The Sarbanes-Oxley Act of 2002 (SOX) designates management review controls (MRCs) as one of the required internal controls. MRCs are the reviews of key financial information conducted by a company’s management to assess its reasonableness and accuracy. They are a key aspect of a public company’s internal control over financial reporting (ICFR).
Examples of these SOX management reviews include:
- Review of reconciliations
- Review of journal entries
- Trigger events
- The work supporting an estimate
- Budget to actual variances
Management review controls are more complex than other controls since they require the examination of combined results as opposed to individual transactions. They involve comparisons of recorded amounts with associated projections based on knowledge and experience related to the business. This is the case because conclusions during the review are often based on historical documents and reporting that provide the necessary context to the reviewer. Being more than a simple yes or no confirmation means this type of internal control is more subjective and less clear cut. Consequently, a simple signoff by management after a review is no longer sufficient documentation to satisfy an internal audit or one performed by an external auditor.
In fact, due to the risk involved, the Public Company Accounting Oversight Board (PCAOB) requires detailed documentation of each MRC. Such documentation enables auditors to understand what historical information was evaluated, and what was discussed or considered to arrive at an approval. The level of detail required by auditors and PCAOB inspectors has become a point of contention for companies. Of course, companies want to avoid a material misstatement, especially in financial statements submitted to the Securities and Exchange Commission. But how much documentation is enough?
An example situation
Let’s look at bank account reconciliation performed by an accounting clerk as an example. They see the account balance on the general ledger and the balance on the bank statement are different because there’s activity that happens between month-end and when the bank statement arrives. The clerk must reconcile the difference between the two.
The review portion of the control is when the corporate controller reviews that bank reconciliation and approves it. It used to be enough for the controller to simply initial or sign off on it as reconciled. Now, since the management review control evolved, a simple signature isn’t sufficient. Documentation for this MRC must dive into the details of the review process and how the controller decided to approve it.
The documentation is supposed to guide a third party, an auditor, through the same process as the controller to reach the same conclusion. The challenge is documenting the detailed activities that lead to the conclusion that everything is okay or, if it’s not okay, documenting the rejection process as well as the resolution process. It’s somewhat like analyzing what a person’s approval and signature actually mean.
A more complex situation
A tax provision is another example, adding a bit more complexity. The books are closed and everything is complete. Then the tax team goes in to do a provision for income taxes. They figure out how much the state, local and federal tax estimates should be. They discuss their confidence in the estimates and all the things they’ve done to resolve it. Then there’s a meeting to review and sign off on it, where the VP of Taxes approves the final journal entry to book the provision for taxes.
In the past, that journal entry with the VP’s signature was sufficient documentation of the review. But today, MRCs require meeting minutes. These minutes must include the topics discussed, any potential conflicts or disagreements as well as how they were resolved and how they arrived at the approval conclusion.
Financial accountants don’t particularly like auditors reviewing the details of their thought processes around something like a tax provision because there is judgment involved. It’s the disclosure of their entire thought process and how they arrived at the acceptable tax numbers.
Typically, the data is confidential and they must expose the reasoning behind considering option A versus option B. Auditors might not agree with their decision. That’s the dilemma with MRCs—they often involve judgment calls. Providing the auditors with the details of the thought process and the activity so they reach the same conclusion of approval or rejection: that’s the real challenge.
Presenting these details allows auditors almost to be a fly on the wall, sitting and watching over someone’s shoulder so they understand what transpired during the meeting to draw their final conclusions.
Plus, auditing isn’t even part of the MRCs. This documentation is prepared so the auditors have some frame of reference to understand how approval decisions are made. This is why accounting and management don’t like it. They believe that these meetings are confidential, where judgments are discussed that auditors may not agree with.
The last thing they want is to have auditors in those meetings. Of course, a lot of this depends on the audit firm too. Some of them push to sit in on one of these meetings, in person, to actually witness the process, because although the meeting minutes probably contain enough information, they may not include every single detail. And when an auditor sits in, the openness in the meeting is often dialed back.
It’s a balancing act
So, providing all these details to auditors around how these judgments are made creates a lot of conflict and anxiety: anxiety over how much to document so the auditors can see that a detailed process exists and that a signature isn’t simply being put on the dotted line, as opposed to being completely transparent, which may not be in the best interest of the company. It’s a real balancing act!
Why documentation of MRCs is required
Of course, the reason detailed documentation of MRCs is required is because of situations where there is actually no process in place. For example, imagine a corporate controller signing off on people’s permissions to access the entire accounting system so they can do their jobs.
The problem is that these employees have access to do everything, including processes they don’t need to do their job. This makes it easy for them to create delusion and fraud if desired. When an auditor asks the controller about signing off on all these approvals, it becomes evident that the controller hasn’t been reviewing whether employees need all this access, because the controller feels it’s too much information to review.
In this case, the controller’s signature is more like a rubber stamp that could be used by anyone. This is an example where there is no control activity, just the appearance of one.
So, what if an incident occurs in this case? The controller would say they approved it and followed the letter of the law. But, they didn’t follow the spirit of the law. That creates risk for an auditor who’s given an opinion that everything is fine and then says that the control activity is working appropriately.
When something bad happens, like somebody committing fraud or stealing millions of dollars from the company, this control has failed. That reflects badly on the auditors, as well as the company, and creates audit risk, because investors expect the audit opinion to be valid. There’s conflict and anxiety here from both sides, and you can see why.
Anytime you’re dealing with financial information, building a system to reconcile and approve things certainly reduces the burden of documentation. Systematizing the process allows you to automatically document all actions taken, making it easier for an auditor to retrace the steps taken and confirm the control works. However, there will always be judgment involved in MRCs because of the nature of the information and processes being approved. Automation helps ensure the accuracy of financial information used to formulate these judgments while saving time for everyone involved.