If you have been following either of my blogs (hopefully both, here and at normanmarks.wordpress.com), you know that I frequently call out so-called expert guidance that is anything but expert.
Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper, with guidance for companies on optimizing their Sarbanes-Oxley program that should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.
Instead, I will share some suggestions of my own:
- Make sure you are focused on financial reporting risk! The scope should include controls required to provide reasonable assurance that material errors or omissions will be either prevented or detected. That means that the likelihood is more than a reasonable possibility. That means more than simply a theoretical possibility, and the error or omission has to be material to the consolidated financial statements.
- Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.
- Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are present and functioning (as defined by COSO, a defect would not be a major deficiency).
- Be experts not only in the U.S. Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S. Securities and Exchange Commission's (SEC's) Interpretive Guidance and SEC/PCAOB staff guidance.
- Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.
- Read The IIA's updated guidance (my book): Management's Guide to Sarbanes-Oxley Section 404, 4th Edition. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)
I welcome your thoughts.