
8/14/2019 The Great _SOX_ Caper

The Great SOX Caper

By James J. Finn, MBA, CISA, and CIA
Independent Consultant

James J. Finn is the founder of an independent Financial, IT, and ICFR consulting business, and has worked as a CFO, program manager (PMO), internal auditor, and compliance consultant for small, medium and large public companies as well as for Mutual Insurance Companies. Mr. Finn holds a BSBA degree in Finance with Honors, and an MBA from Northeastern University, Boston, Massachusetts. Through the years, Mr. Finn has acquired over 25 years of hands-on experience at various financial positions ranging from Management Trainee at the First National Bank of Boston, to CFO and VP of Finance at a commercial printer, Dynagraf Inc. Also, as a qualified CIA and CISA, he has focused on internal controls and compliance programs for Sarbanes Oxley since 2004.

Prior to authoring this White Paper, he has written comments to the SEC on Sarbanes Oxley related issues, and was the editor for a comprehensive accounting policy and procedures guideline for Digital Equipment Corporation's worldwide internal Product Line Management Accounting system. He has also authored a statistical guideline, Sampling for Internal Audit SOX, MAR Compliance Testing.

    Version 1.60, 2/21/10

While this document is believed to contain correct information, the author, James J. Finn, does not make any warranty, express or implied, or assume any legal responsibility for its accuracy, completeness, or usefulness. Reference herein to any specific product or publication does not necessarily constitute or imply its endorsement, recommendation, or favoring by the author. The views and opinions are those of the author.

Copyright 2009 by James J. Finn, Finn Consulting LLC. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please contact the author at [email protected] or call him at 781 307 7857.

    2010

    Finn Consulting LLC

    SOX; AS-2 Too Early, and SEC Guidance Too Late

Page | 2   Preliminary, Draft; For discussion purposes only.

    Foundation:

Management at many companies responded to Sarbanes Oxley by focusing on the practical objective of getting a clean audit opinion, and, in an effort to anticipate their audit needs, drove their SOX programs using the PCAOB's AS-2 auditing standard as a company guideline. Unfortunately, management's requirements for compliance with SOX section 404 had almost nothing to do with the AS-2 auditing standard. Simply stated, AS-2 was designed specifically for auditors, not for companies.

Also unfortunate was the fact that AS-2 was unprecedented in its requirement for skilled professional labor. This excessive labor requirement was partially driven by the AS-2 requirement for mandatory walkthroughs to collect financial transaction processing information. In order to be done effectively, this usually required an auditing background. However, companies frequently used employees that were not trained in auditing; and, as a result, incurred unnecessarily high labor costs to perform the walkthroughs. Also, when the demanding requirements of AS-2 were combined with a company's insufficient workflow and procedures documentation, it dramatically increased the overall confusion and costs for a SOX compliance effort. Employees who were not trained auditors (and probably should not have been assigned to an AS-2 based SOX project) made mistakes when establishing the document foundation for SOX testing and control design. This frequently resulted in a recipe for disaster. This recipe for disaster (i.e. the AS-2 standard, untrained staff, and poor documentation) could occur even when audit firms were engaged to assist companies with their SOX efforts, but for a different reason. Although auditors were familiar with the AS-2 auditing standard, they were not necessarily familiar with the company's workflows and procedures. As a result, they had to rely on the documentation that the company had established in order to plan walkthroughs and control testing; and the walkthroughs were only as good as the documentation and the stability of the processing workflows and procedures. Also, walkthroughs did not work as well in practice as they could in theory because transactions are not "Routers" in that not all transactions contain all "Branches" of a process required for recording a journal entry to the general ledger. If the transaction selected for the walkthrough does not hit all the steps and controls in a process, the information is incomplete or incorrect. ??? This could become more of a problem than one would first think since walkthroughs are recommended in the AS-5 auditing standard paragraph 37 as the correct approach for understanding likely sources of misstatements.

37. Performing Walkthroughs. Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph 34. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls. 1

In either case, AS-2 was frequently forced to work with inadequate workflow and procedures documentation, and with company employees who had very little training in AS-2 auditing. In addition, a company's learning curves for AS-2 and its need for walkthroughs were exacerbated by the fact that documentation for financial reporting workflows was usually inadequate or out of date. In many companies, the resources and costs related to efforts to comply with AS-2 were out of control because the company couldn't provide sufficient ICFR workflow and process documentation to minimize the learning curves, or to reduce walkthrough labor requirements. The "AS" in AS-2 stands for Auditing Standard, not corporate guidance. Management should have stopped and seriously thought about this fact, because YES it did make a difference.

1 PCAOB Release 2007-005; May 24, 2007; Page A1 19 Standard

The underlying theme for actual SOX problems, and the substance for this analysis and presentation, is the fact that management and the auditors were from two different worlds in terms of their SOX section 404 responsibilities, but never appeared to realize it. In addition, they did not share a common database or source of financial reporting workflow and procedures information that could serve as a central information source to synchronize their compliance efforts. Communication and mutual understanding was rarely, if ever, achieved because management generally accepted the auditors' AS-2 as the compliance model for SOX without any real understanding of its implications or underlying principles. This is especially true when it comes down to AS-2 risk and control auditing concepts including walkthroughs and control attribute testing methodologies. In reality, each party's SOX responsibility was based on different risk requirements and objectives, yet they tried to standardize on AS-2 as the common point of agreement and compliance guidance. The almost complete lack of attention to the real differences contained in an accurate interpretation of section 404 requirements reminds me of the Twilight Zone TV episode titled "To Serve Man", in which the interpretation of a key document (a book) was wrong, and the consequences of decisions made on the basis of this wrong interpretation were catastrophic. As in the case of both the TV show and SOX compliance, there is no Rosetta Stone to translate each party's Role and responsibility; that is, to translate the core differences between management's assessment requirements and the auditors' AS-2 auditing standards. However, once the differences are understood, it is clear to me that there is no imaginable reason for a company to be using AS-2 or AS-5 as a SOX compliance guideline. The companies' legal and practical responsibility is to establish and assess internal control and financial reporting procedures for misstatements in their financial reports, not to assess for misstatements to the AS-2 standards for financial reporting. This makes a big difference! Just like misinterpreting the Book in the Twilight Zone episode made a big difference. 2 The validity of the position that there are significant differences between the auditors' responsibilities under AS-2, and management's assessment requirement, is supported by the SEC interpretative guidance (Federal Register June 2007 3).

    SOX history:

Most SOX programs failed to meet management's expectations in terms of cost, scheduling, predictability, and integration with the companies' daily procedures. In addition, at some companies control testing was full of surprises and disrupted the continuity and scheduling of SOX programs. These surprises occurred partially because the sampling methodology used for testing the effectiveness of internal controls was based on an auditing approach for control acceptance sampling which could produce unexplainable, unreliable or unrepeatable results when used without adequate training and understanding. This authoritative sampling methodology used by most companies was based on the minimum acceptable auditing sampling plans, and used small sample sizes. These sampling plans were more useful to auditors than they were to management since AS-2 allows auditors to increase their confidence in testing results by cross applying financial audit substantive testing to support their internal control evaluations; unfortunately, most management SOX teams did not have that advantage. Also, for auditors, the sampling plan is only one of many considerations used to form an opinion, whereas companies had a tendency to rely exclusively on the test results to reach conclusions. Drawing conclusions using these sampling plans requires experience and judgment not necessarily available to companies using employees for testing.

2 The episode can be viewed off the internet at http://www.imdb.com/video/cbs/vi54853657/ after a minute commercial.
3 The Federal Register version can be seen on the internet at http://www.sec.gov/rules/interp/2007/33-8810fr.pdf

Eventually, an authoritative guidance for companies was provided by the SEC (June 2007) which recognized both the differences and the common elements of the auditors' and the companies' SOX assessment responsibilities. This is referred to as the SEC interpretative guidance 4 and is focused on an SEC acceptable methodology for a company to perform an assessment of ICFR. In many respects, this was too late because, prior to this guidance, project managers and informal SMEs with an accounting or auditing background used their experience in walkthroughs to collect process information (usually for processes that were not stable or documented), and to create Risk Control Matrices (RCM) for control documentation. Because of the alignment of these procedures and RCMs to the auditing requirements of AS-2, I consider this approach ineffective for management's assessment; however these procedures became the norm at many companies and could not be dislodged easily. Employees who applied these techniques to comply with the AS-2 model for SOX compliance usually created a program that was unacceptably expensive because - without process flow documentation - they were working in the dark. In many cases, this resulted in control and testing over-kill to eliminate any perceived risk. This phenomenon of trying to produce a Zero-Risk internal control system occurred partially because companies could not provide the basic total process workflow and procedures documentation and partially because of uncertainties and anxieties by employees trying to comply with AS-2. In addition, company personnel were confused and misdirected by AS-2, and usually did not understand what they were doing or what was expected from them.

In retrospect, I now believe that fully documenting the workflows and procedures first, and allowing or facilitating employees to analyze and resolve SOX compliance issues as they were discovered, would have been a more productive and less costly approach for companies. As a result, my approach is to do precisely that by first determining up front what the total financial reporting process looks like, and then determining what each employee contributes to the process. This is designed to decentralize the workload to the most qualified people for process documentation (the actual employee doing the job). Once the workflows and employee procedures have been documented, the significant risks can be evaluated and necessary controls developed in context with other controls by using pre-designed workflow models. In my opinion, it doesn't matter when this workflow and procedures mapping process is completed. What really matters is that it must be completed; only when it has been completed can the controls and risks be viewed in context. After this is done, then, and only then, do I recommend auditing and testing the process controls for effectiveness. Premature testing can be a disaster, and has been.

SOX also resulted in a paradigm shift in auditor and management responsibilities that disrupted their existing Roles in financial reporting. The change in the auditors' focus from auditing the end results (financial reports) to auditing the management controlled internal workflows in a more comprehensive manner minimized the auditing firms' ability to deliver inexpensive solutions to problems or issues that were found during the audit. Prior to SOX, auditing issues could be resolved with inexpensive accounting entries that were usually provided by the auditors. However, the paradigm shift in responsibility eliminated the auditors' capability to provide management with this low cost solution. Accounting entries could not solve internal control (workflow) problems, and the cost of remediating internal control deficiencies (which was deferred until after the audit) fell back on company management. This surprise and the resulting remediation expenses were not planned for. As a result, remediation reaction time was too slow, decisions were not made, and management's compliance objectives were at risk. In some instances, full SOX remediation was still not completed even after four or five years of patchwork and band aid fixes. In addition, company SOX compliance teams usually couldn't get much assistance from their auditors during the first few years because the auditors were focusing on solving their own AS-2 SOX problems in order to comply with SOX Title I section 103, in addition to section 404. Consequently, the auditors were not focusing on, or (in many cases) even willing to discuss, the company's compliance issues.

4 The Federal Register version can be seen on the internet at http://www.sec.gov/rules/interp/2007/33-8810fr.pdf

Defaulting to the PCAOB's AS-2 or AS-5 auditing standards for guidance created a major problem for many companies, and eventually misdirected the companies' resources and personnel into performing auditing work rather than strengthening and documenting the company's internal procedures and control workflows. Management paid a very high price for allowing the PCAOB AS-2 auditing standard to drive their SOX compliance programs. In fact, using AS-2 and a checklist approach is recognized as the cause of many expensive and unsustainable SOX programs. The checklist approach, which is usually based on the AS-2 auditing standard, put at least as much emphasis on auditing risks as it did on the company's financial reporting assessment risks. This did not focus sufficient attention on establishing and documenting financial reporting workflows and procedures or leave sufficient funds for companies to provide supporting documentation for auditors to perform inexpensive walkthroughs in accordance with AS-2. In addition, since there is a substantial element of subjective interpretation involved in using AS-2 as a company guideline, it was extremely difficult if not impossible (in many cases) to reconcile year to year control descriptions, narrative wording, and test plans to each other.

This inability to effectively compare an earlier year's control and documentation wording to the current year's wording exacerbated existing communication issues with external auditors since they usually preferred to begin a new year's audit with the documentation, control wording, and testing results from the previous year. However, many companies changed wording during the year as the result of discovering discrepancies or inaccurate workflow and procedures documentation. This problem was compounded when contractors were used to make midyear changes which were not documented, or where remediation projects reorganized a company's workflows and internal controls, or made major changes to information systems involved in the financial reporting process.

This could become a serious source of compliance project delay or audit panic when auditors wanted to track changes in wording from one year to the next because monitoring and documenting these changes was:

1.) Usually not expected, and the requirement wasn't known until after the fact.
2.) Extremely labor and cost intensive without a system in place to track changes.

In many cases companies could not explain specific changes because of employee turnover on the project, unmanaged changes in definitions, and revisions or updates of control attributes. Also, control rationalizing programs frequently combined controls which resulted in rewording an existing control multiple times, or eliminated portions of a control description or completely re-wrote a workflow or process walkthrough narrative. This created irreconcilable changes in documentation when performed without a SOX change management process. Also, when remediation took more than a year, it could create new process documentation that could not be reconciled or compared to the old documentation.

At an extreme, new wording could not be reconciled, and could stop a SOX audit. This could result in all related documentation for the old processes being replaced by new documentation then re-tested and re-audited from scratch. However, as costly as this could be, I believe the greatest cost was that the unrealistic effort to reconcile wording created compliance inertia in the respect that everyone became unwilling to change anything. As a result, efforts to correct errors could come to a halt because it was easier to leave things the same and "Rinse and repeat" the previous year's tests.

In my opinion, the most obvious area of avoidable compliance cost (walkthroughs) was a result of the unnecessary attempt, by companies, to comply with the AS-2 auditing standards combined with a lack of overall financial reporting workflow and procedures documentation. Not having accurate and comprehensive financial reporting workflow and procedures documentation forced an unexpected and expensive reliance on multiple redos which required additional skilled labor to provide iterative walkthroughs just to collect basic information on the financial reporting processes. The economic severity of this problem is reflected in the fact that the auditing walkthrough requirements were declawed from AS-2 to AS-5 from mandatory to as needed after negotiations between the SEC, the PCAOB, and corporations. Walkthroughs are an expensive SOX AS-2 auditing procedure; but, from an auditor's point of view, someone had to do it because it is difficult to opine on something if you do not have a clear understanding of what that something is.

However, the relevant question that has to be asked is: Did companies have to become auditors and adopt AS-2 as an internal SOX guideline????

Unfortunately many companies never created and documented an accurate overall Business Model or Map of the financial reporting workflows to support a cost effective walkthrough. In my opinion this cost companies dearly, and will continue to do so until each company completes a workflow model. This is because workflows and procedures are the foundation for effective walkthroughs, and contain all the transaction processing activities that comprise internal control. Even years after SOX became effective, many companies still do not have an overall dynamic model of their financial reporting process. Consequently, because this foundation is essential to understanding and working with a company's financial reporting processes, I recommend that companies take the critical first step in a SOX recovery program, and use a vetted process modeling methodology such as IDEF0 to create a financial reporting production model to serve as the foundation for future efforts.

Obviously, I have an interest in doing this type of work.

In order to create an authoritative and legal basis for management to rely on for SOX 404 compliance, the PCAOB, the SEC, and other interested stakeholders negotiated for years to find an effective alternative (solution) to the inappropriate use by companies of the AS-2 auditing standard and checklists. However, while these negotiations were being conducted, companies were still committing major funds to finance SOX compliance projects based on AS-2, and, as a result, AS-2 became deeply entrenched as the company compliance standard. Consequently, a lot of unnecessary or redundant controls were baked into many companies' SOX compliance documentation and testing programs. The SEC and the PCAOB did eventually present a joint theme for SOX compliance that consisted of two components. One component was designed and intended to apply only to the auditing community. This was finalized as the PCAOB's AS-5 auditing standard, and established requirements for auditors in a format that addressed their responsibilities in both financial and internal control auditing. AS-5 was never intended to apply to companies, and, in my opinion, is not an economically viable guideline for a company's SOX compliance program. At about the same time that AS-5 was finalized (June 2007), the SEC released its own SOX compliance guideline for companies. This was referred to as the SEC Interpretative Guidance, and was designed to provide companies with a comprehensive guideline covering management's SOX section 404 responsibility for an assessment of internal control while at the same time reducing excessive costs that had resulted from the checklist approach. The guidance also provided guidelines to reduce the rigid documentation and walkthrough requirements of AS-2. In addition, since this guidance is somewhat based on the concept of Information Asymmetry, it holds management to a higher level of understanding and responsibility for internal control assessment than that expected from auditors.

Both the PCAOB AS-5 auditing standard and the SEC interpretative guidance focus on a Top Down risk analysis; but, each refers to a different set of risks. The companies' risks are for financial reporting risks inherent in producing the financial reports themselves; that is, quality control over the production workflows and procedures for producing their financial reports. On the other hand, the external auditors' responsibility is to evaluate risks to financial reporting in accordance with the requirements of AS-5. Both the SEC interpretative guidance and the PCAOB AS-5 refer to risks as being the drivers for an ICFR evaluation, but, AS-5 requires a prescriptive, structured, approach focused on auditing; whereas the interpretative guidance is based more on a situational awareness of management for their financial reporting procedures and their effectiveness at controlling risks of a misstatement in the actual financial reports. Beyond that, there are other differences in documentation and evaluation requirements that can provide sufficient financial justification for a company to discard the use of the AS-5 auditing standard and focus on investing in a workflow modeling and documentation project while applying the SEC guidance for the assessment of internal control. The interpretative guidance's instructions related to documentation are centered on management's information availability and tools to address misstatements in financial reports while still providing basic documentation for the auditors to support their need to audit for misstatements according to AS-5. This addresses and demonstrates the management vs. auditor information asymmetry point of view of the SEC.

The duality and separation of SOX compliance responsibility is highlighted by the law's original focus on increasing auditor oversight and their independence from management. In accordance with the separation of responsibility indicated by paragraph (a) and (b) of section 404, the SEC recognized the need for a formal second guidance document in addition to AS-5 that applies specifically to the company's management assessment. The increased regulatory focus on management's internal financial reporting procedures and workflow responsibility will tend to increase costs for companies trying to maintain both the AS-5 auditing standard, and the development of their own improved workflows, procedures, assessments, and financial reporting documentation. This can further increase the economic distance between companies and their auditors since, in the final analysis, someone has to pay for the auditors to audit based on the AS-5 standard. The key to working both issues is to build the compliance and documentation requirements into the company's daily operations as an investment in workflows, procedures, and documentation using pre-designed formats. In fact, the existing separate requirements for management and auditors provide an impetus for management to look at SOX compliance as a dividing line or point of separation transforming the old world of accounting and auditing based on the individual contributing professional approach - to a remodeled internal corporate production workflow where internal control is maintained with monitoring and self assessment. This could result in a financial reporting production-line and quality control approach.

The workflows, procedures, documentation, and automated audit reporting software that I have developed into a remodeling package for financial reporting ICFR compliance moves a company in that direction by offering an investment based automated option as a present and future compliance solution. In my opinion it is not a question of if financial reporting will become a production process with automated monitoring and audit trails, but, rather a question of how soon can it be done, and what is available for pre designed workflows and procedures. Migrating away from the AS auditing standards provides an opportunity for a company to establish its own internal workflow model of financial reporting and truly invest in a dynamic process approach rather than a "Rinse and Repeat" auditing test and retest approach to ICFR compliance. The resulting financial reporting business model and documentation would serve to keep the auditors' and the companies' assumptions and conclusions synchronized. This results in significantly lower costs.

However, since one fundamental problem is that a comprehensive financial reporting workflow model and documentation may not exist at many companies, the first priority for a cleanup program is to build that foundation through a discrete Project designed for that single purpose. I believe it would be best done by a discrete project team that is independent and separate from both the company and their auditors since its intent is to further separate the auditors' responsibility from management's responsibility. The deliverable would be a common, shared, comprehensive financial reporting workflow documentation database available for both parties to use in performing their separate compliance tasks.

A company cannot make effective and financially sound decisions regarding the appropriateness or necessity of an internal control without putting the risk to be mitigated and the control or controls related to mitigating the risk in context with all other financial reporting controls and mitigating procedures. Ignoring this reality was, and, in my opinion, still is, the primary source of cost, confusion, conflicts, and wasted money in SOX compliance programs. The most effective long term investment for controlling present and future compliance costs is to build an accurate and dynamic sustainable workflow model, and document the corresponding procedures covering the complete financial reporting process. In addition to supporting external auditing needs, this structured documentation foundation provides the necessary information for an assessment based on the SEC interpretative guidance. The purpose of the SEC interpretative guidance was to address problems and cost issues that companies were having as a result of efforts to comply with AS-2 and the auditing checklist approach, which is why it is the only authoritative document that declares that it is one way for companies to legally comply with a company's internal control reporting requirements of the SEC as modified by SOX.

"An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements of Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934." 5

See below, Best available solution:

[Figure: Best available solution. Three columns: Financial Reporting Operations; Control & Compliance; External Audit. Labels: "AS-5, Internal Control Auditing Standards"; "SEC Interpretative Guidance Assessment"; "FR Policy, Procedures and Workflow"; "Documentation for AS-5 & SOX Section 103 QC Compliance".]

5 The Federal Register version can be seen on the internet at http://www.sec.gov/rules/interp/2007/33-8810fr.pdf
  • 8/14/2019 The Great _SOX_ Caper

    10/13

    Page | 10Preliminary, Draft; For discussion purposes only.

    The above illustration shows the final SEC and PCAOB resolutions that defined which authoritative guidance and standards applied to management versus those that applied to the external auditors for documentation and SOX compliance. In order to work efficiently and cost effectively, a suitable centralized and separate Control and Compliance group is essential to provide the professional and clerical support not economically available in the financial reporting operating groups or from the external auditors. This group should not be biased toward the finance department or any other individual department. The best organizational solution I have seen is the one that establishes an ongoing SOX program reporting to a steering committee consisting of all CXOs and chaired by the CEO, or by a BOD audit committee member. This is also recommended in OMB A-123.

    Probably for many reasons, but primarily because of sunk costs, the above separation of the SEC's and the PCAOB's authoritative guidance was never put into effect at many companies. As a result, the AS-2 or AS-5 auditing standard that was force fit into many companies is still the dominant guideline and authoritative reference; and many companies have not even evaluated the benefit of a change! The normal result I observed is as follows:

    [Figure: Normal result. Columns: Financial Reporting Operations; Control & Compliance; External Audit. Labels: AS-5, Internal Control Auditing Standards; Documentation for AS-5 & SOX Section 103 QC Compliance; FR, NARRATIVES, WALKTHROUGHS, and RCM documentation for Auditor compliance.]

    Many companies are too financially committed to AS-5 to even consider a switch to the SEC's interpretative guidance. This is unfortunate, since that approach supports developing computerized workflow monitoring and self-assessment procedures that could substantially reduce the annual expense related to assessment and auditing by incorporating compliance requirements into workflows and procedures; this would be a one-time investment that could be cost effective for years and remain applicable under increasing regulatory pressures for financial reporting process controls. In any case, as a consequence of the confusion and deadlines that sealed corporate acceptance of the AS-5 auditing standard, a desirable balance was never achieved at many companies. The result is as


    the companies really needed a discrete project approach with the infrastructure and resources required to change or repair the internal controls as needed, rather than just auditing them. Internal control change management projects are infrastructure-intense projects that require leveraging sophisticated statistical sampling techniques as well as information systems technology and SME-level knowledge to maximize the value of labor resources. The auditing approach resulted in too little focus on the companies' workflows and procedures, and too much focus on auditing and control testing. In addition, internal and outside auditors involved in the project had to follow auditing standards for maintaining independence related to the processes they audited, which restricted them from becoming active participants in solving problems when remediation was required. This problem was compounded by the fact that many auditors did not have the actual operations management background and experience required to contribute effectively to the problem resolution process. A realistic compliance project should be viewed as a full-scale process evaluation and reengineering project that can be broken into four major objectives.

    These are:

    1. Determine and document what presently exists for actual financial reporting transaction processing workflows, procedures and internal controls.

    2. Determine what workflows and procedures should exist based on a risk analysis, and develop controls designed in context with the workflows, procedures, and documentation developed in #1 above.

    3. Implement and test the workflows, internal controls and financial reporting procedures developed in #2, in an iterative manner, until they are effective.

    4. Fully document and maintain the results of the above efforts.

    Many SOX programs also became mired in uncertainty because SOX compliance teams had difficulty defining who "Management" was for Section 404 responsibility. The teams wasted resources on fragmented efforts caused by being torn between focusing on consolidated top-level financial reporting vs. local process and activity-level reporting. In addition, after the first year, senior executives were unwilling to repeat the expense of the surge of professional labor required to maintain both the AS-2 auditor requirements and the company's internal control and procedures requirements. SOX compliance managers were strongly pulled in different directions by the conflict between the auditors' needs and management's needs when allocating scarce labor and limited skill sets.

    In addition, in an effort to cover every possible activity where employees or auditors thought there might be an AS-2 financial reporting risk, there was an aggressive case of control overkill and an inappropriate, overly sensitive identification of control needs (especially during the first few years). In later years most programs went through a control reduction, or "control rationalization", process intended to reduce redundant or unnecessary controls implemented in year one. Success varied from company to company; however, in some cases new holes were created in the control environment based on erroneous assumptions regarding coverage elsewhere in the reporting workflow that may have been changed.

    Because of unexpected setbacks and expense overruns in SOX implementation, as well as other well-publicized poor project results, the negative impact on employee morale and management frustration was unprecedented. SOX projects resulted in resource conflicts, damaged management relations, and unnecessary collateral damage to employee confidence and program involvement. This collateral damage usually resulted from employee confusion, misdirection, and uncertainty about what to do, how to do it and when it was required to be delivered. In many cases, project costs were out of control, and
