Thread Title: Management Oversight: Independent review of internal control testing
Created On Wednesday July 18, 2012 4:22 PM


Deke


Posts: 1
Joined: Jul 2012

Wednesday July 18, 2012 4:22 PM


Working as the Audit Manager for a small public company, I am a one-person SOX internal control function. I am a CIA and CFE, and have over 21 years of work experience, the last 15 years in internal audit and SOX.

We recently received an advisory comment from our external audit firm. It reads as follows:

Management Oversight of the Internal Control Function

Finding
Management is responsible for assessing and maintaining an effective internal control environment over financial reporting. During our procedures, we noted no independent review of the internal control testing was being performed.

QUESTION: Can anyone cite from the PCAOB or other sources that it's an absolute requirement (not just best practice) that an independent review be performed of my SOX controls testing? While I'm in agreement it's a good idea, our personnel and financial resources are limited and would likely require engaging a third-party contractor. Any other thoughts, ideas, or suggestions?

Thanks for your feedback.




Paul_M


Posts: 102
Joined: Apr 2003

Friday July 20, 2012 11:38 AM


Just as a reminder, the PCAOB monitors the accounting firms. It does not have direct authority over registrants. That is the purview of the SEC. Any rules issued by the PCAOB apply to your auditors, not to you. The SEC issued its interpretive guidance to management in SEC Release No. 33–8810, June 27, 2007. The SEC’s guidance provides a broad framework that allows significant latitude to management in its approach to evaluating internal controls. To quote a few relevant sections from that guidance:

“The Interpretive Guidance reiterates the Commission’s position that management should bring its own experience and informed judgment to bear in order to design an evaluation process that meets the needs of its company and that provides a reasonable basis for its annual assessment of whether ICFR is effective. This allows management sufficient and appropriate flexibility to design such an evaluation process. Smaller public companies, which generally have less complex internal control systems than larger public companies, can use this guidance to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances. We encourage smaller public companies to take advantage of the flexibility and scalability to conduct an evaluation of ICFR that is both efficient and effective at identifying material weaknesses.”

“The nature and extent of procedures implemented to evaluate whether those controls continue to operate effectively can be tailored to the company’s unique circumstances, thereby avoiding unnecessary compliance costs. The guidance assumes management has established and maintains a system of internal accounting controls as required by the FCPA. Further, it is not intended to explain how management should design its ICFR to comply with the control framework management has chosen. To allow appropriate flexibility, the guidance does not provide a checklist of steps management should perform in completing its evaluation.”


Since you’re a one-man operation in a smaller company, I would also recommend the SEC’s SOX Guide for Small Business. Part of that guidance says:

In a smaller company, you may not need to assign any special personnel to the task of gathering evidence on how internal controls are operating. Likewise, the procedures you follow to obtain evidence of operating effectiveness may be integrated with the daily responsibilities of the employees.

The SEC guidance also describes circumstances in which managers can rely on their own knowledge and supervision of controls — a common situation in smaller companies — as a way to limit the additional procedures, if any, that might be needed to gather evidence of operating effectiveness.


So, yes, we all agree that the textbook answer (which the external auditors seem to be pretty good at) is that another person should review your testing. The real world answer (which external auditors are typically not very good at) is that it would be a cost that would provide minimal value to your evaluation process.




The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org