(SOX) compliance. Despite three years of experience with SOX, auditors and enterprises still struggle to achieve a balance between effective compliance, and the high cost to sustaining the SOX initiative. AS5 has added new dimensions to SOX 404 compliance – focusing audits on core matters, eliminating unnecessary procedures, scaling audits for smaller companies, and simplifying compliance requirements. As a result, many finance experts expect AS5 to trim down the costs for SOX 404 compliance.Download a Solution Brief
Most enterprises today continue to feel that substantial resources are being drained on Sarbanes-Oxley (SOX) compliance. Despite three years of experience with SOX, auditors and enterprises still struggle to achieve a balance between effective compliance, and the high cost to sustaining the SOX initiative. Kenneth Wilcox, President and CEO of SVB Financial Group, alleges that his company paid over $20 million to the Big Four accounting firms in 2006 - an increase of more than five times what it paid in 2003. In particular, he says audits today are prolonged, require more personnel, and auditors have an overly broad definition of "materiality", than what is relevant to SOX. The soaring SOX costs have not gone unnoticed by the Public Company Accounting Oversight Board (PCAOB). The PCAOB has seen how the accounting firms have run up huge fees, and forced clients to spend millions of dollars on redundant IT systems and unnecessary controls. In response, on May 24, 2007, the PCAOB adopted a new auditing standard – “An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements” (AS5) - that replaces the relevant guidance in Auditing Standard 2.
AS5 has added new dimensions to SOX 404 compliance – focusing audits on core matters, eliminating unnecessary procedures, scaling audits for smaller companies, and simplifying compliance requirements. As a result, many finance experts expect AS5 to trim down the costs for SOX 404 compliance. “With AS5, we now have clearer, more substantial support for a risk-based approach,” says GRC expert of a leading enterprise, "It will be a catalyst to help auditors rely more on their judgment and that will cut costs.”
Opportunities for the Management: Benefits Outweigh Cost of Compliance
AS5 allows management to take a fresh look at its organization’s compliance process - allowing the organization to focus on the issues likely to pose a greater risk to financial reporting, and reduce the number of controls to be actually tested in performing its evaluation- thus reducing effort and cost. Arnold Hanish, Executive Director, Finance, and CAO at Eli Lilly & Co. and Chairman of FEI’s Committee on Corporate Reporting (CCR), thinks AS5 will bring cost- relief for most multinationals because of reduced testing — based on its new “top-down, risk-based” ethic. He anticipates that the companies will narrow their focus to the high risk areas, achieving a better trade-off between the quality of controls assurance and the cost of compliance.
AS5'S Impact: Streamlined and Less Costly Sox Compliance
As corporations and auditors eagerly await the outcome of the new standards, the question on everyone’s mind is “Did the PCAOB and SEC (Securities and Exchange Commission) meet the goal of a streamlined and economical SOx compliance?” To evaluate this question, let’s breakdown the key elements of AS5 that affect SOX compliance procedure:
Entity Level Controls
Critical component and not after- thoughts
Entity level controls are a critical component of internal controls, and not the after thoughts of a financial misstatement. This concept finds prominent relevance in the AS5 guidelines, which defines the position of entity-level controls within the COSO’s internal control framework, and includes measures like monitoring inherent risks in key accounts and operations, establishing an ethical code of conduct for all employees, maintaining an appropriate tone at the top, developing comprehensive risk management policies especially anti-fraud policies, performing a background check for all new accounting and financial positions, and having an appropriate whistleblower procedure in place.
Compliance Tied to Financial Reporting
Re-evaluating key controls based on financial statement
AS5 requires auditors to tie compliance directly to its impact on financial reporting and eliminate non-financial reporting related controls. As put by one of the PCAOB’s technical policy implementation directors, “If you can’t link something to the financial statements, it’s out of scope. We used to hear people talk about the financial-transaction flows through the system, so the system is brought into scope. Now, you only need to focus on the parts that apply to the risk.” Most enterprises believe that this will result in significant efficiency gains in SOX documentation and testing phases, and reduce overall compliance costs.
Top - Down and Risk - Based Approach
Focus on matters resulting in material weakness
AS5 promotes a top-down, risk-based approach while assessing internal controls of an enterprise - eliminating numerous prescriptive requirements in AS2 that drove overzealous auditing. Companies can now design their evaluation policy and test of controls only on those risks and areas that could cause the financial statements to be misstated. Most financial executives see the new standard leading to fewer checklists and more work in identifying more risk-prone areas of the company. For example, for auditors and management, it means moving away from documenting and testing almost all the controls to focusing instead on the risk -prone areas.
Flexibility in using work of others and walkthroughs
Eliminating unnecessary procedures
AS5 consistently emphasizes the need to eliminate unnecessary audit procedures and higher-than-expected SOX compliance costs. It endorses the use of work of company personnel, other than internal auditors and third parties working under the direction of management, by an external auditor. Recalibrating walkthrough requirements, AS5 gives the auditor flexibility to achieve the objectives of a walkthrough, or to use a client’s internal staff, or other outside resources under the auditor’s supervision to perform the walkthrough. Also, auditor can leverage results of the prior years in assessing risk.
Exercise Judgment, and Knowledge of Relative Risk in Designing Plan
Previously companies were forced to react and align their approaches to those of their external auditors. Now, management can step back, think through, and use more judgment in designing and implementing SOX compliance program, focusing on efficiency in low-risk areas while performing more extensive testing in high risk areas. There is no longer a ‘one-size-fits-all’ approach to SOX implementation.
A large micro-finance institution faced high audit risk levels due to inconsistencies in its cash, inventory and investment statements. When these accounting irregularities and increasing rate of internal threats presented the danger of destabilization, the company felt the need for an automated compliance solution. Traditional audit processes followed by the company provided a limited understanding of risks. The institution opted for MetricStream’s Audit Management Solution to establish a robust audit procedure that would manage risks while effecting compliance. The solution is compatible with AS5, the latest audit standard, and leverages its flexibility for comprehensive reporting. With MetricStream, the enterprise could automate and streamline all the processes associated with certification of its internal control environment, mitigating potential risk situations caused by inaccurate reports. At the end of the audit exercise, the company was able to make a number of process improvements and devise various strategic policies for more efficient operational management. The solution enabled the institution to effectively audit its internal inventory and investment statements and obtain accurate results without spending excess amounts of time and money.Key Benefits Accrued:
- Automated and streamlined the internal processes to comply with AS5.
- Increased the management's confidence in certifying financial and inventory accounts.
- Created an enterprise-wide central repository for all relevant documents.
- Created a platform to manage enterprise risk.
METRICSTREAM SOLUTION: TAKING CONTROL OF SOX COMPLIANCE SYSTEM
Opportunities never come without a price. With Auditing Standard 5 come new compliance definitions, requirements and standards; forcing boards and managers to adopt an integrated approach to risk management as a business enabler and value driver. Amidst this dynamic environment, MetricStream, the provider of next generation GRC solutions, provides a robust technology-driven solution for easier and faster implementation for Sarbanes-Oxley compliance based on the Audit Standard No. 5 (AS5) guidance. It provides a proven end-to-end auditing solution that enables companies of all sizes, including non-accelerated filers, to automate critical compliance guidelines put by AS5 at significantly lower costs. Key components of the solution include:
Closed Loop Methodology
Ensuring Top-Down, Risk-Based Approach
The top-down, risk-based approach, as advocated by AS5, is integral to MetricStream's Closed-Loop methodology for scoping, and allowing the auditor to focus more attention and testing on significant accounts classes of transactions. It supports risk assessment and computations based on configurable methodologies and algorithms, giving a clear view into organizations risk profile. MetricStream’s automated solutions like materiality analyzer, dashboards, risk heat maps and risk calculator enables the managers to identify core areas that present the most significant risk that financial statements could be materially misstated.
Entity Level Controls
Enabling Identification and Tracking of Entity Level Controls
MetricStream’s solution leverages strong entity-level controls that have a positive effect on lower-level controls - allowing management and the independent auditor to identify and document entity level controls within a single framework, and share controls across risks and processes. It supports inquiry, observation and document inspection procedures for surveys and certifications, affirming the strength of the internal controls and monitoring controls across the enterprise; allowing the independent auditor to perform a combination of procedures to track likely sources of potential misstatements over vast database.
Automated Process Level Application Controls and Test Plans
Allowing Auditors to Leverage Work of Others and Maximize Use of Walkthroughs
The MetricStream solution provides an integrated framework that automates process level application controls and test plans, and reports the results for the entire test - including manual and application controls. Ensuring that the documentation of these processes always stay in sync, MetricStream provides complete visibility to the auditors so that they capitalize the number of visits to various company locations to test controls, and utilize the work of others by obtaining evidence and consider results in prior year’s testing to assess risk. The MetricStream solution features some best-in-class features like Web-based dashboards, configurable reporting functions, documentation of processes controls, and test plans for the auditors to use during the audit.
|AS5 Guidance||Tools and Approaches||Benefits|
|Use the work of Others||
|Systematization and On-Going Compliance||
Structured Workflow and Central Content Repository
Enhancing Systematization and Sustaining Compliance
Following AS5’s guidance on systematization and sustained compliance procedures, MetricStream offers automated systemassigned tasks, reminders, and escalations; which create structured workflow, and efficiently manage control hierarchy, testing, and certification. MetricStream’s solution provides a central content repository that archives periodic results (quarterly and annually), and provides comprehensive change control capabilities which establish link to work completed in the past for consistency. A library of customized tests for verifying key financial processes and application level controls within standard ERP systems makes MetricStream a best-in-class solution.
Ensuring Deficiency Evaluation
MetricStream features highly automated tools like Executive dashboards provide enterprise wide visibility into the quality and risk management process, and highlight deficiencies that need to be addressed. The solution has the ability to track deficiencies, identify concentrations or absences of them, address root causes, and support deficiency reporting policies; enabling enterprises to apply uniform criteria for deficiency evaluation to match AS5 and auditors’ requirements.
Automated Audit Management
Reducing Susceptibility to Fraud
MetricStream’s automated audit management module creates a risk profile for the enterprise, customizing internal controls based on the severity and likelihood of occurrence. The Materiality Analyzer module identifies the vulnerable business locations. It harnesses AS5’s flexible rules, allowing companies to create their own risk assessment of locations to determine which should be included in the scope of the audit. Management can assess inherent process risks with the risk calculator and put into place high, medium, and low risk controls. MetricStream’s risk-based methodology is crafted for today’s global business environment where comprehensive risk management is central to corporate strategy.
The PCAOB and SEC have good intentions in developing AS5: more flexibility, more discretion, less cost and the ability for smaller public companies to develop their compliance structure. AS5, if implemented efficiently, should result in a more focused and efficient process. Now is the time for management and auditors to "re-vamp" their SOX 404 compliance framework, and continue to work together to determine if they can realize greater efficiencies and value from their compliance processes. Enterprises have the opportunity to employ automated tools like materiality analyzer, risk calculator, central risk repository, comprehensive reports, and risk dashboards, review and improve their entity-level controls and risk management processes, and reduce compliance costs. In addition, by working with the external audit firm to incorporate this guidance into the audit scope and implementing technology-driven solutions, companies can reap the business benefits that come with improved risk management, including loss reduction, improved credit ratings and enhanced overall organizational performance.
- Quick Implementation
- Seamless Integration
- Built in reporting
- Robust Security