At the request of subscribers, Compliance Week has launched a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week's editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

THE QUESTION

Anonymous —

Is it important to keep FDICIA defined control documents separate from SOX ones? We were thinking the following: since many of the FDICIA control documents slid over to become SOX control documents, would it not be efficient to have those responsible attest to both sets of documents, rather than keeping documents that would be redundant within FDICIA for SOX? I hope that isn't too confusing; I'm just trying to make sure of that even though the control has been identified as a SOX and a FDICIA control. If it was first in FDICIA and now it falls more under a SOX category, why not eliminate that specific FDICIA Caf and just have the SOX one? Likewise, if a SOX Caf becomes questionable for its existence, then the question should be raised: Does it still exist as a FDICIA control? If yes, then it just changes the category of importance; if not, then it totally goes away. Does that sound right?

ANSWER

Kathleen Blanchard, Enterprise Financial Consulting —

There is no requirement to maintain FDICIA control documentation separately from or in addition to SOX documentation. A risk assessment can be conducted and risks and controls can be designated as SOX or FDICIA controls, perhaps by flags within your tracking program or database, with one set of documentation maintained.

Both SOX and FDICIA are concerned with accuracy of financial reporting. FDICIA also has safety and soundness and compliance requirements. Additionally, regulators are frequently requiring banks to conduct bank wide risk assessments of all risks and controls and to use these assessments to support banks' strategic plans. It is common now for new or revised regulations to require that policies and procedures be “risk based”, with a documented risk assessment part of the expected output.

A control calling for separation of duties can mitigate risks to financial statement accuracy, internal fraud, and safety and soundness, covering SOX, FDICIA and an enterprise risk assessment. Documentation should adequately demonstrate how the control protects against the various risks, eliminating any need for maintaining separate sets of documentation.

Conducting these various risk assessments individually can lead to a great deal of overlap, duplication and inefficiency. It makes sense for banks to step back and inventory the various risk assessments being performed to identify overlap and eliminate duplication wherever possible.

Maintaining separate documentation for SOX, FDICIA and other purposes could lead to version control problems when all need to be updated as processes change. One master set of documentation eliminates that potential problem, saves work, and saves space on servers.

If controls are coded as applying to SOX or FDICIA or an enterprise risk assessment, separate reports could be readily obtained as needed. This can be done by business line and roll up to a corporate consolidated report. This would satisfy any need of management, external auditors or regulators for separate reporting.

Note: Compliance Week's Remediation Center is an information service only. Answers to questions should not be construed to be legal guidance. Consult with your auditors, internal counsel, and external counsel on all critical compliance and governance matters.