Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)

Column 2004 number 4
When is a good time to talk about saving money on SOX 404 compliance?

by Matthew Leitch

(This article first appeared under the title "The Matthew Leitch Column: when is a good time to talk about saving money on SOX 404 compliance?" in Emerald Insight's publication "Balance Sheet", volume 12 number 4, 2004.)

A survey by KPMG published in January 2004 showed that companies affected by SOX 404 expected to spend many thousands of hours on compliance activities in the first year. For example, companies with turnover in the range $1bn - $5bn planned an average of 14,000 hours of skilled work. In most cases that is more than their external auditors have ever spent on an annual audit, let alone on the controls part of it.

For most, the main goal in this first year is to comply successfully, at virtually any cost, and the main strategy is to do what the regulators and external auditors seem to want. At some point this will change.

What is the time being spent on?

The effort is going into documenting financial processes and controls, mapping them to 'risks' and testing each control to see if it has operated and seems effective.

The focus on this strategy is so intense you would think the regulations say this is the only thing you can do, or that this is the most efficient way to establish the effectiveness of an internal control system.

Neither is true. The official requirements are that the evidence should include these sources, not be limited to them. The modern approach to auditing controls is risk-based auditing, not wall-to-wall controls documentation and testing. Risk should be taken into account throughout, not just in scoping. At about the time SOX was starting to bite, the Institute of Internal Auditors had just decided, officially, that risk-based auditing was the approach of the future. Similarly, PricewaterhouseCoopers adopted a deeply risk-based method for external audits some two years before the PCAOB was created.

The key to cutting costs

A general principle of auditing is that the wider you cast your net for evidence the more efficient your audit.

Why? Because 80% of the comfort tends to come from just 20% of the evidence. Consequently, the more types of evidence you consider the easier it is to get all the comfort you need by creaming off the best evidence from each type.

I don't think anyone has ever quantified this effect, but you can see that if your current approach involves grinding through hundreds of details that individually contribute little to the total comfort, then a way to double the range of evidence considered could cut costs dramatically. I'll give an example from my own experience later.

Finding other sources

KPMG point out that including tests of the 'tone at the top' and work on IT controls gives a more efficient audit. But this is just the start. Here are two more areas that most companies could use more:

Evidence of inherent risk: Everyone is using evidence about inherent risk to scope their controls work. What is the materiality of the financial flows? Is there change going on? This information is evidence; it needs to be communicated to the external auditors as clearly as any other evidence.

And you can extend this much further. For example, suppose you have a team looking at controls over changes to software in the financial accounting system, but in fact there have not been any changes. Your team has a choice between documenting and 'testing' controls anyway or getting evidence confirming that there have been no changes. Not a difficult choice you might think, but I have seen well trained, intelligent auditors choose the option of testing the controls anyway, in accordance with the original scoping decisions, the audit programme, and the audit manual of their organisation. Have a look at your own manual and see what it says.

Direct evidence of effectiveness: I've saved the best until last. The richest source is easy to use and so powerful it's worth changing your control methods to use it more. Direct evidence of effectiveness is information on actual errors and backlogs. It is true that there can be no direct evidence of undetected material errors in the financial statements - by definition. However, there are many sources of statistics on errors that were detected and on how people have coped with their workload, particularly error correction. I call these "process health indicators."

I have used this kind of evidence extensively in external audit work. It takes very little time to look at the indicators; it's like taking the patient's pulse. As you get more comfortable with the sources of the indicators their value as evidence increases further.

An example

In late 2002, when SOX compliance was just becoming a big issue, I was involved in a project to document internal controls for a global company. My role was to cover their UK operation. Money, it seemed, was no object, which is why even rather senior people like me were on site doing interviews and drawing diagrams. Two of us spent two weeks finding and documenting the controls.

After 4 man-weeks of work I could not say if their controls were effective or not. I could have got further in 4 man-days by going first for the evidence that would tell me most. My plan? Chat to the key people about how things are going and what has been changing recently. Find out if managers have enough information to know the health of their own processes. Find out what improvements or changes they're planning. Look at workload and backlogs. Look at key reconciliations to see how messy they are. Check customer complaints for possible billing errors and enquire after financial disagreements with other parties. Look at correcting journals to see why they are happening and how many of them there are.

I'm not saying the whole job could have been done in 4 days, but then neither had we done the whole job in 4 weeks of documenting.

Make a note somewhere you won't forget. "Four weeks or four days?" When the time comes to think about saving time and money on SOX 404 compliance you'll be glad you did.



Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher).
