Turnbull and 302/404 compliance
Does anyone have any case study or similar examples of how they have integrated Turnbull/corporate governance signoff with 302/404 compliance?
302 overlaps with Turnbull, but Turnbull has much wider coverage and does not just focus on financial risk. The 302 sign off, whilst not requiring auditor attestation, appears to have more rigour than Turnbull because it is underpinned by 404 testing. Clearly having two methodologies running concurrently is not the most efficient use of resources, and I wondered if there were any lessons learned at other organisations.
harrywaldron
Hi - While I’m not familiar with this standard, our company (e.g., insurance conglomerate) must also handle multiple regulatory standards. One approach that might help is to use outlines of both the Turnbull and SOX requirements, looking for the commonality. Where possible, then design and streamline workflows around common controls, so that you only do it once. The non-common tasks can then be addressed separately for each of the two compliance standards.
Some related articles might also be found here (add ‘www’ and paste to browser)
EMM
I think you can run the two together. The Turnbull Report focuses on Corporate Governance whilst SOX focuses on management and assessment of internal controls.
You should be able to confirm compliance over Corporate Governance for both through your Entity Wide Controls testing and documentation.
Thanks for the steer guys. I also think there is scope to run the two together.
What is interesting me is that for Turnbull there is more of an emphasis on self certification, whilst for 404 the emphasis is more audit based. As we all know, 404 permits self certification for management assessment, but it is not the most effective solution when there is the risk that the external auditors may find non-compliant processes which self certification may not pick up, coupled with the cost effectiveness of external auditors placing more reliance on management's own work if there is more rigorous testing.
In your experience did you make the distinction between 302 and 404? By that I am thinking the Turnbull/regulatory process could be used to cover most of the 302 elements and you can then ask the 404 testers to add any pertinent observations. Alternatively I suppose you could expand the ‘tone at the top’ COSO analysis/questionnaire of the 404 work and let that cover the Turnbull signoff for you, but clearly by doing so you would be imposing the rigours of 404 onto the Turnbull analysis.
Just wondered which way companies swung when faced with this.
Denis
The Financial Reporting Council issued a report on 16 December 2004 called ‘The Turnbull guidance as an evaluation framework for the purposes of s404(a) of the Sarbanes-Oxley Act’.
Agreed but the report really focuses on how you can use Turnbull instead of COSO for evaluating your processes.
Denis, you are based in the UK; do you have a Turnbull requirement or are you part of a US corp? If the former, how have you merged your 404/302/Turnbull requirements, or have you kept the Turnbull separate from SOX?