This training gives context to SOX 404 requirements. This is meant to be easy to understand, especially for those with first time exposure to SOX 404.
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
This table of contents came directly out of Auditing Standard No. 5 from the PCAOB website. I’ve just broken it into chunks so that it’s easier to understand and follow.
Selecting Controls to Test
Paragraph 39 talks about testing the controls that are important. Remember in Auditing Standard 2, there were lots of controls that people were testing. They tested anything that was called a control. AS 5 narrowed it down to testing controls that are important or key. Paragraph 40 says that it’s not necessary to test all the controls for relevant assertions or to duplicate certain controls unless redundancy is the key objective. AS 5 is more focused on key controls.
What is considered a key control? If it addresses the risk of a material misstatement, it is a key control. It doesn’t matter what you label the control. You can call it entity-level control, monitoring control, control activity or preventive or detective control. What’s important is if it fits your objective.
Testing Design Effectiveness
In the previous segment on walkthroughs, we talked about understanding the sources of potential misstatements. When we do the test of design (this is where you will hear the term TOD), the question we ask is “Is this control designed in a way that would prevent or detect an error or fraud?” If you described or explained to someone the 10 steps on how to do this control and that person (who is fairly competent) followed it, would the control prevent or detect an error or fraud? If it does, then it’s designed effectively.
An example of a control being designed well is journal entry recording and approval. If we set up the rule that one person prepares a journal entry and then someone independent must review and approve it, that is a good design. Whether the people actually follow that rule is a different matter, but the control is effectively designed.
The note in Paragraph 42 on less complex companies is saying that if you have fewer employees, maybe you don’t have enough people for proper segregation of duties. But you can have compensating controls and could design alternative controls that can still make your operation effective. A small company may not have segregation of duties but can still design controls to prevent or detect errors or fraud.
To see if a control is designed well, you can use a combination of test procedures: asking questions, observing people do it, and inspecting it. Performing a walkthrough includes a combination of these procedures:
- Inquire – ask appropriate people
- Observe – watch them do the operation or do the particular steps
- Inspect relevant documents – get a copy of the report, look through the pages or items and the comments that the reviewer made
Testing Operating Effectiveness
In Testing Operating Effectiveness you will sometimes hear the term TOE (Test of Effectiveness). Remember, we can plan and have the best design but if people are not performing the control as it was designed or if the person doing the control doesn’t have the authority or competency then it is not operating effectively.
Let’s go back to the example of the journal entry control. We have a control that says one person prepares the journal entry and another person has to independently review the journal entry. The person who reviews the journal entry has to have the appropriate authority and has to understand what he or she is reviewing.
Having two people who are clueless do the job doesn’t make your control better just because you have two people performing it. You have to have a combination of understanding to probe and ask the right questions and make sure the review is effective. You have to have the authority because maybe the person who is doing the review is at a lower level so they don’t have all the necessary information to evaluate the journal entry.
The note in Paragraph 44 says that smaller companies can outsource parts of their accounting operations as long as the auditor can assess the competence of the person or the company that the activity has been outsourced to.
As an example, outsourcing parts of the equity process is very typical of our smaller public companies. Smaller finance teams usually don’t need a full-time person for stock option administration or stock option accounting because they don’t have much activity. But those skills are highly specialized. You only need a person for a day or two during the quarter-end when you are recording stock based compensation expense or recording all of the stock option grants and activities. As long as you have outsourced it to a competent person, the auditor can say that the control is operating effectively.
The test procedures to see if the control is operating effectively are similar to Test of Design. You can:
- Inquire about it,
- Observe someone doing it,
- Inspect the relevant documentation, and
- Re-perform the control – gather all the materials that the control owner collected and re-do the steps. Did you get the same results when you took the same steps they took? If yes, then the re-performance was successful.
A lot of times as SOX auditors, when we are doing the tests of operating effectiveness, we border on the line between inspection and re-performance. Sometimes we get the reports from our clients and we add up a couple of columns or pages, look at the subtotals and see if they make sense. For our comfort level, we do a little more than inspection but a little less than re-performance.
To recap, in this post, we focused on the following:
- Selecting Controls to Test – what are key controls?
- Testing Design Effectiveness – what test procedures we use to test design effectiveness
- Testing Operating Effectiveness – what test procedures we use to test operating effectiveness