Safeguarding of Assets controls 2300

  • I believe that safeguarding of asset controls are more Operational COSO Controls than they are controls over financial reporting, but I’ve read that SEC rules do consider safeguarding of asset controls to be an internal control over financial reporting. Is what I read about the SEC rules correct?
    Also, if the SEC does consider them to be financial reporting controls, then are they tested as part of process level controls or as part of entity level controls?
    Any help would be appreciated.

  • HI, I agree with you about the financial reporting aspect of safeguarding assets. In my company, we’ve created SOX controls related to this topic in two areas: IT/GCC and Inventory Management. In our IT/GCC control matrix, we noted our physical security measures (incl. authorized entry only in the IT room, use of security badges, bullet-proof glass windows, etc.). In our inventory management section, we noted our controls relating to cycle counting and physical security of inventory. I do not know whether the language in the Sarbanes-Oxley Act or in AS-5 specifically addresses asset security, but each company must assess their own financial risk and create appropriate controls as necessary. If you believe that a significant risk exists, then it probably does. The more preventative controls the better, provided that you can show evidence and appropriate ownership for each.

  • I agree with what you are saying. I think safeguarding controls are certainly SOX controls when they relate to inventory management as well as to key IT infrastructure. So I think my answer is that sometimes safeguarding controls are SOX relevant, depending on which process and respective financial statement risk and assertion it relates to.
    Thanks for your help.

  • PCAOB Release 2004-001 covers Safeguarding of Assets.
    Bottom line, it doesn’t matter if you fail to safeguard as long as you write down the accounts for what you’ve lost :lol:

  • Thats exactly what I wanted to hear. This is what my heart was saying deep down. In this respect, it just shouldn’t be any different from other operational controls. I believe only those controls that strictly prevent the material misstatement in the financial position of the company are SOX relevant. Many people try and argue to me about operational controls being SOX when they have financial impacts. But really SOX is not concerned with how well you run your business, just that whatever you do to it, you record and present your position in a fair manner.
    Long story short, thanks for the specific reference to the release. It saved me the time from finding it myself 🙂

Log in to reply