Design Deficiencies?



  • I guess you should try to figure out, if you’re talking about the ‘normal’ annual audit or the sox audit. The auditor has to communicate everything he disclosed to the management also to the audit committee (SAS90 - I believe). Therefore it can be, that a SOX deficiency report is only focusing on significant deficiencies or material weaknesses, but a report out of an annual audit discloses everything they learned addressed to the audit committee or supervisory board.



  • @holger: it was a sox audit issue and we have discussed it with them so far. as they state, they are required to report all controls not being effective as of january 1st to the parent’s auditor, for whatever reason… however, whenever I read about the design deficiencies, one would refer to them as to the design deficiencies identified in tests of operating effectiveness. that would equal zero in our case, because as they tested, the designs were effective. alone the fact that we communicated to them that some of the controls were put in place in march e.g. does not make them have an ineffective design to my understanding, or does it?
    but, I would like to ask you, Holger, another question, since I appreciate your impressive sox-knowledge… can u give me some kind of a link between financial statement assertions and key controls? to my understanding, all financial statement accounts or relevant transactions or disclosures embody financial statement assertions, and for these financial assertions, there should be key controls in place. is this correct? so, do I have to cover every single fin. assertion related to a particular account by a key control or is it fine if I cover at least one? and what if I have a key control that cannot be clearly mapped to any of the fin. assertions? is it then still a key control? thanks a lot in advance.



  • My opinion on your last question:

    • It’s key when it is of importance for a material account
    • If it is key, but there’s no account, it can still be key. F.e. contingent liabilities, controls for high-risks which could impact an account (timely VAT report to tax authorities)


  • @Melly: In order to identify which internal controls are key and, therefore, are required to be evaluated and tested independently, management must perform a risk assessment analysis based upon identified financial misstatement risks at the significant process and related sub-process level. This risk assessment provides the basis from which key controls are identified.
    Key controls are those controls that are important to each relevant assertion in the financial statements. The PCAOB standard emphasizes controls that affect relevant assertions because those are the points at which financial misstatements could occur. The standard prescribes that it is neither necessary to test all controls nor to test redundant controls. Therefore, only key controls will be subject to management and auditors test procedures. Key internal controls over financial reporting include:
    • Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements;
    • Controls over the selection and application of accounting policies that are in conformity with IFRS and US GAAP;
    • Antifraud programs and controls relevant to the financial statements;
    • Controls, including IT general controls, on which other controls are dependent;
    • Controls over significant non-routine transactions and nonsystematic transactions, such as accounts involving judgments and estimates; and
    • Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statement.
    Judgment will be necessary to determine whether a control is redundant with other controls or is a key control. In addition, management should review the identification of the key controls, along with the relevant FMRS’s for each significant process and related sub-process to confirm its assessment. Please remember that all key controls will have to be tested. Therefore, it is important that management only select the significant controls.
    In determining which controls are key controls for a particular risk scenario, management should identify those controls as key which enable management to conclude that there is a remote risk of a material financial misstatement occurring, assuming that the identified key controls are working effectively.
    In the process of identifying key controls you may conclude that a deficient preventive control could be compensated for by an effective detective control and, therefore, not result in a significant deficiency or material weakness. For example, a monthly reconciliation control procedure (a detective control) would detect an out-of-balance situation resulting from an input error due to an ineffective data interface control.
    In making a determination that the detective control compensates for the defective preventive control, the evaluator should ensure that the detective control is designed to achieve the control objective to which the preventive control relates in a timely manner and that the detective control is effective. One should consider that reliance on high-level analytical procedures, by themselves, may not be sufficiently precise to achieve the control objective.



  • @Holger: thanks a lot.



  • You’re welcome… 😉



  • Note - the PCAOB standard is for auditors and sets out the minimum you need to comply with SOX.
    If a company is looking to embed controls into its organisation it may decide to test beyond key controls. An alternative view may be that if a control is worth documenting in a process document then it is worth evaluating its effectiveness.



  • @Denis: At last a company will provide their opinion about the effectiveness of their internal Controls over financial statements. The ext. Auditor, who has to comply with the PCAOB’s Standard 2, will also review the controls and also provide an opinion.
    I believe it makes total sense to make sure that the auditors get what they need. So you better make sure you know what they’re looking for… 😄



  • @holger agree with you generally, however
    In our project we are identifying key controls and using these to demonstrate that we have ‘complied with SOX’ but we have a wider objective to build controls ‘into the DNA of the organisation’ on the basis that compliance only will not benefit our organisation.
    We are evaluating ALL controls that figure in our process documents. If there is an argument over the control being not important enough to test the question is then is it important enough to perform? We are actually removing some redundant controls and simplifying our processes.
    Where I see this being a strong approach is that it gets staff responsible for financial control out of a ‘minimum effort’ mindset. It stops staff assuming that key controls are the only ones they have to do on a day-to-day basis.
    We do mitigate this ‘extra’ work however. Where a control is not ‘key’ we might use a smaller sample size and a deficiency in a non-key control is not a SOX deficiency and has a different remediation process.
    We involved our auditors in this at an early(ish) stage, so they understand where we’re coming from.



  • @Denis: I understand your position. Actually we’re doing something similar. What I wanted to point out is, that for SOX you better streamline your effort towards the ext. Auditor.
    I totally agree that ‘only achieve compliance’ doesn’t make much sense.
    You only need to look at the money spent to get that conclusion. :twisted:
    We also follow the approach to get as much a rise of quality all over the company as possible. We use the same approach over the whole company (doesn’t matter if a dept. is SOX relevant or not). In all cases where a dept. or subsidiary is not SOX relevant we leave our ext. Auditor out.

