Reducing number of key processes and controls



  • I’ve heard and read much about companies reducing the amount of time and effort they plan to spend complying with SOX in year 2 by critically examining and then reducing the number of processes and key controls that they documented and tested in year 1. Does anyone out there have any ‘concrete’ examples of how you accomplished this?
    What processes or key controls that you documented in year 1 were you able to eliminate? What was your logic for eliminating these?



  • First, account mapping could be a help. By linking each key control to financial statement assertions and the financial account(s)/disclosure item(s) it addresses, you might discover redundant key controls e.g.
    Materiality thresholds in combination with a thorough analysis of significant financial accounts can also significantly reduce the number of key controls, as well as a good risk assessment approach applied to SOX processes in place.
    I know this sounds all quite theoretical, but each company is different and there is no one-size-fits-all example… However, these are some rough guides at least.



  • You can start off by looking at your process risk assessments. For your low risk processes e.g. payroll and invoice processing, focus on 1. front end controls e.g. request for hire approvals, change form approvals; 2. reconciliation and review of payroll registers and journals; 3. Senior level review of variance analysis and payroll analytics.
    For your high risk processes e.g. Financial Statement Close, it is advisable to focus on divisional closing controls, HO controls around divisional results, consolidation controls, FS and note preparation controls and review and analysis of results by senior management, Board or Audit Committee. One thing that must be borne in mind is that you must demonstrate that your consolidated results are free of material misstatements so your divisional closing and HO review controls must be robust.
    Many filers have also mapped their 302 disclosure controls into their close process to facilitate year 2 compliance.
    From what I have seen, about 40-50% of material weaknesses or significant deficiencies are as a result of a weak close process so many filers are going heavy on controls.



  • I have a specific question regarding the optimization of controls. My company is in year 2 of SOX compliance and are currently working to remove unnecessary and irrelevant controls. I have made the case for a specific control to be deleted because I don’t see how it can cause a materially misstated financial statement.
    The control basically says, ‘There is a listing of Managers who are permitted to disburse departmental paychecks.’ This in my opinion is a good control promoting segregation of duties and is a good way to detect fraud if, say, someone was terminated and their supervisor didn’t process the paperwork and simply kept the checks that employee would have received.
    Does anyone else think that this control should be deleted? Our HR dept. wants rid of it and my Chief Auditor wants to keep it.
    All replies are very appreciated.



  • First, it always makes me nervous when someone in the HR department argues that a Key Control is unnecessary. Is their argument that it is unnecessary because it failed? Or, because there is another (effective) Key Control that meets the same Control Objective?
    Just guessing, but the Control Objective is probably to prevent paying fictitious employees (a ‘Validity’ control for all of the CAVR fans). So, there very well may be other Key Controls in lieu of this control.
    Also, in the past, one of the textbook controls was to have every employee show ID and sign a receipt for their pay (especially if in cash). However, many companies now require direct deposit, so the only hard-copy payroll checks would be the first and last pay, which is mailed to the employee. And, NO ONE disburses cash payroll.
    If this is the case (direct deposit required or the norm), it seems that it should be easy to demonstrate that the amount at risk is less than the quantified materiality. So, even if it is a deficiency, it would not rise to the level of ‘significant’ or a ‘material’.
    Although, having said that, I always hate to agree with anyone in HR regarding a control issue. (LOL) At any rate, let the HR department demonstrate their reasoning, since, theoretically, they are the ‘process owner’.



  • Thanks for your response. We definitely have other controls to test for the ‘fake employee’ situation. Unfortunately, I am still unable to convince my Chief Auditor that we don’t need this. Oh well, back to business. Thanks again.



  • Your Chief Auditor may be as averse as I to give in to the HR department, just on general principle.
    Good luck.



  • An unofficial transcript of the Public Company Accounting Oversight Board Roundtable on Reporting on Internal Control was convened by the Public Company Accounting Oversight Board at the Capital Hilton on Tuesday, July 29, 2003.
    An archive of the webcast of the program can be found on the Public Company Accounting Oversight Board’s website at www.pcaobus.org.
    The document is titled, ‘ROUNDTABLE ON REPORTING ON INTERNAL CONTROL’. You can download the document and search on the term ‘key control’. There are at least ten references to ‘key control’ in the document with the related dialogue from the PCAOB.
    Additionally, AS2, Audit Standard No. 2 addresses important controls that should be tested to comply with SOX. It provides significant guidance about other information that might be helpful in making a decision to determine if a control is considered a ‘key control’ for SOX purposes and should be tested.
    AS2:
    http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf
    Characteristics of a Key Control
    Factors management should consider in determining which controls to test include:
    The magnitude of the potential misstatement that could result from failure of the control
    The likelihood that failure of the control could result in a misstatement
    The degree to which other controls, if effective, achieve the same control objective
    Controls to be tested include:
    Controls over initiating, recording, processing, reconciling, and reporting significant account balances, classes of transactions and disclosures, and related assertions embodied in the financial statements
    Controls over the selection and application of accounting policies in conformity with GAAP
    Controls related to the prevention, identification, and detection of fraud
    Controls on which other significant controls are dependent (includes IT controls e.g. information security, program change control, computer operations)
    Each significant control in a group of controls that functions together to achieve a control objective
    Controls over significant non-routine and non-systematic transactions (such as accounts involving judgment
    estimates)
    Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (e.g., consolidating adjustments, report combinations, reclassifications)
    Regards,
    milan

