Shapi's Summary of PCAOB AS-5
December 20, 2006
So I read the PCAOB's new release last night. Here's what I think are the most noteworthy points:
1) They keep saying (p.6, A1-9) they will look for controls to prevent management override.
2) Company-level controls may be sufficient to address certain WCGWs (p.6 note 10, p. A1-9)
3) Audit procedures should be flexible and dynamic. The auditor should continually adjust his procedures to reflect new information learned (p.7). This includes knowledge based on previous years' work. Such knowledge can allow the auditor to reduce testing in some areas based on the effect this knowledge has on risk assessment (p.19, A1-26)
4) Testing procedures depend on risk. There should be a direct relationship between risk and evidence necessary to confirm controls to mitigate it (p.7, A1-21)
5) When determining the risk related to a given control, the auditor should take into consideration the audit procedures performed in the financial statement audit (p.8)
6) Regarding the new "definition" of MW - a "reasonable possibility": When I heard the PCAOB was coming out with this, I thought it meant something different than the old definition, "a less than remote chance." I was wrong; they both mean the same thing. The new definition is just a clarification of the old one (p.9)
7) "Strong indicators" of MWs are no longer automatically SDs (p.11).
8) SDs that are not remediated timely may or may not be MWs. It depends on why they were not remediated. If the company is not sufficiently committed to remediating SDs then it becomes an MW because it reflects on the control environment, not because of the issue itself (p.12; see also p. A1-30)
9) The same materiality and procedural guidelines for the financial statement audit should be used in the audit of ICFP (pp. 13, 14, A1-5).
10) There is no longer a requirement for the auditor to provide an opinion on management's assessment of internal controls; auditors only express an opinion on the effectiveness of the internal controls themselves (pp. 15, 16)
11) Auditors still need to acquire an understanding of management's process to determine the amount of management work they can rely on, as well as other reasons. However, the extent of work that auditors should perform for these purposes should be limited (p.16)
12) The amount of work the auditors can rely on depends on the competence and objectivity of those who performed the work. To determine this, auditors should, among other things, test some work of the individual whose work they want to rely on (p.17, 24, p. A2-4)
13) Besides relying on work of management, auditors may also have management assist them in their own work (p.A2-8).
14) Auditors only need to obtain from management information that constitutes evidence about effectiveness of internal controls or potential misstatements. Anything beyond this does not need to be provided to the auditors (p.23, p. A2-3, p. A2-4).
15) Auditors only have to do walkthroughs for each significant process, not for each significant transaction within the process (p.26)
16) Auditors should use individual circumstances to determine specific procedures, based on the Standard's general principles (p.31).
17) Lack of documentation of a control is NOT determinative of the lack of a control. In smaller companies, such documentation is typically lacking. In such cases, inquiry, observation, and other such procedures can suffice for testing (p. A1-8).
18) Testing only should be done when a controls deficiency will violate an assertion to the point of creating a MW (p. A1-11, A1-18; see also p. A1-15).
19) You don't need to identify assertions. Quote: "The auditor may base his or her work on assertions that differ from those in this standard if the auditor has selected and tested controls over the pertinent risks in each significant account and over the representations by management that have a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated." (p. A1-16).
20) There is no preference for a preventive control over a detective control (p. A1-19)
21) Benchmarking is permitted for automated application controls (p.A1-26, A1-57, A1-58).
Integration of Duties I
December 15, 2006
Even after two years of struggling to streamline the Sarbanes-Oxley compliance process, particularly in regard to Section 404, much of corporate America believes there is still room for improvement.
The culprit this time is ITGC.
404 requires the identification and testing of key controls that prevent material financial misstatement. But while the effect of routine financial-side controls such as bank recs and rollforwards can be clearly and measurably linked to the financial statements, exactly where, and in what amount, a failed ITGC will impact the financials is not always clear.
And if you don't know if, where, or in what amount your control affects your financial statements, then from a 404 perspective, you do not know whether it is a key control.
Part of the problem is that Internal Audit departments are not prepared for - and certainly not experienced with - this kind of approach. Before SOX, the well-known "pervasive" effect of ITGC on the financial statements was more than enough to warrant the close scrutiny of IT auditors. Hither came SOX, which requires the identification and testing only of key controls that have a material effect on the financial statements. That includes key controls on the IT side, if they have a material effect on the financial statements. The need to tie ITGC to material financial misstatement is new, and auditors do not have an established approach to doing it.
So how have companies been choosing which ITGC are considered key?
By squandering a lot of resources, it seems. The IIA reports:
In the absence of current guidance that enables an identification of specific risks, many organizations are performing full IT general controls testing on all applications involved in financial reporting processes. As we indicated in our response to the recent SEC Roundtable, we believe that has led to excessive testing and resource costs among both registrants and their auditors.[1]
And from Deloitte:
[I]t is important to note that many companies, generally speaking, have struggled with conducting the IT portion of their assessments of internal control. For instance, many companies struggled to understand what was required relative to IT controls, and in particular with the issue of identifying which IT controls are indeed relevant to financial reporting. They also struggled in applying a risk-based approach for IT, and as a result, spent time documenting and testing controls in areas of lesser risk. Overall, many companies have tended to document and test IT general controls without a good understanding of how their computer processing environments and the related IT general controls impact the financial reporting process and the associated risks.[2]
And from the Institute of Management Accountants:
[R]egistrants and auditors are spending a significant amount of time documenting and testing IT general controls (and application controls) even though past experience has shown these controls are effective and pose low risk as it relates to a misstatement of financial reporting.[3] There has been an overemphasis on the area of general computer controls as a result of lack of clarity of the level of testing required, lack of appropriate assessment of risk and companies defaulting to the Control Objectives for Information and related Technology ("COBIT") framework as a supplement to COSO.[4]
(to be continued)
______________________
[1] David A. Richards CIA, President, IIA, Response to SEC Release No. 34-54122; File No. S7-11-06, Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting, September 18, 2006. http://www.sec.gov/comments/s7-11-06/s71106-145.pdf. Examples of companies with the same experience include NASDAQ, whose SVP of Internal Audit, Brian G. O'Mally, commented to the SEC: "Guidance is required to identify the portions of IT frameworks that are specifically applicable to SOX. In the absence of such guidance, the conservative approach taken by many auditors causes the entire framework to be incorporated into SOX compliance efforts." http://www.sec.gov/comments/s7-11-06/s71106-168.pdf. Similarly, Kerry Bailey, SVP Global Operations, Cybertrust Corp., writes: "To date, the determination of the IT general controls to be tested in a given filer's environment has been a delicate negotiation between the filer and the public accounting partner, with the advantage clearly in favor of the accounting firm. There has been no clear definition of relevant controls, no consensus on the scope of the target environment that produces the financials as a subset of the entire corporate computing environment, and no uniformity in testing methodology. This has contributed greatly to the exorbitant costs of Section 404 compliance for the accelerated filers, and is a source of concern for small and micro-caps." http://www.sec.gov/comments/s7-11-06/s71106-72.pdf. And Jeff Straton, VP US Operations Finance and Corporate Controller at Alcon, comments: "Based on discussion forums, articles we have read in various publications, and our experience, most companies feel they are spending excessive amounts of time in the testing of controls related to general computer controls and specific controls over applications. By their very nature, automated financial controls are in place to eliminate human errors. Once a base-line for automated financial controls has been set, continued testing is redundant, and should be minimized." http://www.sec.gov/comments/s7-11-06/s71106-64.pdf
[2] http://www.sec.gov/comments/s7-11-06/s71106-106.pdf p.24
[3] http://www.sec.gov/comments/s7-11-06/s71106-75.pdf p.4
[4] Ibid. p.7
Labels: Identifying Key controls, Integration of Finance and IT, ITGC
SEC Votes to Improve SOX Implementation
December 14, 2006
Here's what they said, short version:
1) Materiality threshold for misstatement is higher: The definition of Material Weakness was changed from a "more than remote possibility" that a material misstatement in the financial statements would not be prevented or detected in a timely manner, to a "reasonable possibility" that a material misstatement in the financial statements would not be prevented or detected in a timely manner. I assume a "reasonable possibility" is greater than a "more than remote possibility".
2) Risk evaluation more customized: Management is allowed to direct its efforts towards those areas that pose the greatest risk to reliable financial reporting based on the company's unique facts and circumstances. Support for this evaluation can be done in a variety of ways that involve management's existing daily interaction with the business, self-assessment, and other ongoing monitoring activities.
3) Documentation requirements are eased (a bit): Documentation of controls and testing can take many forms, can be presented in a number of ways, and does not need to include all controls within a process that impacts financial reporting. Sometimes you can rely on your daily interaction with your controls as a basis for your assessment with no additional transaction testing. In such a case, you may have limited documentation created specifically for the testing beyond documentation of how that interaction gave you comfort that the controls are effective.
For the long version, click here.