Audit Serve, Inc.



SOX 404 Year II: Lessons Learned, Initiatives to Pursue and
Interpretation of Guidance Provided by the SEC & PCAOB
(Part 1 of 2)
By: Mitchell H. Levine, CISA


On May 16th the SEC and the PCAOB both released guidance regarding SOX 404, which required them to take a defensive posture in response to complaints about the excessive cost of implementing controls for 404. This action was partially attributed to feedback received from the SEC’s roundtable on Implementation of Internal Control Reporting Provisions. Besides the Commission’s and the PCAOB’s view that they expect second-year costs to be significantly reduced based on the work performed during the first year, they offered guidance (SEC) and policy statements (PCAOB) which they also expect to help reduce the cost of SOX compliance going forward. However, in many cases, as discussed in this article, the policy statements do not provide sufficient detail to translate into significant changes in how the external auditors will operate during Year II of SOX.

The first cost reduction area mentioned in the PCAOB’s and the Commission’s May 16th statements was the need to use a risk-based approach to determine the significant accounts, the controls to be evaluated and the level of testing to be performed, which they admit is subjective. The “top-down approach” that they advocate, in which company-level controls are evaluated first before “diving” into the individual areas of a company (i.e., process controls), seems like a reasonable approach. However, it seems unrealistic that external auditors will accept management risk assessments and self-assessment processes as the basis for obtaining comfort that control processes have been implemented within the individual organizational units. If management adopts this approach as the basis for not assessing the controls of an organizational unit which is deemed to be in scope for SOX, they need to ensure that the external auditors share the same view. However, this top-down approach may allow organizations to set “more relaxed” criteria to define the in-scope processes and locations which require a vigorous review of controls and testing, knowing that they can use the “top-down” approach for areas which do not meet the revised in-scope criteria. This approach would also be easier to “sell” to the external auditors.

The SEC and the PCAOB also made statements that a “cookbook” approach should not be used by the external auditors when evaluating and testing controls because “one size does not fit all”, and therefore plans need to be tailored individually for each organization. Unfortunately, the SEC and the PCAOB fail to recognize that most of the teams deployed by the external audit firms consisted of inexperienced auditors who could not tailor the required controls to the size and unique characteristics of an organization. Therefore, the only alternative was to provide these teams with predefined checklists to at least ensure some level of consistency. In most cases, the external audit firms dispatched their best talent to the “high dollar” SOX consulting adviser positions with the issuer organizations. Most medium and large size issuers protected themselves during the first year of the SOX project by hiring consultants from the external audit firms, because it was perceived that they would have the most knowledge of the project approach since they perform external audits of other organizations.

We have all seen first-hand the varying degrees of detail among the external audit firms, which vary significantly at the partner level and even at the engagement manager level. Most organizations have formed their impressions of their Year II requirements based on the composition of the audit teams which will be used.

In regards to the Commission’s and the PCAOB’s statement not to use predefined checklists to assess the controls within an organization, this appears to invalidate the direct use of the ITGI-issued IT General Control checklists that organizations used during the early stages of their projects. ITGI first issued a checklist containing 130+ control objectives, which were later reduced to 80+ control objectives in a subsequent release of the standard. By the 3rd quarter of 2004, most of the large external audit firms were not endorsing the full implementation of the controls advocated by the ITGI standard, realizing that (1) it went beyond most SOX practitioners’ expectations, (2) it was too costly to implement and test and (3) it was not scalable to smaller organizations. Specific areas required within ITGI, Offsite Disaster Recovery and Performance Monitoring, were specifically mentioned as “out of scope” areas in prior policy statements issued by the PCAOB in 2004. However, the ITGI SOX standards for IT General Controls could still be used as a reference guide from which key controls can be selectively adopted by an organization.

One of the surprising developments from the Commission’s guidance issued on May 16th was the reaffirmation that internal controls must be in place and operating effectively as of the end of the issuer’s fiscal year. During the first year of SOX and compliance with AS2 (PCAOB Auditing Standard No. 2), there was a perception that the controls had to be effective for the entire year. However, as the year progressed and there were delays in the remediation of control design issues, issuers were guided by the Big Four to only ensure that their controls were effective far enough in advance of the end of the fiscal year that they could be effectively tested. This is where guidance was provided regarding the number of days or months prior to the fiscal year-end by which controls had to be effective, which was based on the control frequency. For instance, a daily control had to be effective at least 20 days prior to the end of the fiscal year to allow for sufficient sample sizes to be pulled for testing. What was surprising about the SEC’s guidance is that most organizations expected that in Year II of SOX they would be required to prove that the controls were effective during the entire fiscal year, which is not the case. Depending on the design of the General Ledger system being used, if each monthly compilation is treated separately and stands on its own (i.e., unless adjusted in later months), then it would be critical to have the controls effective from the first month of GL reporting. It would seem that the Commission assumes that the final month’s reporting would represent the aggregate of the entire year, which is not necessarily the case. The same approach would also apply to all systems feeding the General Ledger with asset valuation, revenue and expense data. Although Section 302 of the Act requires the certification of the quarterly financial statements, it is not supported by the requirements of SOX 404 testing. Issuers may choose to follow the Commission’s guidance to only have the controls effective as of the end of the fiscal year, but “common sense” may prevail in future years to require controls to be effective as of the start of the fiscal year.

The Commission also provided guidance regarding the flexibility of when testing should be performed, which does not necessarily have to occur around the year-end close. Besides the reality that most General Ledger adjustments are performed just prior to the year-end close, I would agree that testing can occur at different stages of the fiscal year. The lesson learned from the first year of SOX is to identify the retention period for the data used to support testing, to ensure it is available for the same period covered by the test.


Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.
