Acquired company and SOX control exceptions 2932



  • We purchased a multi-location company this year. I understand that the management’s assessment of the internal controls for the acquired company can be excluded for this year end. However, the acquired locations have been using the parent company’s systems to post revenue and AP, record inventory, etc which are governed by the corporate SOX controls.
    There has been some errors noted during our audit for these locations. My understanding is that since the acquired locations have rolled into the parent company’s systems and processes, they are included in the populations for testing and the information is subject to audit review and tesing even though the ‘one-free’ pass is in place.
    Since the acquired company is utilizing the parent company processes and systems, would any errors found in an audit review equate to corporate SOX control exceptions? Or should the locations be carved out of the sample population and excluded from audit review?
    Thank you in advance for any comments.



  • I would place reliance on the areas that the parent company controls where the controls are universal to your subsidiaries (primarily systems controls) and scope out any manual controls at the acquired locations for SOX assertion purposes.
    My guess is that any errors are user errors on the part of the acquired subsidiaries as they transitioned to the new systems. These would be what I scope out.
    You would be responsible, however, to ensure that your controls around purchase (acquisition) accounting are in place when valuing assets and liabilities acquired.


Log in to reply