Leveraging Sarbanes-Oxley to drive change and mitigate risk in small and medium-sized entities
Sarbanes-Oxley: Friend or Foe?
By Heather Judson, CPA, CMA
Sarbanes-Oxley • Disclosures • July/August

Is the Sarbanes-Oxley Act (SOX) a friend or foe to small and medium-sized companies (SMEs)? Often, those entities will answer "foe." Status quo may generally be the policy followed by SMEs, which are those publicly traded companies with less than $75 million in market capitalization, as defined by the U.S. Securities and Exchange Commission. Typically, SMEs will either scramble to document their processes just prior to their financial audits or will rely on the external auditors to document their processes for them.

Explaining the status quo
For SMEs, SOX can seem to be an exercise in documenting what actually occurs. This may seem tedious and without merit. Each department knows what they do and may wonder why they need to write a narrative explaining their duties. Often the answer to this question is "because the auditors asked for it." However, SMEs might do better to engage the various departments and show them how they can benefit from SOX. The first step to getting department managers on board is to present top management with the benefits that may be had from utilizing SOX, such as driving change and mitigating risk.

PCAOB direction
The Public Company Accounting Oversight Board (PCAOB) instructs external auditors in Auditing Standard No. 5 (AS5) to "evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself." Further, the PCAOB allows the external auditor to rely on the work of "internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee." This statement should pique top management's interest. Any documentation or procedures that are performed in house should save money on the overall audit. Top management should encourage external auditors to utilize any viable internal documentation. This alone should have management interested in performing SOX procedures in house. In AS5, the PCAOB directs the external auditor to ask him or herself "What could go wrong?" in determining likely sources of potential misstatements in the financials. This is basically asking: "What risks are present?"

Table 1: Examples of risk

Strategic risks: Higher-level risks mainly external to the company
• Change in interest rates
• Customer buying behavior change
• Substitutes enter the market
• Technological advances
• Trade embargos
• No business process improvement

Operational risks: Lower-level risks mainly internal to the company
• Fraud
• Workplace safety
• Product flaws
• Business disruption
• Damage to physical assets
• System failures

Reporting risks: Risks relating to the reliability of financial reporting
• Transactional errors
• Miscommunication
• Data entry or loading error
• Accounting error
• Inaccurate external report
• Missing transactions

Compliance risks: Risks relating to applicable laws and regulations
• Changing or new laws and regulations
• Inadequate staff training
• Miscommunication
• Human error
Mitigating risk
Enterprise Risk Management (ERM) has become the best practice for larger corporations. The "Enterprise Risk Management — Integrated Framework" from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, published in 2004, defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." The article further stratifies the company into four categories susceptible to risk: strategic, operations, reporting and compliance. Strategic risks are those that affect the company at a high level and tend to be external to the company. Many strategic risks can be explored through the entity-level assessment performed in SOX. Operational risks are those that affect the company at a lower level in its day-to-day operations. Reporting risks are those risks that affect the reliability of financial reporting, and compliance risks affect compliance with applicable laws and regulations. Many of the operational, reporting and compliance risks can be examined and addressed in the various process documents created through SOX. See Table 1 for more information on risks.

Best practices
Various department heads should be encouraged to go through the SOX process of interviews, walkthroughs, gaps and management action plans. A company employee documenting processes with a critical eye and a sense of the big picture can help the various departments run smoother and with less error. Additionally, he or she can help the various departments work together to mitigate risk. It's important to understand best practices and potential risks before starting the SOX documentation process. Best practices are the current standard. When researching best practices, you are endeavoring to learn from the experience and knowledge of others. You are looking for the best in the business. Don't discount the less than best. The stories of the less than successful will give you an idea of the risks that you might face. For instance, stories of employee theft can help you to understand the practices that lead to that risk materializing. Perhaps the company failed to segregate duties surrounding cash or failed to physically secure assets. Best practices research is usually inexpensive. The Internet is a wealth of information, and you can find information at the library. You can network and conduct research through professional organizations. Furthermore, once you identify organizations and people you should talk to, you can initiate informal chats on the subject matter.

Interviews
You can begin your organization's SOX documentation once you understand the best practices and key risks surrounding each process. The first step is to interview the manager of the process, who can explain everyone's role in that area. Additionally, he or she will be able to provide you with a bird's eye view of the process and its controls. Keep in mind you are following a transaction from its inception to all the stops it makes along the way prior to hitting the general ledger. The interview process should feel like an informal conversation rather than an interrogation. The interviewee should feel comfortable and relaxed. Stay in control of the conversation and keep the interviewee on topic. Make sure to use open-ended questions rather than leading questions. You want to know who, what, when, where, how and why. You don't want to ask yes or no questions. See Table 2 for question examples. Keep in mind that silence is a strong stimulus for conversation. Typically, your silence is an indicator that the other person should be talking. People tend to want to fill silence with conversation. Once the interviewee is responding to the open-ended questions, you can follow up with more direct questions to clarify details. When you understand the process from start to finish, make sure to repeat the process back to the interviewee. Make sure to mention all the key employees' names. Repeating the information back to the interviewee ensures that there has been no miscommunication. Leave the interview with the possibility of follow-up questions. Document the interview in a narrative immediately following the interview while your memory is fresh.

Table 2: Question this

Leading questions
• Do you have a check log to record checks as they are received?
• Do you segregate duties surrounding cash receipts?
• Do you give numbered receipts to customers?
• Do you keep copies of the checks deposited?

Open-ended questions
• What's the first thing that happens when you receive mail with checks? Who opens the mail? Who updates customer accounts? Who makes bank deposits? Who performs the bank reconciliations?
• How do you process customer payments?
• What records do you maintain?

Narratives
You can start the documentation process by dividing the process into subprocesses. For cash receipts, this might be: receive cash, deposit cash, petty cash, bank reconciliation and collections. Use titles rather than employee names throughout the narrative so that updates are easier. You want to identify key controls and gaps. In the 2008 "Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners," the Institute of Internal Auditors (IIA) defines a key control as "a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected." Each key control should have key information documented as well. The IIA guide further recommends documentation "such as identifying who is performing the control, when the control is operating and at what frequency, how the control is performed, what evidence exists that the control was performed, and which reports are used in the operation of the control." Gaps are missing controls, and best practices research helps identify these controls. For example, a gap may be that the bank deposit is prepared by the same person who updates customer accounts, updates the general ledger and reconciles the bank statement. This would go against segregation of duties, which is one of the best practices surrounding cash receipts. The IIA guide recommends that a narrative "enables a reasonably knowledgeable individual — this person does not have to be an expert with experience in the area, but should have some knowledge of the company or its business — to understand the process;" and "overall, enables a reasonable person to have a basis upon which to assess the design of the controls: Are the controls identified and documented sufficiently to either prevent or detect a material misstatement?" After completing the narrative process, the next step is to perform a walkthrough.

Walkthroughs
Sometimes what is perceived as standard operating procedure isn't what actually occurs. A walkthrough will get you down into learning and testing the details with the person who performs the day-to-day transactions. In AS5, the PCAOB explains that "some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and re-performance of a control." A walkthrough starts by interviewing the employees who perform the duties in the narrative. The interview techniques described above should be utilized. However, as the person "walks" through the process, they should ask "show me" for each control along the way. For example, if the employee says that a check log is maintained, then the evidence of one day's check log would be asked for. Furthermore, if the employee says that the controller matches the check log to the day's deposit slip and initials the deposit, then the deposit slip related to the check log observed would be asked for. If the employee says he or she updates the accounting system and must use a password to log in, then re-performance would be utilized to see the control work. Through this process, it can be observed if the narrative documented by management matches the walkthrough. Sometimes there are additional controls management may not be aware of, forgot to mention or didn't realize were effective controls. Sometimes the controls communicated by management are not being performed correctly or at all. Also, through the best practices research, missing key controls can be documented based on what actually occurs. Walkthroughs are a great way to understand how standard operating procedure documentation and narratives match up to what actually occurs. By asking for the employee to show each control through documentation or re-performance, the walkthrough can be documented and management can be updated accordingly.

Operation improvement
Additionally, employees should be asked questions in regards to process improvement:
• If someone wanted to commit fraud, how would they do it?
• If you were to improve this process, what would you do?
• Are there redundancies in this process? How would you make the process more efficient?
• Is there any training you wished you had to help you perform your job?
• What equipment, programs or assistance do you wish you had?
Asking these types of questions can help pinpoint areas for improvement and may help management improve its operations. SOX process documentation can be leveraged by asking about process improvement even though this step might not be required. Suggestions to improve operations can be provided to management.

Gaps and a MAP
After the walkthrough is complete and documented, and the narrative has been updated for walkthrough findings, it's time to bring management in to discuss the results. Management should be made aware of the identified control gaps in the processes. Once the gaps have been communicated to management, it's up to management to communicate a management action plan (MAP) to remedy gaps. Additionally, they should give a timeframe for implementation of the MAP. The risk identified in the gap can be remediated in various ways. Management may take the position that the gap presents a risk that is not material to the financials and thus does not require any remediation. Management may transfer the risk through an insurance policy. Management may reduce or mitigate the risk through action.
Changing mindsets
SMEs tend to adopt the philosophy of only looking at processes to put out fires — only if something is broken will they spend time to fix it. In contrast, Kaizen, the Japanese philosophy of continuous improvement, adopts the attitude of "even if it isn't broken, it can be done better." This philosophy encourages businesses to make small improvements continuously day to day, and it can certainly be applied to SOX documentation. Leveraging SOX can help evaluate and improve the operations of any business continuously and over time.
Heather Judson, CPA, is a management accountant at a private medical manufacturing company. Contact her at [email protected].