Planning for the 2007/08 Compliance Programme
For those of you who have finished (and hopefully complied) on your 2006-7 SOX audit, well done. Now it’s time to plan for next year.
So what are you going to change?
I ask because we have now had time to absorb the revised guidance and the focus on a ‘top down’ risk approach. I recall a number of posts over the past few months showing sample sizes according to frequency and risk - have any of you changed that by reducing the sample size requirements for low risk or have you decided that this is already a risk based approach?
Alternatively, will anyone be descoping all low risk processes and relying completely on your ‘tone at the top’ testing for assurance in these areas because it is reasonable to assume that these areas are already unlikely to produce a misstatement? Therefore you can go for a very high level reasonableness check and not need to undertake transaction testing even if the process itself is significantly greater than materiality.
Will you be doing nothing different because:
- the revisions have not been finalised,
- your external auditor just doesn’t buy into this risk approach,
- you are already doing this?
As I now plan for this year I would welcome input from those of you already at this stage and what impact the revised guidance has had.
Igor13
We’re in the non-accelerated category and I’m preparing the SoX documentation under the assumption that the proposals will be approved pretty much as they were originally presented. While there may be some adjustments to the revisions to better align the methods of the SEC and the PCAOB, I think what has been issued for proposal will be approved this year. That said, I’m using the risk based approach when identifying processes and controls and advising process owners to test and document accordingly. If any auditor ‘doesn’t buy into this risk approach’ I suggest finding another firm to conduct your SoX work. I doubt this will be the case, but I do foresee much ‘discussion’ over risks and testing procedures once our auditors show up and begin their walkthroughs. Should be an interesting year for all.
We are in year 4 of SOX compliance. I see our efforts changing as follows -
More focus on higher-risk areas from a testing perspective and less focus on the lower-risk areas. In fact, most of the testing of routine, transactional controls may go away. The feeling is that these, individually, could never lead to a material misstatement of our financial statements and that errors at this level, if systemic, would likely be caught with a higher-level control.
We are placing more emphasis on the coverage that company-level controls provide. We have a very rigorous management review process every quarter which helps ensure that we fully understand our balance sheet and income statement and the accounting for any issues that have arisen during the current quarter.
We will likely not remove any accounting locations from our testing scope, but rather ensure that we are focused on testing the right high-level controls.
Our controls testing in the past has been designed to test controls that would catch errors that are well below our materiality threshold. We will be changing that so that we are testing those controls that are designed to catch errors much closer to our materiality threshold.
Sample sizes have been changed to reflect relative risk of failure or impact to FS with a control failure versus a one-size-fits-all approach to sample sizes.
We will incur a bit of additional work on the front end of things this year, with a reduction of effort on the back end (testing). Total work effort may not decrease, but rather shift from low-risk areas to higher-risk areas.
EMM
I would like to introduce the risk based approach as we have some very low risk entities in scope that could be reduced to limited scope locations.
We are not planning for this until we see the sign off on the guidance at the end of May. Certainly, our auditors are not in a position to discuss the matter until they see the final draft of AS5.
Other than that, we are tightening down on deficiencies identified in 2006, and reviewing the financial audit adjusted and unadjusted differences reports to see if there were any gaps in our controls which gave rise to misstatements.
Thanks for your quick responses. I agree that the guidance being unapproved does complicate things although I am trying to assume that the finalised version will be little changed in principle from what it is now.
kymike - your approach seems very much in line with the way I was thinking of going. How have your auditors responded to this? I am conscious that whilst I may choose to go down this route (more so if the auditors are no longer required to assess my assessment) they may themselves want to adopt a less risky approach when providing their opinion. Clearly from a cost analysis it would be in my interests to accommodate their preferred approach if I can persuade them to rely on my own work, which may mean more work than I originally planned. This may buck the guidance that is being produced because we may see the ‘brave new world’ but our auditors may not wish to embrace it.
Our auditors (KPMG) have bought off on our approach in general. Where they are pushing back some is where we have identified ELCs (detailed management review of financial results) as key controls allowing us to drop some of the lower-level controls. They want us to show them how we are mapping specific FS assertions to the new controls. A fair point. It is something that is not quite as easy to do at that level, but we will work through it with them.
The fine line that you walk here is one where you cut back so much that the auditors have to increase their work because you cut out something where they formerly could rely on your work. This will have the effect of increasing their fees for the SOX portion of their audit work. It will always remain cheaper for you to do the work than for them to do it.
Totally agree with you. I find it a little ironic that although we are no longer being assessed formally by our externals we are perhaps more beholden to their requirements than ever in an effort to make SOX compliance cost effective.
We had a presentation recently from one of the other big four on the implications. They made two interesting statements which was why I asked the question:
- Rotational testing is not permitted, but some low risk controls after the first year’s testing could gain sufficient evidence from the walkthrough alone. This suggested they would still insist on transactional walkthroughs rather than rely on high level controls.
- They can rely to a greater extent on the work of others, including the performance of walkthroughs ‘under our direct supervision’. This suggests that whilst they were prepared to rely on our work, if they were our auditors they would want to supervise our testing work.
External auditors could not rely on our walkthroughs anyway, so they will likely continue to do them. This would not be any incremental work for them based on past controls reviews.