Adding more entity level controls 2453
Hoiya last edited by
Last year, our company took advantage of the key control approach to reduce the number of testing. We did not fully utilize the top-down approach, though we have some monitoring controls or entity level controls within our key controls.
This year, our auditors keep saying that we should designate some more ELCs or monitoring controls. I tried gathering the monitoring controls by business segment, but that has proven quite time-consuming and I am not sure what that does for us at the end. Management got comfortable with the set of key controls last year. And I do not think any new monitoring/ELCs can further reduce the number of tests. It seems almost as if the auditors want us to test more ‘high level’ controls so we can say we have a ‘top down’ approach. That does not add much value in my opinion.
kymike last edited by
I wouldn’t add and test high-level controls if you don’t feel that they will allow you to reduce some of the lower-level controls that are tested.
The monitoring controls that can allow you to eliminate lower-level controls are those such as analytical analyses (days sales in inventory, days receivables outstanding, COS, COL) monitoring of account reconciliations timeliness and unreconciled balances (may only help reduce sample sizes versus eliminating testing of reconciliations).
The external auditors may have higher standards for what they can rely on for controls testing evidence and are probably trying to get you to do some of their work for them. Tha is OK if you are going to see a fee reduction for the additional work. I wouldn’t increase my SOX work or documentation at this point unless I was going to see a direct payback or if the external auditor is identifying deficiencies that I missed because of my limited testing or small sample sizes.
gmerkl last edited by
As long as extra testing of entity-level controls including monitoring controls lets you reduce your work on process-level controls that is fine.
If you see monitoring in conjunction with relying on testing done in prior years, then monitoring that no change in the process or in the persons performing the process took place, may reduce the sample size of testing the operating effectiveness of the process-level control or even eliminate the need to test the operating effectiveness in this year.
If the auditors don’t offer you any benefit in terms of reduced testing on your side or their side (together with a reduction in audit fees) for extra testing done by you on entity-level controls, then you should politely decline.
Denis last edited by
I agree with the previous two comments.
I woul dask the question as directly as ‘if we do this extra work then by how much will you reduce your fees ?’