Back to basics - self certification..

  • In the companies I have worked for we have interpreted the SEC/PCAOB to allow for self-cert but that it should also include regular independent review of these certs. Self-cert on its own was insufficient.
    Recently I have been working with some smaller US companies and found that they almost totally rely on self-cert with a bit of ad hoc testing as and when they feel like it (or internal audit do something).
    Now I would have expected some form of cyclical plan over a recognised period that covers all in-scope areas. In fact, per AS5, you could argue that every process in scope needs to have a walkthrough each year (but maybe that is more a management risk because the auditors are going to do that and you don’t want them to find anything).
    Applying a risk-based approach to self-cert I would have expected to see the high-risk processes tested on a regular basis, probably annually given that self-cert on its own is unacceptable and these are high-risk areas. Yet as I said before, these smaller companies appear to rely on self-cert irrespective of the risk and test on an ad hoc basis (so a high-risk process could be signed off based solely on a self-cert and nothing else).
    I know that management defines its own testing and the auditor does not comment on that but I still thought SEC guidance was fairly clear. Am I stuck in a rut and have I missed something in the new guidance? I am happy to receive correction from all you gurus out there.
