An exception? 2270
Control states that the bank recs are prepared and reviewed by different individuals. Due to turnover, bank recs for 2 months in Q4 were prepared and reviewed by the same person. Technically, this is an exception, but should it be noted as such with a statement provided explaining the circumstances? Or, should no exception be identified but provide explanation describing the environment that led to the issue? Similar issue exists around journal entries, which are being prepared and entered by the same person (the same person who’s doing the bank recs).
WrightLot last edited by
You must have an exception - the control is not operating as described. You noted that yourself with the statement that ‘technically this is an exception’.
What is more important is your evaluation of that exception which is where you are highlighting the need to explain the circumstances and in effect establish its significance. The answer to this depends on what other controls there are in place and what risk(s) this control mitigates.
For example is it critical that the bank rec is performed, is reviewed or both?
Is there a bigger issue in that the same individual undertakes the bank recs and journal entries, neither of which were being reviewed?
With these controls not operating as described is the design of the process still effective as it stands?
Could a significant or material error, deliberate or otherwise, occur undetected because of these exceptions irrespective of whether that has happened?
kymike last edited by
This is a significant segregation of duties issue. You should never have the same individual preparing a bank reconciliation and making journal entries with no other reviewer as a control. This presents a good opportunity for fraud to occur. Testing in this area should be performed more strenuously given the high risk of fraud.
Albie last edited by
Agree with WrightLot and KyMike. We are undergoing Year One testing right now and ran across similar S.O.D. issues with journal entries and wire transfer approval. These were both identified as exceptions and we consider them highly significant. Separate Entry/Review is one of those ‘hot button’ issues that auditors will flag in a New York minute.
Thanks for the replies.
While I’ve noted these SOD issues as exceptions, I am not immediately concerned that either would rise to a significant deficiency or material weakness, as there are adequate compensating controls to prevent such from occurring. Factor in that we’re a non-accelerated filer with a relatively small corporate staff, I believe (hope) I’ve assessed, and concluded upon, the issues appropriately.
Any additional feedback/comments would be greatly appreciated.
kymike last edited by
I would term the SOD issues as control deficiencies versus exceptions as your stated control (management review of the bank recons and JEs) was not operating for the periods tested.
As for severity of the deficiencies, that is a judgment call based on other controls that you have operating effectively. Guidance indicates that if you have identified compensating controls that reduce the severity of the deficiencies, then you need to test the sompensating controls for operating effectiveness.
I’ve identified them as exceptions, and when I do my evaluation to determine which exceptions, individual or in the aggregate, represent control deficiencies, I will note as such at that time. From there I will do another evaluation to determine if any of these control deficiencies amount to a significant deficiency or material weakness. It is during these evaluations that I will identify the compensating and/or redundant controls (in addition to entity level controls) that mitigate the risk of material misstatement.