At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

DETAILS

Brian Gramm is managing partner of Milo Belle Consultants, a governance, risk, and compliance firm with several locations throughout the country.

Gramm, a CPA and MBA, has guided several large, multi-national firms through SOX compliance, as well as several small non-traded companies. Milo Belle’s expertise in the execution of information technology audits has led the firm to significant growth during the recent down economy, and is assisting the firm’s growth into several new markets in 2009.

Gramm may be reached via e-mail at brian.gramm@milobelle.com.

Warning, Disclosure

Compliance Week’s Remediation Center is an information service only. Answers to questions should not be construed to be legal guidance. Consult with your auditors, internal counsel, external counsel, and/or other securities experts on all critical compliance and governance matters.

Specialists are solicited by the editor to answer Remediation Center questions based on their knowledge of the subject matter and their ability to provide commentary in their particular area of expertise. In some cases, the experts who answer questions in the Remediation Center may also be Compliance Week subscribers, or may work at firms that advertise in Compliance Week.

QUESTION

I work in accounting and Sarbanes-Oxley compliance for a major aerospace manufacturer, with multiple subsidiaries and operations around the globe. If your company has subsidiaries—especially foreign, but also local—who otherwise fall below your thresholds for full SOX compliance, under what circumstances would you still want some level of comfort that these subs have a sound internal control environment? How would you ask them to document that comfort level?

ANSWER

Great question, and a common one. I’ll go into some detail based on the specifics of what we recommend with our clients, knowing that I am making some assumptions for the sake of the response.

First, it should be noted that many CFOs are not comfortable simply ignoring the subsidiaries that fall outside the scope for SOX. There are many reasons for their concern, and specific audit plans can be written to make sure those concerns are directly addressed.

Second, your company needs to address the extent to which Auditing Standard No. 5 and its risk-based approach are being followed (versus, say, the more exacting approach required under the old Auditing Standard No. 2). That is key to determining the extent to which qualitative risk factors are considered when judging what should be in scope or not.

Now, to the heart of your question. We recommend a tiered approach to ensure that no major issues are floating around a “minor” subsidiary. In Year 1, a good approach is to have the non-SOX subsidiaries do a directed self-assessment. In a directed self-assessment, the subsidiaries’ staff draft what they believe to be the major issues, processes, and opportunities, and submit those write-ups to your internal auditing department.

IA then reviews the write-ups and drafts a series of questions to get a deeper understanding of the breadth and depth of the items noted. These questions are to seek understanding—they are not intended to be “test scripts.” The subsidiaries then self-assess again in response to the questionnaires, and the responses are again reviewed by IA. Often, any significant issues addressed during this process are scoped into SOX through the qualitative assessment. That typically wraps up the first year.

In Year 2, you want to move away from self-assessment as the internal auditing department becomes more involved. Using the sum of the write-ups and questionnaires accumulated in Year 1, IA sets a prioritized list of subsidiaries to be audited. The ranking of the list should be a combination of risk-based considerations and ease of execution (which helps keep budgets in line). Then, the subsidiaries are scheduled for audit on a rotational basis.

At this point, test scripts are written for the subsidiaries that are to be audited in Year 2. The basis of the test scripts is the write-ups and the questionnaires, but remember that these documents often need a fair amount of “scrubbing,” since they were neither written by internal audit professionals nor written for the purpose of testing. The level of testing is less invasive than that done for SOX, and usually can be done in less than two weeks, depending on the size of your internal auditing team.

In Year 2, and all years going forward, an evaluation of the issues found is in order. Often, the findings will cause the specific process at a subsidiary to be pulled into the SOX project. Otherwise, it simply becomes a rotational audit schedule for the subsidiaries.

Hope that helps. Good luck!