This question came to my mind after hearing multiple companies state it is a Sarbanes-Oxley requirement that they perform a recovery audit every one, two, or three years. As a company that provides recovery audit services and solutions, you would think this would put a smile on my face. But many years ago I was also an external auditor and CPA. So, it got me thinking about Sarbanes-Oxley, the COSO framework, and the overall spirit of SOX.
After considering it for several weeks, it is my assertion that a recovery audit is NOT a Sarbanes-Oxley requirement. You may find it a bit weird that this has been rattling around in my head and I would have to agree with you. But it has, so I figured I would blog about my thought process around it.
The SOX section 404 procedure is at the heart of the question. It basically requires the management of a public company and the external auditor to report on the adequacy of the company's internal control over financial reporting. In order for management to report on the adequacy of the internal control environment, it needs to test the controls. I believe the reason some companies interpret a recovery audit engagement as a SOX requirement is because it does test the control environment, in a manner of speaking. Recovery audits do identify breakdowns in business process such as duplicate payments, overpayments, unrecorded returned products, incorrect pricing, etc., but I do not feel that the procedures and tests performed by a recovery audit are the same type of testing that a traditional control audit would perform. These types of tests are typically performed in most public organizations by the company's internal audit group and are more in keeping with the original intent of the requirement than the analysis performed by a recovery audit firm. Lastly, I do not know of any recovery audit company that performs the engagement as an attest engagement. Recovery audit companies are not attesting to the control environment or the value of Accounts Payable at a certain time.
I personally believe that recovery audits are a best practice and every company should do one, but I do not believe it is a SOX requirement. It appears to me that most companies that view a recovery audit as a SOX requirement do so because of one of three things.
1. They include “recovery audit” as part of the internal control environment and therefore it must be performed.
2. It’s internal audit’s way to ensure A/P actually performs a recovery audit. I have found many times that Internal Audit is the driving force behind the recovery audit, not the A/P organization. Some A/P organizations dislike recovery audits as they feel it could reflect badly upon them.
3. The company interprets SOX regulations differently than I do. It is quite common to find two SOX experts who regularly disagree on SOX requirements.
I am curious… Does your organization feel that a recovery audit is a SOX requirement?
Thanks for reading,