Freeze processes for 5 months? 1583

  • Hi,
    Noob to the forum, already 2 years involved in SOx. We are now going for the real thing because our company is an international.
    We are doing what we think is right for SOx and we know we need to improve our processes. However, the auditors and the auditing cycle pose a strange issue; we are not supposed to change our processes in the last 5 months of each year?
    Our auditors want to be able to test over 3 months of production data for the processes. But if we change our processes, and after 3 months we realise we need to remediate some problems, we need to change controls and have another 2 months of production data to report over the remeditated processes. They need to report over 2006, so if we change processes in the last 5 months, we would not be able to deliver the required production data? Is our auditor saying we should have stable processes to test over for 5 months in a year? That looks really disruptive to me because any improvement we want to make to any control would have to wait until January? Is that possible? Surely that’s not the intention of SOx?
    How do you go about changing your processes? And in particular; when you change a significant amount of processes (because we are migrating to a standard set of best practices), how do you go about it with regards to SOx?

  • Simply put - your business requirements are not determined by audit.
    Where you do change processes and systems you do need to ensure that the change is controlled and that control operate pre and post change. However, there is nothing to stop you changing a process at any time.
    I would note, however, that it is imprudent to change significant financial systems in the last quarter of the year.

  • Hi Phillip – I’m more of an IT person, so I might not be entirely correct.
    Some quick thoughts:

    1. Freezing processes as you’ve described seems like more of a convenience and standards for the Auditors than true SOX requirements. In fact SOX encourages you to engage in ‘continuous improvements’ of your testing and measurement systems.
    2. However, I can see the auditors point because they need to measure in a static environment. How can you effectively measure a process if it’s constantly changing.
    3. Maybe as a compromise, can you all implement the most desirable changes right away (before the 5 month assessment begins)? You certainly can’t do everything, but you might be able to correct the most significant aspects you see now rather than waiting.
    4. The auditors are there to render expert opinion and a service, and not to control the business aspects and process improvements for your company. Maybe you can negotiate 4 months of static processes instead of 5, informing them that changes are in process. This might give you an extra month to get even more improvements accomplished.
    5. I’d start right away with a high priority on fixing identified issues.
      Good luck and I hope a few of these ideas might help 🙂

  • SOx is an ‘As of’ thing. %0AThe reason you got that response from your auditors are probably just that they cannot be arsed to look at the same thing twice in a short period of time.%0AI would think it would look better if you choose to rectify things before the ‘as of date’ instead of waiting until after, even tho the process is not working 100% yet.%0AAnd I see Harry agrees too…

  • From the ISACA document, IT Control Objectives for Sarbanes-Oxley:
    The 404 attestation is as of a specific date and the PCAOB standard specifically addresses financial reporting controls that should be in place for a period before the attestation date and controls that may operate after the attestation date.
    95. The auditor’s testing of the operating effectiveness of such controls should occur at the time the controls are operating. Controls as of a specific date encompass controls that are relevant to the company’s internal control over financial reporting as of that specific date, even though such controls might not operate until after that specific date.
    151. Management might be able to accurately represent that internal control over financial reporting, as of the end of the company’s most recent fiscal year, is effective even if one or more material weaknesses existed during the period. To make this representation, management must have changed the internal control over financial reporting to eliminate the material weaknesses sufficiently in advance of the as of date and have satisfactorily tested the effectiveness over a period of time that is adequate for it to determine whether, as of the end of the fiscal year, the design and operation of internal control over financial reporting is effective.
    Management should meet with their external auditors to determine the period of time a control is required to be operating before the attestation date.
    Hope this further helps,

  • Thank you for your thoughts.
    The negotiation option does seem like the most effective one. I would like to try it but that would mean convincing management.
    As it is, they are quite scared of a bad review at the end of this year (which is thanks to our good efforts the last two years to impress upon them the urgency of the SOx work :)) and now that hits us back in the face. :roll: They’d rather let sleeping dogs lie and continue with the crap we documented until now (sorry to say it, but it’s true) than improve to something much better and more controlled with the risk of not being on time and getting a bad review because the auditors say they don’t have enough evidence that the new situation is working well.
    Anyway, I’ll try to make them see that we also have a say in how SOx compliant we are, not only the auditors.
    Thanks people.

  • Hi Philip … It might be worthwhile to also work with someone in senior management who might also help champion the cause of making needed improvements now. The key point is it’s better to improve things now, than to have embarrassing comments forwarded to the board and senior management later. Having worked over 3 decades, I’ve found that you’re far better empowered if you have the backing of senior management on any endeavor. Wishing you the utmost success ahead 🙂

Log in to reply