How to improve your SOX 404 audits

What are some risks to be aware of with SOX?
The first is evaluating the design of internal controls. The second is promoting the idea that, in general, the implementation of effective internal controls and/or processes could provide the company with increased processing efficiencies and potential cost savings. Never mind SOX, how much time and money could a company save if management knew they could take proactive steps to implement key controls around significant processes?
In 2004, how many companies had to test the same key controls multiple times before the operation of the control appeared effective? How much more time and how many more resources did it take for the company to perform this undertaking?
What effect can SOX have on your existing procedures?
Existing policies and procedures serve as building blocks for SOX process documentation and define employees’ roles and responsibilities. Once you have identified significant SOX processes, documentation begins with evaluating those policies and procedures. The SOX documentation process is the most practical time to recommend ways to update any outdated or inadequate policies and procedures to avoid future pitfalls.
How do the SAS 70 User Control Considerations affect SOX?
User-access reviews, segregation of duties, checklists, policies and procedures, and entity-level controls remain internal to an organization. What happens when a company outsources functions or relies on an outside vendor to provide core and/or support services that management relies on to support the assertion that the financial statements are fairly presented in accordance with GAAP?
Management should consider the activities of any service organization it uses when assessing its own internal controls over financial reporting. These rules are covered in SAS 70, which spells out how an external auditor should assess the internal controls of the service provider used by the company it is auditing. Obtaining a SAS 70 Type II report from the service provider constitutes acceptable documentation and will allow a company to properly evaluate the operating effectiveness of controls at the service organization.
A Type II report includes the external auditor’s opinion on the fairness of the presentation of the service provider’s description of its controls and how well suited the controls are to achieve the specified control objectives. It also includes the auditor’s opinion on whether the controls were operating effectively during the period under review.
The hard part of management’s assessment is an evaluation of recommended user control considerations, which are recommended by the service provider for companies to have in place to support the achievement of the service provider’s control objectives.
Tom Powers, CPA, is the director of assurance and business advisory services at GBQ Partners LLC. Reach him at (614) 947-5215.