there is less to look up ‘how to do this’ each time verses the quarterly approach.
    3. Probably the most important thing of all is to have senior management ‘back the process’ . If key executives and managers see this as a very important item to get done, that will help folks on the front-lines to focus better and to do this less begrudgingly – or at least in theory it will … From a project management standpoint, it’s always beneficial having a senior executive at the ‘kick off’ meeting for a new project, and this same principle might be helpful for key SOX meetings sometimes.

Log in to reply