Sarbanes-Oxley -- Friend or Foe?


8/9/2019 Sarbanes-Oxley -- Friend or Foe?

Sarbanes-Oxley Disclosures July/August, page 22

Leveraging Sarbanes-Oxley to drive change and mitigate risk in small and medium-sized entities

Sarbanes-Oxley: Friend or Foe?


    By Heather Judson, CPA, CMA

Is the Sarbanes-Oxley Act (SOX) a friend or foe to small and medium-sized companies (SMEs)? Often, those entities will answer foe.

Status quo may generally be the policy followed by SMEs, which are those publicly traded companies with less than $75 million in market capitalization, as defined by the U.S. Securities and Exchange Commission. Typically, SMEs will either scramble to document their processes just prior to their financial audits or will rely on the external auditors to document their processes for them.

Explaining the status quo

For SMEs, SOX can seem to be an exercise in documenting what actually occurs. This may seem tedious and without merit. Each department knows what they do and may wonder why they need to write a narrative explaining their duties.

Often the answer to this question is because the auditors asked for it. However, SMEs might do better to engage the various departments and show them how they can benefit from SOX. The first step to getting department managers on board is to present top management with the benefits that may be had from utilizing SOX, such as driving change and mitigating risk.

PCAOB direction

The Public Company Accounting Oversight Board (PCAOB) instructs external auditors in Auditing Standard No. 5 (AS5) to evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. Further, the PCAOB allows the external auditor to rely on the work of internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee.

This statement should pique top management's interest. Any documentation or procedures that are performed in house should save money on the overall audit. Top management should encourage external auditors to utilize any viable internal documentation. This alone should have management interested in performing SOX procedures in house.

In AS5, the PCAOB directs the external auditor to ask him or herself "What could go wrong?" in determining likely sources of potential misstatements in the financials. This is basically asking: What risks are present?

Mitigating risk

Enterprise Risk Management (ERM) has become the best practice for larger corporations. The Enterprise Risk Management Integrated Framework from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, published in 2004, defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO framework further stratifies the company into four categories susceptible to risk: strategic, operations, reporting and compliance. Strategic risks are those that affect the company at a high level and tend to be external to the company. Many strategic risks can be explored through the entity-level assessment performed in SOX. Operational risks are those that affect the company at a lower level in its day-to-day operations. Reporting risks are those risks that affect the reliability of financial reporting, and compliance risks affect compliance with applicable laws and regulations.

Many of the operational, reporting and compliance risks can be examined and addressed in the various process documents created through SOX. See Table 1 for more information on risks.

Table 1: Examples of risk

Strategic risks: higher-level risks mainly external to the company
- Change in interest rates
- Customer buying behavior change
- Substitutes enter the market
- Technological advances
- Trade embargos
- No business process improvement

Operational risks: lower-level risks mainly internal to the company
- Fraud
- Workplace safety
- Product flaws
- Business disruption
- Damage to physical assets
- System failures

Reporting risks: risks relating to the reliability of financial reporting
- Transactional errors
- Miscommunication
- Data entry or loading error
- Accounting error
- Inaccurate external report
- Missing transactions

Compliance risks: risks relating to applicable laws and regulations
- Changing or new laws and regulations
- Inadequate staff training
- Miscommunication
- Human error

Best practices

Various department heads should be encouraged to go through the SOX process of interviews, walkthroughs, gaps and management action plans. A company employee documenting processes with a critical eye and a sense of the big picture can help the various departments run smoother and with less error. Additionally, he or she can help the various departments work together to mitigate risk.

It's important to understand best practices and potential risks before starting the SOX documentation process. Best practices are the current standard. When researching best practices, you are endeavoring to learn from the experience and knowledge of others. You are looking for the best in the business.

Don't discount the less than best. The stories of the less than successful will give you an idea of the risks that you might face. For instance, stories of employee theft can help you to understand the practices that lead to that risk materializing. Perhaps the company failed to segregate duties surrounding cash or failed to physically secure assets.

Best practices research is usually inexpensive. The Internet is a wealth of information, and you can find information at the library. You can network and conduct research through professional organizations. Furthermore, once you identify organizations and people you should talk to, you can initiate informal chats on the subject matter.

Interviews

You can begin your organization's SOX documentation once you understand the best practices and key risks surrounding each process. The first step is to interview the manager of the process, who can explain everyone's role in that area. Additionally, he or she will be able to provide you with a bird's eye view of the process and its controls. Keep in mind you are following a transaction from its inception to all the stops it makes along the way prior to hitting the general ledger.

The interview process should feel like an informal conversation rather than an interrogation. The interviewee should feel comfortable and relaxed. Stay in control of the conversation and keep the interviewee on topic. Make sure to use open-ended questions rather than leading questions. You want to know who, what, when, where, how and why. You don't want to ask yes or no questions. See Table 2 for question examples.

Keep in mind that silence is a strong stimulus for conversation. Typically, your silence is an indicator that the other person should be talking. People tend to want to fill silence with conversation. Once the interviewee is responding to the open-ended questions, you can follow up with more direct questions to clarify details.

When you understand the process from start to finish, make sure to repeat the process back to the interviewee. Make sure to mention all the key employees' names. Repeating the information back to the interviewee ensures that there has been no miscommunication. Leave the interview with the possibility of follow-up questions. Document the interview in a narrative immediately following the interview while your memory is fresh.

Narratives

You can start the documentation process by dividing the process into sub-processes. For cash receipts, this might be: receive cash, deposit cash, petty cash, bank reconciliation and collections. Use titles rather than employee names throughout the narrative so that updates are easier. You want to identify key controls and gaps.

In the 2008 Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners, the Institute of Internal Auditors (IIA) defines a key control as "a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected."

Each key control should have key information documented as well. The IIA guide further recommends documentation such as identifying who is performing the control, when the control is operating and at what frequency, how the control is performed, what evidence exists that the control was performed, and which reports are used in the operation of the control.

Gaps are missing controls, and best practices research helps identify these controls. For example, a gap may be that the bank deposit is prepared by the same person who updates customer accounts, updates the general ledger and reconciles the bank statement. This would go against segregation of duties, which is one of the best practices surrounding cash receipts.

The IIA guide recommends that a narrative "enables a reasonably knowledgeable individual (this person does not have to be an expert with experience in the area, but should have some knowledge of the company or its business) to understand the process; and overall, enables a reasonable person to have a basis upon which to assess the design of the controls: Are the controls identified and documented sufficiently to either prevent or detect a material misstatement?" After completing the narrative process, the next step is to perform a walkthrough.

Walkthroughs

Sometimes what is perceived as standard operating procedure isn't what actually occurs. A walkthrough will get you down into learning and testing the details with the person who performs the day-to-day transactions.

In AS5, the PCAOB explains that some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and re-performance of a control.

A walkthrough starts by interviewing the employees who perform the duties in the narrative. The interview techniques described above should be utilized. However, as the person walks through the process, they should ask "show me" for each control along the way. For example, if the employee says that a check log is maintained, then the evidence of one day's check log would be asked for.

Furthermore, if the employee says that the controller matches the check log to the day's deposit slip and initials the deposit, then the deposit slip related to the check log observed would be asked for. If the employee says he or she updates the accounting system and must use a password to log in, then re-performance would be utilized to see the control work.

Through this process, it can be observed if the narrative documented by management matches the walkthrough. Sometimes there are additional controls management may not be aware of, forgot to mention or didn't realize were effective controls. Sometimes the controls communicated by management are not being performed correctly or at all. Also, through the best practices research, missing key controls can be documented based on what actually occurs.

Walkthroughs are a great way to understand how standard operating procedure documentation and narratives match up to what actually occurs. By asking for the employee to show each control through documentation or re-performance, the walkthrough can be documented and management can be updated accordingly.

Operation improvement

Additionally, employees should be asked questions in regards to process improvement:

- If someone wanted to commit fraud, how would they do it?
- If you were to improve this process, what would you do?
- Are there redundancies in this process? How would you make the process more efficient?
- Is there any training you wished you had to help you perform your job?
- What equipment, programs or assistance do you wish you had?

Asking these types of questions can help pinpoint areas for improvement and may help management improve its operations. SOX process documentation can be leveraged by asking about process improvement even though this step might not be required. Suggestions to improve operations can be provided to management.

Table 2: Question this

Leading questions
- Do you have a check log to record checks as they are received?
- Do you segregate duties surrounding cash receipts?
- Do you give numbered receipts to customers?
- Do you keep copies of the checks deposited?

Open-ended questions
- What's the first thing that happens when you receive mail with checks?
- Who opens the mail? Who updates customer accounts? Who makes bank deposits? Who performs the bank reconciliations?
- How do you process customer payments?
- What records do you maintain?

Gaps and a MAP

After the walkthrough is complete and documented, and the narrative has been updated for walkthrough findings, it's time to bring management in to discuss the results. Management should be made aware of the identified control gaps in the processes.

Once the gaps have been communicated to management, it's up to management to communicate a management action plan (MAP) to remedy gaps. Additionally, they should give a timeframe for implementation of the MAP.

The risk identified in the gap can be remediated in various ways. Management may take the position that the gap presents a risk that is not material to the financials and thus does not require any remediation. Management may transfer the risk through an insurance policy. Management may reduce or mitigate the risk through action.

Changing mindsets

SMEs tend to adopt the philosophy of only looking at processes to put out fires: only if something is broken will they spend time to fix it.

In contrast, Kaizen, the Japanese philosophy of continuous improvement, adopts the attitude of "even if it isn't broken, it can be done better." This philosophy encourages businesses to make small improvements continuously day to day, and it can certainly be applied to SOX documentation.

Leveraging SOX can help evaluate and improve the operations of any business continuously and over time.


Heather Judson, CPA, is a management accountant at a private medical manufacturing company. Contact her at [email protected].
