Evidence of Control 2508



  • With the released of the AS 5 which to the certain extent reduce the management burden in term of the documentation. However, I have been always face the dilema of the requirement or expectation in term of the evidence of control. To a large extent, in order to produce the evidence of control it would means that additional print-out of document and signature to indicate the evidence and this is actually non-value added from the point of view of the process owners. Following are some of the examples:

    1. Process owners shall review the MRP result in the system to identify whether there is any ‘error’ and required to investigate and resolve the error in the timely manner. In this case there is no evidence of performance of such control unless the results of MRP is printed out and initail by the process onwners as evidence of review.
    2. In ERP environment, process owners will review the reports in the System, in the same token is it necessary to print out the reports and initial on the reports as a proof of evidence of review? For example Shipping Assistant shall review the delivery schedule to ensure all the required shipments are made on a daily basis. Does this mean that print out the report from the system and inital on it as evidence of review?
    3. The process owner shall review the Customer PO against the RFQ quoted to the customer to ensure accuracy. It is necessary to print out the customer PO initial on it as an evidence of review?
      I can go on and on with the requirement of the evidence of controls but all this are really non-value added and created unncessary paperwork. As such it is necessary to have evidence of control as the examples i gave above? My view is that evidence of control is required for the key control whereas for non-key control it is not necessary.
      What is your opinion on this?


  • Requiring the printing out of reports and the initialling or signing of those reports as supposed ‘evidence’ of the performance of a control is a waste of time. Unfortunately I have heard several times that some external auditors require this.%0AThere is no basis for this in the SEC’s rule for managements’s assessment of the effectiveness of ICFR, in PCAOB Auditing Standard No. 5 or in SEC or PCAOB staff Q and As.%0AIt is also a waste of paper and a waste of storing space to print out all the stuff.%0AThe external or internal auditors have a point in interviewing you how the test is performed and ideally documentation that allows them to reperform the tests. You should also point out that an initialled or signed print-out of a report is no evidence of a review of the report or any action taken as a result of the review. Tell the external auditors that you could fake the whole review by just printing out and initialling the stuff and claiming that there were not exceptions.%0AIf all items on the reports are reviewed and if the reports generated at different times leave no items not covered by any report (i.e. a review of 100% of the population), then it should suffice that you document that you run the report with a specific frequency and to only document the items where you identified deficiencies, what the deficiencies were and the date of the identification of the deficiencies (this can even be an e-mail to sombebody where you ask for further information on a suspected deficiency). They can then run the report for any time window, reperform you review and see if they found any additional deficiencies in the items on the report that were not identified during the review or any items that were marked as deficient as a result of the review, but which were not deficient. If only sample of the items on the report is reviewed, then the items included in the sample should be documented, so that the external auditor can reperform the review for the sample items. If the sample items have an identifying number that allows you to pick all data referring to the item from the system, then you only need the identifying number for each item in the sample.%0AReperformance is the only way through which they can prove that a review was not done or that the quality of the review was poor. Simply looking whether print-outs exist and whether they are intialled or signed, does not prove anything.



  • Sorry to resurrect this old threat, but the issue of signing and dating evidence is really annoying people in my company. The external auditors are quite happy to see evidence of a control (ie, a reconciliation which clearly balances, and maybe some notes to explain o/s items) - but the internal auditors ALWAYS insist that the reconciliations are printed, signed by the preparer and reviewer and dated. I bang my head on the table trying to explain to them them how pointless this is, but in there narrow little world the control is not the fact that the reconciliation exists and has been completed, but the existence of a signature / date.
    Do other forum users still need to sign/ date evidence??



  • Without a signature or date, how do you evidence (timely) review?
    We are moving to electronic signatures on spreadsheets to evidence review.



  • Without a signature or date, how do you evidence (timely) review?
    We are moving to electronic signatures on spreadsheets to evidence review.
    Electronic signatures on spreadsheets is something I saw at a previous client. Rather than simply add the name / date of the reviewer into [an editable] cell, they devised a macro which captured the user’s Win userID and exact date-time stamp. Is this the type of thing you are moving to kymike? Although I’m sure this date stamp was unalterable - how do you ensure it is thus?



  • Microsoft Excel (and probably other Office Suite software) has the ability to add a digital signature to a file. We are using that functionality.


Log in to reply