AuditNet®  Ask the Auditor Forum
Sarbanes-Oxley
The following question was posted to Ask the Auditor. The responses are from the SOX404-L discussion list hosted by AuditNet.

My internal audit department has been asked to do all of management's operating effectiveness testing of controls for our company. We are a non-accelerated filer, so this is our first go at it. My question is: how long do we have to do the testing? Do we have until the financial filing deadline or year end? We are a calendar year company.

Here are the responses received from SOX404-l subscribers:

RESPONSE 1

Our sign-off was completed in February of this year for 2006. Remember, you will have annual controls that will need to be tested in January. We do our best to complete our testing by the beginning of November of each year, so as to give us ample time to remediate and retest prior to year end. Because of the year end system freeze that normally occurs, you may have a difficult time finding a population to choose from for the Change Management part of the testing you need to complete; therefore, earlier is better.

For access controls, the preventative controls normally involve selecting a sample of 25, and we have been told by our externals that we don't need to test very close to the end of the year. Due to resource constraints that result from holidays, etc. (as well as trying to find an auditee to talk to during the holiday period), we find logically that earlier testing is better suited to our needs.

For detective access controls, in the form of end user access reviews, our controls are quarterly; therefore we normally try, again, to get it done in October at the latest, so that if the quarterly control fails we still have Q4 to (hopefully) retest.

RESPONSE 2

I would recommend testing throughout the year (weighting slightly more toward year end). Waiting until close to year end could be problematic if deficiencies are noted. Testing late in the year may not give you enough time to test remediated controls with a sufficient sample to conclude that they are working effectively (especially quarterly and monthly controls).

RESPONSE 3

We perform testing in phases. Phase I testing is completed by June 30 and the sample size tested is about 1/2 the total sample size. Phase II testing is completed by November 30 and that includes all controls again for the remainder of the sample size. We then perform testing on year-end controls and also complete "update" testing in January as required by our external auditors. The update testing is an additional sample (two or three controls per cycle) which verifies that controls were in place at year end.

RESPONSE 4

While technically they have till filing, their externals must confirm. Practically, that means their SOX team moves just behind the IA team, but since they have to do it last, they need the space between year end and filing to get final testing and retesting in. Therefore the IA team really has till year end, and then they will need to coordinate with the externals.

The following question was posted in the Audit-L discussion group and then forwarded to SOX404-L.

Now I refer to what I consider to be a genuine 404/PCAOB topic: as part of the Sarbanes-Oxley 404 requirements, each balance sheet account must now pass a new test for the 2005 financial statements. Management must determine the relevance of each financial statement assertion for each significant account, i.e.

- existence or occurrence;
- completeness;
- valuation or allocation;
- rights and obligations; and
- presentation and disclosure

The auditors have clearly indicated that where there is no sign-off there is no evidence that the control has been performed. Therefore, the 5 key criteria test might not be passed. Therefore, to avoid any bleep coming out from the auditors, we normally recommend to each Finance Director to ensure that

a) a formal, independent general ledger review and sign-off process is performed on all the balance sheet accounts, without exception, every month, and

b) an electronic table of authorities is created `ad hoc` for general ledger reconciliations, establishing the different individual authority levels required to

1. perform the reconciliation;
2. exercise the formal sign-off by a person independent of the performer of the reconciliation, and
3. maintain a month-on-month score-card of the total percentage of assets and liabilities effectively reconciled and duly reviewed and signed off

How many of you have an electronic table of authorities and an electronic scorecard?
Are there any standard templates out there in any software program?

I would like to know because I have different degrees of compliance with the above recommendations.

For the responses to the discussion list, go to the SOX404-L archives and look in the 200509 thread.


For Sarbanes-Oxley compliance, most companies provide a SAS 70 report. In the absence of a SAS 70, what type of testing is necessary?

In the absence of a SAS 70, user controls have to be documented and tested. These would include authorization, input, process and output user controls. This may require performing an onsite (at the vendor's location) assessment of the process, determining and testing key controls, citing deficiencies, etc., just as you would do for your own processes for SOX 404.


Suppose I'm an internal auditor for the company and I test a control once for management in support of their assessment. Can the external auditor rely on that test for his audit of controls (provided the competence and objectivity criteria are met, etc.), or is my test out of bounds because it is part of management's testing?

This is probably very unclear to those who have not performed 404 work within the Big Four accounting firms. It becomes clear when you consider that even if external auditors rely on management's tests of internal controls, the external auditor still has to re-perform a sample of those tests in order to gain reasonable assurance that management's results are correct. Therefore, even though an external auditor relies upon an internal auditor's work, it would suffice to say that high risk processes, or control points within those processes, may be tested multiple times, especially during first year testing.

I'm a little confused as to how to respond to the sox message board so I hope you do not mind if I respond directly to you.

  • We worked very hard at getting the maximum amount of reliance that our external auditors could place on the work to be performed by internal audit. Our external auditors performed a quality assurance review of our internal audit function to determine the extent of reliance that can potentially be placed on the work performed by internal audit.
  • While we have a very sound self assessment process supporting our Sarbanes-Oxley (SOX) process, internal audit will be the primary source of assurance when it comes to the testing for SOX purposes.
  • We as a company believe that internal audit is best suited to perform this testing, which we believe will ultimately result in a greater amount of assurance that the controls are adequate and effective.
  • I am not sure what you mean when you question whether the external auditors can rely on your work when you test it a second time. There are certain areas from which the externals can take no reliance on any testing performed by internal audit, i.e. the control environment of the company.

For all the responses to this question, go to the SOX404-L discussion list archives and click on the thread for September 2005.


In year two of Sarbanes-Oxley testing, is it necessary to test 100% of the key controls, or can we rely on results of prior years to limit the number of controls tested?

You would need to test 100% of the key controls identified by management; however, in year 2 we have found that controls identified as key in year one weren't necessarily key, so we re-scoped the work needed in year 2 to ensure we tested only the key controls.

It is necessary to test 100% of the key controls, as there may have been slippage between the year 1 testing period and the current round. We have, in conjunction with our external auditors, re-scoped the key controls assessment, reducing the volume by about 50%, because many of the controls tested last year were deemed not to be key.

For all the responses to this question, go to the SOX404-L discussion list archives and click on the thread for September 2005.


I have an interview for a SOX Auditor position with a firm. What kind of questions can I expect in the interview?

I posted this message on the SOX404-L discussion list and received the following responses:

You will be expected to address risks, controls and deficiencies. Also, how to mitigate future risks and remediation techniques.

Here are some example questions:

  • What do you know about SOX?
  • If you were implementing SOX for a company, how would you go about it?
  • Who should be responsible for creating process documentation? Why?
  • Who should be responsible for identifying controls? Why?
  • How would you describe the difference between test of design and test of effectiveness? Give me an example of a failure in both cases.
  • How can a company best integrate SOX with other audit activities?
  • How has SOX changed the role of an auditor? Why?
  • What is the greatest challenge to a SOX implementation?

When I interviewed for my current SOx contract, I would say that the interview consisted of:

  • Questions around my understanding of the reason for SOX; you should display knowledge of the history.
  • Discussion around my take on the situation, including displaying enthusiasm for the fact that the current high profile of SOx gives us (auditors) the window of opportunity to help ensure that adequate controls around the business and systems are in place or are brought into place (anyone who has been in audit knows that control implementation has, in the past, been considered a non-value adding process to the business and to the bottom line)
  • Discussion around knowledge base, and in my case this covered both the types of businesses that I have "control" audited, including system applications and infrastructure (I am both a Financial and IT auditor)
  • If you have taken part in any projects which were control related and showed that you not only identified holes but helped in identifying remediation plans / solutions (remember though, you do not implement / decide, just put forward suggestions that could be acceptable from a risk perspective).
  • Emphasize communication skills and team work - VERY IMPORTANT. The nature of the beast means that you will be communicating with the business / IT groups A LOT. And though they have been made aware that SOx is the number one priority, it is still about controls, it is still not seen as an added value exercise by the majority of the users and so you must have patience and work around their schedule as they still have to keep the business going. Team work is also important as, depending on how the SOx process has been organized, you will be working closely with other SOx members, both within your area of expertise and other SOx teams. Where I am at now, we had one person document the process, another walkthrough the process and confirm, a third to do test design and a fourth to do the actual testing. For this to work effectively, egos need to "leave the building" and it is all about working together and communicating effectively without any finger pointing.

Questions to you:

  • How would you gather information about a financial process? The answer is: interviewing key process owners, reading through public disclosures, reviewing existing policy and procedure documentation for that process.
  • The documentation usually consists of a process narrative and a control activity template (CAT). Earlier, we were doing flowcharts, but they became too cumbersome with the changes to documentation over the year.
  • Make sure you can speak to COBIT and COSO, which are the widely accepted assessment frameworks.
  • Be sure to know what the deficiency types are: Inconsequential, Material Deficiency and Significant Deficiency.
  • Be sure to know the difference between a process step and a control.

Question to them:

  • Did they pass last year?
  • Can they share what their deficiencies were?
  • How many key controls are there?
  • How did they evaluate their business units to determine what was material to the company, what needed to be tested?
  • What is their typical remediation turnaround?

I have had this question on a number of IT SOX engagements and never received a satisfactory answer.

There are a number of controls where the client is to inspect a log on some frequency. The control is likely to be tested only once during the year.

How much log history should they retain? -or-
Can they keep a log that says they reviewed the log and found nothing of interest or if they did they created a service ticket for the follow up?

Does anyone know what standards various external auditors are using to review the test of these types of controls?

The clients all complain when I ask them to keep more than 30 days' worth of logs. A year's worth of logs would be quite large.

1) You must assess the control as a part of financial reporting. You are not performing a best practice IT control review. Therefore, how often is this control relied upon for financial reporting? If the log is reviewed every day, I'd say you should have some sort of documentation of that review. Our auditors have stated that the SEC requirements for adequate "books and records" apply to Sarbox, which basically means we need to keep records of the controls documentation. It's debatable whether that SEC standard applies or not, but regardless you need an audit trail.

Do you need to print the log out daily and have it signed off on? It depends on whether the log can be regenerated or not. If you can regenerate it, I'd say don't worry about it. You can have your client prepare a weekly checklist of controls that the process owner performs and have the process owner sign off on the control, saying that he/she performed the control for each day that week, something like that. You don't need to print out a log every day to have audit evidence.

If you can't regenerate the report, I'd have the client print out one report a week (or something similar) so that you have evidence that the report exists (or existed during the year). Again, auditors want something tangible, and they want their hand held, so the more audit trails/evidence you have, the better.

You also may consider doing a data dump of the information into a file so that you could have evidence of the log for every day; that should not be difficult to do, regardless of the size of the log. You can purchase compression utilities very cheaply, and you can even get them for free over the internet. Also, with the technology out there today, performing a dump of data daily, weekly, monthly, etc., regardless of the rigidness of the system, just isn't difficult.

If your clients have not done any of the above, you could always use corroborative evidence to internally test and assess the control. If the control says that Manager A reviews a log and follows up any exceptions with Employees A thru Z, you could verify with Manager A that he/she performs the review and then talk with a sample of Employees A thru Z to corroborate his review and his follow-up of exceptions with the employees. All of the Big Four have guidance that they can rely on corroborative inquiry, so this should be a method that can be used. However, corroborative inquiry is one of the lowest forms of evidence, so the audit firm may beat this up a bit in their review.

2) "Does anyone know what standards various external auditors are using to review the test of these types of controls?"
The most widely used standard to assess IT controls is COBIT. Try this link, or just do an internet search using the keywords COSO and COBIT. The link provides you pretty much all you need to know about the standards used to assess IT controls.

Also, remember that the firms are assessing MANAGEMENT's assessment of controls. Is management's assessment designed effectively, operating effectively, etc.? The firms SHOULD NOT be using their own standards to test the IT controls (or any controls for that matter); they should be assessing the standard management used and opining on its effectiveness in mitigating financial deficiencies. They should not be pulling out a control from another standard and saying you should be using it. Just like COSO, your client should be choosing the standard they are using to assess IT controls. COBIT would be the easiest, as there is a plethora of information on COBIT and Sarbox that exists.

Answer provided by Blake Barney through SOX404-L
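The daily data dump that the answer above suggests only becomes audit evidence if someone can later show that the archived log is the one the reviewer actually looked at. The script below is an added example, not part of the original thread or any AuditNet material: it compresses a day's log, hashes the archive, and appends the reviewer's sign-off and result against that hash in an append-only ledger, so a tester sampling one day months later can re-hash the archive and confirm both that the log existed and that it is unchanged. The ledger file name, field layout, reviewer names and sample log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Retain a compressed copy of a
# reviewed log and record the review sign-off against the archive's SHA-256.
# LEDGER path and the pipe-separated record layout are assumptions.
set -eu

LEDGER="${LEDGER:-review-ledger.txt}"

# Print the SHA-256 of a file; sha256sum on Linux, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# archive_log SRC DEST_DIR DAY REVIEWER RESULT
# Compresses SRC to DEST_DIR/<name>-<DAY>.gz and appends one ledger record:
#   day|archive path|sha256|reviewer|result|UTC timestamp of sign-off
# Prints the archive path so callers can reference it.
archive_log() {
    src=$1; dest=$2; day=$3; reviewer=$4; result=$5
    mkdir -p "$dest"
    out="$dest/$(basename "$src")-$day.gz"
    gzip -c "$src" > "$out"
    sum=$(hash_file "$out")
    printf '%s|%s|%s|%s|%s|%s\n' "$day" "$out" "$sum" "$reviewer" "$result" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$LEDGER"
    printf '%s\n' "$out"
}

# verify_ledger
# Re-hashes every archive named in the ledger and prints the number of records
# whose archive is missing or no longer matches its recorded hash (0 = clean).
verify_ledger() {
    bad=0
    while IFS='|' read -r day out sum reviewer result ts; do
        if [ ! -f "$out" ]; then
            bad=$((bad + 1))
            continue
        fi
        [ "$(hash_file "$out")" = "$sum" ] || bad=$((bad + 1))
    done < "$LEDGER"
    echo "$bad"
}
```

Run `archive_log /var/log/app.log /srv/evidence 2007-01-15 mgr.a no-exceptions` from the daily review job and keep the ledger somewhere the process owner cannot edit; `verify_ledger` is what the tester runs at sample time, and any non-zero count means the retained evidence has been altered or lost and the control must be supported some other way (for example the corroborative inquiry described above).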


I recently got a position doing audits for SOX 404. I have never done them in the past. I have a Six Sigma green belt background, but I know that I can ramp up my skills quickly. I am not sure what resources or tools I can use to help me gain understanding and become efficient in a timely fashion. Please advise me on the best approach.

There are a number of Web sites that have sprung up providing advice, resources and tools for Sarbanes-Oxley, including Section 404. Go to the AuditNet® Sarbanes-Oxley Resource Center for links, tools and more. Check out the Sarbanes-Oxley Books listing. AuditNet® has audit programs, internal control matrices, checklists and more. There are discussion lists, newsletters, portals and more that are now available to the growing number of companies that are establishing units for compliance with the requirements of Sarbanes-Oxley.


What are others doing to document compliance with SOX Section 906? If we used a checklist to ensure compliance with Section 302, would this same checklist suffice for purposes of Section 906? Or should we be doing something different here? (I would appreciate any examples of processes or checklists that others might be using for SOX 906.)

Section 906 requires CEOs and CFOs to certify that information contained in periodic reports filed with the SEC fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also provides for significant criminal penalties for non-compliance.

Unfortunately the Act is silent on the form and/or vehicle for compliance. I would suspect that auditors will develop checklists or procedures for this requirement. As soon as these are available I will post them on the site.


Let me pose a hypothetical case as it relates to Sarbanes-Oxley 404 compliance. Suppose that in the course of their review, the external auditors copy the compliance testing workpapers which were prepared by members of the Internal Audit staff.

After issuing an unqualified opinion, a financial scandal erupts in the company, triggering a shareholder lawsuit. During discovery, the external auditors state that they relied on the workpapers of Internal Audit. While this will not be a defense for the external auditors, the attorney tracks down the Internal Audit staff member whose initials appear on the original workpaper stating the procedures were adequate and effective. This staff member also happens to be a CPA and/or CIA.

What is the possibility that this individual staff internal auditor (not a corporate officer or Audit Director) can be named as a party to the lawsuit and be held personally liable on the basis that as a certified professional he had a higher responsibility to ensure that the information was correct. Is this something we should be considering before allowing the external auditors to copy our workpapers?

You pose a very valid and interesting question. While I understand that, in reality, lawyers are crafty individuals and have a knack for seeking someone to blame and from whom to draw damages, I do not believe that SOX was intended to hold internal auditors personally liable for a corporate control failure. The law was written to address senior management (of which Internal Audit is independent), specifically the CEO and CFO.

SOX specifically charges management with the responsibility for the company's control environment. While management, according to SOX, is allowed to delegate to Internal Audit its responsibility for testing the controls, the guidance does not suggest that management can therefore shift their own liability. In short, management can decide to rely on Internal Audit, but they remain personally liable for the controls and any failures.