Leveraging

Sarbanes-Oxley
to drive change
and mitigate risk
in small and
medium-sized
entities

Sarbanes-Oxley:

Friend o

22 Sarbanes-Oxley • Disclosures • July/August

or Foe? By Heather Judson, CPA, CMA
I
s the Sarbanes-Oxley Act (SOX) a friend or foe to small and
medium-sized companies (SMEs)? Often, those entities will
answer “foe.”
Status quo may generally be the policy followed by
SMEs, which are those publicly traded companies with
less than $75 million in market capitalization, as defined by the
U.S. Securities and Exchange Commission. Typically, SMEs will
either scramble to document their processes just prior to their
financial audits or will rely on the external auditors to document
their processes for them.
Explaining the status quo
For SMEs, SOX can seem to be an exercise in documenting
what actually occurs. This may seem tedious and without merit.
Each department knows what they do and may wonder why they
need to write a narrative explaining their duties.
Often the answer to this question is “because the auditors
asked for it.” However, SMEs might do better to engage the
various departments and show them how they can benefit from
SOX. The first step to getting department managers on board
Sarbanes-Oxley • Disclosures • July/August 23
is to present top management with the benefits that may be had
from utilizing SOX, such as driving change and mitigating risk.
PCAOB direction
The Public Company Accounting Oversight Board (PCAOB)
instructs external auditors in Auditing Standard No.5 (AS5)
to “evaluate the extent to which he or she will use the work of
others to reduce the work the auditor might otherwise perform
himself or herself.” Further, the PCAOB allows the external au-
ditor to rely on the work of “internal auditors, company person-
nel (in addition to internal auditors), and third parties working
under the direction of management or the audit committee.”
This statement should pique top management’s interest.
Any documentation or procedures that are performed in house
should save money on the overall audit. Top management should
encourage external auditors to utilize any viable internal docu-
mentation. This alone should have management interested in
performing SOX procedures in house.
In AS5, the PCAOB directs the external auditor to ask him or
herself “What could go wrong?” in determining likely sources w
 Table 1: for potential misstatements in the finan-
cials. This is basically asking: “What risks
Examples are present?”
Mitigating risk
of risk Enterprise Risk Management (ERM)
has become the best practice for larger
Strategic risks corporations. The “Enterprise Risk Man-
Higher-level risks mainly external to the agement — Integrated Framework” from
company the Committee of Sponsoring Organiza-
•• Change in interest rates tions (COSO) of the Treadway Commis-
sion, published in 2004, defines ERM as
•• Customer buying behavior change “a process, effected by an entity’s board of
directors, management and other person-
•• Substitutes enter the market
nel, applied in strategy setting and across
•• Technological advances the enterprise, designed to identify poten-
tial events that may affect the entity, and
•• Trade embargos manage risk to be within its risk appetite,
•• No business process improvement to provide reasonable assurance regarding
the achievement of entity objectives.”
Operational risks The article further stratifies the com-
Lower-level risks mainly internal to the pany into four categories susceptible to
company risk: strategic, operations, reporting and
•• Fraud compliance. Strategic risks are those that
affect the company at a high level and
•• Workplace safety tend to be external to the company. Many
strategic risks can be explored through
•• Product flaws
the entity-level assessment performed
•• Business disruption in SOX. Operational risks are those that
affect the company at a lower level in its
•• Damage to physical assets day-to-day operations. Reporting risks
•• System failures are those risks that affect the reliability of
financial reporting, and compliance risks
Reporting risks affect compliance with applicable laws and
Risks relating to the reliability of financial regulations.
reporting Many of the operational, reporting and
•• Transactional errors compliance risks can be examined and ad-
dressed in the various process documents
•• Miscommunication created through SOX. See Table 1 for
more information on risks.
•• Data entry or loading error
•• Accounting error Best practices
Various department heads should
•• Inaccurate external report be encouraged to go through the SOX
•• Missing transactions process of interviews, walkthroughs, gaps
and management action plans. A company
Compliance risks employee documenting processes with a
Risks relating to applicable laws and critical eye and a sense of the big picture
regulations can help the various departments run
•• Changing or new laws and regula- smoother and with less error. Addition-
tions ally, he or she can help the various depart-
ments work together to mitigate risk.
•• Inadequate staff training It’s important to understand best
practices and potential risks before start-
•• Miscommunication
ing the SOX documentation process.
•• Human error Best practices are the current standard.
When researching best practices, you are
endeavoring to learn from the experience
24 Sarbanes-Oxley • Disclosures • July/August
and knowledge of others. You are looking
for the best in the business.
Don’t discount the less than best. The
stories of the less than successful will give
you an idea of the risks that you might
face. For instance, stories of employee
theft can help you to understand the prac-
tices that lead to that risk materializing.
Perhaps the company failed to segregate
duties surrounding cash or failed to physi-
cally secure assets.
Best practices research is usually inex-
pensive. The Internet is a wealth of infor-
mation, and you can find information at
the library. You can network and conduct
research through professional organiza-
tions. Furthermore, once you identify
organizations and people you should talk
to, you can initiate informal chats on the
subject matter.
Interviews
You can begin your organization’s SOX
documentation once you understand the
best practices and key risks surrounding
each process. The first step is to interview
the manager of the process, who can ex-
plain everyone’s role in that area. Addi-
tionally, he or she will be able to provide
you with a bird’s eye view of the process
and its controls. Keep in mind you are fol-
lowing a transaction from its inception to
all the stops it makes along the way prior
to hitting the general ledger.
The interview process should feel like
an informal conversation rather than an
interrogation. The interviewee should
feel comfortable and relaxed. Stay in
control of the conversation and keep the
interviewee on topic. Make sure to use
open-ended questions rather than leading
questions. You want to know who, what,
when, where, how and why. You don’t
want to ask yes or no questions. See Table
2 for question examples.
Keep in mind that silence is a strong
stimulus for conversation. Typically, your
silence is an indicator that the other per-
son should be talking. People tend to want
to fill silence with conversation. Once the
interviewee is responding to the open-
ended questions, you can follow up with
more direct questions to clarify details.
When you understand the process from
start to finish, make sure to repeat the
process back to the interviewee. Make
sure to mention all the key employees’
names. Repeating the information back
to the interviewee ensures that there has
been no miscommunication. Leave the
interview with the possibility of follow-up
questions. Document the interview in a
narrative immediately following the inter-
view while your memory is fresh.
Narratives
You can start the documentation
process by dividing the process into sub-
processes. For cash receipts, this might
be: receive cash, deposit cash, petty
cash, bank reconciliation and collections.
Use titles rather than employee names
throughout the narrative so that updates
are easier. You want to identify key con-
trols and gaps.
In the 2008 “Sarbanes-Oxley Section
404: A Guide for Management by Internal
Controls Practitioners,” the Internal Insti-
tute of Auditors (IIA) defines a key control
as “a control that, if it fails, means there
is at least a reasonable likelihood that a
material error in the financial statements
would not be prevented or detected on a
timely basis. In other words, a key control
is one that is required to provide reason-
able assurance that material errors will be
prevented or timely detected.”
Each key control should have key
information documented as well. The IIA
guide further recommends documentation
“such as identifying who is performing the
control, when the control is operating
and at what frequency, how the control is
performed, what evidence exists that the
control was performed, and which reports
are used in the operation of the control.”
Gaps are missing controls, and best
practices research helps identify these
controls. For example, a gap may be that
the bank deposit is prepared by the same
person who updates customer accounts,
updates the general ledger and reconciles
the bank statement. This would go against
segregation of duties, which is one of the
best practices surrounding cash receipts.
The IIA guide recommends that a nar-
rative “enables a reasonably knowledge-
able individual — this person does not
have to be an expert with experience in
the area, but should have some knowl-
edge of the company or its business — to
understand the process;” and “overall,
enables a reasonable person to have a basis
upon which to assess the design of the
controls: Are the controls identified and
documented sufficiently to either prevent
Sarbanes-Oxley • Disclosures • July/August 25
or detect a material misstatement?” After
completing the narrative process, the next
step is to perform a walkthrough.
Walkthroughs
Sometimes what is perceived as stan-
dard operating procedure isn’t what actu-
ally occurs. A walkthrough will get you
down into learning and testing the details
with the person who performs the day-to-
day transactions.
In AS5, the PCAOB explains that
“some types of tests, by their nature, pro-
duce greater evidence of the effectiveness
of controls than other tests. The following
tests that the auditor might perform are
presented in order of the evidence that
they ordinarily would produce, from least
to most: inquiry, observation, inspection
of relevant documentation, and re-perfor-
mance of a control.”
A walkthrough starts by interviewing
the employees who perform the duties in
the narrative. The interview techniques
described above should be utilized. How-
ever, as the person “walks” through the
process, they should ask “show me” for
each control along the way. For example,
if the employee says that a check log is
maintained, then the evidence of one
day’s check log would be asked for.
Furthermore, if the employee says
that the controller matches the check log
to the day’s deposit slip and initials the
deposit, then the deposit slip related to
the check log observed would be asked
for. If the employee says he or she updates
the accounting system and must use a
password to log in, then re-performance
would be utilized to see the control work.
Through this process, it can be ob-
served if the narrative documented by
management matches the walkthrough.
Sometimes there are additional controls
management may not be aware of, forgot
to mention or didn’t realize were effec-
tive controls. Sometimes the controls
communicated by management are not
being performed correctly or at all. Also,
through the best practices research, miss-
ing key controls can be documented based
on what actually occurs.
Walkthroughs are a great way to un-
derstand how standard operating proce-
dure documentation and narratives match
up to what actually occurs. By asking
for the employee to show each control
through documentation or re-perfor-
mance, the walkthrough can be docu-
mented and management can be updated
accordingly.
Operation improvement
Additionally, employees should be
asked questions in regards to process
improvement:
•• If someone wanted to commit fraud,
how would they do it?
•• If you were to improve this process,
what would you do?
•• Are there redundancies in this process?
How would you make the process more
efficient?
•• Is there any training you wished you
had to help you perform your job?
•• What equipment, programs or assis-
tance do you wish you had?
Asking these types of questions can
help pinpoint areas for improvement and
may help management improve its w
Table 2:
Question this
Leading questions
•• Do you have a check log to record
checks as they are received?
•• Do you segregate duties surround-
ing cash receipts?
•• Do you give numbered receipts to
customers?
•• Do you keep copies of the checks
deposited?
Open-ended questions
•• What’s the first thing that happens
when you receive mail with checks?
•• Who opens the mail? Who updates
customer accounts? Who makes
bank deposits? Who performs the
bank reconciliations?
•• How do you process customer pay-
ments?
•• What records do you maintain?
 Impress the Big Dogs
operations. SOX process documentation
can be leveraged by asking about process
improvement even though this step might
not be required. Suggestions to improve
Nothing impresses management or clients like operations can be provided to manage-
finding anomalies not previously detected. ment.

Gaps and a MAP

Identify control and transaction issues
before they become a problem for
your organization or client with
IDEA® – Data Analysis Software.
Access and analyze large
volumes of data in seconds to:
 Identify errors and detect fraud
 Extend your auditing capabilities
 Meet documentation standards
IDEA is a registered trademark of CaseWare International Inc.
For a free demonstration CD of IDEA,
contact us at audimation.com
or call 888-641-2800.
FOCUS YOUR SEARCH AND GROW.
The new VSCPA Career Center makes
searching for jobs or candidates more efficient,
leaving you more time to focus on growing
your business opportunities. Simply set up an
Agent and receive updates whenever jobs or
resumes matching your criteria are first posted.
(800) 733-8272
WWW.VSCPA.COM
QUALIFIED CANDIDATES
PROFESSIONAL PROFILES
SEARCHABLE PORTFOLIOS
AFFORDABLE JOB POSTINGS
RESUME ACCESS INCLUDED
V S CPA CARE E R CE NTE R
JOB SEEKERS | EMPLOYERS
Virginia Society of
Certified Public
Accountants
After the walkthrough is complete and
documented, and the narrative has been
updated for walkthrough findings, it’s
time to bring management in to discuss
the results. Management should be made
aware of the identified control gaps in the
processes.
Once the gaps have been communicat-
ed to management, it’s up to management
to communicate a management action
plan (MAP) to remedy gaps. Additionally,
they should give a timeframe for imple-
mentation of the MAP.
The risk identified in the gap can be
remediated in various ways. Management
may take the position that the gap presents
a risk that is not material to the financials
and thus does not require any remedia-
tion. Management may transfer the risk
through an insurance policy. Management
may reduce or mitigate the risk through
action.
Changing mindsets
SMEs tend to adopt the philosophy of
only looking at processes to put out fires
— only if something is broken will they
spend time to fix it.
In contrast, Kaizen, the Japanese
philosophy of continuous improvement,
adopts the attitude of “even if it isn’t bro-
ken, it can be done better.” This philoso-
phy encourages businesses to make small
improvements continuously day to day,
and it can certainly be applied to SOX
documentation.
Leveraging SOX can help evaluate and
improve the operations of any business
continuously and over time. 

Heather Judson, CPA,

is a management
accountant at a private
medical manufacturing
company. Contact her
at hljadds@yahoo.com.

26 Sarbanes-Oxley • Disclosures • July/August