The Sarbanes Oxley Act of 2002 in the United States and its Canadian counterpart Bill-198 has placed a much greater emphasis on internal controls and providing tangible proof to stakeholders that the financial statements and disclosures are correct – by way of documentation of processes / key controls, testing the effectiveness of controls CEO and CFO certifications. In Canada, anyone with access to the internet can browse SEDAR’s web-site, and review the certifications (look for the 52-109 certifications for the CEO and CFO). Whenever senior officers sign those certifications, they are personally standing behind the information, so you can rest assured that they have a very keen interest in knowing that the internal controls underlying business processes are designed and operating effectively – in such a way to ensure that the financial statements are accurate (read free of material errors). The implications for officers if there is a material error are quite serious (fines / imprisonment, not to mention damage to career and reputation), which in turn has driven companies in Canada and the USA to error on the side of caution and make sure the compliance projects are done very thoroughly.
Now that we have several years of and C-SOX and SOX work behind us, I thought it would be useful to identify some best practices that have emerged in recent months and years. The best practices aim to strike the correct balance between providing stakeholders with reasonable assurance that material errors have been detected, and “over investing” in compliance, such that the financials are very accurate but costs outweigh the benefits to the company. Here are a few that I have to share that are the result of personal experiences on these projects, and discussions with other financial professionals:
1. Top down risk assessment – start at the top of the organization with consolidated financials and identify the major risks at that level. Eliminate those processes that are either extremely unlikely to occur, or will not have a significant impact if they do occur. Companies that do this will save a great deal of time and effort. Auditing Standard # 5 in the USA also speaks to this.
2. Entity Level Controls – controls exist at the corporate level which usually involve divisions that provide key information to corporate. These processes form part of the overall control framework, and should be included as part of the overall assessment. Then, focus on the risks that remain after taking into consideration ELC’s. Once again, Auditing Standard # 5 in the USA alludes to this.
3. Effectiveness Testing:
a. Consistency in test design – a standard template should exist that has been vetted and approved by process owners, and senior management. This will ensure that the tests are done in a consistent manner, and testers can be interchanged with relative ease.
b. Self testing – there may be some processes that lend themselves to being tested by the employees involved within the process. This would save time for internal auditors, or others that would otherwise do the testing. This has the additional benefit of shifting ownership and responsibility to operating staff. A good example is in the area of IT General controls – testing access to update various systems. Of course the results need to be shared with Accounting.
c. Imbedded tests – these are tests that can be built into the ongoing operations of a particular department. An example would be a list of reconciliations, date of completion, and date of review / approval.
Doing these as you proceed through the year provides more assurance that the controls are effective, and saves testing time and money.
d. Compliance testing – essentially this is a peer review. For some processes, it is best to have someone independent review the work, and in these situations, if it is possible, it may be beneficial for other departments to get involved. For example, to enhance cross-training and learning.
e. Third Party testing – quite often independence and time constraints requires the use of independent testers – with the requisite skills and experience.
f. Test Documentation – make clear the expectations for test documentation. In some tests where the sample sizes are quite large, it is acceptable and advisable to restrict documentation only to any exceptions that are noted. If no exceptions are noted, then only a copy of the baseline documents to assist the next round of testing is required. Properly assembled and collated test results continue to be required.
4. Information Repository – C-SOX and SOX projects generate a great deal of information that needs to be stored in an organized way, and made available for review on a regular basis. The review of information can be the result of requests from the CEO or CFO, compliance managers, process owners, and even external auditors who may wish to tailor their audit scope if the company’s internal controls framework is strong and reliable. Most large companies are investing in software that allows them to centralize the information, and provide reporting as required. The software can be quite expensive, so the size and complexity of the operations would need to be assessed. Even large companies that have invested in this type of software, continue to use word processing (process documentation) and spreadsheets (test designs and results) to support the project.
Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington Ontario servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services as well as registered as tax preparers with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.
All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author or the accounting firm shall accept any liability for any reliance placed on the information posted.