Review SOX globally and create light version 1788



  • You said Financial Services, well, you may have one more compliance viz. Basel II. Please confirm this.



  • What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.

    Why the cost for new management structures?
    SOX does not mandate that we change our management structure in order to comply? Just because you have a thin organization does not mean that you cannot have good internal controls.
    Now, if you previously relied on your external auditor to assist with your tax calculations and SEC filings and to find errors before your financial statements were issued, then I can see the expense for additional management costs, but in that scenario, auditors are not really independent and the management team needs to be beefed up.



  • Oooh the arrogance to assume we have thin management structures. In a highly regulated industry with products that are heavily scrutinised by government, policy-holders, other FS bodies and third parties, I would say we already have more than enough staff focused on risk, compliance, fraud, etc. But for all these staff, for all these controls, these are not good enough for the auditors' interpretation of SOX because they want to look at it from a different angle and not rely/cannot rely on these controls.
    No matter how much everyone rambles on about risk based auditing, likelihood of material mis-statement, etc, I would suggest that the auditors are primarily still concerned with maximising profit whilst minimising the risk of any litigation. As a result they remain focused on controls that give them comfort (after all they still build the goal posts between which we have to score) irrespective of our own views.
    Tax calculations and SEC filings are easy. They’re self contained within the environs of the Finance Departments and are easily controlled. The complexity comes from the need to go into every aspect of the business, because everything is financial, and test the variety of financial products sitting on a number of different systems. This takes up most of our own and our auditors' time yet is very low risk given the high volume, low value transactions that are then scrutinised by all the parties referred to earlier.
    Why additional management costs? Because all this information has to be gathered up and presented back to the auditors so that they can understand it. We considered self certification, minimal staff time but insufficient for auditor reliance. With one member of staff dedicated to SOX compliance/testing and costing be 50,000 per annum can save me more than that in reduced audit fees. We have considered removing the SOX team but the cost benefit analysis shows that the external audit fees will increase such that it would be more expensive to satisfy SOX requirements without them.
    Chhaava - Basel II will have an impact although my knowledge is somewhat limited here. I am hoping our SOX work will help (so that is a bonus.) although does this only really impact Banks? I have not looked into this yet as we have a separate team and I am dedicated to resolving SOX issues. What confuses me is that this standard keeps getting postponed and I am never quite sure what we are going to need to do - perhaps the sponsoring organisations have foreseen the possible compliance costs and questioned whether cost outweighs the value.



  • The SOX work should complement BASEL II. Other requirements for BASEL II are deemed operational for SOX. Self Assessment is the best solution and Big 4 are researching whether they can rely on Self Assessments performed by client. They should at least for remote locations.



  • Oooh the arrogance to assume we have thin management structures. In a highly regulated industry with products that are heavily scrutinised by government, policy-holders, other FS bodies and third parties, I would say we already have more than enough staff focused on risk, compliance, fraud, etc. But for all these staff, for all these controls, these are not good enough for the auditors' interpretation of SOX because they want to look at it from a different angle and not rely/cannot rely on these controls.

    Do you mind stating who your auditor is? It sounds to me like it is time for a new auditor.



  • I thought it might but I still thought it only related to banks and not the insurance and assurance businesses? I also wondered how it compared to the Integrated Prudential Source Book that the FSA require us to use in the UK that also looks at capital risk, credit risk and liquidity risk, etc. which we already abide by (although in truth don’t add anything that our SOX work can rely on). Also has a date been set for compliance, I note updated versions continue to be issued?
    kymike - auditors are KPMG. New auditors - probably not. Believe it or not they have been very good and what has been done and agreed has been quite innovative. I think their interpretation of SOX is not unreasonable eg reliance on our testing, required documentation, etc and falls in line with PCAOB requirements. I would still maintain that it is the generalisations that SOX was based on that throw up these issues.



  • Yes. Basel II is not applicable to you.



  • We have KPMG as well. My feeling is that they are pretty easy on us in our UK business. We have one incremental headcount for our global business dedicated to SOX. The remainder of the work has been spread out amongst the control owners with our internal audit team performing some quality review work.
    I have noticed, however, that the work performed by the external auditors will vary from partner to partner. You may have just drawn an extremely conservative partner who feels that he needs to have more work done on your business than another would choose to do.



  • Exactly, it boils down partner to partner and sometimes staff level also. Because of demand there is dearth of talented auditors, making this Big 4 approach recent grads (sent to audit within two days of joining without requisite orientation which we had to take even after three years articleship/internship when joining them from smaller firms (non Big 8 in those days)).



  • Just a few comments in response.
    I agree there is a degree of inconsistency between partners and firms. I even noted it within a firm on the same account that had locations around the world.
    As I said before, taking our auditors' perspective, given what they are testing I think most of their demands are reasonable. In fact our working relationship is very constructive.
    Going back to the start of this dialogue I was complaining about the unnecessary level of work needed to comply with SOX. If I look at income I have millions of low value receipts. Looking at our various life products we find that many schemes are FRAG’d, audited or similar on a regular basis. We also report regularly to external monitoring bodies who also access our data and audit us. Together these would give me very strong comfort that we are not misstating our income (particularly with our bank reconciliations in tow).
    But income is a line entry on our P-and-L, we cannot rely on 3rd parties for evidence, therefore we must show that at least 70% of our line item cannot be wrong which means going into the business and translating the controls into financial reporting ones and then undertake testing. This has to be done through a combination of self certification, internal testing and external audit, and because we have so many products and systems this becomes a significant piece of work.
    I appreciate that this is unusual and most businesses are not in the same position as us. But this is why I contend that 1) SOX has had a significant negative impact both in cost and time and 2) the risk that SOX should be addressing is how management manipulate the data rather than the accuracy of the data itself.
    We do have a permanent SOX team of around 6 staff at present. This has reduced the risk that operations have bought into SOX and over time we should see a positive move, it has led to a better use of resources by minimising audit fees and also because of the major restructuring that is impacting the Financial Services business in Europe with highly publicised redundancies and relocation of work to India etc we need to make sure we stay on top of that.
    Interestingly our Internal Audit have refused to get involved with SOX claiming it impacts their ‘independence’. This is a senior management decision so I have had to improvise.
    Chaava - Basel will impact because we do have a banking business but it is only one aspect of our company. I think I will put it on hold until 2007 - I can only hold so many hoses at any given time.

