Another Scoping query - help. 1952



  • As in general business rules, there are no ‘absolutes’ and the guidance that was proposed was suggested to demonstrate that management has latitude regarding scoping due to a previously considered out of scope entity becoming in scope within the same year or very near the date of SOX assessment.
    The SEC states, ‘…We acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment.’
    This statement can be interpreted to also provide management with some discretion about the extent of testing for an in scope process or entity. Further, I would suggest that it might be possible for management to conduct limited tests of controls for a unit that reaches the scope materiality threshold during the year.
    In short, I suggest that you might be able to perform limited tests of controls near year end for the newly considered in scope entity and it will not be necessary to have performed quarterly tests of operating effectiveness throughout the entire year.
    However, performing limited tests of controls due to new knowledge is quite different from performing limited tests of controls or performing none at all due to resource constraints. The former seems to be the practical and more importantly. the defensible approach to discuss with the auditor.
    Before proposing the guidance, I researched this issue carefully and found that several sources noted that the SEC treats scope matters occuring throughout the year similar to that as would be treated for a new acquisition. Furthermore, one guidance specifically cites the Q-and-A noted in my original reply as support to follow the prescribed approach when an entity becomes in scope during the year.
    Milan



  • Before proposing the guidance, I researched this issue carefully and found that several sources noted that the SEC treats scope matters occuring throughout the year similar to that as would be treated for a new acquisition. Furthermore, one guidance specifically cites the Q-and-A noted in my original reply as support to follow the prescribed approach when an entity becomes in scope during the year.
    Milan
    Could you please share the Q-and-A guidance that you refer to above? I am not doubting your word on this, but rather would like to reread this (assuming that I have read it at one time) to refresh my understanding of the guidance.



  • Thanks guys. This makes me feel a little more at ease…
    We had been treating the entity as limited scope for Fixed Assets and the deferred tax element would have been tested within HQ as this function is centralised from here.
    I was just a little worried about trying to ensure that other significant accounts previously not determined as in scope would have to be reviewed as that would mean testing approximately addtional 80-100 controls.
    I think we need to argue our case with our auditors. They have enforced certain locations into scope on the basis of arguments from PCAOB guidance in relation to other entities this year, so it is really a matter of arguing the point that management are not required to follow PCAOB Audit standards in the same ridgid manner that is required for Ext auditors.
    EMM



  • Hi,
    Glad that with the combined feedback from all, the information was helpful. Good luck in your discussion with the auditors. In my opinion, all auditors are reasonable, some more than others.
    As for the reference to the guidance proposed earlier, ‘Source - Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports Frequently Asked Questions (revised October 6, 2004)’
    Milan



  • Milan,
    I am not coming to the same conclusion that you are regarding the exclusion of a consolidated entity from the scope of IC evaluation if changes in the business cause it to now become in-scope in the current year. I believe that the SEC guidance was specific to newly-acquired entities. If you refer to question 19 of the same publication, you will see the following language (emphasis added)-
    Item 308 of Regulations S-K and S-B, 17 CFR 229.308(a)(3) and 228.308(a)(3), states that management’s annual report on internal control over financial reporting must include a statement as to whether or not internal control over financial reporting is effective. While the staff will allow the exceptions outlined in Questions 1, 2, and 3 above, the disclosure requirement does not permit management to issue a report on internal control over financial reporting with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in their report that internal control over financial reporting is not effective. Further, management is precluded from concluding that the registrant’s internal control over financial reporting is effective if there are one or more material weaknesses in the internal control over financial reporting.
    Question 3 referenced in the quote above relates to acquired entities and the ability to exclude them in your IC evaluations in the current year.
    I think that the general guidance here is to perform limited procedures on the high risk controls, not all controls, for the entity that is now in-scope.



  • Mike,
    We are actually of the same opinion as I did not say that the company could or should exclude the entity from scope consideration since it became in scope during the year.
    I simply suggested that as an alternative to conducting full tests of controls, the company (after concurring with the auditor) could perform limited tests of controls. Thus, the auditor would not be precluded from assessing ICFR due to a scope limitation. Additionally, management would not need to conduct comprehensive tests of controls for the in scope entity based on the new information.
    The concept of performing limited tests of controls for the high risk areas has been promoted by the PCAOB since their guidance on 5/19/05, when it was suggested that a risk-based approach was not only acceptable, but effective to reduce performing unnecessary tests of controls.
    So respectfully, I disagree with you that we do not agree. …Talk about a paradoxical conclusion.
    Milan



  • So easy to tie yourself in knots over this stuff isn’t it :lol:
    Mike - whilst management’s assessment - i.e. the report in the financial statements - is not allowed to contain a scope limitation, Management are still allowed to define the scope of their work.



  • Hi,
    To add to the previous comment, it might also be helpful to note that some companies adopt the following strategy during the scoping exercise:

    • Define scope based on the materiality threshold and run it by the auditor to ensure consensus of areas for process documentation and tests of controls.
    • Each of the significant cycles is ranked according to significance to financial reporting and a ‘tiered’ approach is used to determine the level of documentation and extent of controls testing conducted within that cycle.
    • Areas that are ‘borderline’ or are not considered in scope due to less than the threshold amount, are documented (high level only) and perhaps, limited tests of controls are performed.
      By adopting this approach, you are technically not excluding an area for scoping purposes, but developing a less comprehensive SOX documentation set and performing only limited tests of controls for areas that are not critical to financial reporting or that may have become within scope during the year.
      As noted earlier, a scope limitation does not result and the auditor is not precluded from performing the SOX assessment.
      Hope this further helps,
      Milan


  • That definitely helps too, as the kind of locations that come into scope at year-end can tend to be the ones that were orignally borderline (but were supposed to be monitored carefully to avoid such risk).%0A I have received confirmation from our lawyers on this since I posted my query, and they referred back to SEC interpretive guidance following the first roundtable review in May 2005 . This interpretation reinforces that scoping should not only be a quantitative, but also qualitative, and that a %percentage threshold should be more of an initial review rather than the end result.%0AEMM



  • In discussing scoping with consultants, we’ve learned that most auditing firms now request formal ‘scoping memos’ from their clients which clearly outline the client’s efforts. These memos serve the purpose of memorializing the client’s defined materiality thresholds and other relevant assumptions that theywill take into account during their compliance efforts.
    My question to you all: is there some sort of standard template that is used in drafting this scoping memo?
    Thanks.



  • Our scoping document from year 1 was about 30 pages in length. In it we covered -
    Responsibility of management for SOX
    Project management of documentation / testing efforts
    Materiality determination
    Process for determining locations / accounts / processes to be covered
    IT coverage
    Spreadsheet controls
    Entity-level controls
    Use of COSO
    Fraud considerations
    How we were to evidence our controls effectiveness through testing
    Our plan for tracking and following up on control deficiencies
    Sample sizes
    Use of external service providers
    Basically, it is a definitional document. Much of the language was lifted from SEC / PCAOB / COSO literature. Once prepared, we have referenced the original document in years 2 and 3 with 1-2 page summary scope documents listing any changes to our approach.



  • We got a template from our external auditors that would link directly into our consolidated accounts for the threshold calculations.
    Any memos that have recently been generated to support deviations from threshold criteria have been written up by ourselves and cross referenced to SEC reports.
    Our may find something on Protiviti’s website - knowledgeleader.com. It has a lot of useful tools an templates


Log in to reply