Reassessing Key Controls 2367

  • I am currently reviewing controls previously tested under our SOX404 program and I would like to challenge some of them from a ‘KEY’ standpoint. Objective is to gain efficiencies by reducing the number of controls while still meeting the objective of preventing / detecting material misstatement. %0AI have two scenarios for further discussion: (I have plenty more)%0A1) Say a company has Preliminary Materiality set at 500k and has an international location with Revenue forecasted around 1.5mil. Let’s say that during the year you monitored cash receipts and sometime in the 4th quarter you provide evidence that cash receipts against current year revenues were 1.1million. Given the primary assertion here is Existence and cash receipts prove existence since the customer paid for the goods / services. Of course you would test the bank reconciliation and also there is good management control over A/R, wouldn’t this in essence bring revenues down under materiality? Would this be sufficient?%0A2) Next, Say a company has cash receipts going 80% through a lockbox and 20% through local receipts at the office. Daily reconciliations are performed for the Lockbox receipts, and proper SOD is in place for the local receipts. Currently we test this as a multiple daily control and select many cash receipts during each test phase. I am having trouble seeing this area as key for SOX 404. Given the lockbox account is reconciled monthly by someone outside of the cash receipts area in treasury, so any discrepancies between the books and the bank would be caught by this control before the quarterly’s are filed. Next, for the local cash receipts there is proper SOD in place. If there is something going on such as kiting or lapping wouldn’t this would become apparent through customer complaints way before becoming material to the F/S? Say these scenerios did occur at a low USD threshold, yes this could happen but even if it is occurring your still only effecting balance sheet accounts not P_and_L. Could you limit testing to ensure the SOD is in place for local receipts, and just test the monthly cash reconciliations and walk away from the area without testing daily controls (e.g., the local cash logs, daily bank deposits, bank receipt slips…etc)%0AAny debating comments / suggestions will be greatly appreciated.

  • Ringo,
    Welcome to the forum.
    I think that what you are suggesting is exactly what the SEC has in mind with their latest guidance. Materiality and risk are both being considered as well as other controls in existence (SOD, bank recons). Depending on your other accounting locations, you might even be able to argue that this location with revenues of only 1.5MM could be considered out of scope for SOX as there are quite likely other management controls over a high-level review of this location’s financial results.

  • Kymike,
    Thank you for the welcome and your reply.
    Your previous post ‘scaling back on the testing of entity-level controls that offer no direct reduction of financial reporting risk at the assertion level’ is related to this theme of re-evaluating KEY controls. This post gave me some ideas where I could hopefully scale back in this area. I have yet to run it by our externals…I will let you know.
    I think the key here is not to focus so much on the risk at the account balance level but instead focus on the relevant primary assertion which will maybe reduce management’s overall testing, as well as the external auditor’s test efforts since they rely on managements work. reference IIA SOX 404 guidance 2nd Edition for more information on this topic. This is a great ‘free’ resource.
    I hope to hear from others on how they are gaining efficiencies related to the new AS5 / SEC guidance and how they got their external auditors to concur on the methodology. This doesn’t only have to be related to only re-evaluating key controls, but also redesigning current controls so they function at a higher level resulting in less process level testing, or automating controls, or scaling back in areas which aren’t necessarily key, etc…
    Hopefully there is more posts in this area in which we all can benefit from.

  • Ringo,
    I am a little late to this discussion but I agree with your assessment. A top down risk based approach looks to test controls in place higher in the control sequence. Stepping back to the reconciliation is a realistic level to test.
    I am curious how you handle testing at the reconciliation level. The control is the completion of the reconciliation and timely resolution of any discrepancies. We determine the reconciliation and resolution occur on a timely basis. I am aware of companies that actually recreate the reconciliation.

Log in to reply