Sarbanes-Oxley Testing & Monitoring Services
Our consultants will perform all necessary SOX compliance related tests and identify remediation actions resulting from deficiencies. Also, our consultants will liaise with the business process owners and IT staff. We can assist with all aspects of your Sarbanes-Oxley documentation project and on-going testing including IT general controls, application controls, baseline application testing, and segregation of duties testing.
Our team of experts has experience in leading and performing the documentation and testing for Sarbanes-Oxley (SOX) compliance from both the external audit and internal audit perspectives. Our SOX Group specializes in Sarbanes-Oxley section 404 compliance and documentation, including process narratives, policies and procedures, testing, and remediation. General Masters, Inc provides professional testing based on what the standards require. Our testing will be based on the work that has been done by your SOX Team, following management's documented assertions after careful Risk Assessments. General Masters will work with management to develop a test plan if one does not exist. Specifically, the standards require these key points:
· Internal controls over financial reporting.
· Internal control deficiency.
· COSO control Framework.
· Identifying controls to be tested.
· How much testing is enough.
· Control documentation.
· Identifying significant controls.
· Information Technology (CoBIT Framework).
§ Internal controls over financial reporting: A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's Board of Directors, management, and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles; it includes the company's key controls.
§ Internal control deficiency: A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the company's financial statements that is more than inconsequential in amount will not be prevented or detected. The standards also require consideration of inconsequential misstatements, material weaknesses, and preventive and detective controls, and the need to test the effectiveness of controls.
§ COSO control framework: Management is required to base its assessment of the effectiveness of the Company's internal controls over financial reporting on a suitable, recognized control framework established by a body of experts that follows due-process procedures to develop the framework. In the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission has published an internal control framework that is highly respected. Internal control is a process, effected by an entity's Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in key categories - effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding of assets.
§ Identifying controls to test: Management must demonstrate that controls covering all five components of internal control (Control environment, Risk assessment, Control activities, Information and Communication, and Monitoring) are operating effectively relative to all significant accounts, processes, and locations. Management should also evaluate control design effectiveness, control operating effectiveness, the timing of control tests, and the extent of tests of controls.
§ How much testing is enough: The Public Company Accounting Oversight Board (PCAOB) Auditing Standard No 2 does not specify how much testing is enough. It leaves it to the auditor's judgment as to what constitutes a "large portion". However, management must accept responsibility for the company's internal control over financial reporting. Among other things, it must support its evaluation with sufficient evidence, including documentation.
§ Control documentation: Management's documentation should include the design of controls over relevant assertions related to all significant accounts and disclosures in the financial statement to include documentation pertaining to the five components of internal control over financial reporting as discussed in COSO (Control environment, Risk assessment, Control activities, Information & Communication, and Monitoring). Documentation might take many forms of presentation because there is no one required format. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is a deficiency in the company's internal control over financial reporting.
§ Identifying significant controls: The auditor should identify each significant process over each major class of transactions affecting significant accounts. Major classes of transactions are those transactions significant to the company's financial statements.
§ Information Technology (CoBIT Framework): There are different views as to the appropriate extent of required documentation and testing necessary for Information Technology (IT) controls. While the extent of documentation and testing requires the use of judgment, management is expected to document and test relevant general IT controls in addition to appropriate application-level controls that are designed to ensure that financial information generated from a company's application systems can reasonably be relied on. A company's finance and IT departments should interact closely to ensure that the proper IT controls are identified. In establishing the scope of its IT assessment, management should apply reasonable judgment and consider how IT systems impact internal control over financial reporting. Notwithstanding the internal control reporting requirements, companies are required to prepare reliable financial statements following the implementation of the new information systems.
Identifying and Testing Controls
The most effective way to decide what needs to be tested is simply by identifying the organization's key controls. The key controls are the ones that address your important risks. Once that is done, the rest is simply deciding the level of reliability you need and the size of the sample you intend to use. The key elements of a Testing Plan should focus on the Nature of the test, the Extent of the test, and the Timing of the tests. General Masters, Inc will test the controls which have been identified by management. General Masters will work with management to develop a test plan if one does not exist. The following is a preview of the key points, the steps for identifying controls, and how General Masters will test them:
· The nature of the test.
· Testing procedures.
· Testing techniques.
· Design effectiveness.
· Operating effectiveness.
· Testing automated controls.
· Testing manual controls.
· Sampling in tests of controls.
· The extent of tests.
· Timing of Tests.
· The nature of the test: The nature of the test refers to the kind of test technique the auditor is planning to execute, whether a judgment-based test, statistical sampling, or some combination of approaches. Combining two or more tests can provide greater assurance than using only one test. Inquiry, by itself, does not provide sufficient evidence of control effectiveness. Generally speaking, re-performance provides the highest degree of assurance.
· Testing procedures: In selecting tests of controls, the auditors consider the risk of material omission and misstatement, as well as the expected effectiveness and efficiency of the specific tests. Consideration should also be given to the nature and materiality of the items being tested, the kinds and competence of available evidential matter, and the nature of the assurance objective to be achieved. Procedures for evaluating the effectiveness of the design or operation of a control are referred to as tests of controls. Tests are performed on relevant evidence to determine whether the control is working as designed and whether the control is operating effectively.
· Testing techniques: Management should use the most effective testing techniques that offer the level of assurance for operating effectiveness. The acceptable types of control testing techniques are: Inquiry, Observation, Examination/Inspection, and re-performance. Again, it should be noted that GMI believes that re-performance is the best technique.
· Design effectiveness: Tests of controls directed at the effectiveness of the design of a control address whether the control is suitably designed to prevent or detect material omissions or misstatements. Tests to obtain such evidential matter typically include review of documentation and a specific evaluation of whether the controls are likely to prevent or detect errors or fraud that could result in misstatements, assuming they are operated by appropriately qualified persons.
· Operating effectiveness: An auditor should evaluate the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Tests should include 1. Inquiry of appropriate personnel, 2. Observation of the company's operations, 3. Inspection of relevant documentation, 4. Re-performance of the control application.
· Testing Automated Controls: The testing technique is usually observation and/or re-performance. The number of tests can be minimal (one to a few) assuming that IT General Controls have been tested and found to be effective.
· Testing manual Controls: Tests should include a mix of testing techniques. Effective testing will usually involve sampling. Sampling carries the risk that a control is not working effectively at all times; this is an inherent risk with manual controls. Sampling risk increases with the frequency of a control's use. Factors to consider in manual testing include: 1. Complexity of the control, 2. Significance of judgment in the operation of the control, 3. Level of competence necessary to perform the control, 4. Frequency of the operation of the control, 5. Impact of changes in volume and/or personnel performing the control, 6. Importance of the control. 7. When a single manual control provides the sole support for a financial statement assertion, management should increase the sample size/frequency of the test. Testing of manual controls should include a mix of inquiry, observation, examination, and re-performance. The extent of management's testing is based on its judgment and the level of assurance it expects to derive from the test.
· Sampling in tests of controls: Sampling for tests of controls is generally appropriate when application of the control leaves documentary evidence of performance. However, sampling for tests of controls that do not leave evidence might be appropriate when the auditor is able to plan the sampling procedures early in the audit. For manual processes, the initial sample size should not vary. However, if 1 error is found in the initial sample of 25, the sample will be expanded to 40; if 2 errors are found, the sample will be expanded to 60. If at any point in the sample testing 3 errors are reached, mitigation will be necessary.
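The sample-expansion rule above (25 items initially, 40 after one exception, 60 after two, remediation at three) is a sequential decision procedure, and it is easy to apply inconsistently across testers. The following Python is an added example, not General Masters' own tooling or a page-provided script; only the thresholds come from the text. The invoice-approval records, the `control_operated` check (approver recorded, approval dated on or before posting) and all names are constructed assumptions for illustration.

```python
"""Sequential sample-expansion rule for manual control tests.

Added example. Thresholds are those stated on the page: start with 25
items, expand to 40 after the first exception, to 60 after the second,
and treat a third exception as a control failure requiring mitigation.
Everything else (records, the control being tested) is constructed.
"""
from dataclasses import dataclass, field

INITIAL_SAMPLE = 25                 # initial sample size (page)
EXPANSION_SIZES = {1: 40, 2: 60}    # cumulative errors -> required sample (page)
FAILURE_THRESHOLD = 3               # errors at which mitigation is required (page)


@dataclass
class SampleResult:
    status: str            # "pass": sample complete, under threshold
                           # "expand": more items needed to reach required size
                           # "fail": third exception reached, remediate
    items_examined: int
    errors_found: int
    required_sample: int   # sample size required at the point testing stopped
    error_positions: list = field(default_factory=list)  # 1-based item indices


def evaluate_sample(results):
    """Consume per-item outcomes in testing order (True = control operated,
    False = exception) and apply the escalation rule.

    Items are consumed until the currently required sample size is reached
    or the failure threshold is hit; if the input runs out first, the result
    reports how large the sample must now be."""
    required = INITIAL_SAMPLE
    examined = 0
    errors = 0
    positions = []
    for ok in results:
        if examined >= required:
            break                       # required size already satisfied
        examined += 1
        if not ok:
            errors += 1
            positions.append(examined)
            if errors >= FAILURE_THRESHOLD:
                return SampleResult("fail", examined, errors, required, positions)
            # One or two exceptions: enlarge the sample per the rule.
            required = EXPANSION_SIZES.get(errors, required)
    if examined < required:
        return SampleResult("expand", examined, errors, required, positions)
    return SampleResult("pass", examined, errors, required, positions)


# --- Constructed evidence: 30 invoice approval records (hypothetical data). ---
CONSTRUCTED_APPROVALS = [
    {
        "invoice": f"INV-{n:04d}",
        "approver": "" if n == 17 else "jdoe",   # record 17 lacks an approver
        "approved_on": "2024-03-01",
        "posted_on": "2024-03-02",
    }
    for n in range(1, 31)
]


def control_operated(record):
    """Constructed control attribute: an approver is recorded and the
    approval is dated no later than posting (ISO dates compare as strings)."""
    return bool(record["approver"]) and record["approved_on"] <= record["posted_on"]


def run_example():
    """Apply the rule to the constructed population."""
    return evaluate_sample(control_operated(r) for r in CONSTRUCTED_APPROVALS)


if __name__ == "__main__":
    res = run_example()
    print(f"{res.status}: examined {res.items_examined}, errors {res.errors_found}, "
          f"required sample {res.required_sample}, exceptions at {res.error_positions}")
```

Because the one exception (record 17) raises the required sample to 40 and only 30 records were supplied, the constructed run reports `expand` rather than `pass`; that is the outcome a tester should record as "additional items needed", not as a clean result. Keeping the thresholds in named constants makes the rule visible to reviewers and to the external auditors whose sampling guidelines the page recommends adopting.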
· The extent of tests: The extent of the test relates to the sample size and the number of items to be tested, i.e. the depth of the testing. In determining the extent of testing, the auditor should assess the following factors: 1. Number of controls, 2. Frequency of operation, 3. Importance of the control.
· Timing of tests: Timing deals with the scheduling and frequency of testing, that is, the time span the test covers. The timing of controls testing must be sufficient to determine operating effectiveness as of the end of the fiscal year. Testing performed earlier in the year generally provides less evidence of effectiveness at the reporting date than testing performed later in the year. Controls over significant non-routine transactions, and over accounts or classes of transactions involving subjectivity or judgment, should be tested closer to the reporting date. Testing, whether by inquiry, observation, walkthroughs, or inspection of relevant documentation, should be scheduled to allow sufficient time for any necessary remediation efforts.
· Timing and remediation: When significant changes are made to controls, management must assess the operating effectiveness of the new controls between the time they were implemented and year-end. This period must be sufficient to enable management to obtain adequate evidence of the control's operating effectiveness.
Recommended Test Plans
General Masters, Inc will test the controls which have been identified by management in their test plan. General Masters will work with management to develop a test plan if one does not exist. The following is a summary of what should be contained in a formal SOX test plan:
· Key controls to be tested.
· Nature of tests to be used.
· Extent of testing.
· Timing of procedures.
· Description of the test.
· Test Administration (Who, When, What evidence will be reviewed, and Where the control is performed).
· Documentation.
· Exceptions (How will they be investigated, When will additional testing be performed, Who will be responsible for remediation, Who will monitor and track remediation).
The need to use sampling in the testing of key controls
Although sampling is not expressly required by the PCAOB, General Masters believes that you need to adopt the sampling guidelines used by your external auditors. You need to establish a close working relationship with your external auditors to avoid preventable future disagreements. Indeed, it is a win-win relationship! The adoption of a common sampling methodology is the right move in that regard.
Testing IT controls - SOX testing:
Management must evaluate the effectiveness of information technology general controls to ensure the continuous, effective operation of the automated/information technology dependent controls. The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting. AICPA AU sec. 319, Consideration of Internal Control in a Financial Statement Audit, discusses the effect of IT on internal control over financial reporting. Therefore, as part of our SOX testing, the following issues are addressed.
· The extent and nature of IT risks vary depending on the nature and characteristics of the entity's information system.
· The use of IT presents risks, such as the risk that improperly authorized, incorrectly defined, or improperly implemented changes to the system or programs performing calculations, or to related program tables or master files, could result in consistently performing those calculations inaccurately.
· As an entity's operations and systems become more complex and sophisticated, it becomes more likely that the auditor would need to increase his/her understanding of the internal control components to obtain the understanding necessary to design tests of controls.
· Section 404 of the SOX Act requires management to select a control framework for documenting controls.
· COSO is the most widely recognized control framework for documenting internal controls. However, it does not provide sufficient detail on IT controls. As a result, CoBIT (Control Objectives for Information and Related Technology) has become the control framework for IT controls.
· CoBIT is a framework that can aid companies in assessing IT controls for SOX 404 compliance.
· The CoBIT framework for IT governance has 34 key IT Control Objectives that fall under four broad domains. Only 12 of the 34 Control Objectives are mapped for SOX compliance testing purposes.
Our professional competence is the cornerstone of our organization. We work hard to provide quality professional services that directly address our clients’ needs. At General Masters, we deliver results. Technology is a major player in Sarbanes-Oxley compliance. General Masters, Inc. is waiting to establish a SOX compliance partnership with your organization.
Management is required to test all SOX internal controls based on its control assertions each year. General Masters, Inc. wants to establish a lasting relationship with you to implement a testing methodology which is acceptable to your organization and external auditors. General Masters will work with management to develop a test plan if one does not exist. Call us immediately so that we can demonstrate to you that we are your vendor of choice when it comes to SOX testing.
Security Protection and Regulatory Compliance Monitoring Services:
We have partnered with Cyberoam – America for the delivery of proven security appliances as part of our SOX monitoring services to help facilitate proactive compliance. Cyberoam delivers a comprehensive security portfolio that meets both the network and endpoint protection requirements of organizations. With Unified Threat Management (UTM) appliances, Endpoint Data Protection and Cyberoam iView – The Open Source Logging and Reporting Solution, Cyberoam delivers complete visibility and control over user activity.
Cyberoam’s CheckMark Level-5 certified, ICSA firewall-certified UTM appliances are purpose-built for comprehensive network protection. They meet the high performance needs of small, medium and large enterprises with appliances ranging from CR15i to CR1500i.
Available in appliance and software form, Cyberoam iView is a logging and reporting solution that offers visibility into activity within the organization for high levels of security, data confidentiality and regulatory compliance. It provides an organization-wide security picture on a single dashboard through centralized reporting of multiple devices across geographical locations. It also achieves compliance reporting for PCI-DSS, HIPAA, GLBA and SOX and performs forensic analysis to study security breaches through logs and reports.
To obtain more information about our SOX testing, consulting services, and proactive monitoring and reporting services, please complete the following form and select areas of interest. Our staff will contact you shortly with a response.