You have probably heard the inspirational quote “Believe you can and you’re halfway there” from Theodore Roosevelt. And because you just believed that you can complete and finish this 11-part tutorial on SOX 404 Auditing Standard 5, the good news is you are half way there! You have now reached Identifying Significant Accounts and Disclosures.

If you need a refresher on the previous segments, you can click on them below.

Part 1 – Integrated Audit Planning
Part 2 – Fraud Risk
Part 3 – Work of Others and Materiality
Part 4 – Top-Down Approach
Part 5 – Entry-Level Controls

Part 6 will cover the following sections:

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

 

Relevant Assertions

In order to identify significant accounts and disclosures and their relevant assertions, paragraph 28 basically talks about the five financial statement assertions:

  1. Existence or Occurrence
  2. Completeness
  3. Valuation or allocation
  4. Rights and obligations
  5. Presentation and disclosure
Five financial statement assertions
Fig. 3 -Five financial statement assertions that could cause misstated

Existence or occurrence is mostly about the assets. Do the assets exist? Did a transaction occur particularly for revenue, for example?

Completeness usually applies to liabilities and that’s because, in most companies, the incentive is not to hide their assets; the incentive is to hide the liabilities. Generally, completeness is more closely relevant to liabilities.

Valuation is about the judgments involved to see if a building or intellectual property is worth $1 million or $2 million. Depending on the current economic circumstances, that valuation can change. In the real estate industry, valuations are very common. The same building that existed the year before could be $1 million, but next year if it’s a hot market, it could double in value. When we experience a recession, that valuation can come down by half. The building hasn’t changed but its valuation has.

Rights usually relate to assets and obligations related to liabilities. Certain times you may have rights like land rights, Intellectual Property rights or they may be obligations. For the biotech industry, you may have certain obligations to pay the outsourced clinical trials vendor a certain amount regardless of the outcome, or you may enter into certain commitments that regardless of the outcome, there is an amount that you will have to pay. These are relevant assertions that may have to be disclosed or put into the financial statements.

significant accounts and disclosures and their assertions
Fig. 4 – A2Q2 significant accounts and disclosures

Presentation and disclosure are the last assertions. This is about how we present it in the financial statements or in the footnotes of the financial statements. A great example is technology companies, software companies, and the revenue line. Some questions to ponder on:

  • Are they focused on net revenue or gross revenue?
  • You sell $1 billion in revenue but really you get 2% of sales and have to pay the vendor 98%.
  • Should you be presenting revenue as net revenue?
  • Do you show gross revenue and show contra revenue (which is a deduction to revenue) or do you show it as an expense?

These are very critical judgments that companies make because that is how companies are evaluated on growth or their valuations are based on how fast revenue is growing. Revenue can grow extremely fast but if you have contra revenue that equals or exceeds it, you really don’t have revenue. That is why the assertions, when you think about significant accounts and their disclosures, help you have context.

The note in paragraph 28 talks about how the auditors have to use their judgment in terms of the types of controls that they select to test.

  • Depending on the significant accounts and the probabilities of incentives, am I more likely to boost assertions?
  • Am I more likely to reduce liabilities?
  • Am I more likely to not disclose certain commitment?

You have to think about the risk or the controls that are relevant for those assertions.

Significant accounts
Fig. 5 – A2Q2 significant accounts and disclosures note

 

Risk Factors

In order to identify the significant accounts, paragraph 29 talks about the risk factors.

Significant accounts and disclosures risk factors
Fig. 6 – Evaluate the qualitative and quantitative risk factors
Significant accounts and disclosures relevant assertions
Fig. 7 – A2q2 Significant accounts and disclosures relevant assertions
  1. Size and composition of the account – Size means if you have an extremely large balance that could be material, while composition means the type of balance like a large cash balance. But if the cash balance is mostly restricted for some reason you have to figure out what’s the incentive to change the balance? Maybe list it as not restricted. You need to think of the incentive or pressure management might have to change it.
  2. Errors or fraud – Next is to start thinking about significant accounts and check how are those accounts susceptible to errors or fraud? What’s the volume of activity, complexity, and homogeneity of the transactions processed?
  3. Volume of activity, complexity, homogeneity – Think of a business-to-commerce company where millions of transactions are paid using PayPal. Another example is Airbnb where it is a business doing business with lots of consumers, so there are lots of credit card transactions. The volume could be millions of transactions.

    In the same example, the complexity of the transactions is not that complex. You just swipe a card or you put in a card number to pay the charge.

    Homogeneity is where most transactions are the same and this is related at the transaction level. Another example is in a large company, Oracle for example, where the volume of activity, isn’t going to be millions and millions of $200 to $500 transactions, but it will be 1,000 and up transactions for $1+ million deals. The volume is a lot less but the dollar amount is a much bigger.

    Since Homogeneity is about how common or similar the transactions are, you have to consider the following in the Oracle example. Even though they’re selling software, maybe one of their transactions is to sell their Oracle ERP. Maybe another transaction is to sell their SaaS solution so there is some carve-out, some VSOE, or some other things that are not homogenous.

  4. Nature of the account or the disclosure – This is sort of self-evident like a cash account versus a prepaid account.
  5. Accounting and reporting complexities – For example, if you have debt or an equity type of transaction, that has high complexity because there are judgments involved.
    • Do you classify it as mezzanine debt between debt and liability, just debt?
    • Which part of it is debt versus equity?
    • What are the assumptions used to value it?
    • Do you have warrants or discounts on it?
    • What assumptions make up that valuation?
    • How much of it do we disclose in the disclosures about this particular transaction?
  6. Exposure to losses – Think of your money market account where it’s pretty “safe”. The cash is there; it’s not earning a lot of interest, but you’re not going to lose it. Another scenario is you could have a portfolio of international stocks or tech stocks that may be very volatile. What’s the potential exposure? If the market goes down, what will be your loss?
  7. Contingent liabilities – Think of recording the transaction on the balance sheet or not because it doesn’t meet certain criteria, then maybe it has to be disclosed instead.
  8. Related party transactions – This can be related to the Enron scandal. Some areas to look at are: Do we know whether related party transactions exist or not? Should they be in the account? Should they be separately disclosed and have highlights?
  9. Changes from the prior period – An example is an account that changed from one quarter to the next quarter. Maybe it’s called prepaids, but you need to consider that last year, prepaids was just standard insurance normal amortizations. And maybe this year, that account has something completely different in it like prepaid for marketing events.
     
    You need to watch out for some changes in that type of account that have to be either accounted for differently or at least be aware of so that it can be disclosed.

As we go along in the risk assessment process, the question we should be asking ourselves and think about significant accounts and disclosures is: What could go wrong within a given a significant account?

SOX 404 risk assessments
Fig. 8 – Risk factors

Paragraph 31 says that the significant accounts and disclosures are relevant for both the audit of financial statements and the audit of internal controls.

 

Consolidated Financial Statements

To explain paragraph 33 further, consider a billion dollar, multi-national company with lots of location or lots of business units, or even if it’s a smaller company, but there are locations that may add up to become significant. Having this in mind, there are consolidated financial statements where this whole assessment will be based on.

SOX audit Consolidating Financial Statement
Fig. 9 – A2Q2 Consolidating Financial Statement

The same paragraph mentions appendix B that will show you how to do scoping in deciding which locations are significant.

Typically, the rule for a significant location or business unit is 5%. This is just the general guideline and there are other qualitative factors that you want to consider as well.

  • If you have ten companies, you don’t have to individually test each one of them because it maybe that 9 of those companies in this big organization doesn’t really matter.
  • It could be that they are just there for legal protection purposes or tax purposes and have no activity.
  • Consider a consolidated basis.

These help you argue with your clients when doing the testing because it will reduce work and increase efficiency as you do not have to test 10 entities.

 
Summary
Again, when doing the audit, you are looking at the significant accounts or disclosure and the significant locations or business units.

To recap on the sections of part 6, click below.

The next part of this series is Understanding Likely Sources of Misstatement.

 

watch video in youtube

 

If you found this post helpful and
want to receive the next segment
sign up for blog