Control Rationalization – The 8 best practices (October 2008)



The Issue:

Compliance with the Sarbanes-Oxley Act (“SOX”) has tested the will of public companies’ internal auditors, advisors and regulators alike.  In prior compliance years, the tendency has been to err on the side of caution and identify numerous controls related to material processes.  While this has been helpful for firms in understanding and identifying potential control weaknesses in detail, SOX compliance also created cumbersome and overwhelming controls assessment projects that used up valuable employee time and resulted in higher audit fees.  For the health of your business, consider that continual over-assessment of risks and controls encumbers your resources and leads to unnecessary testing.  External auditors need a business case to justify reducing SOX compliance requirements.  As the business owner closest to the daily processes of your organization, you are in the best position to build this business case.

Our Suggestions:
  1. Raise the materiality band. General ledger materiality review - discuss increasing the materiality band relative to other comparable companies in the same industry.
  2. Regional Scope – Remove or scope out overseas entities when possible. Subsidiaries in places with traditionally strict regulatory regimes (such as Hong Kong or Japan, for example) may provide enough comfort to auditors due to their diligence in meeting regional regulatory requirements.
  3. Parallel and shared processes – Eliminate documentation and testing of duplicate processes within your organization if they operate in substantially the same fashion.  In instances where processes are shared, the same control may be described by two business owners in different terms. Identifying duplication will reduce testing for these controls by 50%.
  4. Automation – Where embedded IT controls are in place, a test sample of one is all that is required.
  5. SAS 70 reports – Where substantial reliance is placed on an external service provider, confirm with external audit that controls related to the process should be at least partially documented by the external service provider through the SAS 70 documentation.  This will give auditors comfort over the process, particularly if the external service provider is also one of their clients.
  6. Leverage internal audit’s work – Where internal audit within your company has completed testing, discuss the possibility of the SOX project relying on the internal audit findings.
  7. Review major business changes in the context of documentation and testing efforts – In the event of a material business change expected to occur within the next two reporting periods, ensure that external audit is fully aware of the prospective change.  The firm may choose to forgo testing until the change has been implemented.
  8. Complete a convergence project – Convergence serves to aggregate the findings of internal audit, SOX project work, management reports, and loss and performance indicators to establish a qualitative rating of overall risk to business lines.  This helps streamline internal audit work to focus on those areas deemed high in overall risk, but it also can help external audit understand which areas are of lower risk and as such do not need as much attention.
The Claret Partners Limited

Ensuring your organization has strong internal controls is part of the SOX certification process.  We can assist you with the following types of work.

  • Drafting mandates, policies and procedures for processes.
  • Design, implementation and testing of internal controls over financial reporting.
  • Development and implementation of the initial methodology, framework and procedures for compliance with SOX requirements.
  • Implementation and revamping of a current SOX compliance program including materiality assessments, control documentation, design effectiveness evaluation, testing, and control rationalization.
  • Assisting management in self-assessment of general entity controls and related corporate governance policies and procedures.
  • Assisting in the design and implementation of convergence projects.
The Claret Partners Limited is a consulting firm dedicated to providing the best in regulatory compliance, tax, risk and governance services as consultants and project managers creating workable and practical solutions. For more information please contact us at contact@theclaretpartners.com

© 2008 The Claret Partners Limited. All rights reserved.