Responses to ACSPC Request for Public Input
SOX Section 404/Internal Controls
Question 11. Do you believe that at least some SOX Section 404 internal controls for smaller companies can be appropriately assessed less often than every year? If so, what SOX Section 404 internal controls do you think need to be assessed by management every year?
a) What controls do you think need to be assessed at least every two years?
b) What controls do you think could be assessed only once every three years?
The following answers have been received:
08/02/2005 13:57:44 Yes, much less often. And for some smaller companies, like small bank holding companies that are regulated and examined by federal banking agencies, 404 controls are generally duplicative and wasteful.
08/02/2005 17:44:12 Loss and fraud
08/03/2005 01:39:17 Modifying this process by tinkering with the timing of, in our case 2,500 controls, is not the answer. This entire process is terribly flawed in concept. A company cannot manage with this many controls. The number has to be cut dramatically. The so-called "key controls" have to be reduced to a very few.
08/03/2005 07:01:34 n/a
08/03/2005 08:58:39 We are already regulated. SOX should be for unregulated companies.
08/03/2005 10:40:26 The high risk areas have been assessed every year by external loan review personnel, external auditors, internal auditors, and regulators. This should and will continue to be the process.
08/03/2005 11:03:25 In our industry (banking) our internal controls are already closely monitored by Federal examiners, state examiners, and our internal and external auditors. Controls in place are tested and are working well for an organization of our size.
08/03/2005 12:17:58 yes.
08/03/2005 15:01:40 Important internal controls should be tested at least annually if they are relied upon by outside auditors for accuracy of financial reports. If internal controls have not changed then they do not need to be assessed.
08/03/2005 15:22:49 I can only address the financial services industry and strongly feel that all banking companies should be totally exempted from SOX since we already are heavily regulated.
08/03/2005 16:58:51 Entity level controls are vital. However, if no changes, we shouldn't have to do too much in terms of documentation and/or audit. Any changes should be documented and tested and audited.
08/03/2005 18:01:35 Please look into item no 29
08/03/2005 18:30:29 x
08/03/2005 19:54:33 I have no opinion on this question.
08/03/2005 19:55:50 ALL SOX SECTION 404 INTERNAL CONTROLS NEED TO BE ASSESSED EVERY YEAR!
08/04/2005 09:17:19 Financials need to be assessed every year.
08/04/2005 09:37:56 Of course - and they should be - the new rules were a political knee jerk and are not based in reality
08/04/2005 09:39:15 No. Quite to the contrary. Small companies have the ability to change their business and the processes they use to account/report the business much quicker than large companies. Therefore, small companies' internal controls are often less standardized and change very frequently. For example, if ExxonMobil wants to change its invoicing process, that would take 12 to 18 months to implement. However, if Joe's Radiator wants to change the way it invoices customers that can happen in 1 month. Furthermore, accounting staff at small companies tend to be much lower quality than at large companies. Therefore if a large company changes its control environment the change has more than likely been looked at from every angle and every situation. If a small company changes a process there is a strong chance only one person has analyzed the change and an even stronger chance that that one person does not understand financial reporting very well.
08/04/2005 10:40:16 I think the whole assessment issue is unwarranted for small companies, especially an industry as heavily regulated as banking.
08/04/2005 12:09:05 Allowance for losses
08/04/2005 13:38:24 We rated the controls as being either primary or secondary. The primary controls need to be tested annually, but the secondary controls don't.
08/04/2005 14:20:27 I will have our CFO give his opinion here.
08/05/2005 10:54:31 Possibly but I believe that almost all controls should be assessed at least annually.
08/05/2005 12:38:34 No!
08/05/2005 15:34:53 Internal controls are necessary in a bank on an on-going basis. The depth of documentation that was required by the accounting industry in 2004 is too much, even annually. I think any account that comprises over 25% of the balance sheet or 25% revenue should be required to be assessed by management every year.
08/05/2005 15:43:46 Not really. Once the assessment has been made, annual testing is not that difficult and is a good (best) business practice. The issue now is the degree of documentation that APPEARS to be expected when the auditors (external and internal) and examiners have been dealing with these systems for years. AS 2 & 3 are driving the 404 issues in small banks as between the client and the auditor. The bank understands the auditor's problem but the cost falls on the bank.
08/05/2005 16:45:38 Anything that would be a change in 404 policies must be addressed at the time of such change to be effective. If you did not assess this annually, someone will use that change to break the public trust. I find it pitiable that such controls have to be there, but the result without controls has not been positive. Thank Enron, Worldcom, Tyco, Arthur Andersen, AIG and others for that fact.
08/05/2005 19:33:08 Most internal control issues should be assessed by the company annually but not necessarily by outside auditors. Failure to meet all of the requirements should only require a notice in the 10KSB without penalty.
08/06/2005 13:52:06 Yes. If they have not changed, assessment need not be redone as long as it is established that there is no significant change.
08/08/2005 11:10:11 It can be every year but SOX needs to be pared way back to a justifiable level of controls based on a company's size.
08/08/2005 11:39:29 The assessment of internal controls for most companies should not change year to year unless there is a sale or purchase of a new company, a major change in the company's balance sheet or income statement, or exceptional growth.
08/08/2005 14:06:10 IT can be assessed every three years. Management control, i.e., the tone at the top, should be assessed every year. Certain account balance testing items should be looked at on a case by case basis and be left to the judgement of management and the auditors as to how often those controls need to be tested.
08/08/2005 15:43:24 Entity level controls Financial report controls and staffing Key financial reporting controls areas which may result in a material misstatement of earnings.
08/08/2005 21:39:10 The answer to this question depends on what guidance is provided to public companies and their auditors as to what are appropriate internal controls for smaller companies.
08/09/2005 09:30:31 Yes. Annually assess critical controls and other operational controls where staff or procedures have changed significantly.
08/09/2005 16:26:34 I don't see how you can check the controls less frequently than once a year...if you have the control requirements, they need to be checked. Either the system goes away or controls must be reviewed and documented based upon the risk.
08/09/2005 17:25:10 No need for SOX or its reporting requirements. Normal reviews and audits are enough.
08/10/2005 09:04:41 no comment
08/10/2005 13:44:39 We are early in the process, I haven't looked at that closely at this time.
08/10/2005 16:00:18 NONE! We're small enough that we pull reports off of our mainframe system and walk across the hall and talk about it and verify its accuracy and what we need to fix, if anything, without having to create reams of paper and additional audit fees.
08/10/2005 17:18:15 Yes - only general entity controls, IT controls, capital/equity, anti-fraud programs and management review of results (e.g. budget comparisons, financial reviews, reconciliation of accounts) need to be reviewed and tested annually.
08/10/2005 22:09:27 SOX section 404 should be eliminated for whatever could be defined as small companies. Before SOX we were a lily white company and with SOX we were still a lily white company, sometimes being referred to as "boy scout accounting" pertaining to honesty. All SOX did was to increase our accounting cost four fold, at least. So the answer is do what we were doing. I think inventories and inventory values and depreciation are always at risk and I personally watched that very closely.
08/11/2005 08:35:22 A quarterly assessment of systems access controls is required to protect against fraud. An annual review of all payment processes should also be conducted.
08/11/2005 20:27:22 All companies need an internal control structure. I don't believe SOX Section 404 and the way it's been interpreted provides the best solution. Prior to SOX, most smaller companies had control structures that fit their needs. With SOX that approach no longer is available.
08/12/2005 13:12:10 No opinion.
08/12/2005 14:46:45 All companies should be assessed every year. The key is to limit the number of controls tested to those that are extremely critical to the financial welfare of a company. I negotiated continuously with the external auditors to limit assessment testing to the "Key Control". At a minimum all companies should make an attestation to corporate governance and general corporate controls every year.
08/12/2005 16:35:01 I believe the current rules are adequate and SOX is overkill.
08/13/2005 12:39:43 No
08/15/2005 14:27:30 The real problem with 404 and small companies was that it radically changed accounting standards actually applied to smaller companies and largely did so without warning or an opportunity to make a smooth transition. In the end, I think 404 will result in a modest cost increase and modestly improved financial information, most of which will be more useful to business managers than to the investing public. The problem in 2004-5 was that the rules (or their practical application) were being made in many cases after the fact and in a pathologically defensive environment. The cost (in money, opportunity and focus, and spurious litigation) is both very large and, in hindsight, unnecessary.
08/15/2005 14:33:20 I would say only about 10% needs to be looked at every year. The rest can be on cycles.
08/15/2005 15:10:05 Only after the first initial 404 evaluation and where no significant deficiencies or material weaknesses existed, then it could go to a bi-annual cycle where 1/2 were reviewed in 1st year and 1/2 in second year.
08/15/2005 15:13:01 Again, look at the number one risk associated with the company. If it's cash, most of the controls around cash should be tested annually (locked checks, proper signoffs, bank reconciliation, etc.) The ancillary controls like who stuffs checks in the mail probably don't need to be checked as frequently.
08/15/2005 15:14:45 Haven't thought about it.
08/15/2005 16:33:43 non-routine transactions which were reviewed in detail before 404 was put in place anyway. Inventory and receivable collectability or valuation. Bank reconciliations.
08/15/2005 16:41:14 No
08/16/2005 09:51:21 If we are going to do the work, I do believe that an annual test is appropriate.
08/16/2005 10:10:36 No. The issue is the number of "key" controls, not the frequency of audit. Many key controls are identified and required that are in fact, not key.
08/16/2005 10:13:05 Yes, internal controls for small companies can be assessed less often than every year.
08/16/2005 10:21:17 No.
08/16/2005 10:26:28 key controls only, materiality should be used to help define this
08/16/2005 10:42:02 This question does not make sense. SOX Section 404 does not prescribe any internal controls, so what is a 404 internal control vs a "non 404 internal control"?
08/16/2005 10:44:16 Definitely controls over significant and critical areas need to be addressed annually. Also areas of moderate risk, in my opinion. Low risk areas may be appropriately addressed less frequently. CFO and CEO need to decide frequency needed to satisfy themselves controls are adequate.
08/16/2005 11:18:54 No opinion
08/16/2005 11:41:07 Yes.
08/16/2005 11:52:16 Yes. Most of them.
08/16/2005 12:14:10 Some have limited application and a breakdown would have a small impact. Certainly there is nothing magical about reviewing these every year.
08/16/2005 12:40:54 No
08/16/2005 12:42:56 Yes, every control except the critical ones. Furthermore, it is imperative that IT not be arbitrarily made critical, as it currently always is.
08/16/2005 13:04:14 Since I am not yet familiar with what 404 internal controls are, we are non-accelerated filers, I have no opinion. However, since the CEO and I both sign quarterly statements on internal control effectiveness, we need to assess controls each quarter.
08/16/2005 13:12:04 The answer is yes but we are just not far enough into 404 to be helpful based on experience here; the deadline on 404 has been extended for smaller entities and we are only about 60% through the project.
08/16/2005 13:19:29 Absolutely, although that may vary by industry. As a bank, we may easily go years with very limited if any structural change in our internal controls for financial reporting. In our internal controls, we distinguish between the formality of audit and a less formal monitoring/limited scale internal review. In my mind, it should be left up to the company and its CPAs to determine what controls are appropriate to be reviewed annually versus every two or three years. Those not reviewed annually should be monitored rather than audited.
08/16/2005 13:20:23 I don't think that the annual requirement is too much of a burden. All risk areas should be addressed annually in my opinion to reflect changed circumstances.
08/16/2005 13:25:32 I believe that the environment of honesty and integrity of a company should be continually assessed, that the procedures and review for the appropriateness of public disclosure should receive the same treatment. Control of critical accounting policies and procedures (income recognition, deferrals, capitalization policies, intangibles, whatever is significant to a business) should be assessed at least annually. But we do not need to pay our auditors to do this.
08/16/2005 13:27:00 If you have a system to document and test controls all "significant" controls should be tested each year. However, a better definition of "significant" is needed. Under SOX we identified over 200 "significant" controls in accordance with SOX guidelines. I believe that there are really less than 20 "significant" controls. I believe the SOX definition needs to be revised and then those controls that truly are significant should be tested each year/quarter. A more common sense approach is needed. Currently, controls that are not that significant are treated the same as controls that really are significant.
08/16/2005 13:30:33 Those relating to revenue, inventory reserves and cash.
08/16/2005 14:08:05 Revenue related controls seem to carry the heaviest weight.
08/16/2005 14:23:10 I believe that the SOX 404 controls need to be assessed regularly. The issue is the level of documentation, evidence, and cost vs value of the process. The cost is more apparent at the smaller companies but it exists at all companies. I believe it needs to be fixed for all companies.
08/16/2005 15:15:12 I believe the frequency of control assessment is not the issue. Whether you test every year or every three years matters little. The need to test at all is where it's at. For many if not most small companies the benefits of SOX are dubious, so any testing whether it be every three years or every month doesn't matter.
08/16/2005 16:16:04 Existing annual 302 and 906 certifications are sufficient.
08/16/2005 16:45:09 High risk errors should be evaluated annually. Low risk errors should be evaluated when the risk profile changes materially or every two or three years.
08/16/2005 18:35:41 Yes, I believe some should be assessed less often than annually. Controls that should be assessed annually include those susceptible to judgment (see 10. above).
08/17/2005 06:57:10 I think it's reasonable to categorize certain controls as critical and assess them every year while others are done on a "rotating basis." Also, the definition of "significant process and significant account" should be relaxed somewhat.
08/17/2005 12:28:22 Unsure of the answer to this.
08/17/2005 12:36:00 I think a documentation system could be set up so that changes to systems are reviewed only as needed. As such, much of the transactional testing should be conducted only upon changes in the procedures or the system.
08/17/2005 12:48:33 Don't know.
08/17/2005 16:18:39 The review procedures prior to SOX were adequate to assess internal controls. The auditors made recommendations with respect to enhancing internal controls. Those procedures were effective. SOX was an over-reaction to frauds that occurred at Enron, Worldcom and Tyco. No control procedures would prevent the actions that occurred at those companies. Even if SOX had been in effect, those frauds would not have been prevented. People with integrity will not commit frauds. People without integrity will find a way around any control system.
08/17/2005 18:49:20 If there is a strong baseline year where all key controls are tested, then in subsequent years the following controls should be tested every year (entity level, IT, estimates and impairments, non-routine transactions, safeguarding of assets, fraud programs). As long as the risk assessment is updated annually, more transaction level controls can be cycled year to year for testing.
08/17/2005 18:49:27 My view is that they should be assessed (against the materiality standard) annually by a CFO certification and audited externally once every three or five years.
08/17/2005 21:27:12 Yes. I think 404 is a waste of time and money. It documents and evaluates internal controls but does little to prevent major intentional frauds of the Enron and Worldcom type.
08/17/2005 22:55:14 Yes, I do believe some SOX 404 internal controls can be appropriately assessed less often than annually. I think the financial reporting process, revenue recognition, inventory management and general security controls should be assessed every year.
08/18/2005 08:03:31 To check for fraud consistently.
08/18/2005 14:30:38 Yes. Board level controls and top level management controls - over business planning, business authorization and approvals and analytical analysis of operating results.
08/19/2005 02:56:12 Absolutely. As noted earlier, we found virtually no control issues. As VP Controller for a larger small company, I know which parts of the business are at greatest risk. Why test all parts all years when a better and more cost effective approach would be to test high risk areas annually and all other areas on a rotating basis. That we used to do before SOX and it worked well (as evidenced by so few deficiencies). Annual assessments should be made for enterprise level controls, general computer controls for high risk or high level processing centers, business cycles that comprise more than 40% of a company's revenues, joint ventures, unusual transactions, technical skills of the key finance management, controls over cash/wires/ACH's, and areas that have had prior significant or material deficiencies.
08/19/2005 11:44:44 Those controls over critical items in the financial statement within a particular industry should be assessed annually.
08/19/2005 12:28:03 Yes there is at least that possibility.
08/19/2005 13:49:01 Yes, there are Section 404 internal controls that do not require review and assessment every year, however, they will vary with each company. In a company where there are large numbers of fixed asset purchases the assessment may have to be done annually, whereas in a company with only minor fixed asset purchases the assessment may need to be done only once every four to five years. The need to assess controls over fixed asset purchases would be made based on a review of all such purchases.
08/19/2005 14:40:28 Definitely. The Institute of Internal Auditors has developed Practice Advisories for preparing an effective audit plan for internal controls. One of the basic premises of the PA is that controls can be tested less often if there is not a significant event that would trigger a higher risk to that control. For example, if the Controller is responsible for many review and monitoring controls and there is turnover within this position in a given audit period -- the controls should be retested. If there is not turnover within the given audit period, and the controls were operating effectively in the prior audit period, consideration should be given as to whether there is a current need to re-test these controls or limit the testing of these controls.
08/19/2005 14:50:07 As a small public thrift, our internal controls are examined annually by our regulators and outside auditors. Should the former find material weaknesses, we would be subject to supervisory action. Material weaknesses by the latter could result in a qualified opinion. Taken together, this level of third-party oversight should be more than sufficient.
08/19/2005 17:03:28 These should be assessed annually: Cash receipts; Cash disbursements; Payroll; Authorizing and posting journal entries.
08/21/2005 22:19:50 Yes. Those directly related to the preparation of financial statements and footnotes, should be tested every year.
08/22/2005 15:20:23 This is a difficult question because I believe it would vary significantly from company to company.
08/22/2005 15:47:02 Revenue cycle, purchasing cycle
08/22/2005 17:54:28 The most difficult areas are those which require judgment, such as revenue recognition and inventory. These require annual review.
08/22/2005 17:56:59 No
08/22/2005 19:27:18 Yes. Concentrate on entity level controls year-to-year and a more detailed assessment every three years.
08/22/2005 20:10:17 My feeling is not so much that it should not be done every year, but that 404 is not a one size fits all program. Small companies need a 404 compliance guide that would not require as much redundancy or manager to employee documentation. In a small company with 10 employees, we have 2 managers and 8 hired employees. There is no way we can comply with 404 the same way Ford Motor Company can. Perhaps there needs to be various compliance guides based on revenues, staff size, or other legitimate qualifier that would make a 404 compliance for a small company fit the operations.
08/23/2005 00:42:38 All controls should be considered every time they come into place by the person responsible for the functioning of the control. This should be a part of the day-to-day functioning of a company/accounting department. Management relies on its employees to properly provide controls.
08/23/2005 15:56:30 I believe self assessment should be allowed and that attestation should just involve a review of company procedures used to come to its internal conclusions. Self assessment should be annually as well as the limited scope attestations.
08/23/2005 16:49:34 Probably - but annual financials are a must.
08/23/2005 18:10:00 Yes.
08/23/2005 21:11:03 It is less a condition of frequency and more of "why do it at all". The basics over internal financial reporting controls should still be assessed every year but ONLY if the external auditors can perform integrated audits and ONLY if the basic compliance requirements are standardized.
08/24/2005 08:50:18 Once a year is fine and works - the quarterly certifications are over the top.
08/24/2005 10:14:02 See item 10 response. Reviews of internal controls should still be conducted as part of the annual financial audits and filings...but the scope should be limited.
08/24/2005 12:24:07 No, should be less onerous but annual.
08/24/2005 14:30:13 Yes, such as income taxes could be done less frequently. For smaller companies, this is not usually a critical area especially in a loss position and building NOL's. You could cycle testing of certain areas over years as long as there were not material changes in the process or internal controls.
08/24/2005 16:19:27 Get rid of 404. It is a waste of our time and money. Try every 10 years.
08/24/2005 16:26:56 We believe company level and information technology general controls are most important for smaller companies, which may have limited ability to provide for segregation of duties or multiple levels of review of processes or transactions. We believe the tone at the top of smaller companies can mitigate other control weaknesses. The frequency with which other controls need to be assessed is highly dependent on the circumstances of each company, which should be the subject of management's assessment, in consultation with the company's independent accountants. We do not believe that it is appropriate to prescribe the frequency of control assessment equally across companies in different industries.
08/25/2005 13:39:06 It seems to me that if the public accounting firms are doing their job, then SOX should not be required.
08/25/2005 15:23:41 Normal day-to-day transactions. Areas listed above.
08/25/2005 16:04:36 All key controls (and only key controls) should be assessed annually. The problem is, many companies have too many key controls and their external auditors are all too content to keep testing excessive controls. Our SOXlite clients enjoy adequate financial statement assertion coverage over their significant accounts and their external auditors agree.
08/25/2005 16:26:29 Yes - controls over outsourcing (SAS 70 Reports), IS controls if no major program or software changes.
08/25/2005 17:02:43 Annually would be fine as long as it is focused on higher risk areas.
08/26/2005 12:41:42 SOX 404 for smaller companies should concentrate on a limited number of key controls for significant business cycles. If it is kept simple there will be no problem performing on an annual basis.
08/26/2005 13:07:22 Because we are a non accelerated filer we've yet to address this in enough detail to respond.
08/26/2005 15:31:29 The entity assessment/tone at the top is critical to the entire 404 initiative and should be updated annually. As well as major account reconciliations and major assumptions.
08/26/2005 16:22:08 I believe if it's going to be done, it needs to be once a year.
08/27/2005 11:21:03 Yes - controls over financial statement reporting should be tested less often than annually. Controls over reporting of compensation and related parties should be annual.
08/29/2005 07:07:37 Yes, but I am not into specifics.
08/29/2005 10:21:15 Assuming the need for full environment formal assessments, which we believe to be costly and unnecessary, we believe that much of the assessments should be less often than annually. The only controls that we feel would be beneficial for every year testing would be entity-level controls due to their effect on the tone and role in material irregularities in most companies with such problems.
08/29/2005 10:21:25 Assuming the need for full environment formal assessments, which we believe to be costly and unnecessary, we believe that much of the assessments should be less often than annually. The only controls that we feel would be beneficial for every year testing would be entity-level controls due to their effect on the tone and role in material irregularities in most companies with such problems.
08/29/2005 11:21:29 Yes, key controls should be assessed every year. But should not internal audit assess these key internal controls anyways?
08/29/2005 14:18:47 I don't believe that any SOX Section 404 internal controls for smaller companies can be assessed appropriately less often than every year. Shareholders rely on internal controls to preserve their interests every year; proper functioning only every other year is not sufficient. The only way to tell if it's functioning properly is if it's tested every year. Furthermore, less frequent audit testing poses interesting questions for an auditor. How should it be handled if the auditor tests a control every other year and finds out the control was deficient in the year that wasn't tested - and there's already an audit opinion in the public domain stating a clean opinion in the internal control system as a whole?
08/29/2005 14:53:30 No. Any control worth having should be assessed regularly and changed if it is not productive.
08/29/2005 15:31:21 Those controls that directly impact the accuracy of financial data, whether they be manual or automated controls should be tested annually. For example, internal controls that impact accurate loan input and maintenance are critical in that they directly impact the way loan information is captured and reported. These are critical controls and should be tested annually.
08/29/2005 16:10:53 Of course---Also those companies with outside Federal regulators should be exempt from 404c. What changes each year? Your system, your methods or your procedures? Not in most companies.
08/29/2005 17:09:27 Yes. As a federally insured financial institution, we are already subject to annual examinations by the FDIC, OTS, and State of Illinois.
08/29/2005 17:12:26 Yes I think some could be assessed more often than yearly, but I don't have an opinion yet of which ones.
08/29/2005 17:12:43 I think that entity-level controls should be examined every year. Non-standard journal entries (manual) should also be reviewed. Fraud questionnaires should be distributed down to a lower level of employee.
08/29/2005 17:36:32 Unable to comment
08/29/2005 19:02:32 None need to be assessed each year automatically. When outside accountants arrive to do an audit, they could submit a list of areas of concern to management.
08/29/2005 19:05:24 Yes. Tone at the top should be evaluated every year. All other controls should be evaluated on a three year rotational basis.
08/29/2005 21:00:01 As I stated above - I think it is industry specific. For biotech companies revenue recognition, cash and payroll would definitely need to be assessed every year. However, intellectual property could be less often than every year.
08/29/2005 22:40:58 The only control that should be assessed on a regular basis are entity level controls, that include the "tone at the top" for management and the board of directors.
08/30/2005 15:04:16 Yes, entity level controls for every company should be assessed annually; however the nature of an organization should dictate the areas of risk and controls tested accordingly. Controls surrounding inherent risk accounts should be assessed annually and other controls can be assessed on a rotational basis.
08/30/2005 15:07:00 None. I would assess once every two years the company's systems of internal controls. I would limit those tests to truly significant areas such as revenue recognition.
08/30/2005 17:08:46 Yes, SOX Section 404 internal controls for smaller companies can be appropriately assessed less frequently than once every year. We believe that governance controls and controls that have been noted as significant/material weakness in past three years should be assessed annually.
08/30/2005 18:26:14 Entity level controls, antifraud programs, and controls on which other controls are dependent (e.g. computer controls) should be assessed every year.
08/30/2005 18:48:02 N/A -- Really need a CPA to answer this one.
08/30/2005 19:47:16 If the company's operations and processes are not changing, it is not necessary to assess them every year. Entity level controls should be reviewed every year.
08/30/2005 21:07:56 Yes, ie: annual - monitoring; bi-annual - control environment
08/30/2005 21:39:41 We believe that at least some SOX Section 404 internal controls can be assessed less often than every year. Reporting and disclosure controls should be assessed every year.
08/30/2005 23:57:28 No comment
08/31/2005 08:31:59 Financial reporting by reviewing "what has changed" from year to year.
08/31/2005 10:19:14 Yes. Business process controls, financial close / reports controls.
08/31/2005 10:21:37 a) Controls over accounts with lower materiality and volatility. In our case fixed assets is a good example.
08/31/2005 14:00:12 I don't see how an every "blank" year approach works. If such an approach were attempted, the controls tested most frequently should be the overall control environment.
08/31/2005 14:12:37 Absolutely. Many companies (large and small) have processes for routine transactions that change very little from year to year. Further, SOX 404 testing and internal/external audits have proved the effectiveness of these controls. We believe that controls related to routine transactions (including IT general controls) could be assessed by management every other year and only the highest risk controls (such as those whose individual failure could result in a significant deficiency) be tested every year.
08/31/2005 14:25:37 With the regulation and examination that banks now have there is no need for SOX whatsoever. Our bank has had an internal risk assessment committee for three years. All bank regulators are doing a risk assessment each time they examine a bank.
08/31/2005 14:32:46 An annual review of all controls is probably necessary. Process changes, employee turnover, etc. can have a quick effect on systems working or failing. Long-term employees may try to find ways to circumvent the system to speed up areas of their workload. An annual review of everything should keep a company going in the right direction.
08/31/2005 15:19:27 Yes, critical cycles need to be addressed every year such as financial closing and reporting and IT and many of your detective controls.
08/31/2005 16:05:33 Once internal controls are put into place and are proven to be effective annual audits from independent auditors could be less frequent than on a yearly basis to cut expenses.
08/31/2005 16:16:33 11. Controls that are assessed as little as once every three years should not be considered key controls. One of the problems with the initial SOX implementation was the large number of controls that were considered key controls. In the 2nd year of implementation, we were able to hone in on certain key controls that were truly important. Other controls, that were not considered key controls, were removed from the evaluation. At the end of the assessment, there are only a few controls per process that every company should have, whether they are a large company or a small company. Processes should be evaluated at least annually, though certain controls could be tested less often based on a sampling technique. This is where the PCAOB could help standardize the controls and evaluation periods under normal circumstances. The testing requirement should be directly related to the risk of the processes.
08/31/2005 16:29:59 yes, review documentation
08/31/2005 17:16:33 I was unaware that the SEC had specific guidance on 404. The only statements I have seen are that maybe the big four have gone too far. Why wouldn't they? They have to protect themselves. I think the whole concept of 404 was rushed into and that a one brush paints all approach is the result.
08/31/2005 18:22:30 We suggest that all controls identified as key controls be assessed annually. However, this assessment, and the extent of testing of these controls in the current year for operating effectiveness, could be based on the results of prior year testing, identified changes in the controls and in entity-level controls, changes in personnel or systems, and other factors impacting the risk that the effectiveness of controls may have changed. Some controls at any size of company can be assessed less often than each year, and SAS No. 55 provides guidance to the auditor. Smaller companies are typically simpler, with fewer transactions, fewer types of transactions, fewer complicated transactions, less employee turnover, and so on, thus it is very likely that smaller companies need less monitoring than a large company and have a greater likelihood of being able to use a rotational approach to controls than a larger company.
08/31/2005 18:23:08 Entity Level Controls (Management Override), IT General Controls. For annual items, important to keep it focused on what's important - the KEY controls.
08/31/2005 19:16:05 11. The answer to this question is no. A company either has a working internal control system or it doesn't. If a control is not important enough to monitor every day, then it is not a control. Assessing the control is not the critical task, enforcing it is.
09/01/2005 00:55:31 Control environment, anti-fraud program, key controls over significant accounts with much subjectivity or judgment (i.e. allowance for loan losses, goodwill, income taxes, etc) and any changes to key controls.
09/01/2005 11:40:19 Yes, company level controls and high risk areas.
09/01/2005 14:30:54 Most controls could be assessed on a rotating basis every two years, however depending on the type of business, controls over revenue recognition should be assessed annually. The majority of accounting irregularities seem to stem from the timing of a fraudulent reporting of revenue.
09/01/2005 17:12:34 Every year assessment needs to include general control environment perhaps IT controls. I am skeptical that a small company would really benefit from less often than once a year. Given the current structure I think management should assess the effectiveness of internal controls every year. If it is less often the control environment might slip as significant events happen in a small company. On the other hand if the audit could happen less frequently that would eliminate some audit fees which would be good.
09/04/2005 07:42:16 No. Annual assessment is adequate.