Controls around credit limits. 2018



  • The following are 2 controls that have been documented as key for the 404 assessment. I am of the opinion that these are not necessary to a SOX review due to the fact a failure in either of these controls would not cause a misstatement in the financials. If a customer were extended a line of credit that was not in accordance with company policy and the customer subsequently was unable to satisfy their commitment to pay, it would be recorded as bad debt. Thoughts?
    -Obtain a report of all changes to credit limits in the customer master file. Take a sample of 5 changes and verify that the change was properly approved.
    -Attempt to enter an order for a customer who has exceeded his or her credit limit or who is on credit hold. Verify that the order goes on credit hold.



  • We apply both of those controls and believe that they ARE key.

    • Unapproved changes to credit limits due to bad debts, but may also arise due to pressure from Sales and marketing to increase their sales, and receive commission - therefore resulting in an expense of commission and an expense for the write off of bad debts. It also needs to be linked to what bad debt controls there are in place.
    • Credit holds are often used to stop sales going through for slow paying customers and therefore giving rise to further company losses.
      Such controls reduce the risk of bad debt understatement as they prevent bad debts and losses in the first place.


  • Interesting point. I agree that from an operational perspective, these are necessary controls. However, if the losses that accompany bad debt are properly tracked, recorded, and reported, there will not be a misstatement. The assumptions that dictate the bad debt reserves would need to be adjusted to reflect such an environment, and with proper controls around reserves, I think the risk should be adequately addressed. No?



  • Interesting point. I agree that from an operational perspective, these are necessary controls. However, if the losses that accompany bad debt are properly tracked, recorded, and reported, there will not be a misstatement. The assumptions that dictate the bad debt reserves would need to be adjusted to reflect such an environment, and with proper controls around reserves, I think the risk should be adequately addressed. No?
    This is where I come from on this. Controls over granting and monitoring credit limits are valuable operational and commercial considerations. However, from a SOX 404 point of view they MAY not be relevant. For SOX purposes you need only consider whether the controls over assessing the provision for bad and doubtful debts are adequate.



  • I agree with Denis. This seems to be an operational control and not a financial reporting control. As long as you have identified the correct controls over reporting of credit sales and AFDA, then you should be OK.



  • Previously, a question was posted on the forums that requested clarification on the definition of a key control. An excerpt from this dialogue…
    Characteristics of a Key Control
    Factors management should consider in determining which controls to test include:

    • The magnitude of the potential misstatement that could result from failure of the control
    • The likelihood that failure of the control could result in a misstatement
    • The degree to which other controls, if effective, achieve the same control objective
      Controls to be tested include:
    • Controls over initiating, recording, processing, reconciling, and reporting significant account balances, classes of transactions and disclosures, and related assertions embodied in the financial statements
    • Controls over the selection and application of accounting policies in conformity with GAAP
    • Controls related to the prevention, identification, and detection of fraud
    • Controls on which other significant controls are dependent (includes IT controls e.g. information security, program change control, computer operations)
    • Each significant control in a group of controls that functions together to achieve a control objective
    • Controls over significant non-routine and non-systematic transactions (such as accounts involving judgment estimates)
    • Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (e.g., consolidating adjustments, report combinations, reclassifications)
      Hope this further helps,
      milan


  • I can see the point that you are all making, but it is very much reliant on sufficient controls to ensure that bad debts are properly accounted for, and most finance departments tend to be unwilling to write off or provide for large amounts of debts due to the loss impact.
    In addition, it encourages sales staff to perform possibly invalid sales transactions just for the sake of receiving more commission.
    As for deviations from Policy - would this not affect your entity level controls and the ‘Tone at the Top’?



  • In addition, it encourages sales staff to perform possibly invalid sales transactions just for the sake of receiving more commission.

    This sounds like an opportunity to change the commission calculations such that they are also impacted by account collections. No collection, no commission.



  • In addition, it encourages sales staff to perform possibly invalid sales transactions just for the sake of receiving more commission.
    How would lack of (SOX) controls over credit limits create an opportunity for invalid sales transactions? If credit limits/increase are granted to customers without performing a thorough background review to determine their credit worthiness, and the customer does not honor the debt, the sales are still valid in that they’ve been authorized, however bad debt will need to be increased. Granted, not recommended from an operational stance, but from a SOX point of view, I don’t think controls over establishing/increasing credit limits are necessary. Interesting posts though.



  • …my company views the credit management process as integral to revenue recognition. One of the tenets of being able to recognize revenue on an accrual basis is the concept of assured collectibility. Sales to customers without a reasonable assurance of collectibility could in fact be inappropriately recorded as sales.



  • Thank you dorjwill.
    It is the collectability of sales that puts the revenue recognition into question.
    In reference to SAB 104, there are 4 criteria to be met where revenue is to be realized:
    • Persuasive evidence of an arrangement exists
    • Delivery has occurred or services have been rendered
    • The seller’s price to the buyer is fixed or determinable
    • Collectibility is reasonably assured.
    Surely, the application of appropriate credit limits provides comfort that collectibility is reasonably assured?



  • But in reality invoices are recorded when they are raised and coded to revenue, a provision is made for items where collectability is not reasonably assured. It can be no other way under an accruals accounting convention.
    To my mind having good processes around approval of credit limits is not a sufficiently well designed control to give you assurance that all items recorded in revenue/receivables are reasonably collectable. If this were the case companies would have no bad debts. A better control would be review of aged receivables.
    I am not discounting that good credit control is an excellent idea, but I do not generally see it as key for SOX 404.



  • Good point Denis.
    We also apply aged debtors reviews as key controls in each entity but still feel (and so does our auditor) that it is a good system to have in place, particularly in locations where we know that reviews are performed, but debts do not appear to be chased up on a timely basis.
    As for the deviation in Policy - do you not think that this may affect entity level controls?



  • Hi,
    I am an internal auditor of a European subsidiary which is in scope for SOX.
    Within credit management we are using an automatic credit check. When a sales order meets the criteria of the defined credit check, the sales order is blocked. The credit representative reviews the blocked orders and overwrites them by either increasing the credit limit or releasing the blocked order.
    A report of released blocked orders is generated daily, which is reviewed by the supervisor.
    This detective control is considered key.
    Other key controls which are in place are the review of changes to customer master data (credit limit, risk cat), bad debt analysis and procedure for the allowance of doubtful accounts.
    If all is recorded well, what would be the added value of having a control of reviewing the released blocked orders (overwrites) as key? Note, when the report is reviewed, the goods are already delivered to the customer.
    I would appreciate your thoughts.
    Thanks

