<body>

Blackbelt 404.

Compliance For The Sane

Fix 404, But Read The Fine Print First

October 26, 2006

404 needs to be fixed, no question. But the largest waste of money in compliance is not due to a problem with SOX, but a misunderstanding of SOX.

AS-2 requires the external auditors "attest to, and report on, the assessment made by management of the issuer", as well as the effectiveness of internal controls over financial reporting. To form the first opinion, external auditors have reperformed tests done by management, and done extensive reviews and testing of management's documentation.

But that's a lot of unnecessary work. All the external auditors have to do in order to express an opinion on management's process is, well, I'll let Thomas Ray say it. Here's the money quote:


In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.
Now here's the whole story:

There continues to be some misunderstanding with regard to the first of the two auditor opinions. Some believe that the auditor is expressing an opinion on management's assessment process. That belief, in turn, is fueling what probably is unnecessary additional work directed to evaluating the adequacy of management's process.

Let me dispel the misunderstanding. The first of the two opinions expressed by the auditor is not on management's assessment process. Rather, it is the auditor's opinion as to whether management's required statements about the effectiveness of the company's internal control and its descriptions of any material weaknesses are fairly stated.

So, how is this affecting the auditor's work? Doesn't AS No. 2 require the auditor to evaluate management's assessment process? Yes, AS No. 2 requires the auditor to obtain an understanding of and evaluate management's assessment process, and provides direction as to what the auditor should look for when performing that evaluation. The principal objective of the auditor's evaluation of management's assessment process is for the auditor to be satisfied that management has an appropriate basis for its conclusion.

Accordingly, the extent of the auditor's work is only that which is necessary for the auditor to form a conclusion as to whether management's process was sufficiently complete to provide management with a basis to support its reporting, and whether the results of management's testing support management's conclusion about internal control effectiveness.

In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.

Similarly, the auditor's documentation of his or her evaluation of management's process need not be extensive. For example, the audit documentation might consist of a summary document prepared by management that explains, perhaps for the benefit of the audit committee or other senior managers, the process management used in making its assessment, along with a memorandum prepared by the auditor that documents the auditor's procedures, the results of those procedures, other evidence obtained, if any, and conclusions.


posted by shapi, 3:30 PM

New 404 Guidance Ready For Public Comment In December

Ready your pens!

CFO.com reports that the SEC will turn over its Management Guidance Proposal on 404 for public comment during a December 13 open meeting.

And, not to be outdone by the SEC, the PCAOB plans to propose an improved version of AS-2 later this fall. They expect to release a final draft for 60 days of public comment.
posted by shapi, 8:40 AM

Sarbox404.com's Glossary To Hitherto Enigmatic 404 Terms

October 09, 2006

Deloitte says it would be helpful to have the SEC and PCAOB provide a glossary of commonly used 404 terms, since nobody really knows for sure what they mean, and the resulting confusion has led to - I promise they really used this term - "significant misunderstandings" by management, auditors, and investors.

They have a point.

And I have a glossary. Not to step on the PCAOB's or SEC's toes, of course, but here's one man's understanding of the most cryptic claptrap of 404:

Key control -

Says Deloitte: "The term key controls, though commonly used, is not a defined term in either PCAOB or SEC rules."
Maybe. But we can safely assume that the controls required by 404 are those which lead to the fulfillment of its objective, namely, the prevention of financial misstatements. Therefore, my definition of a key control is:

Key control [kee kuhn-trol] - member of a set of controls relied upon by management to mitigate risks of financial misstatement

The reason: We all know that key controls are those that mitigate the financial statement risks. But since it takes a combination of controls to mitigate all the risks, you cannot identify the key controls until you have identified the combination of controls that mitigate the financial statement risks.

However, it is very possible that more than one combination of controls will successfully mitigate the financial statement risks. For instance, if your payroll process has 12 controls, the financial statement risks may be successfully mitigated by a combination of controls 1, 3, 5, 6 and 8, as well as by controls 2, 3, 6, 9, 10 and 12.

In such an instance, management, at their sole discretion, may rely on either of the 2 sets of controls to mitigate the financial statement risks. For 404 purposes, those are the key controls. Whichever set of controls is less expensive and easier to test can be used.

Risk [risk] - A situation that, unless mitigated by a control, will cause a financial misstatement.

There are only three things that can go wrong with financial accounts: something is there that should not be there; something is not there that should be there; something is there in the wrong amount. If your risk does not fall into one of these three categories, it is not a risk. Example: "Bank rec will not be reviewed" is not a financial statement risk, because even if the review is not done, that does not cause a financial misstatement. It may lead to one, maybe, but it does not, per se, cause one to happen.

Following is a list of some things that are not risks, why they are not risks, and how the risk should be stated:

Bad: Bank rec is not reviewed
Why it's bad: This does not result in financial misstatement
Good: Not all cash deposits are recorded

Bad: Duties are not segregated in the billing system
Why it's bad: This does not result in financial misstatement
Good: Customer data in billing system is falsified

Bad: Bank rec is not done
Why it's bad: This does not result in financial misstatement
Good: Not all cash deposits are recorded

Bad: Unauthorized journal entries will be made
Why it's bad: Unauthorized journal entries are not necessarily inaccurate journal entries.
Good: Inaccurate / fictitious journal entries will be made

Bad: Access to payroll system is not limited
Why it's bad: This does not result in financial misstatement.
Good: Fictitious employees on payroll roster

Bad: Sales will be made to customers over their credit limits
Why it's bad: This does not result in financial misstatement
Good: Bad debt reserves improperly calculated

Bad: Daily customer receipts are not reconciled
Why it's bad: This does not result in financial misstatement
Good: Customer receipts inaccurately recorded

Bad: Physical cash collected is misappropriated
Why it's bad: This does not result in financial misstatement as the missing cash can be detected and appropriately recorded
Good: Cash receipts are understated

Bad: Spreadsheets are not effectively controlled
Why it's bad: This does not result in financial misstatement
Good: Depreciation / accruals / revenue / whatever / is improperly calculated
Reasonable [ree-zuh-nuh-buhl] - and - Remote [ri-moht] -

(as in "reasonable likelihood" and "remote likelihood"). These are a little tougher to define. But since 404 was designed to inform shareholders of the risks that management is taking with their company, reasonableness and remoteness should be measured against the amount of risk that the owner of a business would be likely to assume under similar circumstances. In other words, if you owned the business, would the level of assurance in question be sufficient for you to accept the risk? A bit subjective? Yes, but 404 was designed to inform business owners that their appointed management is allowing undue risks to exist in the business. Thus, it is logical to assume that the level of risk that is required to be disclosed to the business owner is that which a business owner would consider unreasonable.
posted by shapi, 4:22 PM