SOX AUDIT SOLUTIONS

AuditOne LLC

AuditOne is well qualified to help you meet both your documentation and testing needs in connection with Sarbanes-Oxley Act ("SOX") compliance.  Not only do we offer extensive and directly relevant expertise and experience drawn from our core internal audit (IA) activities, but we can also offer efficiencies (time and cost savings) where we perform both IA and SOX work for the same client.

Overview

SOX was passed in 2002 in response to accounting scandals at Enron, WorldCom and elsewhere.  It addresses the internal control environment surrounding the financial reporting process of a publicly traded entity.  Its control requirements are concerned only with internal control over financial reporting (ICFR); there is currently no requirement for a similarly comprehensive assessment of operational or compliance controls.

Although broader in scope (and heavier in its penalties), SOX is modeled on the provisions of FDICIA Section 36, which has required insured depository institutions above a size threshold to report annually on their internal controls since the early 1990s.  Sections 302 and 906 of SOX require the CEO and CFO to certify, in each quarterly and annual report, that the report contains no untrue statement or omission of a material fact, that the financial statements fairly present the company's financial condition in all material respects, and that they have evaluated the effectiveness of the company's disclosure controls and procedures; Section 906 adds criminal penalties for a knowingly false certification.  Section 404 supports 302 by requiring an annual management assessment of internal control over financial reporting (404(a)), for which the key controls must be documented and tested, together with an attestation on those controls by the external auditor (404(b)).  The comments below relate to 404 compliance.

Timing:  Accelerated filers (defined by a public float, i.e., market value of common equity held by non-affiliates, of $75 million or more) have been required to comply with Section 404 for fiscal years ending on or after November 15, 2004, which means their 2004 or 2005 annual report depending on fiscal year-end.  For non-accelerated filers the deadlines have been deferred several times:  1) management's report on the effectiveness of internal control over financial reporting has been required in the annual report for the first fiscal year ending on or after December 15, 2007;  2) the external auditor's attestation, originally due the following year, was deferred in mid-2008 to fiscal years ending on or after December 15, 2009.  (That deadline was later deferred again, and the Dodd-Frank Act of 2010 permanently exempted non-accelerated filers from the 404(b) auditor attestation requirement; the management report requirement still applies.)

AuditOne Can Help

Setting up a SOX framework and then working through the requisite testing is a daunting task for the uninitiated.  We have been through this exercise with various clients and have hands-on experience to draw on.  The fact that AuditOne does internal audit work in all of the areas touched by a SOX set-up further solidifies our credentials in this area.  Our staff are top-notch, our organizational and reporting abilities are well proven, and we have the flexibility, adaptability and creativity to work around any special needs or circumstances that might arise on a project like this.  Please call Bud Genovese, Kevin Watson or Jeremy Taylor to discuss how we can help you navigate the challenges that SOX compliance can pose.

Documentation Methodology

The SEC rules implementing Section 404 require that management's assessment of controls over financial reporting be based on a suitable, recognized control framework; in practice this is almost always COSO's.  COSO is the Committee of Sponsoring Organizations of the Treadway Commission, which first reported on fraudulent financial reporting in 1987 and published its Internal Control - Integrated Framework in 1992 (revised in 2013).  The framework organizes a firm's controls into five interrelated components:  Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.

AuditOne recommends following the COSO framework with an approach consisting of 1) an assessment of the overall internal control environment, 2) a business process risk assessment, 3) documentation of the financial reporting work flow, 4) categorization of the financial reporting objectives along with the related risks and controls, and 5) testing of the key controls.  Each step is described in turn below.

First, the assessment of the overall internal control environment provides the context for judging how seriously and effectively the Board and management have taken their internal control responsibilities.  This is important input to determining where the significant risks reside within the institution and to identifying the controls over those risks.  If, for example, the control environment lacks formal written procedures for major operating areas, that absence is itself a source of risk to be recognized, and a signal to look for compensating controls elsewhere.

The second step decomposes the institution's activities into a limited number of categories, or business processes, and assigns a risk rating to each major area.  These process categories may be driven by major balance sheet and/or income statement items, but they will also include functions that span other areas; IT (the general controls over the systems that process financial data) and the financial reporting close itself are two obvious examples.  Each process may then be subdivided into two or more sub-processes for control assessment and testing purposes.

Third, the documentation of the financial reporting work flow (the "Narrative") is a written description of all the steps, risks and controls that make up each business process.  Narratives may be supplemented with flow charts, spreadsheets and exhibits (preferably in electronic format), each cross-referenced to the Narrative.  The Narrative for a business process contains all of its financial reporting controls, including those designated as Key Controls and therefore subject to SOX 404 testing.

Fourth, the categorization of financial reporting objectives, with their corresponding risks and controls, is documented on a Risk Assessment and Control Activities ("RACA") worksheet.  We prepare a separate RACA for each sub-process.  The RACA identifies: the basic financial statement assertions for each sub-process (existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure, in accordance with SAS 106); the risks to achieving those assertions; and the key mitigating controls in place.  Each risk is rated high, moderate or low, based on the likelihood of financial statement misstatement arising from that risk together with the projected impact of a risk event.  Only Key Controls appear on the RACA, whereas the Narrative includes all relevant controls.  Key Controls are those that, when functioning properly, provide reasonable assurance that the risk has been addressed and the objective can be met.  Other controls provide additional support and may serve as compensating controls if a Key Control fails.

Finally, all of the Key Controls for risks rated High or Moderate are tested, as discussed further below.  We recommend that areas rated Low Risk be described in the Narrative but that their controls not be tested as Key Controls.  A control in a Low Risk area may, however, be redesignated as a Key Control if a test of another control fails and a compensating control is needed (see below).

Testing Methodology

The tests of financial reporting controls must be performed annually.  The tester can be internal staff or an outside firm, but it cannot be the same individual or firm engaged to perform the annual financial statement audit, since the external auditor must remain independent of the management assessment it will later attest to.  We present the test results clearly: in summary form on the corresponding RACA, and in detail on separate test sheets.  We document the time required to perform each test and provide continuous reporting of project status through the dedicated, secure online site we make available to clients via our arrangement with GroveSite (provided by Grove Technologies).  GroveSite also serves as a tool for collecting, sharing and reporting test results and other key output from each phase of a SOX project.

Testing methods include corroborative inquiry (the weakest form, and never sufficient on its own), observation, inspection of documentation, and re-performance or tests of transactions.  Tests of transactions must use a representative sample.  To the extent possible, testing should be spread across the year, with roll-forward testing late in the fiscal year so that conclusions remain valid as of year-end.  An indication of sampling parameters is provided below.  Ultimately the testing plan is discussed with management and then with the institution's external auditors before it is finalized.  AuditOne emphasizes close communication with both parties, before and during a SOX engagement, since management must report on the effectiveness of the institution's controls under Section 404(a) and the external auditor must attest to that report under Section 404(b).