Governance Responsibilities Imposed by Sarbanes-Oxley
Typical examples of the difficulties that face senior management to ensure they support SOX are the following issues related to internal control over financial reporting of public companies and also in relation to judgments and estimates:
"Management is required to document the system of internal control over financial reporting. As required by the Sarbanes-Oxley Act of 2002 (SOX), section 404 (Management Assessment of Internal Controls), management will be required to assess the effectiveness of these controls. The ASB [Auditing Standards Board] believes that the evidence management uses to support its assertion about the effectiveness of its internal control also should be documented. The ASB believes that a failure to document the system of controls or the evidence used in making the assessment should be considered a weakness in internal control."
"Management must recognize that judgments and estimates are subject to second-guessing, and an assessment can change in a subsequent period if new information becomes available. As a result, the system of internal control over estimates is particularly sensitive because the auditor or a regulator might conclude that the internal control system was either not appropriate or not functioning because it allowed an inappropriate estimate to be booked in the first place. This will be true for any account or control where there is a greater degree of subjectivity." [2]
The internal controls that are required will vary from enterprise to enterprise. They will need to be tailored to the relevant industry (or industries) within which the organization operates; they are also typically unique for each enterprise. They are determined by its business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise uses for financial and other reporting.
For example, a simple test that can be applied in an organization is to ask staff why they carry out a specific business process, financial or otherwise. This is a question that may be asked by an auditor to determine whether internal controls referenced by management do actually work. The question, "why do you do that process?" often elicits the response: "because we have always done it that way." This answer indicates that the reasons -- even if they were once known -- have become lost to history, and it is a warning signal to the auditor and to management that the internal controls are not working in that particular case.
Another example of the questions that auditors must ensure are adequately addressed is shown in Figure 1, in relation to multilocation testing considerations. [3]

Figure 1: Multilocation Testing Considerations
The questions in Figure 1 relate to business units and locations and are generally tested first by auditors. They should be easy for most enterprises to answer. Difficulty in answering these simple questions may indicate more serious deficiencies in internal controls. This can lead the auditor to pose more difficult questions where the detail of the answers is less important to the auditor than the demonstrated fact that senior management does have relevant answers available.
Typical Internal Control Questions
For complete satisfaction that internal controls have not only been implemented but also work in practice throughout the enterprise, senior management needs to show that answers are available for each of the following management and audit questions. The questions should be answerable for each key resource: data; business activities and processes; locations; people and business units; and events. The answers should show how each resource relates to the strategic and tactical business plans that management has defined, for example:
- For Data: What does the data represent? How is the data processed? Where is it used? Who is responsible for the data? When is the data used? Why is the data needed? Does this data support the strategic and tactical business plans?
- For Processes: How do we execute them? What data do they use? Where are they processed? Who is responsible for the processes? When are these processes used? Why are the processes needed? Do they support strategic and tactical business plans?
- For Locations: What data does the location need? How are processes executed in the location? Who is responsible for the location? When is the location involved in key events? Why does the location exist for the enterprise? Do the business plans for each location support the strategic and tactical business plans?
- For Business Units and People: What data do the business units need? How are key processes executed in each business unit? Where is each business unit located? Who is responsible for the business unit? When is the business unit involved in key events? Why does each business unit exist? Do the business plans for each business unit support the strategic and tactical business plans?
- For Business Events: What data does each business event need? Which processes are initiated by each business event? Where do business events occur? Who is responsible for these business events? When do they occur? Why do they occur? Do the business events support the strategic and tactical business plans?
- For Business Plans: What data do the business plans need? How do processes support the business plans? Which locations do the business plans apply to? Who is responsible for these business plans? When does each event that supports the business plans occur? Why do the business plans exist? Do tactical and operational business plans support the strategic plans?