Sarbox404.com's Glossary To Hitherto Enigmatic 404 Terms
October 09, 2006
Deloitte says it would be helpful to have the SEC and PCAOB provide a glossary of commonly used 404 terms, since nobody really knows for sure what they mean, and the resulting confusion has led to - I promise they really used this term - "significant misunderstandings" by management, auditors, and investors.
They have a point.
And I have a glossary. Not to step on the PCAOB or SEC's toes, of course, but here's one man's understanding of the most cryptic claptrap of 404:
Key control -
Says Deloitte: The term key controls, though commonly used, is not a defined term in either PCAOB or SEC rules.
Maybe. But we can safely assume that the controls required by 404 are those which lead to the fulfillment of its objective, namely, the prevention of financial misstatements. Therefore, my definition of a key control is:
Key control [kee kuhn-trol] - member of a set of controls relied upon by management to mitigate risks of financial misstatement
The reason: We all know that key controls are those that mitigate the financial statement risks. But since it takes a combination of controls to mitigate all the risks, you cannot identify the key controls until you have identified the combination of controls that mitigate the financial statement risks.
However, it is very possible that more than one combination of controls will successfully mitigate the financial statement risks. For instance, if your payroll process has 12 controls, the financial statement risks may be successfully mitigated by controls 1, 3, 5, 6 and 8, and equally by controls 2, 3, 6, 9, 10 and 12.
In such an instance, management, at its sole discretion, may rely on either of the 2 sets of controls to mitigate the financial statement risks. For 404 purposes, those are the key controls. Whichever set of controls is less expensive and easier to test can be used.
Risk [risk] - A situation that, unless mitigated by a control, will cause a financial misstatement.
There are only three things that can go wrong with financial accounts: something is there that should not be there; something is not there that should be there; or something is there in the wrong amount. If your risk does not fall into one of these 3 categories, it is not a risk. Example: "Bank rec will not be reviewed" is not a financial statement risk, because even if the review is not done, that does not cause a financial misstatement. It may lead to one, maybe, but it does not, per se, cause one to happen.
Following is a list of some things that are not risks, why they are not risks, and how the risk should be stated:
Bad: Bank rec is not reviewed
Why it's bad: This does not result in financial misstatement
Good: Not all cash deposits are recorded

Bad: Duties are not segregated in the billing system
Why it's bad: This does not result in financial misstatement
Good: Customer data in billing system is falsified

Bad: Bank rec is not done
Why it's bad: This does not result in financial misstatement
Good: Not all cash deposits are recorded

Bad: Unauthorized journal entries will be made
Why it's bad: Unauthorized journal entries are not necessarily inaccurate journal entries.
Good: Inaccurate / fictitious journal entries will be made

Bad: Access to payroll system is not limited
Why it's bad: This does not result in financial misstatement.
Good: Fictitious employees on payroll roster

Bad: Sales will be made to customers over their credit limits
Why it's bad: This does not result in financial misstatement
Good: Bad debt reserves improperly calculated

Bad: Daily customer receipts are not reconciled
Why it's bad: This does not result in financial misstatement
Good: Customer receipts inaccurately recorded

Bad: Physical cash collected is misappropriated
Why it's bad: This does not result in financial misstatement, as the missing cash can be detected and appropriately recorded
Good: Cash receipts are understated

Bad: Spreadsheets are not effectively controlled
Why it's bad: This does not result in financial misstatement
Good: Depreciation / accruals / revenue / whatever / is improperly calculated
Reasonable [ree-zuh-nuh-buhl] - and - Remote [ri-moht] -
(as in "reasonable likelihood" and "remote likelihood"). These are a little tougher to define. But since 404 was designed to inform shareholders of the risks that management is taking with their company, reasonableness and remoteness should be measured against the amount of risk that the owner of a business would be likely to assume under similar circumstances. In other words, if you owned the business, would the level of assurance in question be sufficient for you to accept the risk? A bit subjective? Yes, but 404 was designed to inform business owners that their appointed management is allowing undue risks to exist in the business. Thus, it is logical to assume that the level of risk that is required to be disclosed to the business owner is that which a business owner would consider unreasonable.
6 Comments:
commented by herbie, 1:56 PM
What is it exactly that you disagree with, herb? It is the external auditors who have requested clarification on key 404 terms, precisely because they are not clear in AS2.
Shapi,
When it comes to key controls we enter the realm of subjectivity. Is bank account reconciliation a key control? What if all the reconciliations are not signed by the preparer and the reviewer, and a test of all the reconciliations reveals that the reconciliation is accurate in all respects; have we failed a key control because of signatures?
I know common sense is uncommon; however, we need to get back to basic auditing and accounting, and we need to stop looking to others to provide cover for our misunderstanding of pronouncements or mistakes. The accounting is according to GAAP or not; that is the bottom line. Auditors need to learn that management for the most part is preparing their financials according to GAAP; however, every once in a while we deal with snake oil salesmen, and auditors know when they are being snowed. We just need a little backbone to stand up to and challenge management when we have doubts about the accounting. Internal auditors should use their external auditor contacts when the accounting appears to be fuzzy, and external auditors should use the company's internal auditors when they think there is an accounting problem.
commented by , 9:45 AM
Herb,
You're stuck in the Auditing Age. In those days, you would look for "key" controls based on your preconceived notions of which controls ought to be present. That's fine ... for auditing.
But for SOX, any combination of controls that mitigate the financial statement risks qualifies as "key", even if those controls that you would prejudicially consider "key" are not there. The terms "key control" in auditing and in SOX are nothing but homonyms - their meaning is completely different.
You say: {any combination of controls that mitigate the financials statement risks qualify as "key"}. This raises a point that causes much confusion and consternation between management, consultants and external auditors - the defining of key and non-key controls. I have seen plenty of controls that we define as "non-key", but they still mitigate the risk of financial statement errors. So do we test key and non key controls? Is there even such a thing as a non-key control? Please help...!
commented by , 9:06 AM
The confusion that often ensues is due to auditors using the pre-404 definition of "key" control and applying it to 404. We need to understand that the definition has changed.
A "key" control used to mean simply "an important control." That is no longer the case. Now, for 404, "key control" means "a control that is needed to mitigate financial risks." Any control without which a financial statement risk will not be mitigated (including by a compensating control) is, by definition, a "key" control.
So you can't ask about "non key controls that mitigate risks". If it mitigates a risk, it's a key control.
Test it.
I see you have not recovered from Dante's 404th level. You can very easily recover from this by relying less on SOX and the PCAOB, and following the requirements set by the AICPA (see attached); AS 2 also has good guidance. I think that everyone would be better off if they viewed their job as an external auditor would, and then proceeded accordingly. This will put you and the externals on the same page. Audit standards for internal control have been around forever; the only difference is that no one paid attention to this until WorldCom, Enron etc.