Shapi's Summary of PCAOB AS-5
December 20, 2006
1) They keep saying (p.6, A1-9) they will look for controls to prevent management override.
2) Company-level controls may be sufficient to address certain WCGWs (p.6 note 10, p. A1-9)
3) Audit procedures should be flexible and dynamic. The auditor should continually adjust his procedures to reflect new information learned (p.7). This includes knowledge based on previous years' work. Such knowledge can allow the auditor to reduce testing in some areas based on the effect this knowledge has on risk assessment (p.19, A1-26)
4) Testing procedures depend on risk. There should be a direct relationship between risk and evidence necessary to confirm controls to mitigate it (p.7, A1-21)
5) When determining the risk related to a given control, the auditor should take into consideration the audit procedures performed in the financial statement audit (p.8)
6) Regarding the new "definition" of MW - a "reasonable possibility": When I heard the PCAOB was coming out with this, I thought it meant something different than the old definition, "a less than remote chance." I was wrong; they both mean the same thing. The new definition is just a clarification of the old one (p.9)
7) "Strong indicators" of MWs are no longer automatically SDs (p.11).
8) SDs that are not remediated timely may or may not be MWs. It depends on why they were not remediated. If the company is not sufficiently committed to remediating SDs then it becomes an MW because it reflects on the control environment, not because of the issue itself (p.12 see also p.A1-30)
9) The same materiality and procedural guidelines for the financial statement audit should be used in the audit of ICFR (pp 13,14, A1-5).
10) There is no longer a requirement for the auditor to provide an opinion on management's assessment of internal controls; auditors only express an opinion on the effectiveness of the internal controls themselves (p. 15,16)
11) Auditors still need to acquire an understanding of management's process to determine the amount of management work they can rely on, as well as other reasons. However, the extent of work that auditors should perform for these purposes should be limited (p.16)
12) The amount of work the auditors can rely on depends on the competence and objectivity of those who performed the work. To determine this, auditors should, among other things, test some work of the individual whose work they want to rely on (p.17, 24, p.A2-4).
13) Besides relying on work of management, auditors may also have management assist them in their own work (p.A2-8).
14) Auditors only need to obtain from management information that constitutes evidence about effectiveness of internal controls or potential misstatements. Anything beyond this does not need to be provided to the auditors (p.23, p. A2-3, p. A2-4).
15) Auditors only have to do walkthroughs for each significant process, not for each significant transaction within the process (p.26)
16) Auditors should use individual circumstances to determine specific procedures, based on the Standard's general principles (p.31).
17) Lack of documentation of a control is NOT determinative of the lack of a control. In smaller companies, such documentation is typically lacking. In such cases, inquiry, observation, and other such procedures can suffice for testing (p. A1-8).
18) Testing should only be done when a control deficiency would violate an assertion to the point of creating a MW (p. A1-11, A1-18 See also p. A1-15).
19) You don't need to identify assertions. Quote: "The auditor may base his or her work on assertions that differ from those in this standard if the auditor has selected and tested controls over the pertinent risks in each significant account and over the representations by management that have a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated." (p. A1-16).
20) There is no preference for a preventive control over a detective control (p. A1-19)
21) Benchmarking is permitted for automated application controls (p.A1-26, A1-57, A1-58).
Integration of Duties I
December 15, 2006
The culprit this time is ITGC.
404 requires the identification and testing of key controls that prevent material financial misstatement. But while the effect of routine financial-side controls such as bank recs and rollforwards can be clearly and measurably linked to the financial statements, exactly where, and in what amount, a failed ITGC will impact the financials is not always clear.
And if you don't know if, where, or in what amount your control affects your financial statements, then from a 404 perspective, you do not know whether it is a key control.
Part of the problem is that Internal Audit departments are not prepared for - and certainly not experienced with - this kind of approach. Before SOX, the well-known "pervasive" effect of ITGC on the financial statements was more than enough to warrant the close scrutiny of IT auditors. Hither came SOX, which requires the identification and testing only of key controls that have a material effect on the financial statements. That includes key controls on the IT side, if they have a material effect on the financial statements. The need to tie ITGC to material financial misstatement is new, and auditors do not have an established approach to doing it.
So how have companies been choosing which ITGC are considered key?
By squandering a lot of resources, it seems. The IIA reports:
In the absence of current guidance that enables an identification of specific risks, many organizations are performing full IT general controls testing on all applications involved in financial reporting processes. As we indicated in our response to the recent SEC Roundtable, we believe that has led to excessive testing and resource costs among both registrants and their auditors.[1]
And from Deloitte:
[I]t is important to note that many companies, generally speaking, have struggled with conducting the IT portion of their assessments of internal control. For instance, many companies struggled to understand what was required relative to IT controls, and in particular with the issue of identifying which IT controls are indeed relevant to financial reporting. They also struggled in applying a risk-based approach for IT, and as a result, spent time documenting and testing controls in areas of lesser risk. Overall, many companies have tended to document and test IT general controls without a good understanding of how their computer processing environments and the related IT general controls impact the financial reporting process and the associated risks.[2]
And from the Institute of Management Accountants:
[R]egistrants and auditors are spending a significant amount of time documenting and testing IT general controls (and application controls) even though past experience has shown these controls are effective and pose low risk as it relates to a misstatement of financial reporting.[3]
There has been an overemphasis on the area of general computer controls as a result of lack of clarity of the level of testing required, lack of appropriate assessment of risk and companies defaulting to the Control Objectives for Information and related Technology ("COBIT") framework as a supplement to COSO.[4]
(to be continued)
______________________
[1] David A. Richards CIA, President, IIA, Response to SEC Release No. 34-54122; File No. S7-11-06 CONCEPT RELEASE CONCERNING MANAGEMENT'S REPORTS ON INTERNAL CONTROL OVER FINANCIAL REPORTING, September 18, 2006. http://www.sec.gov/comments/s7-11-06/s71106-145.pdf. Examples of companies with the same experience include NASDAQ, whose SVP of Internal Audit, Brian G. O'Mally, commented to the SEC: "Guidance is required to identify the portions of IT frameworks that are specifically applicable to SOX. In the absence of such guidance, the conservative approach taken by many auditors causes the entire framework to be incorporated into SOX compliance efforts". http://www.sec.gov/comments/s7-11-06/s71106-168.pdf. Similarly, Kerry Bailey, SVP Global Operations, Cybertrust Corp. writes: "To date, the determination of the IT general controls to be tested in a given filer's environment has been a delicate negotiation between the filer and the public accounting partner, with the advantage clearly in favor of the accounting firm. There has been no clear definition of relevant controls, no consensus on the scope of the target environment that produces the financials as a subset of the entire corporate computing environment, and no uniformity in testing methodology. This has contributed greatly to the exorbitant costs of Section 404 compliance for the accelerated filers, and is a source of concern for small and micro-caps." http://www.sec.gov/comments/s7-11-06/s71106-72.pdf. And Jeff Straton, VP US Operations Finance and Corporate Controller at Alcon comments: "Based on discussion forums, articles we have read in various publications, and our experience, most companies feel they are spending excessive amounts of time in the testing of controls related to general computer controls and specific controls over applications. By their very nature, automated financial controls are in place to eliminate human errors. Once a base-line for automated financial controls has been set, continued testing is redundant, and should be minimized." http://www.sec.gov/comments/s7-11-06/s71106-64.pdf
[2] http://www.sec.gov/comments/s7-11-06/s71106-106.pdf p.24
[3] http://www.sec.gov/comments/s7-11-06/s71106-75.pdf p.4
[4] Ibid. p.7
SEC Votes to Improve SOX Implementation
December 14, 2006
1) Materiality threshold for misstatement is higher: The definition of Material Weakness was changed from a "more than remote possibility" that a material misstatement in the financial statements would not be prevented or detected in a timely manner to a "reasonable possibility" that a material misstatement in the financial statements would not be prevented or detected in a timely manner. I assume a "reasonable possibility" is greater than a "more than remote possibility".
2) Risk evaluation more customized: Management is allowed to direct their efforts towards those areas that pose greatest risk to reliable financial reporting based on the company's unique facts and circumstances. Support for this evaluation can be done in a variety of ways that involve its existing daily interaction with its business, self-assessment, and other ongoing monitoring activities.
3) Documentation requirements are eased (a bit): Documentation of controls and testing can take many forms, can be presented in a number of ways, and does not need to include all controls within a process that impacts financial reporting. Sometimes you can rely on your daily interaction with your controls as a basis for your assessment with no additional transaction testing. In such a case, you may have limited documentation created specifically for the testing beyond documentation regarding how your interaction provided you with your comfort that the controls are effective.
Whistleblower Protection Inapplicable To US Foreign Subsidiaries
November 08, 2006
Unbelievable.
Fix 404, But Read The Fine Print First
October 26, 2006
AS-2 requires the external auditors "attest to, and report on, the assessment made by management of the issuer", as well as the effectiveness of internal controls over financial reporting. To form the first opinion, external auditors have reperformed tests done by management, and done extensive reviews and testing of management's documentation.
But that's a lot of unnecessary work. All the external auditors have to do in order to express an opinion on management's process is, well, I'll let you hear it from Thomas Ray. Here's the money quote:
In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.
Now here's the whole story:
There continues to be some misunderstanding with regard to the first of the two auditor opinions. Some believe that the auditor is expressing an opinion on management's assessment process. That belief, in turn, is fueling what probably is unnecessary additional work directed to evaluating the adequacy of management's process.
Let me dispel the misunderstanding. The first of the two opinions expressed by the auditor is not on management's assessment process. Rather, it is the auditor's opinion as to whether management's required statements about the effectiveness of the company's internal control and its descriptions of any material weaknesses are fairly stated.
So, how is this affecting the auditor's work? Doesn't AS No. 2 require the auditor to evaluate management's assessment process? Yes, AS No. 2 requires the auditor to obtain an understanding of and evaluate management's assessment process, and provides direction as to what the auditor should look for when performing that evaluation. The principal objective of the auditor's evaluation of management's assessment process is for the auditor to be satisfied that management has an appropriate basis for its conclusion.
Accordingly, the extent of the auditor's work is only that which is necessary for the auditor to form a conclusion as to whether management's process was sufficiently complete to provide management with a basis to support its reporting, and whether the results of management's testing support management's conclusion about internal control effectiveness.
In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.
Similarly, the auditor's documentation of his or her evaluation of management's process need not be extensive. For example, the audit documentation might consist of a summary document prepared by management that explains, perhaps for the benefit of the audit committee or other senior managers, the process management used in making its assessment, along with a memorandum prepared by the auditor that documents the auditor's procedures, the results of those procedures, other evidence obtained, if any, and conclusions.
New 404 Guidance Ready For Public Comment In December
CFO.com reports that the SEC will turn over its Management Guidance Proposal on 404 for public comment during a December 13 open meeting.
And, not to be outdone by the SEC, the PCAOB plans to propose an improved version of AS-2 later this fall. They expect to release a final draft for 60 days of public comment.
Sarbox404.com's Glossary To Hitherto Enigmatic 404 Terms
October 09, 2006
They have a point.
And I have a glossary. Not to step on the PCAOB or SEC's toes of course, but here's one man's understanding to the most cryptic claptrap of 404:
Key control -
Says Deloitte:
The term key controls, though commonly used, is not a defined term in either PCAOB or SEC rules.
Maybe. But we can safely assume that the controls required by 404 are those which lead to the fulfillment of its objective, namely, the prevention of financial misstatements. Therefore, my definition of a key control is:
Key control [kee kuhn-trol] - member of a set of controls relied upon by management to mitigate risks of financial misstatement
The reason: We all know that key controls are those that mitigate the financial statement risks. But since it takes a combination of controls to mitigate all the risks, you cannot identify the key controls until you have identified the combination of controls that mitigate the financial statement risks.
However, it is very possible that more than one combination of controls will successfully mitigate the financial statement risks. For instance, if your payroll process has 12 controls, the financial statement risks may be successfully mitigated by a combination of controls 1,3,5,6 and 8, as well as by controls 2,3,6,9,10 and 12.
In such an instance, management, at their sole discretion, may rely on either of the 2 sets of controls to mitigate the financial statement risks. For 404 purposes, those are the key controls. Whichever set of controls is less expensive and easier to test can be used.
Risk [risk] - A situation that, unless mitigated by a control, will cause a financial misstatement.
There are only three things that can go wrong with financial accounts: something is there that should not be there; something is not there that should be there; something is there in the wrong amount. If your risk does not fall into one of these 3 categories, it is not a risk. Example: "Bank rec will not be reviewed" is not a financial statement risk, because even if the review is not done, that does not cause a financial misstatement. It may lead to one, maybe, but it does not, per se, cause one to happen.
Following is a list of some things that are not risks, why they are not risks, and how the risk should be stated:
Bad: Bank rec is not reviewed
Why it's bad: This does not result in financial misstatement
Good: Not all cash deposits are recorded
Bad: Duties are not segregated in the billing system
Why it's bad: This does not result in financial misstatement
Good: Customer data in billing system is falsified
Bad: Bank rec is not done
Why it's bad: This does not result in financial misstatement
Good: Not all cash deposits are recorded
Bad: Unauthorized journal entries will be made
Why it's bad: Unauthorized journal entries are not necessarily inaccurate journal entries.
Good: Inaccurate / fictitious journal entries will be made
Bad: Access to payroll system is not limited
Why it's bad: This does not result in financial misstatement.
Good: Fictitious employees on payroll roster
Bad: Sales will be made to customers over their credit limits
Why it's bad: This does not result in financial misstatement
Good: Bad debt reserves improperly calculated
Bad: Daily customer receipts are not reconciled
Why it's bad: This does not result in financial misstatement
Good: Customer receipts inaccurately recorded
Bad: Physical cash collected is misappropriated
Why it's bad: This does not result in financial misstatement as the missing cash can be detected and appropriately recorded
Good: Cash receipts are understated
Bad: Spreadsheets are not effectively controlled
Why it's bad: This does not result in financial misstatement
Good: Depreciation / accruals / revenue / whatever / is improperly calculated
Reasonable [ree-zuh-nuh-buhl] - and - Remote [ri-moht] -
(as in "reasonable likelihood" and "remote likelihood"). These are a little tougher to define. But since 404 was designed to inform shareholders of the risks that management is taking with their company, reasonableness and remoteness should be measured against the amount of risk that the owner of a business would be likely to assume under similar circumstances. In other words, if you owned the business, would the level of assurance in question be sufficient for you to accept the risk? A bit subjective? Yes, but 404 was designed to inform business owners that their appointed management is allowing undue risks to exist in the business. Thus, it is logical to assume that the level of risk that is required to be disclosed to the business owner is that which a business owner would consider unreasonable.
Federal Reserve Fossil Greenspan Wants To Take SOX With Him Into Oblivion
September 26, 2006
A: The time has passed for both to call it quits.
The Boston Herald reports:
Former Federal Reserve Chairman Alan Greenspan told a Boston business audience last night that most of the Sarbanes-Oxley corporate governance rules enacted in 2002 had become a "nightmare" and should be scrapped as soon as possible.
Greenspan, who in his 18 years running the Fed earned a reputation for speaking cautiously, raised eyebrows with several unusually frank remarks in an hourlong discussion in front of 800 members of the Mass. Technology Leadership Council.
The legendary former Fed chief said the Sarbanes-Oxley regulations hampered business, discouraged risk-taking and were driving foreign companies to shun the New York Stock Exchange for the lighter rules in London.
The only part he praised was the rule that chief executives had to certify their companies' accounts personally.
"The rest we could do without," he said.
Right, except Greenspan does not tell us how in the world chief executives would be able to personally certify that their accounts are accurate without the rest of SOX. Everyone agrees SOX has to be revamped, but to expect chief officers to be personally responsible for the financials of their institutions without anything to back their signature up is not sensible or productive.