Table of Contents
Title Page
Copyright Page
Preface
Chapter 1 - Understanding the SEC’s Guidance for Management
PURPOSE OF INTERNAL CONTROL OVER FINANCIAL REPORTING
EVALUATION PROCESS
REPORTING CONSIDERATIONS
RULE AMENDMENTS AND OTHER SEC GUIDANCE RELATED TO INTERNAL CONTROL OVER ...
Chapter 2 - The PCAOB’s Auditing Standard No. 5
EIGHT CONCEPTS TO FOCUS THE AUDIT ON MATTERS MOST IMPORTANT TO INTERNAL CONTROL
NEW EMPHASIS ON ENTITY-LEVEL CONTROLS
IMPORTANCE OF A FRAUD RISK ASSESSMENT
TIPS TO ELIMINATE UNNECESSARY PROCEDURES
SCALING AUDITS FOR SMALLER COMPANIES
Chapter 3 - SEC’s Guidance on a Risk-Based Approach
SEC Roundtable Discussion
SEC Commission Statement
Using a Top-Down and Risk-Based Approach to Narrow Scope
Pointers on Qualitative and Quantitative Factors Involved in Scoping
Staff’s Ideas on Efficiency
When to Use Annual or Quarterly Financial Periods in Analyses
Timing of Tests of Control
Qualitative Factors to Consider in Evaluating Deficiencies
How Financial Statement Restatements Affect an Evaluation of Deficiencies
IT Systems Implementations and Upgrades
Four Principles of the SEC’s Auditor Independence Requirements
SEC’s Nine Categories of Prohibited Services
Chapter 4 - Highlights of the PCAOB’s May 2005 Policy Statement
POLICY STATEMENT HIGHLIGHTS
INTEGRATING THE FINANCIAL AND INTERNAL CONTROL AUDITS
IMPORTANCE OF PROFESSIONAL JUDGMENT
TOP-DOWN APPROACH AND ROLE OF RISK ASSESSMENT
WHEN AUDITORS CAN USE THE WORK OF OTHERS
AUDITORS’ ABILITY TO PROVIDE ADVICE TO AUDIT CLIENTS
HOW THE PCAOB INSPECTIONS HELP DRIVE IMPROVEMENTS
A FINAL COMMENT
Chapter 5 - Starting at the Top: Using Entity-Level Controls to Create Efficiencies
WHAT ARE ENTITY-LEVEL CONTROLS?
HOW STRONG ENTITY-LEVEL CONTROLS CAN REDUCE THE SCOPE OF YOUR PROGRAM
HOW TO APPLY COSO’S RECENT INTERNAL CONTROL GUIDANCE
HOW TO CREATE A WINNING CONTROL ENVIRONMENT
STEPS FOR CREATING A USEFUL RISK ASSESSMENT PROCESS
CONTROL ACTIVITIES
CREATING AN EFFECTIVE INFORMATION AND COMMUNICATION PROGRAM
HOW TO IMPLEMENT SUCCESSFUL MONITORING CONTROLS
HOW TO ASSIGN ROLES AND RESPONSIBILITIES TO ENHANCE INTERNAL CONTROLS
SMALL-COMPANY ISSUES FOR IMPLEMENTING ENTITY-LEVEL CONTROLS
SUMMARY OF COSO’S GUIDANCE FOR SMALLER PUBLIC COMPANIES
Chapter 6 - Minimizing Excess through Proper Scoping and Planning Practices
SCOPING ANALYSIS: EVENT OR PROCESS?
HOW TO DETERMINE MATERIALITY FOR SCOPING PURPOSES
HOW TO USE A TOP-DOWN, RISK-BASED APPROACH TO REDUCE THE SCOPE OF YOUR PROGRAM
METHODS FOR DETERMINING SIGNIFICANT LOCATIONS
SEC Guidance
SPECIFIC AREAS INCLUDED AND EXCLUDED BY THE PCAOB
PCAOB AND SEC GUIDANCE ON OTHER COMMON SCOPING ISSUES
TIPS FOR RESOURCE PLANNING AND DEVELOPING USEFUL TIMELINES
Chapter 7 - Advantageous Project Management Techniques
11 AREAS OF FOCUS FOR THE SECOND YEAR AND BEYOND
HOW TO INCREASE PRODUCTIVITY WITH A SOUND MANAGEMENT APPROACH
AIM FOR THE TARGET INSTEAD OF THE WAY TO GET THERE
MORE PROJECT MANAGEMENT TIPS
STAFFING STRATEGIES
RESTRUCTURING THE ORGANIZATIONAL CHART FOR SUSTAINABILITY
HOW TO COMMUNICATE EFFECTIVELY THROUGH EMAILS, MEETINGS, AND ADVISORIES
TACTICS FOR DEALING WITH BUSINESS CHANGES FOR SECTIONS 302 AND 404 COMPLIANCE
Chapter 8 - Streamlining Documentation
THREE IDEAS TO IMPROVE YOUR OVERALL DOCUMENTATION PROCESS
CLEARING THE CLUTTER: HOW TO CREATE AND MAINTAIN MEANINGFUL CONTROL MATRICES
USING RELEVANT FINANCIAL ASSERTIONS FOR PLANNING PURPOSES
FINANCIAL ASSERTION HELP FOR NONAUDITORS
TECHNIQUES FOR SCRUTINIZING THE NUMBER OF KEY CONTROLS
HOW TO REDUCE AND IMPROVE CONTROLS WITH STANDARDIZATION
PRACTICAL IDEAS FOR DOCUMENTATION AT INTERNATIONAL LOCATIONS
HOW TO CREATE AN EFFECTIVE SPREADSHEET CONTROL PROGRAM
HOW TO CREATE STRONG FINANCIAL REPORTING CONTROLS
TOOLS FOR ASSESSING CONTROL DESIGN
AN ALTERNATIVE TO GAP REMEDIATION
THREE MORE IDEAS FOR IMPROVING DOCUMENTATION
Chapter 9 - Economical Testing Techniques
TESTING CONTROL DESIGN AND OPERATING EFFECTIVENESS
PRACTICAL STEPS TO APPLYING GUIDANCE ON THE NATURE, TIMING, AND EXTENT OF TESTING
SUGGESTIONS FOR TESTING SIGNIFICANT MANUAL AND NONROUTINE TRANSACTIONS
USING UPDATE TESTS TO EASE THE BURDEN OF TESTING AT YEAR-END
FIVE IDEAS FOR THE TIMING OF CONTROL TESTS
TYPES OF CONTROL TESTS AND WHEN TO USE THEM
WHY YOU SHOULD MINIMIZE THE USE OF SELF-ASSESSMENT TESTS
MAXIMIZING YOUR AUDITORS’ RELIANCE ON THE WORK OF OTHERS
MORE INSPIRATION ON EFFICIENT TESTING
Chapter 10 - Methods for Remediation Madness
DO ALL CONTROLS HAVE TO BE REMEDIATED?
FOR-NOW APPROACH TO REMEDIATION
CREATING MEANINGFUL REMEDIATION PLANS
NINE PRACTICE TIPS FOR THE REMEDIATION PHASE
SUFFICIENT PERIODS FOR REMEDIATED CONTROLS
STEPS TO PREPARE FOR RETESTING
PROJECT MANAGEMENT TOOLS FOR REMEDIATION
Chapter 11 - Taking the Mystery Out of Evaluating Deficiencies
DEFICIENCIES DEFINED
ANALYTICAL STEPS FOR EVALUATING DEFICIENCIES
ARE ALL EXCEPTIONS CONSIDERED DEFICIENCIES?
TECHNIQUES FOR AGGREGATING DEFICIENCIES
TYPICAL MATERIAL WEAKNESSES
UNIQUE NATURE OF IT GENERAL CONTROL DEFICIENCIES
MARKET’S REACTION TO PROCESS SPECIFIC VERSUS PERVASIVE MATERIAL WEAKNESSES
HOW TO IMPROVE MATERIAL WEAKNESS DISCLOSURES
AS NO. 4 AND REPORTING WHETHER A PREVIOUSLY REPORTED MATERIAL WEAKNESS STILL EXISTS
SUCCESSFUL COMMUNICATION OF DEFICIENCIES TO MANAGEMENT AND THE AUDIT COMMITTEE
SUGGESTIONS FOR MANAGEMENT’S FINAL ASSESSMENT REPORT
Chapter 12 - Common Areas of Concern and How to Address Them
CONTROL OPTIONS FOR THE USE OF SERVICE ORGANIZATIONS
WHAT TO DO WITH MERGERS AND ACQUISITIONS ACTIVITIES
A UNIQUE SOLUTION FOR MANAGING THE TAX PROCESS
HOW TO MINIMIZE IT DEVELOPER ACCESS TO PRODUCTION ISSUES
WHAT TO DO WHEN YOUR ERP SYSTEM IS NOT COMPATIBLE WITH YOUR ACCESS CONTROLS
TIPS FOR CHANGING ERP SYSTEMS AND STAYING SOX COMPLIANT
PRACTICAL IDEAS FOR DOCUMENT RETENTION REQUIREMENTS
THOUGHTS ON CHANGING ACCOUNTING FIRMS
Appendix A - Simplified Sample Entity-Level Control Matrices
Appendix B - COSO’s Internal Controls Checklist for Entity-Level Controls
Appendix C - Standardized Period-End Process Control Matrix
Appendix D - PCAOB Staff Question-and-Answer Index
Appendix E - SEC Office of the Chief Accountant Frequently Asked Questions Index
Appendix F - Summary of Changes Made to Auditing Standard No. 2 and the Related ...
Index
This book is printed on acid-free paper.
Copyright © 2008 by Hamlet Auditing Corp. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
Library of Congress Cataloging-in-Publication Data
Harrer, Julie, 1966-
Internal control strategies : a mid to small business guide / Julie Harrer.
p. cm.
Includes index.
eISBN: 978-0-470-43761-2
1. Auditing, Internal. 2. Small business—Auditing. I. Title.
HF5667.H338 2008
657’.458—dc22
2008011987
Preface
On February 2, 2004, I was hired by a consulting firm to begin working on a Sarbanes-Oxley (SOX) Section 404 project for a high-tech company with 8,000-plus employees and over $4 billion in revenues. At the time, the company was required to comply with Section 404 for its fiscal year ending September 24, 2004. The team that was already in place had been working on the project for over eight months with minimal progress. There was very little guidance published on SOX compliance, skilled resources were scarce, and the external auditors were stumbling through the project just as much as the company was.
At the end of February, the Securities and Exchange Commission (SEC) announced an extension for accelerated filers complying with Section 404. While most companies cheered the extension, our SOX team was disappointed. We had just started to turn the project around and set new goals, but now the company did not have to comply until the following year. Much to our delight, after a few days of deliberation, the company decided to comply early by filing its attestation for its current fiscal year.
The Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard No. 2 (AS No. 2) in March 2004, and it immediately became our bible for compliance. Although helpful, the auditing standard only scratched the compliance surface and did not clarify the requirements or approach that was needed. In June 2004, the PCAOB issued a set of Staff Questions and Answers, and in July 2004, the Big Four firm that the company used for external audit issued a white paper with guidance for management. All three were instrumental in helping the project progress.
As the weeks passed, more information was published, but each time new information became available, we had to switch gears, causing inefficiencies and more work. There were power struggles and politics in the consulting firm I was working for and challenges with the original project manager, who stepped down but remained on the project.
The best way to describe the project was that it was tripping along, starting, stopping, readjusting then moving forward. Some days I thought we could complete the project on time; other days I thought the repeated setbacks would prevent us from reaching our goal.
As we approached our fiscal year-end with the project on schedule, it became apparent the external auditors did not want to take the risk of allowing the company to comply early. The concern was that new guidance might be issued after the company filed its attestation that would change the requirements. After several discussions, some fist pounding, and many days of waiting, the external auditors received approval from their national office that they could issue their opinions early on the company’s internal controls as of September 24, 2004. We were back on track.
The next few months were a blur of testing, remediation, and rigid schedules. We had to pay a premium to the auditors for complying early in the form of impeccable process and testing documentation, extra analyses, and an ultra-conservative interpretation of AS No. 2. My manager told me we would never make it. On top of all the documentation, testing, and remediation challenges, the company’s policy was to issue its earnings release on the same day it filed its 10-K, 40 days after the close of the fiscal year. At the time, the auditors had to file their opinions on the company’s financial statements and internal controls with the 10-K, which meant the deadlines after the close of the year were remarkable.
But on November 2, 2004, the first company in the world to comply with Section 404 of the Sarbanes-Oxley Act filed its attestation with the SEC along with an unqualified opinion from its auditor. I was the project manager on the job.
Since then, I have managed or been a member of several other Section 404 teams, both internally working for management and as an external auditor. I have seen what works, what is expected, and what went wrong for these projects. The experience I gained over the last few years is the basis for this book.
Much like that first project, I have had to start, stop, and rewrite the information in this book several times because of the constant stream of new guidance. Most recently, the PCAOB published a new auditing standard to supersede AS No. 2 in an attempt to streamline and clarify compliance requirements. The SEC also published the first guidance for management. Now companies have a resource written for management instead of having to interpret guidance meant for their external auditors. Concepts from both of these documents have been incorporated throughout this book and are specifically addressed in Chapters 1 and 2.
While researching this book, I interviewed several people involved in SOX programs from both large and smaller companies and found many companies still struggling with Section 404 compliance. In addition, nonaccelerated filers are now facing the SOX compliance challenge for the first time. This book is meant to be a resource for truly practical ideas that readers can implement into their own programs to cut costs and reduce time. Throughout the book, reference is made to PCAOB standards, the SEC, and the Committee of Sponsoring Organizations’ guidance and industry white papers to substantiate the suggested methods and point you in the right direction, should you need more information to create your own efficiencies.
“Think outside the box” has become a cliché in the business world today, but Section 404 programs can benefit from fresh, outside-the-box perspectives. The goal is to provide support for management’s assessment of the company’s internal controls, and management should be the one driving its program and approach. I sometimes hear comments such as “Our auditors told us we have to do it this way” or “Our auditors won’t let us do that.” These comments have no place in management’s assessment and may be a sign that you need to rethink your approach or presentation to your auditors. Be innovative while still emphasizing quality and implement efficient methods that work for your company. An efficient method supported by guidance is the best defense against any possible argument.
The first company to comply with Section 404 never could have attested early without management’s strong commitment to excellence and the high standards exemplified by its employees. Kudos to the company’s external auditors, who were the front-runner in publishing white papers and guidance for their clients on complying with Section 404 and related topics such as fraud, spreadsheets, and mergers and acquisitions activities.
Since Section 404 is a requirement that all public companies must endure, I challenge you to strive for excellence and help your company get the most out of its internal control program. I hope this book can provide some out-of-the-box solutions for addressing the challenges associated with Section 404 compliance.
Chapter 1 - Understanding the SEC’s Guidance for Management
Key Topics:
• The purpose of internal control over financial reporting
• The SEC’s recommendations for internal control evaluations
• Guidance for management’s reporting considerations
• Rule amendments and other SEC guidance related to internal control over financial reporting
PURPOSE OF INTERNAL CONTROL OVER FINANCIAL REPORTING
As most people involved with Section 404 already know, the overall purpose of internal controls over financial reporting is to prepare reliable, materially accurate financial statements. The rationale of Section 404 is to identify any material weaknesses that have more than a remote likelihood of leading to a material misstatement in a company’s financial statements and ultimately to produce more reliable reporting. Since only material weaknesses need to be disclosed, the focus of Section 404 is on issues that could cause material errors in the financial statements.
Public companies have been required to establish and maintain internal accounting controls since the enactment of the Foreign Corrupt Practices Act of 1977. Now under Section 404 of the Sarbanes-Oxley Act (SOX), public companies must attest to the effectiveness of their internal controls over financial reporting when they file their annual report. Although laws on internal controls are not new, Section 404 was meant to spotlight the connection between strong internal controls and reliable financial statements.
Effective internal controls can also help to deter or detect fraudulent financial reporting practices and perhaps reduce any adverse effects. Internal controls are not meant to prevent or detect every instance of fraud, especially when there is collusion of two or more people. However, Section 404 has increased awareness and put structures in place to help reduce the risk of fraud in financial reporting.
After the Sarbanes-Oxley Act (SOX), including the infamous Section 404, was enacted in 2002, the Securities and Exchange Commission (SEC) adopted final rules implementing the requirements of Section 404(a) in June 2003. The final rules did not prescribe any specific method or set of procedures for management to follow in performing its evaluation of internal control over financial reporting (ICFR). From an optimistic viewpoint, this gave public companies some flexibility for their assessment of internal control. In reality, the lack of guidance caused many companies confusion on what constituted “reasonable support” for their assessments. In the absence of specific guidance, management relied on Auditing Standard No. 2 (AS No. 2) and other guidance for auditors to help guide their own SOX programs.
Finally in June 2007, the SEC issued the first guidance for management in an attempt to enable public companies to conduct a more effective and efficient evaluation of ICFR. Further, under the SEC’s rule amendments, auditors would express only a single opinion on the effectiveness of the company’s internal controls in the attestation report rather than expressing separate opinions on the effectiveness of the company’s ICFR and on management’s assessment.
Also in 2007, the Public Company Accounting Oversight Board (PCAOB) issued a new auditing standard to supersede AS No. 2. Although much more robust, the PCAOB’s new Auditing Standard No. 5 complements the SEC’s guidance for management and supports the SEC amendments.
The SEC gives companies the option to follow its new guidance for compliance with Section 404. Managers may choose to rely on the interpretive guidance as an alternative to what is provided in existing auditing standards for two key reasons:
1. The rule would give managers who follow the interpretive guidance comfort that they have conducted a sufficient ICFR evaluation.
2. Elimination of the auditors’ opinion on management’s assessment in the auditors’ attestation report should significantly lessen the pressures that managers have felt to look to auditing standards for guidance.
The SEC has high hopes for its guidance and rule amendments, believing they will promote competition and capital formation in the U.S. marketplace. The amendments should also increase efficiencies with the effort and resources associated with an evaluation of ICFR, facilitate more efficient allocation of resources within a company, and be scalable depending on the size of the company.
These claims may in fact be true. Although the information in the SEC’s guidance for management is not novel, the SEC states, “The guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements.”1 However, the SEC’s guidance for management is very general and may create more confusion than efficiency.
The SEC believes it is impractical to prescribe a single methodology that meets the needs of every company and that management must bring its own experience and informed judgment to bear in order to design an evaluation process that meets company needs and provides reasonable assurance for its assessment. This guidance is intended to allow management the flexibility to design such an evaluation process.
Just as in the PCAOB’s standards, the SEC identified the Internal Control—Integrated Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as an example of a suitable framework on which management can base its assessment of internal control. The SEC also states that while the COSO framework identifies the components and objectives of an effective system of internal control, it does not set forth an approach for management to follow in evaluating the effectiveness of a company’s ICFR. It distinguishes between the COSO framework as a definition of what constitutes an effective system of internal control and guidance on how to evaluate ICFR.
The SEC points out the establishment and maintenance of internal accounting controls has been required of public companies since the enactment of the Foreign Corrupt Practices Act of 1977. Section 404 of SOX reemphasizes the important relationship between the maintenance of effective ICFR and the preparation of reliable financial statements.
The SEC and its staff issued guidance in May 2005 emphasizing that management, not the auditors, is responsible for determining the appropriate nature and form of internal controls for the company as well as their evaluation methods and procedures. Certain concepts from the May 2005 Staff Guidance have been incorporated into this new guidance for management, and the May 2005 Staff Guidance remains relevant. For more information on the May 2005 Guidance from the SEC, see Chapter 3.
The SEC advises management to conduct an evaluation of its internal controls that is sufficient to provide it with a reasonable basis for its annual assessment. Exchange Act Section 13(b)(7) defines “reasonable assurance” and “reasonable detail” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The SEC believes “reasonableness” is not an “absolute standard of exactitude for corporate records.” In addition, the SEC recognizes that “reasonableness” is an objective standard, and there is a range of judgments that an issuer might make as to what is “reasonable” in implementing Section 404. Hence, the term “reasonable” in the context of Section 404 implementation does not imply a single conclusion or methodology, but a full range of appropriate conduct, conclusions, or methodologies upon which an issuer may reasonably base its decisions.
Keeping in line with the PCAOB’s AS No. 5, the SEC’s guidance for management is organized around two broad principles:
1. Management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner.
2. Management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.
This guidance addresses a number of the common areas of concern that have been identified over the past two years by companies of all sizes. For example, the guidance:
• Explains how to vary approaches for gathering evidence to support the evaluation based on risk assessments
• Explains the use of “daily interaction,” self-assessment, and other ongoing monitoring activities as evidence in the evaluation
• Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment
• Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas
• Allows for management and auditors to have different testing approaches
To accomplish these goals, the SEC’s guidance for management is broken into two sections:
1. The Evaluation Process
• Identifying Financial Reporting Risks and Controls
• Evaluating Evidence of the Operating Effectiveness of ICFR
• Multiple Location Considerations
2. Reporting Considerations
• Evaluation of Control Deficiencies
• Expression of Assessment of Effectiveness of ICFR by Management
• Disclosures about Material Weaknesses
• Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR
• Inability to Assess Certain Aspects of ICFR
EVALUATION PROCESS
The objective of an evaluation of ICFR is to provide management with a reasonable basis for its annual assessment of internal control as of the end of the fiscal year. To meet this objective, management should identify the risks to reliable financial reporting, evaluate whether the controls are designed with a reasonable possibility of addressing those risks, and evaluate evidence about the operation of the controls. The evaluation process will vary from company to company, but the SEC guidance uses the top-down, risk-based approach, which is widely regarded as the most efficient and effective.
Identifying Financial Reporting Risks and Controls
According to the SEC, the identification of financial reporting risks typically begins with evaluating how the requirements of generally accepted accounting principles (GAAP) apply to the company’s business, operations, and transactions. Management should use its knowledge and understanding of the business and its processes to consider the sources and potential likelihood of errors in financial reporting and identify those errors that could result in a material misstatement to the financial statements. Risk factors to consider could include:
• Internal and external risks that impact the business, including the nature and extent of any changes in those risks
• Errors in the initiation, authorization, processing, and recording of transactions and other adjustments that are reflected in financial reporting elements
• The vulnerability of the entity to fraudulent activity (i.e., fraudulent financial reporting, misappropriation of assets, and corruption)
Identifying Controls that Adequately Address Financial Reporting Risks
The determination of whether an individual control, or a combination of controls, adequately addresses a financial reporting risk involves judgments about the likelihood and potential magnitude of misstatements that could arise from the risk. Controls are not adequate to address financial reporting risk if they are designed to allow a reasonable possibility that a material misstatement of the company’s financial statements would not be prevented or detected on a timely basis. Judgments about the characteristics of controls, such as the level of expertise needed to operate them or their complexity, will affect the evaluation of risks that controls will fail to operate as designed.
Consideration of Entity-Level Controls
Some entity-level controls are designed to operate at the process, transaction, or application level and might adequately prevent or detect a material misstatement in the financial statements. However, some entity-level controls may be designed to identify possible breakdowns in lower-level controls but not in a manner that would, by itself, sufficiently address an identified financial reporting risk. The more indirect the relationship to a financial reporting element, the less effective a control may be in preventing or detecting a misstatement. It is unlikely that management would identify only indirect, entity-level controls as adequately addressing a financial reporting risk identified for a financial reporting element.
Role of General Information Technology Controls
Only those general information technology (IT) controls that are necessary to adequately address financial reporting risks should be evaluated for management’s assessment of internal control. Although general IT controls usually would not directly prevent or detect a material misstatement in the financial statements, automated or IT-dependent controls rely on effective general IT controls to operate properly.
Evidential Matter to Support the Assessment
As part of its evaluation of ICFR, management is required to maintain reasonable support for its assessment. The form and extent of the documentation will vary depending on the size, nature, and complexity of the company, but should include documentation of the design of the controls management has placed in operation to adequately address the financial reporting risks. Documentation of the design of controls supports other objectives of an effective system of internal control, such as providing evidence that controls and changes to those controls have been identified, communicated to those responsible for their performance, and are capable of being monitored by the company.
Evaluating Evidence of the Operating Effectiveness of ICFR
The SEC states that evidence about the effective operation of controls may be obtained both from direct testing of controls and ongoing monitoring activities. The risk associated with a certain control should dictate the nature, timing, and extent of the evaluation procedures necessary for management to obtain sufficient evidence of the effective operation of that control. In determining whether the evidence obtained is sufficient to provide a reasonable basis for its evaluation of ICFR, management should consider not only the quantity of evidence (i.e., sample size) but also qualitative characteristics of the evidence. Qualitative characteristics of the evidence can include:
• The nature of the evaluation procedures performed
• The period of time to which the evidence relates
• The objectivity of those evaluating the controls
• For monitoring controls, the extent of validation through direct testing of the underlying controls
Different combinations of the nature, timing, and extent of evaluation procedures may provide sufficient evidence for any individual control.
Determining the Evidence Needed to Support the Assessment
Management should evaluate the ICFR risk for each control to determine the type of evidence needed to support its assessment. The risk assessment should consider the possibility of the control failing as well as the potential impact the failure could have on the company’s financial statements. This concept is demonstrated in Exhibit 1.1.
As the risks surrounding a certain control increase, management should obtain more evidence that the control is effective. Financial reporting elements generally would have higher risks when they include transactions, account balances, or other supporting information that is prone to misstatement, such as elements that:
• Involve judgment in determining the recorded amounts
• Are susceptible to fraud
• Have complex accounting requirements
• Experience change in the nature or volume of the underlying transactions
• Are subject to environmental factors, such as technological and/or economic developments
Exhibit 1.1 SEC Grid for Determining the Sufficiency of Evidence Based on ICFR Risk
When considering the likelihood that a control might fail to operate effectively, management should consider:
• The type of control (i.e., manual or automated)
• The complexity of the control
• The risk of management override
• The judgment required to operate the control
• The competence of the personnel who perform or monitor the control
• Whether there have been changes in key personnel who either perform or monitor the control
• The nature and materiality of misstatements that the control is intended to prevent or detect
• The degree to which the control relies on the effectiveness of other controls (i.e., general IT controls)
• Evidence of the operation of the control in the prior year
Certain financial reporting elements, such as those involving significant accounting estimates, related party transactions, or critical accounting policies, generally would be classified as high risk for both the risk of material misstatement and the risk of control failure. When the controls related to these financial reporting elements are subject to the risk of management override, involve significant judgment, or are complex, they generally should be assessed as having an even higher ICFR risk.
The existence of entity-level controls, such as controls within the control environment, may influence management’s determination of the evidence needed to sufficiently support its assessment. Strong entity-level controls may reduce the sufficiency of evidence needed for a control that normally would be considered high risk. For example, management’s judgment about the likelihood that a control could fail to operate effectively could be influenced by an effective control environment, which reduces the sufficiency of evidence needed for that control. However, a strong control environment would not eliminate the need for some type of testing to determine if the control was effective.
Implementing Procedures to Evaluate Evidence of the Operation of ICFR
The evidence management evaluates to determine if its ICFR is effective may come from a combination of ongoing monitoring and direct testing of controls.
Ongoing monitoring includes activities that provide information about the operation of controls and is commonly performed through self-assessment procedures or the analysis of performance measures designed to track the operation of controls. The SEC describes self-assessment procedures in this way:
Self-assessment is a broad term that can refer to different types of procedures performed by individuals with varying degrees of objectivity. It includes assessments made by the personnel who operate the control as well as members of management who are not responsible for operating the control. The evidence provided by self-assessment activities depends on the personnel involved and the manner in which the activities are conducted. For example, evidence from self-assessments performed by personnel responsible for operating the control generally provides less evidence due to the evaluator’s lower degree of objectivity.2
However, the SEC goes on to explain that for situations where a company’s ongoing monitoring uses personnel who are not adequately objective, evidence obtained from the monitoring activities would normally be supplemented with direct control testing by people independent of the controls being tested.
Practice Tip
Although, according to the SEC, self-assessment procedures can be used as evidence for management to evaluate whether its ICFR controls are effective, the evidence provides low assurance and generally will not be relied on by your auditors. Self-assessment procedures can be time consuming and hard to document as well. Be sure to evaluate whether these types of procedures are truly efficient for your company.
Ongoing monitoring can also be achieved by the evaluation of key performance indicators (KPIs), where management reconciles operating and financial information with its knowledge of the business. If analyzing KPIs can indicate a potential misstatement in a financial reporting element, then the process is relevant for addressing financial reporting risks. However, if KPIs monitor operational results and do not address the effective operation of financial reporting controls, they may not be a useful tool for monitoring ICFR.
Direct tests of controls can be performed periodically to provide evidence as of a point in time and may provide information about the reliability of ongoing monitoring activities. Management can also vary the nature of evidence obtained by adjusting the period of time covered by direct testing. For high-risk areas, management’s evaluation would ordinarily include evidence obtained from direct testing over a reasonable period of time during the year, including the fiscal year-end. For lower-risk areas, management may decide evidence from ongoing monitoring is sufficient and no direct testing is required.
In smaller companies, management’s daily interaction with its financial reporting controls may provide it with sufficient knowledge about their effective operation. However, this can be a tricky situation because knowledge from daily interaction would have to be obtained by those people responsible for evaluating the effectiveness of ICFR (not process owners) through their ongoing direct knowledge and supervision of control operation. Also, management would have to have sufficient evidence of the daily interaction and monitoring to conclude that these controls were effective.
For example, daily interaction may be an effective control when the operation of controls is centralized and the number of personnel involved in their operation is limited. Companies with multiple management reporting layers or operating segments, however, may not be able to rely on daily interaction to provide sufficient evidence because those responsible for assessing the effectiveness of ICFR may not be sufficiently knowledgeable about the operation of the controls. In these situations, management may have to rely on direct testing or ongoing monitoring procedures.
Management should evaluate the evidence it gathers from ongoing monitoring or direct testing to determine whether the operation of a control is effective. This evaluation should consider:
• Whether the control operated as designed
• How the control was applied
• The consistency with which the control was applied
• Whether the person performing the control possesses the necessary authority and competence to perform the control effectively
Evidential Matter to Support the Assessment
The SEC believes the nature of the evidential matter that management uses to evaluate its internal controls will vary based on a company’s assessed level of financial reporting risks and other circumstances unique to each company. A company’s evidential matter to support its assessment should include documentation of the methods and procedures used to gather and evaluate evidence. For example, management could document its overall ICFR program in a comprehensive memo describing its evaluation approach, the evaluation procedures, and the basis for its conclusions for each financial reporting element.
The SEC states:
If management determines that the evidential matter within the company’s books and records is sufficient to provide reasonable support for its assessment, it may determine that it is not necessary to separately maintain copies of the evidence it evaluates.3
For example, at a small company where management is relying on its daily interaction with the operation of its controls to provide the basis for its assessment, there may be limited documentation created specifically for the evaluation of ICFR. Management needs to consider the type of reasonable support that would provide sufficient evidence for its assessment and whether reasonable support would include documentation of how its interaction provided it with sufficient evidence. This documentation might include memoranda, emails, and instructions or directions from management to company employees.
Practice Tip
Although the SEC’s guidance on the matter of evidence for management’s daily interactions with financial reporting controls strives to remain open and flexible, it does not imply that a company can have no evidence for these controls. If a company has no evidence that financial reporting controls are monitored daily by those responsible for assessing the company’s internal control, the company may have to implement procedures to create the evidence, such as signoffs, emails, or meeting documentation.
According to the SEC, when management is evaluating the type of supporting evidential matter needed for the operation of controls, it should consider the degree of complexity of the control, the level of judgment required to operate the control, and the risk of material misstatement in the financial statements. As these factors increase, management may determine that it must maintain evidential matter supporting the assessment separately.
If management believes entity-level and other pervasive controls address the elements necessary for an effective system of ICFR, then the evidential matter for reasonable support of management’s assessment should include documentation of how that belief was formed.
Multiple Location Considerations
A company’s overall consideration of its financial reporting risks should include all of its locations or business units. In its evaluation of risks, management may decide that financial reporting risks are adequately addressed by controls operating at a central location. In this case, the company’s approach to its ICFR program would be similar to a business with a single location or business unit. However, when the controls necessary to address financial reporting risks are in place at more than one location or business unit, management has to evaluate evidence of the operation of those controls at the individual locations or business units.
In situations where management determines that the financial reporting risks for controls that operate at individual locations or business units are low, it has more flexibility in its approach for documenting and testing controls at those locations. For example, management may determine that evidence gathered through self-assessment routines or other ongoing monitoring activities, when combined with the evidence derived from a centralized control that monitors the results of operations at individual locations, constitutes sufficient evidence for the evaluation.
When performing its risk evaluation of noncentral locations, management should consider whether location-specific risks may cause a control to not operate effectively. Additionally, there may be pervasive factors at a given location that cause some controls there to be considered higher risk.
When deciding whether the nature and extent of evidence that controls are operating effectively is sufficient, management should consider the risk for each financial reporting element rather than making a single judgment for all controls at a location.
REPORTING CONSIDERATIONS
The objective of the reporting process is to inform investors and other users of financial statements about the status of companies’ internal control over financial reporting. In order to successfully communicate to the market, companies need a strong evaluation process for deficiencies and clear disclosures regarding management’s assessment.
Evaluation of Control Deficiencies
The evaluation of a control deficiency should include both quantitative and qualitative factors. Management can evaluate a deficiency in ICFR by considering whether there is a reasonable possibility that the company’s ICFR will fail to prevent or detect a misstatement of a financial statement amount or disclosure on a timely basis even though an actual misstatement may not have occurred. Management should also consider the magnitude of the potential misstatement that could result from the failed control(s).
Similar to the PCAOB’s approach, the SEC mentions the “prudent official test” and states:
If management determines that the deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then management should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.
Similar again to the PCAOB’s approach, the SEC advises management, when aggregating deficiencies, to evaluate individual control deficiencies that affect the same financial statement amount or disclosure to determine whether they collectively could result in a material weakness. An approach to aggregating individually insignificant control deficiencies was used by the American Institute of Certified Public Accountants (AICPA) in Statement on Auditing Standard No. 112, Communication of Internal Control Related Matters Identified in an Audit.
Management should also evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. The SEC defines compensating controls as controls that serve to accomplish the objective of another control that did not function properly, helping to reduce risk to an acceptable level. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a material misstatement.
The PCAOB and SEC list the same factors to help management (and auditors) evaluate whether there is a reasonable possibility of a material misstatement and the potential magnitude of a misstatement for control deficiencies. Additionally, guidance from the PCAOB and SEC lists the same four indicators of a material weakness. For more information on these topics, see Chapter 11 on evaluating deficiencies.
Expression of Assessment of Effectiveness of Internal Control over Financial Reporting by Management
Management should clearly disclose its assessment of the effectiveness of the company’s ICFR and should not qualify its assessment by saying the company’s ICFR is effective subject to certain qualifications. For example, management should not state that the company’s controls are effective except for certain material weakness(es) that have been identified. Management may, however, state that controls are ineffective due solely to, and only to the extent of, the identified material weakness(es); before making this statement, management should consider the nature and pervasiveness of the material weakness. Management may disclose any remediation efforts that it has made or plans to make to the identified material weakness(es) in Item 9A of Form 10-K, Item 15 of Form 20-F, or General Instruction B of Form 40-F.
Disclosures about Material Weaknesses
Disclosures about material weaknesses will be more useful to investors if management differentiates the potential impact and importance to the financial statements of the identified material weakness(es), including distinguishing those material weaknesses that may have a pervasive impact on ICFR from those that do not. According to the SEC, “The goal underlying all disclosure in this area is to provide an investor with disclosure and analysis beyond the mere existence of a material weakness.” See Chapter 11 on evaluating deficiencies for specific recommendations for disclosing material weaknesses.
Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on Internal Control over Financial Reporting
When a material misstatement in previously issued financial statements is discovered, the SEC requires the company to restate those financial statements. However, the restatement of financial statements does not, by itself, require management to reconsider the effect of the restatement on the company’s prior conclusion on the effectiveness of its internal control.
While there is no requirement for management to revise its conclusion on the effectiveness of its internal control for the period of restatement, the SEC advises management to consider whether its original disclosures are still appropriate. Management may have to modify or supplement its original disclosures to include other material information that is necessary for the disclosures not to be misleading. For statements concerning ICFR and disclosure controls and procedures, the company may need to report in this context what impact, if any, the restatement has on its original conclusions regarding the effectiveness of ICFR and disclosure controls and procedures.
Inability to Assess Certain Aspects of Internal Control over Financial Reporting
There may be circumstances where management is unable to assess certain aspects of its ICFR. For example, management may outsource a significant process to a service organization and determine that the controls over that process should be evaluated. However, the service organization may be unwilling to provide a Type II Statement on Auditing Standard No. 70 report or provide management access to the controls in place at the service organization for management to assess their effectiveness. Additionally, management may not have compensating controls in place that allow it to conclude in an alternative manner that controls over the outsourced process are effective.
The SEC does not permit management to issue a report on ICFR with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.
RULE AMENDMENTS AND OTHER SEC GUIDANCE RELATED TO INTERNAL CONTROL OVER FINANCIAL REPORTING
According to the SEC, the guidance for management and amendments related to internal control over financial reporting would not limit the ability of management to use its judgment to determine a method of evaluation that is appropriate for each company. The amendments would be similar to a nonexclusive safe harbor in that they would not require management to conduct the evaluation of internal control in accordance with the interpretive guidance but would provide certainty for management that chooses to follow the guidance that it has satisfied its obligation to conduct an evaluation for purposes of the requirements in Rules 13a-15(c) and 15d-15(c).
Newly Public Companies
The SEC’s new rule, RELEASE NOS. 33-8760; 34-54942; File No. S7-06-03, provides a transition period for newly public companies before they become subject to the ICFR requirements. Under the new rule, a newly public company will not become subject to the ICFR requirements until it either had been required to file an annual report for the prior fiscal year with the SEC or had filed an annual report with the SEC for the prior fiscal year. See Release No. 33-8760 (December 15, 2006) available at www.sec.gov/rules/final/2006/33-8760.pdf.
Revision to the Auditor’s Opinions on Internal Control over Financial Reporting
In response to feedback the SEC received that auditors’ opinions may not effectively communicate their responsibility in relation to management’s evaluation process, auditors now have to express only one opinion, directly on the effectiveness of a company’s ICFR.
Previous Staff Guidance and Staff Frequently Asked Questions
The SEC states that its May 2005 guidance remains relevant and has no plans to revise it. However, as of September 2007, the SEC staff reviewed its frequently asked questions as a result of the guidance for management and has updated them as appropriate. See Appendix E for a summary of the SEC’s FAQs.
Cost-Benefit Analysis of the Rule Amendments and Guidance for Management
The SEC is very optimistic about its guidance for management and proposed rule amendments and believes that they will provide many benefits to investors as well as public companies in complying with Section 404. Although there are not many, if any, “new” ideas about complying with Section 404 in the guidance for management, the SEC believes the guidance and rule revisions will provide these benefits:
• Management can choose to follow guidance that is an efficient and effective means of satisfying the evaluation requirement.
• All public companies, especially smaller ones, that choose to follow the guidance would be afforded considerable flexibility to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances.
• Management would have the comfort that an evaluation that complies with the SEC interpretive guidance is one way to satisfy the evaluation required by Exchange Act Rule 13a-15(c) and Exchange Act Rule 15d-15(c). This reduces any second-guessing as to whether management’s process was adequate.
• There may be reduced risk of costly and time-consuming disagreement between auditors and management regarding the extent of documentation and testing needed to satisfy the ICFR evaluation requirement.
• Companies are likely to save money and reduce the amount of effort and resources associated with an evaluation by relying on a set of guidelines that clarifies the nature, timing, and extent of management’s procedures and that recognizes the many different types of evidence-gathering methods available to management (such as direct interaction with control components).
• Management would have greater clarity regarding the SEC’s expectations concerning an evaluation of ICFR.
Some larger public companies may face a transitory increase in compliance costs if they choose to follow the guidance. This is because many larger companies that have already evaluated their internal controls have reported cost reductions, or the anticipation of cost reductions, in the second and subsequent years of compliance with the internal control reporting provisions. The SEC believes that some accelerated and large accelerated filers that have completed one or more evaluations of their ICFR may adjust their evaluation procedures in order to take advantage of the proposed rule amendments, which could lead to an increase in compliance costs. This increase could happen if companies totally revamp their Section 404 programs, but it is unlikely since large companies already are using much of the SEC guidance for management.
In addition, the benefits of the SEC’s guidance for management may be partially offset if the company’s auditors obtain more audit evidence directly rather than using evidence generated by management’s evaluation process; such direct evidence could lead to an increase in audit costs. This offset would certainly be expected if companies began using less sufficient testing methods and evidence for forming an opinion on their internal controls.
Although the methods are not new or innovative, the SEC guidance does reinforce a flexible, risk-based approach to compliance that is tailored to the unique circumstances of each company. Time will tell if the overly broad guidance will help management in their compliance programs. More likely, the SEC’s guidance for management will have the most impact on compliance programs when it is applied in conjunction with the more robust PCAOB Auditing Standard No. 5.
NOTES
1 Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, by the Securities and Exchange Commission, RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06, Summary, p. 1.
2 Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, by the Securities and Exchange Commission, RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06, pp. 28-29.
3 Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, by the Securities and Exchange Commission, RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06, p. 31.
Chapter 2 - The PCAOB’s Auditing Standard No. 5
Key Topics:
• Eight concepts for focusing your audit on the most important matters to internal control
• The new emphasis on entity-level controls
• The importance of a fraud risk assessment
• Tips to eliminate unnecessary procedures in an audit
• Scaling audits for smaller companies
In response to ongoing criticism in the business community that the requirements of Sarbanes-Oxley (SOX) Section 404 are too costly and time consuming and are driving businesses away to foreign markets, the Public Company Accounting Oversight Board (PCAOB) proposed a new auditing standard on internal control over financial reporting (ICFR) in December 2006 to supersede Auditing Standard No. 2 (AS No. 2). At the same time, the PCAOB proposed a new auditing standard on using the work of others, which was meant to supersede interim standard AU sec 322, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements. In May 2007, the PCAOB published the final version of AS No. 5 entitled An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. However, in the final version, the new, separate standard on using the work of others was abandoned and the information was incorporated into AS No. 5.
The PCAOB made a huge effort to avoid the mistakes it made with AS No. 2. It solicited and received many comment letters on the proposed guidance and coordinated its work with the Securities and Exchange Commission (SEC), which proposed its own guidance for management on evaluating internal control. In addition to its role of implementing Section 404, the SEC must approve new PCAOB auditing standards before they become effective. After analyzing the comments received on the new standard and coordinating the PCAOB’s proposal with the SEC’s own guidance, the SEC directed its staff to focus its remaining work in four areas:
1. Aligning the PCAOB’s new auditing standard with the SEC’s proposed new management guidance under Section 404, particularly with regard to prescriptive requirements, definitions, and terms
2. Scaling the 404 audit to account for the particular facts and circumstances of companies, particularly smaller companies
3. Encouraging auditors to use professional judgment in the Section 404 process, particularly in using risk assessment
4. Following a principles-based approach to determining when and to what extent the auditor can use the work of others
This direction from the SEC is good news for public companies and may cure the check-the-box approach that many auditors used in the past for Section 404 audits. Although the PCAOB’s new standard is meant for external auditors, understanding it can help you develop your program to be compatible with that of your auditors. It can also help you know what your auditors will expect and help you keep their procedures (and costs) reasonable and in line with the standard.
The new standard is designed primarily to achieve these objectives:
• Focus the audit on the matters most important to internal control.
• Eliminate unnecessary procedures.
• Scale the audit for smaller companies.
• Make the text of the standard easier to understand.
Although there are many critics of Section 404 and the related regulation, many people believe there are benefits to the focus on internal controls. The challenge has been to increase the return on investment that companies have been required to make in complying with Section 404. As the title suggests, this new guidance is a call for integration, efficiency, and reasonableness. It appears to keep the law intact while still allowing companies the flexibility to implement the standard in a way that works for their own size, business structure, and corporate culture.
EIGHT CONCEPTS TO FOCUS THE AUDIT ON MATTERS MOST IMPORTANT TO INTERNAL CONTROL
The PCAOB believes it can help auditors focus their audits on matters most important to internal control by directing their attention to the critical controls using these eight concepts:
1. Integrating the internal control and financial statement audits
2. Emphasizing the importance of risk assessment
3. Clarifying the role of materiality
4. Using a top-down approach to direct auditors’ attention toward the most important controls
5. Revising the definitions of significant deficiency and material weakness
6. Revising the definitions of the “strong indicators” of a material weakness
7. Clarifying the role of interim materiality in the audit
8. Introducing interim testing in an audit of internal control
Integrating the Internal Control and Financial Statement Audits
The main concept of an integrated audit is for auditors to design their testing of controls to accomplish the objectives of both financial and internal control audits simultaneously. These objectives are to obtain sufficient evidence to support the auditors’ (1) opinion on the company’s internal controls as of year-end and (2) control risk assessment for the financial statement audit.
In theory, if auditors can assess a company’s control risk as below the maximum, they may be able to reduce the nature, timing, or extent of their substantive procedures for the financial statement audit. What better way to thoroughly assess control risk than through an audit of the company’s internal control? Therefore, integrating the two audits should benefit companies by requiring less time to be spent overall, and ultimately should lower audit fees.
In Appendix B of AS No. 5, the PCAOB makes seven points for integrating the audits of internal control and the financial statements: