Sarbanes-Oxley -- Friend or Foe?
TRANSCRIPT
8/9/2019 Sarbanes-Oxley -- Friend or Foe?
Sarbanes-Oxley Disclosures, July/August

Leveraging Sarbanes-Oxley to drive change and mitigate risk in small and medium-sized entities

Sarbanes-Oxley: Friend or Foe?

By Heather Judson, CPA, CMA
Is the Sarbanes-Oxley Act (SOX) a friend or foe to small and medium-sized companies (SMEs)? Often, those entities will answer foe.

Status quo may generally be the policy followed by SMEs, which are those publicly traded companies with less than $75 million in market capitalization, as defined by the U.S. Securities and Exchange Commission. Typically, SMEs will either scramble to document their processes just prior to their financial audits or will rely on the external auditors to document their processes for them.
Explaining the status quo

For SMEs, SOX can seem to be an exercise in documenting what actually occurs. This may seem tedious and without merit. Each department knows what they do and may wonder why they need to write a narrative explaining their duties.

Often the answer to this question is because the auditors asked for it. However, SMEs might do better to engage the various departments and show them how they can benefit from SOX. The first step to getting department managers on board is to present top management with the benefits that may be had from utilizing SOX, such as driving change and mitigating risk.
PCAOB direction

The Public Company Accounting Oversight Board (PCAOB) instructs external auditors in Auditing Standard No. 5 (AS5) to evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. Further, the PCAOB allows the external auditor to rely on the work of internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee.

This statement should pique top management's interest. Any documentation or procedures that are performed in house should save money on the overall audit. Top management should encourage external auditors to utilize any viable internal documentation. This alone should have management interested in performing SOX procedures in house.
In AS5, the PCAOB directs the external auditor to ask him or herself "What could go wrong?" in determining likely sources of potential misstatements in the financials. This is basically asking: What risks are present?
Mitigating risk

Enterprise Risk Management (ERM) has become the best practice for larger corporations. The Enterprise Risk Management Integrated Framework from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, published in 2004, defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO framework further stratifies the company into four categories susceptible to risk: strategic, operations, reporting and compliance. Strategic risks are those that affect the company at a high level and tend to be external to the company. Many strategic risks can be explored through the entity-level assessment performed in SOX. Operational risks are those that affect the company at a lower level in its day-to-day operations. Reporting risks are those risks that affect the reliability of financial reporting, and compliance risks affect compliance with applicable laws and regulations.

Many of the operational, reporting and compliance risks can be examined and addressed in the various process documents created through SOX. See Table 1 for more information on risks.
Best practices

Various department heads should be encouraged to go through the SOX process of interviews, walkthroughs, gaps and management action plans. A company employee documenting processes with a critical eye and a sense of the big picture can help the various departments run smoother and with less error. Additionally, he or she can help the various departments work together to mitigate risk.

It's important to understand best practices and potential risks before starting the SOX documentation process. Best practices are the current standard. When researching best practices, you are endeavoring to learn from the experience and knowledge of others. You are looking for the best in the business.

Don't discount the less than best. The stories of the less than successful will give you an idea of the risks that you might face. For instance, stories of employee theft can help you to understand the practices that lead to that risk materializing. Perhaps the company failed to segregate duties surrounding cash or failed to physically secure assets.

Best practices research is usually inexpensive. The Internet is a wealth of information, and you can find information at the library. You can network and conduct research through professional organizations. Furthermore, once you identify organizations and people you should talk to, you can initiate informal chats on the subject matter.
Interviews

You can begin your organization's SOX documentation once you understand the best practices and key risks surrounding each process. The first step is to interview the manager of the process, who can explain everyone's role in that area. Additionally, he or she will be able to provide you with a bird's eye view of the process and its controls. Keep in mind you are following a transaction from its inception to all the stops it makes along the way prior to hitting the general ledger.

The interview process should feel like an informal conversation rather than an interrogation. The interviewee should feel comfortable and relaxed. Stay in control of the conversation and keep the interviewee on topic. Make sure to use open-ended questions rather than leading questions. You want to know who, what, when, where, how and why. You don't want to ask yes or no questions. See Table 2 for question examples.

Keep in mind that silence is a strong stimulus for conversation. Typically, your silence is an indicator that the other person should be talking. People tend to want to fill silence with conversation. Once the interviewee is responding to the open-ended questions, you can follow up with more direct questions to clarify details.
When you understand the process from start to finish, make sure to repeat the process back to the interviewee. Make sure to mention all the key employees' names. Repeating the information back to the interviewee ensures that there has been no miscommunication. Leave the interview with the possibility of follow-up questions. Document the interview in a narrative immediately following the interview while your memory is fresh.

Table 1: Examples of risk

Strategic risks (higher-level risks mainly external to the company):
  Change in interest rates
  Customer buying behavior change
  Substitutes enter the market
  Technological advances
  Trade embargos
  No business process improvement

Operational risks (lower-level risks mainly internal to the company):
  Fraud
  Workplace safety
  Product flaws
  Business disruption
  Damage to physical assets
  System failures

Reporting risks (risks relating to the reliability of financial reporting):
  Transactional errors
  Miscommunication
  Data entry or loading error
  Accounting error
  Inaccurate external report
  Missing transactions

Compliance risks (risks relating to applicable laws and regulations):
  Changing or new laws and regulations
  Inadequate staff training
  Miscommunication
  Human error
Narratives

You can start the documentation process by dividing the process into sub-processes. For cash receipts, this might be: receive cash, deposit cash, petty cash, bank reconciliation and collections. Use titles rather than employee names throughout the narrative so that updates are easier. You want to identify key controls and gaps.

In the 2008 Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners, the Institute of Internal Auditors (IIA) defines a key control as "a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected."

Each key control should have key information documented as well. The IIA guide further recommends documentation such as identifying who is performing the control, when the control is operating and at what frequency, how the control is performed, what evidence exists that the control was performed, and which reports are used in the operation of the control.

Gaps are missing controls, and best practices research helps identify these controls. For example, a gap may be that the bank deposit is prepared by the same person who updates customer accounts, updates the general ledger and reconciles the bank statement. This would go against segregation of duties, which is one of the best practices surrounding cash receipts.

The IIA guide recommends that a narrative "enables a reasonably knowledgeable individual (this person does not have to be an expert with experience in the area, but should have some knowledge of the company or its business) to understand the process; and overall, enables a reasonable person to have a basis upon which to assess the design of the controls: Are the controls identified and documented sufficiently to either prevent or detect a material misstatement?" After completing the narrative process, the next step is to perform a walkthrough.
Walkthroughs

Sometimes what is perceived as standard operating procedure isn't what actually occurs. A walkthrough will get you down into learning and testing the details with the person who performs the day-to-day transactions.

In AS5, the PCAOB explains that some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and re-performance of a control.

A walkthrough starts by interviewing the employees who perform the duties in the narrative. The interview techniques described above should be utilized. However, as the employee walks through the process, you should ask "show me" for each control along the way. For example, if the employee says that a check log is maintained, then the evidence of one day's check log would be asked for.

Furthermore, if the employee says that the controller matches the check log to the day's deposit slip and initials the deposit, then the deposit slip related to the check log observed would be asked for. If the employee says he or she updates the accounting system and must use a password to log in, then re-performance would be utilized to see the control work.

Through this process, it can be observed if the narrative documented by management matches the walkthrough. Sometimes there are additional controls management may not be aware of, forgot to mention or didn't realize were effective controls. Sometimes the controls communicated by management are not being performed correctly or at all. Also, through the best practices research, missing key controls can be documented based on what actually occurs.

Walkthroughs are a great way to understand how standard operating procedure documentation and narratives match up to what actually occurs. By asking for the employee to show each control through documentation or re-performance, the walkthrough can be documented and management can be updated accordingly.
Operation improvement

Additionally, employees should be asked questions in regards to process improvement:

  If someone wanted to commit fraud, how would they do it?
  If you were to improve this process, what would you do?
  Are there redundancies in this process? How would you make the process more efficient?
  Is there any training you wished you had to help you perform your job?
  What equipment, programs or assistance do you wish you had?

Asking these types of questions can help pinpoint areas for improvement and may help management improve its operations. SOX process documentation can be leveraged by asking about process improvement even though this step might not be required. Suggestions to improve operations can be provided to management.

Table 2: Question this

Leading questions:
  Do you have a check log to record checks as they are received?
  Do you segregate duties surrounding cash receipts?
  Do you give numbered receipts to customers?
  Do you keep copies of the checks deposited?

Open-ended questions:
  What's the first thing that happens when you receive mail with checks?
  Who opens the mail? Who updates customer accounts? Who makes bank deposits? Who performs the bank reconciliations?
  How do you process customer payments?
  What records do you maintain?
Gaps and a MAP

After the walkthrough is complete and documented, and the narrative has been updated for walkthrough findings, it's time to bring management in to discuss the results. Management should be made aware of the identified control gaps in the processes.

Once the gaps have been communicated to management, it's up to management to communicate a management action plan (MAP) to remedy gaps. Additionally, they should give a timeframe for implementation of the MAP.

The risk identified in the gap can be remediated in various ways. Management may take the position that the gap presents a risk that is not material to the financials and thus does not require any remediation. Management may transfer the risk through an insurance policy. Management may reduce or mitigate the risk through action.

Changing mindsets

SMEs tend to adopt the philosophy of only looking at processes to put out fires: only if something is broken will they spend time to fix it.

In contrast, Kaizen, the Japanese philosophy of continuous improvement, adopts the attitude of "even if it isn't broken, it can be done better." This philosophy encourages businesses to make small improvements continuously day to day, and it can certainly be applied to SOX documentation.

Leveraging SOX can help evaluate and improve the operations of any business continuously and over time.
Heather Judson, CPA, is a management accountant at a private medical manufacturing company. Contact her
Virginia Society of Certified Public Accountants, (800) 733-8272, WWW.VSCPA.COM