Posts Tagged SOX Testing
AS5 gave public company management license to “optimize” their control environments. The top-down, risk-based approach directed management to lift their gaze from the maze of process level controls and, instead, ensure that the controls they were testing actually mattered when it came to getting reported financial balances right. The way to do that was to match relevant financial statement assertions to material balances for in-scope locations. Most companies were already getting the materiality calculation right, but what about the assertions? What are assertions, exactly, and how can a refinement of the assertion list aid management in avoiding “over-optimization” and exposing themselves to a potential restatement of financial results?
Financial assertions have always existed but they tended to be implicit in nature. For instance, reported Cash balances implicitly Existed and were adequately Safeguarded and Complete. Proper Cut-Off ensured that all transactions were reported in the proper period and management appropriately Authorized those transactions. Management possessed Rights to the asset and, if pledged or otherwise restricted, that fact was fully Disclosed.
However, due to the myriad financial reporting scandals – Enron, Worldcom, Adelphia, Tyco, ad nauseum – that occurred during the early part of this decade, Congress enacted Sarbanes-Oxley (SOX) which, among other things, requires senior management (CEO and CFO) to explicitly assert to the reported balances. As a result, Assertions have recently received much more attention.
In my experience, companies typically utilize five assertions: Existence/Occurrence, Completeness, Valuation/Allocation, Rights/Obligations, Presentation/Disclosure. The Risk and Control Matrices I’ve encountered generally have an abudance of check marks – usually over-associating controls and assertions – leading me to conclude that a lack of understanding of the basic definitions exists. I’ve found that splitting those five into a broader list of thirteen assertions generally leads to a better understanding of what management is attempting to achieve with each control:
- Existence – Balance Sheet focused – Assets, Liabilities and Ownership Interests (Equity) exist as of the statement date and balances have a real world counterpart (i.e. customers, suppliers, employees, banks, etc).
- Safeguard Assets – Access to assets and critical documents that control their movement are suitably restricted to authorized personnel. Often covered as part of Segregation of Duties review.
- Occurrence – Income Statement focused – Transactions and events that have been recorded actually occurred and pertain to the entity.
- Completeness – All transactions and events that should have been recorded have been recorded.
- Cut-Off – Transactions and events have been recorded in the proper period.
- Valuation – Amounts based on estimates and judgementsare in accordance with US GAAP
- Allocation – Costs are allocated from the Balance Sheet to the Income Statement in the proper period (e.g. depreciation and amortization).
- Accuracy – Amounts recorded are mathematically accurate.
- Rights – The entity holds the rights to the assets.
- Authorization – Transactions are executed in accordance with management’s general and specific authority.
- Obligations – Liabilities recorded are the obligation of the entity.
- Classification – financial statement focused – transactions and events have been recorded in the proper accounts.
- Understanding – disclosure driven (generally footnotes) - financial information is appropriately described and understandable to users.
While this may initially seem like an esoteric exercise, splitting the five into thirteen actually achieves two things:
- Reduce the overall amount of time needed to test the control environment. Risk focused testing means the nature of the testing (Inquiry/Observation, Examination, Reperformance) can vary for two different controls providing assurance over two different assertions. For instance, Completeness becomes Completeness and Cutoff and, consequently two different assertion risk scores. If we combine the two, then the testing must satisfy the riskiest of the two.
- Prevent over-reliance on a control. An intersection of account/control/assertion on the Risk and Control Matrix could lead to incorrect conclusions regarding the assurance provided. Once again utilizing Completeness as our example, it is possible that we would need two different controls to achieve assurance that all transactions have been recorded and that they have been recorded in the correct period. If we do not adequately delineate between Completeness and Cut-Off, then we could inappropriately assume that a control mapped to the account/assertion intersection would enable management to explicity assert that the risk of misstatement has been mitigated.
The first point is important and, I believe as a result of AS5, has been seized upon by management to reduce the time required to test key SOX controls and make the process more efficient. However, my concern is that the second point is often overlooked. In the rush to “optimize” their control environment, management may inadvertantly “over-optimize” or fail to identify and test a control that will enable them to certify that all subsections of a particular assertion have been covered and, consequently, expose the organization to the arguably greater risk for restatement of reported financial results. Therefore, management should consider the evaluation of accounts at the greater granularity of thirteen assertions to obtain an ”insurance policy” of sorts to reduce the risk of misstatement.
In an effort to reduce overall SOX compliance costs, companies must find a way to reduce external audit fees by increasing the amount of reliance the auditors place on management’s testing of its control environment. In a 2006 comment letter to the SEC/PCAOB, a group of controllers and CFOs made several recommendations including the following:
53% of companies (*see attribution below) indicate that auditor reliance on management testing is their primary discussion issue with their external auditors. We believe that auditors should have more flexibility to rely on management’s work, including process owners, for areas that are not considered to be at high risk. For example, automated transaction controls or controls over routine processes involve lower risk and can be tested by process owners. It is important that process owners are accountable for effective controls, but auditors believe that AS2 prevents them from relying on process owner assessments. This causes duplicate testing and is disruptive to operations. Auditors should be allowed to rely on the quality of managements’ overall compliance approach, including the presence of a robust compliance environment and entity- level controls, rather than focusing on individual assessor independence.
We are therefore recommending that external auditors be required to rely on management’s work in testing (irrespective of entity performing the testing) for a mutually-agreed upon universe of low-risk controls.”
Submission of Comments to the SEC/PCAOB Roundtable, May 10 2006
- *Corporate Executive Board research; http://www.executiveboard.com
AS5 addressed this concern by specifically directing auditors to rely more on the work of others. However, more than 40% of the 257 companies, which participated in a September 2007 poll taken by the Institute of Internal Auditors, indicated their external auditors relied on less than 25% of the testing work performed by management. Clearly, gains can be made – but what can be done to change the minds of auditors? The first, and perhaps most important, step is for management to demonstrate an understanding of its environment via a robust assessment of the risks to accurate financial reporting.
Whether the assessment is the traditional “likelihood and impact” approach for each of the identified risks, or management chooses to utilize the risk factors identified by the PCAOB/SEC, or some other method entirely, the point of the exercise is to give external auditors a view into management’s evaluation of what could go wrong. Ranking the relative risk of the resulting misstatements, and the controls that mitigate those risks, then provides a tool for framing the “reliance” discussion. In year one, auditors may then be more comfortable relying on management’s testing of those controls that mitigate low level risks. As time progresses and the risk discussion matures, management and auditors may achieve a balance of reperformance and reliance resulting in reduced cost of compliance.