Pass or Fail
September 14, 2006
The IIA's release to the SEC (paragraph 15; see also 19) describes an approach used by Internal Control practitioners (good phrase - I think I'll call myself that from now on), which they suggest the SEC might consider:
this requires obtaining an understanding of the risks and then selecting the most effective combination of controls to provide reasonable assurance etc.
This statement can be misleading. "The most" effective controls are not necessary; effective controls are. There are only two grades you can get for 404: P or F. There are no A's, B's, or C's. If your controls are effective, you've complied.
External auditors have been citing instances where, even though the controls are effective, they "would like to see" additional or "different" controls, because those are "even more effective" than the ones in place. This is not correct, especially since the IIA mentions in their release (para. 32) that
a reasonable level of internal control assurance should take into account the cost of providing that control.
It may therefore be reasonable for management, under various circumstances, to forgo having the "best" controls in favor of less expensive but acceptable ones. In any case, as long as a combination of controls reduces financial statement risk to below the required level, 404 has been fulfilled. Having the "most effective" controls is not only not a requirement, it is not even recognized.
2 Comments:
SOX is a compliance mandate, and so "comply" is what you wanna do. Like taxes.
If you feel that your internal controls need improvement, then by all means, improve them! But you don't need SOX for that. You can do that at your own pace, your own budget, and in your own way. And you don't have to pay external auditors to reperform your work.