High risk location, but financially insignificant 2309

  • I work for a manufacturing company with 6 subs. One of the subs is not in scope for our 404 assessment based on revenue, total assets, and EBITDA. All subs were required to develop documentation and test controls regardless of scoping. This particular sub is a mess, with high management turnover, numerous exceptions/control deficiencies (33 in total for Q4), and no time to devote to SOX. Even though they’re financially out of scope, I’m having a hard time convincing myself that they don’t represent a material weakness that should be reported on our 10k (we’re a non-accelerated filer). Would a prudent official in the conduct of their own affairs (wording from SEC guidance) want access to this information? I’m a one-man audit shop and doing these year end SOX evaluations alone is not fun at all.
    Any input would be most appreciated.

  • You need to look at the potential for errors and the relative impact on your financial statements. If this ‘insignificant’ subsidiary could still have a 5%-10% error impact on your consolidated FS, then I would think that you have at least a significant deficiency, if not a material weakness.%0AEven though you are a non-accelerated filer and your audito is not providing an opinion on controls this year, ask them for their opinion given the circumstances. They likely will be providing an opinion next year and you don’t want to be taken by surprise if they view this as more significant than you do.

  • I agree it is important to get the input from your external auditors. We were in a similar position a few years ago where we had scoped a facility out due to standard materiality measurements but due to high management turnover, a number or historical adjustments and a variety of other issues our external auditors strongly encouraged us to include them.
    As kymike said, it is best to know now and not get surprised later.

  • To be honest I think you are right to be concerned and you certainly should be giving this sub some attention.
    To me the bigger concern is over the appropriate level of control to run your business robustly rather than whether this represents a material weakness for SOX i.e. management should be dealing with because a) financial data on which they make business decisions may lack integrity and b) they might be losing money. Mangement’s tolerance for loss or error in day-to-day operations should be far lower than what is required to comply with SOX.

  • If your concern is about fraud, you should make some anti-fraud tests (also, substantive tests). What I do not agree is to consider an immaterial location individually insignificant (less than 5%) in SOX scope, even for Softer COSO controls.%0AAccordingly to the AS5, we should no longer use materiality criteria for considering locations. But, how would an insignificant location become right risk if the impact is to low? In my opinion, in the risk assessment we should consider this location with high probability and low impact.

  • I’m not concerned about fraud and have learned that the the accounting functions at this particular location are going to be integrated with another one of our subs, one which is operating much better than the other.
    Regarding location scoping, I honestly don’t believe that any location, regardless of risk, should be considered in scope if their financial impact is below certain thresholds. Also, there may be a location that is financially significant but is very low risk and can therefore be subject to reduced testing and less stringent evidence requirements. The top-down, risk based approach is supposed to allow for such flexibility in designing and implementing 404 efforts.

  • Here is the relevant text from AS-5. You might be interested in reading it, in case you have not done so already:
    ‘Multiple Locations Scoping Decisions
    B10. In determining the locations or business units at which to perform tests of controls, the auditor should assess the risk of material misstatement to the financial statements associated with the location or business unit and correlate the amount of audit attention devoted to the location or business unit with the degree of risk. Note: The auditor may eliminate from further consideration locations or business units that, individually or when aggregated with others, do not present a reasonable possibility of material misstatement to the company’s consolidated financial statements.
    B11. In assessing and responding to risk, the auditor should test controls over specific risks that present a reasonable possibility of material misstatement to the company’s consolidated financial statements. In lower-risk locations or business units, the auditor first might evaluate whether testing entity-level controls, including controls in place to provide assurance that appropriate controls exist throughout the organization, provides the auditor with sufficient evidence.’

Log in to reply