Reliance on External Audit 3173
With Internal Audit Functions working closely with external audit I have noticed the distinction between them has become less marked.
So I found it interesting to see that this year our IA function intend to change their approach. Where the external auditor cannot rely on IA’s work (because the EA function rates the control as high risk and wants to test it themselves) then IA, rather than do sample testing of around 45 for a daily control (as normal) would instead do a sample of only 5 and rely on the work of the external auditors.
Now I thought SOX did not allow management to rely on the work of EA, especially for higher risk controls. Has this now been relaxed when I was not looking and we can do minimal testing and rely on the annual SOX testing results of EA?
IA cannot rely on the work of the external auditors. Management’s assessment of the effectiveness of controls must be based on its own evidence. However, if management does become aware of an issue discovered by the external auditors, then they must consider that issue when making their assessment.
Management can outsource the testing to other auditors, but not to the auditor that provides an opinion on management’s financial statements.
If the external auditors are not going to rely on management’s testing of high risk items, there is no reason for management to use the same sample sizes as the external auditors use.
This is a slippery slope to go down. I am not certain how often (if ever) the SEC examines management support for controls assessments unless there is a reason for the SEC to examine the support, but I would not like to be in management’s shoes if the SEC did an examination and found out that management was not performng the appropriate level of diligence in controls monitoring and assessment.
Bingo, thanks for that Kymike- it confirms everything I thought. I did look for a specific statement from the SEC but could not find anything - probably because it is blindingly obvious.
On a similar note testing has also changed so that virtually all controls are conlcuded by mid August with full sample sizes taken for the period to then (different process testing is concluded between June and August). This is then augmented by a follow up in December where IA enquire ‘has anything changed’ and if it hasn’t then they sign off.
Again it’s been a while since I managed independent testing for SOX but is this a properly designed methodlogy as it is not assessing risk and ensuring higher risk controls are looked at closer to year end? In this scenario the only controls tested at year end would be those that only operate at year end regardless of risk. For a site visited in June all results would be based on sample testing to the end of May with no furtehr testing follow up.
I will admit I am getting very disturbed by it all…
I know that auditors are scrutinized closely by the PCAOB, so they tend to err on the side of overdocumenting and testing more than management would.
I think that audit standards would require more than inquiry on a higher risk area as roll-forward testing at year end, but there are no similar standards for management regarding testing of controls. Management is not really held to the higher audit standard, but is allowed the flexibility to design its own approach to testing (though they must select a framework for their controls).
At the end of the day, management is responsible for accurate financial statements and must decide the level of risk that they want to assume when designing their controls assessment. By performing inquiry only at year end, the external auditor cannot rely on that and must perform their own testing. In theory, when the auditors cannot rely on management’s test work, then they spend more time testing and, in theory, their audit fees are higher.
OK I’ve been out of this arena for some time and I am surprised by how things have changed. When I did this many years ago management took responsibility for self testing/internal testing and sampling was based on risk and degrees of confidence. So typically low risk had samples of 1 and high risk samples around 30-40 for the year.
I now gather that it is acceptable for management to tick the box to confirm the control has not changed and then Internal Audit test to a maximum sample size of 5 and that is sufficient to validate that controls are operating effectively.
Clearly it is difficult to comment on anything specifically and I realise there is no detailed guidance laid down by the SEC. But is anyone else aware of/are part of an organisation that applies testing at such a low level for SOX? Is a sample of 5 sufficient to conclude that a high risk control is operating effectively (without relying on external audit results)?
Sample size is a function of control frequency (how often per year is the control executed) and risk. You didn’t mention the frequency of the control you were referring to in your question.
For multiple times per day controls (invoice processing, for example), we test 25-40 depending on risk profile.
For monthly controls, we test q sample of 3.
The reason no mention of frequency was made was because it does not feature in IA’s analysis (and I am not too sure where risk features either).
Where external audit rely on IA the sample size is per the requirements of external (which is more than enough for management). Where the control is a higher risk and external place no reliance then IA will test up to 5 (more dependent on whether there were 5 cases rather than actual sample size) and take comfort from the result of external’s testing to confirm there are no issues.
Moreover with the exception of year-end controls all the testing occurs mid financial year with no further testing taking place (except for controls that have been remediated) and instead they are all followed up by enquiry only around financial year-end (again regardless of risk).
I guess this is IA’s interpretation of the guidance. Management can rely on them because they are independent professionals. I am not sure as to management’s liability as they can only go what IA tell them and I guess as long as IA have a clearly articulated testing plan it can be relied upon.
Whilst the approach is not one I am familiar with, I guess if IA conclude it is OK to give them the assurance they need and they can certify the validity of the controls framework then it is acceptable. After all the SEC guidance doesn’t forbid it (in fact it doesn’t say you have to follow a statistical sampling methodology based on frequency or population size). I just need IA to tell me everything is ok.