Mending Your SOXNicole Saldamarco
November 14, 2005 — 1,323 views
Did you spend significantly more than you budgeted on your Sarbanes-Oxley documentation and testing? Are you wondering how to reduce your costs in the upcoming year? Have you recognized value from your investment?
Based on our experience and based on guidance from the PCAOB May 16, 2005 Staff Questions and Answers bulletin, there are six primary areas in which you can reduce costs while obtaining value related to Sarbanes-Oxley compliance. They include:
- leveraging prior-year knowledge;
- automating your internal controls;
- utilizing a top-down approach;
- coordinating and sharing information with your external auditors;
- relying on the work of others; and
- extracting value from software designed to maintain Sarbanes- Oxley-related documentation.
Leveraging Prior-Year Knowledge
In year two, you can use the knowledge obtained in the prior year about the company’s internal controls to help assess risks for the current year. Based on a reevaluation of risk and identification of key controls, you can potentially reduce the number of controls required to be tested and, potentially, the sample sizes chosen for the current year.
One of the more significant ways to reduce costs in year two is by evaluating automated application controls. When testing manual controls, a sample must be chosen, and then each item selected must be tested. For example, if the control is a daily control, a typical sample size of 25 may be selected for testing. You may be able to reduce your sample size selected for testing by evaluating the controls and determining if they are or can be automated. You may not need to perform sampling and testing if general controls over the program change access to programs and computer operations, provided the automated controls are being tested in conjunction with your overall testing strategy.
If you do decide to automate controls, it is important to consider:
- • the effect of related files, tables, data and parameters on the consistent and effective functioning of the automated application control;
- • the extent to which the application control can be matched to a defined program within an application;
- • the extent to which the application is stable; and
- • whether a report of the compilation dates of all programs placed in production, including program changes, is available and is reliable.
Evaluating your controls in year two to determine if there are automated controls present will not only reduce your costs related to Sarbanes-Oxley compliance, but may also enable you to obtain efficiencies in daily processing. Perhaps accountants are performing manual functions that can be performed within your accounting system. This affords a company an opportunity to revisit and evaluate the modules and characteristics of the accounting system to ensure that the optimal value is derived from the system.
Another area of significant cost savings is the evaluation of the company’s “key” controls. When assessing internal controls, be sure to use a top-down approach. Start with company-level controls and then address key individual controls at the process level before addressing transaction or application level controls.
A direct relationship exists between the degree of risk that a material weakness could pose in a particular area of the company’s controls and the amount of audit attention the auditor should devote to that area.
For instance, if fixed assets are an immaterial balance on your balance sheet, controls over this area may not need to be tested under Sarbanes-Oxley. Documentation of the applicable controls with a conclusion that the line item is immaterial to the financial statements taken as a whole may be sufficient, and the applicable testing may not be necessary.
Coordination with External Auditors
Be sure to discuss your approach with your external auditors. One way would be to include your external auditors on your Sarbanes-Oxley task force. You could include the auditors in your interviews when updating the documentation of internal controls. The point is to keep your auditors updated throughout the process and try to get “buy in” to your approach prior to testing internal controls. Review your key controls with your auditor and get consensus when reducing the number of controls to be tested. Once consensus is achieved, you can concentrate on testing, hopefully with a plan that includes reduced amounts of testing.
Relying on the Work of Others
Discuss your testing strategy with your external auditors. If you are using a competent, independent third-party to perform testing, your external auditors may be able to review the third-party’s qualifications and place reliance on the work performed. If your external auditors can rely on the work of others, perhaps they can reduce their time and costs associated with testing of internal controls.
In year two, your costs will naturally be reduced, since your internal control documentation is complete. If you purchased Sarbanes-Oxley software, you may be a step ahead. If you did not purchase software, you still have time to consider a software solution to assist in reevaluating your internal controls, managing the ongoing testing and controlling the updates to the internal control documentation as well as housing the related testing results. If you did not use such software in year one, you may be surprised that the functionality of available packages has been substantially enhanced over the past several months. Complying with Sarbanes-Oxley is certainly costly, so companies should seek to contain the costs while maximizing return on investment. Embrace the opportunity to constantly evaluate your processes and improve upon them.