Emerald Group Publishing Limited
Copyright © 2004, Emerald Group Publishing Limited
When is a good time to talk about saving money on SOX 404 compliance?
Matthew Leitch, independent consultant specializing in internal control systems. He is an accountant and auditor by background, and spent seven years as an internal control specialist with PricewaterhouseCoopers (email@example.com).
A survey by KPMG published in January 2004 showed that companies affected by SOX 404 expected to spend many thousands of hours on compliance activities in the first year. For example, companies with turnover in the range of $1 billion to $5 billion planned an average of 14,000 hours of skilled work. In most cases that is more than their external auditors have ever spent on an annual audit, let alone on the controls part of it.
For most, the main goal in this first year is to comply successfully, at virtually any cost, and the main strategy is to do what the regulators and external auditors seem to want. At some point this will change.
What is the time being spent on?
The effort is going into documenting financial processes and controls, mapping them to "risks" and testing each control to see if it has operated and seems effective.
The focus on this strategy is so intense you would think the regulations say this is the only thing you can do, or that this is the most efficient way to establish the effectiveness of an internal control system.
Neither is true. The official requirements are that the evidence should include these sources, not be limited to them. The modern approach to auditing controls is risk-based auditing, not wall-to-wall controls documentation and testing. Risk should be taken into account throughout, not just in scoping. At about the time SOX was starting to bite, the Institute of Internal Auditors had just decided, officially, that risk-based auditing was the approach of the future. Similarly, PricewaterhouseCoopers adopted a deeply risk-based method for external audits some two years before the PCAOB was created.
The key to cutting costs
A general principle of auditing is that the wider you cast your net for evidence the more efficient your audit.
Why? Because 80 percent of the comfort tends to come from just 20 percent of the evidence. Consequently, the more types of evidence you consider the easier it is to get all the comfort you need by creaming off the best evidence from each type.
I don't think anyone has ever quantified this effect, but you can see that if your current approach involves grinding through hundreds of details that individually contribute little to the total comfort, then a way to double the range of evidence considered could cut costs dramatically. I'll give an example from my own experience later.
Finding other sources
KPMG point out that including tests of the "tone at the top" and work on IT controls gives a more efficient audit. But this is just the start. Here are two more sources of evidence that most companies could make far more use of:
Evidence of inherent risk. Everyone is using evidence about inherent risk to scope their controls work. What is the materiality of the financial flows? Is there change going on? This information is evidence; it needs to be communicated to the external auditors as clearly as any other evidence.
And you can extend this much further. For example, suppose you have a team looking at controls over changes to software in the financial accounting system, but in fact there have not been any changes. Your team has a choice between documenting and "testing" controls anyway or getting evidence confirming that there have been no changes. Not a difficult choice, you might think, but I have seen well-trained, intelligent auditors choose the option of testing the controls anyway, in accordance with the original scoping decisions, the audit program, and the audit manual of their organization. Have a look at your own manual and see what it says.
Direct evidence of effectiveness. I've saved the best until last. The richest source is easy to use and so powerful it's worth changing your control methods to use it more. Direct evidence of effectiveness is information on actual errors and backlogs. It is true that there can be no direct evidence of undetected material errors in the financial statements – by definition. However, there are many sources of statistics on errors that were detected and on how people have coped with their workload, particularly error correction. I call these "process health indicators".
I have used this kind of evidence extensively in external audit work. It takes very little time to look at the indicators; it's like taking the patient's pulse. As you get more comfortable with the sources of the indicators their value as evidence increases further.
A case study example
In late 2002, when SOX compliance was just becoming a big issue, I was involved in a project to document internal controls for a global company. My role was to cover their UK operation. Money, it seemed, was no object, which is why even rather senior people like me were on site doing interviews and drawing diagrams. Two of us spent two weeks finding and documenting the controls.
After four man-weeks of work I could not say whether their controls were effective or not. I could have got further in four man-days by going first for the evidence that would tell me most. My plan? Chat to the key people about how things are going and what has been changing recently. Find out if managers have enough information to know the health of their own processes. Find out what improvements or changes they're planning. Look at workload and backlogs. Look at key reconciliations to see how messy they are. Check customer complaints for possible billing errors and enquire after financial disagreements with other parties. Look at correcting journals to see why they are happening and how many of them there are.
I'm not saying the whole job could have been done in four days, but then neither had we done the whole job in four weeks of documenting.
Make a note somewhere you won't forget. "Four weeks or four days?" When the time comes to think about saving time and money on SOX 404 compliance you'll be glad you did.