2013 PCAOB Report - Important SOX Update


Transcript of 2013 PCAOB Report - Important SOX Update

Important SOX Update
Understanding the Impact of the PCAOB Report on ICFR Audits

Session brought to you by (sponsor logos)

Please welcome our presenters:

Les Sussman, Senior Practice Leader, Governance Risk and Compliance, RGP

Jason Chiang, CPA, CIA, Auditor and Risk Manager, RGP Consultant

Following this session, you will be able to:

1. Recognize the likely impact to companies of the PCAOB inspections and associated report

2. Identify and reference key sources for managing or auditing using a top-down, risk-based approach

3. Shift from the common “Controls-focused” approach, beginning with a fresh look at your Risk Assessment

4. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ

Polling Question

Do you have Financial Statement auditing experience?

Yes

No

If so, you are probably familiar with much of what is presented here. We aim to help all of our colleagues to land on the same page as we approach SOX compliance and auditing in the post-PCAOB Inspection Report environment.

Timeline

• Sarbanes-Oxley Act signed by President Bush (2002)

• Auditing Standard 2 released (2004)

• AS 2 guidance issued by the SEC & PCAOB (2005)

• SEC Management Guidance and AS 5 released (2007)

• PCAOB Inspection Report (2012)

PCAOB Inspection Report

“PCAOB Issues Report on Inspection Observations Related to Audits of Internal Control over Financial Reporting”

PCAOB Inspection Report

1. Key findings

2. Deficiencies that led to findings

3. Root cause of deficiencies

Key Findings of Inspection Report

• 46 of 309 firms failed to obtain sufficient audit evidence to support their audit opinion on the effectiveness of internal control

• 39 of those 46 firms also failed to obtain sufficient audit evidence to support the financial statement audit opinion

• In 50 of 309 inspections, evidence of deficiencies in some firms’ systems of quality control was observed

Common Deficiencies

Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or obtain evidence of procedures performed.

For example, firms failed to test the controls used to monitor the results of:

1. monthly comparisons of budget and actual results to forecasts for revenues and expenses

2. comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales

3. quarterly balance sheet reviews

4. system generated data

5. procedures regarding the use of work of others

6. evaluation of control deficiencies

What can our clients expect?

Generally, MORE WORK!

• More detailed evidence will be required

• More testing and re-performance of procedures will be required

The way that companies document and test their controls will need to include more detail. Document your thresholds. Document what you are doing as you go along!

Root Causes of Deficiencies

1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;

2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;

3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and

4. Ineffective communication with the firm's information system specialists on the engagement team.

Three of the four root causes relate to improvements that need to be made by the firms. The first root cause is one that management can address directly.

What is a top-down, risk-based approach?

What can go wrong?

Companies often start with “What can go wrong?” applied to All Company Risks. This often results in the documentation of Operational Risks. That is NOT representative of a top-down approach.

A top-down approach focuses on “What can go wrong?” with Financial Statement Risks.

Why do financial statements matter?

This is what financial readers really care about. From the MD&A: Will the FDA approve? Are they shifting money from one company to another?

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years. In a recent post on the IIA blog, he gave his assessment of a widely distributed guide that discusses the role of IT Risks and Controls in SOX. He said:

“I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.”

- Norman Marks

Polling Question

What model do you think your approach follows?

a) top down

b) bottom up

c) middle down

d) not sure

Required Recommended Reading

It is tempting to look for a tool, something like a checklist or a cheat sheet, to walk through the top-down approach. Jason Chiang cautions that there’s no short-cut to the approach. He urges risk and audit professionals to follow the guidance.

• Auditing Standard No. 5 http://pcaobus.org/standards/auditing/pages/auditing_standard_5.aspx

• SEC’s Interpretive Guidance for Management http://www.sec.gov/rules/interp/2007/33-8810.pdf

• Staff Views: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf

• The External Auditing Firm’s Guidance

• COSO: Internal Control over Financial Reporting — Guidance for Smaller Public Companies http://www.coso.org/ICFR-GuidanceforSPCs.htm

• COSO: Internal Control — Integrated Framework Guidance on Monitoring Internal Control Systems http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf

Applying Auditing Standard No. 5 Approach

Jason suggests starting with this: read AS5, specifically paragraphs 21-41, which focus on “Using a Top-Down Approach”.
http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx

The first paragraph of the section walks through three broad processes for applying AS5:

1. Review Financial Statements, understanding risks to ICFR

2. Examine entity-level controls, significant accounts, disclosures and their relevant assertions

3. Understand risks in processes, and select for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion

Risk Assessment

Let’s walk through the approach at a high level…

Which Financial Statement Accounts are significant?

1. Determine the risk factors you will assess

2. Decide how each factor will weigh into the overall rating

3. Choose a rating scale for the assessment

4. Assess the impact or likelihood, whatever the case may be, of each risk factor for each account

5. Determine the calculated Risk and consider whether this matches your judgment of the risk. This exercise can be used to validate your judgment of what is significant. If you find great discrepancy, examine why that is.
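The weighted scoring behind the five steps above, as an added example that is not part of the original presentation and not code from RGP or policyIQ. The risk factors, their weights, the 1-5 rating scale, the High/Medium/Low thresholds and the four sample accounts are constructed assumptions; what it shows is step 5, a calculated rating that disagrees with the team's own judgment being flagged so that someone examines why.

```python
"""Weighted risk scoring for identifying significant financial statement accounts.

Added illustration, not from the original presentation. The risk factors, their
weights, the rating scale, the level thresholds and the sample accounts are all
constructed assumptions.
"""
from typing import Dict, List

# Steps 1 and 2: the risk factors to assess, and how each weighs into the
# overall rating (assumption: weights sum to 1.0).
WEIGHTS: Dict[str, float] = {
    "size_of_balance": 0.30,
    "transaction_volume": 0.20,
    "complexity_or_judgment": 0.25,
    "susceptibility_to_misstatement": 0.25,
}

# Step 3: rating scale for each factor (1 = low, 5 = high).
SCALE_MIN, SCALE_MAX = 1, 5

# Thresholds that map a weighted score onto a High-Medium-Low rating
# (constructed values).
HIGH_THRESHOLD = 3.5
MEDIUM_THRESHOLD = 2.5


def calculated_score(ratings: Dict[str, int]) -> float:
    """Steps 4 and 5: combine the per-factor ratings into one weighted score."""
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1.0")
    if set(ratings) != set(WEIGHTS):
        raise ValueError("every risk factor must be rated, and nothing else")
    for factor, rating in ratings.items():
        if not SCALE_MIN <= rating <= SCALE_MAX:
            raise ValueError(f"{factor}: rating {rating} is outside {SCALE_MIN}-{SCALE_MAX}")
    return round(sum(WEIGHTS[f] * r for f, r in ratings.items()), 2)


def risk_level(score: float) -> str:
    """Translate the calculated score into the High-Medium-Low rating."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def assess_accounts(accounts: List[dict]) -> List[dict]:
    """Score each account and compare the result with the team's judgment."""
    results = []
    for account in accounts:
        score = calculated_score(account["ratings"])
        level = risk_level(score)
        results.append({
            "account": account["name"],
            "score": score,
            "calculated_level": level,
            "judged_level": account["judgment"],
            "discrepancy": level != account["judgment"],
        })
    return results


def flagged_discrepancies(results: List[dict]) -> List[str]:
    """Accounts where the calculation disagrees with judgment: examine why."""
    return [r["account"] for r in results if r["discrepancy"]]


# Constructed sample input: four balance sheet line items, each with its factor
# ratings and the judgment the team had already formed about it.
SAMPLE_ACCOUNTS = [
    {"name": "Cash", "judgment": "High",
     "ratings": {"size_of_balance": 5, "transaction_volume": 5,
                 "complexity_or_judgment": 1, "susceptibility_to_misstatement": 4}},
    {"name": "Accounts Receivable", "judgment": "High",
     "ratings": {"size_of_balance": 4, "transaction_volume": 5,
                 "complexity_or_judgment": 4, "susceptibility_to_misstatement": 4}},
    {"name": "Prepaid Expenses", "judgment": "Low",
     "ratings": {"size_of_balance": 1, "transaction_volume": 2,
                 "complexity_or_judgment": 1, "susceptibility_to_misstatement": 1}},
    {"name": "Accrued Expenses", "judgment": "Low",
     "ratings": {"size_of_balance": 2, "transaction_volume": 3,
                 "complexity_or_judgment": 4, "susceptibility_to_misstatement": 5}},
]

if __name__ == "__main__":
    for r in assess_accounts(SAMPLE_ACCOUNTS):
        flag = "  <-- examine why" if r["discrepancy"] else ""
        print(f"{r['account']:<20} score={r['score']:.2f} "
              f"calculated={r['calculated_level']:<6} judged={r['judged_level']}{flag}")
```

Run as a script it prints one line per account; on the constructed input only Accrued Expenses is flagged, because its calculated rating comes out Medium while the team had judged it Low. That is exactly the discrepancy step 5 asks you to go back and examine rather than paper over, and the validation in calculated_score refuses weights that do not sum to one or ratings outside the chosen scale so a spreadsheet-style slip cannot silently skew the result.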

Which Financial Statement Assertions are relevant?

Identify relevant assertions for each significant account. These are the assertions recognized by the PCAOB (with definitions pulled from AS15):

Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.

Completeness – All transactions and accounts that should be presented in the financial statements are so included.

Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.

Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.

Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.

Step back from the academic exercise and consider the real world motivations of companies… Management wants the company to look good. It is natural to want to overstate assets/cash and to understate liabilities/expenses. Think about how this relates to the assertions…

If it is stated that the company has $5M in the bank, the auditor would logically want to ask, “Really?” In other words, does that cash or do those assets actually exist?

If it is stated that the company has no Accrued Expenses, the auditor would logically want to ask, “Really?” What if, in January, the auditor observes a bill for legal fees that were incurred on December 28th? Is the debt liability really complete?

Thinking through and referring to real examples will make this exercise of determining which assertions are relevant much easier to understand. Jason recommends creating a cheat sheet that includes the definitions and an example for each assertion.

What is the level of risk for each assertion?

Next, determine the level of risk for each assertion. This generally results in another High-Medium-Low rating for each assertion. And it is another of the determinations made by risk and audit professionals that is largely based on judgment.

(Flow diagram: Identify Significant Accounts → Determine relevant assertions for those significant accounts → Identify Financial Statement Risk and Risk level, as a Statement of Risk based on application of the assertion to the account.)

Work through this process for each financial statement line item.

Risk Assessment Examples

Balance Sheet Example: Accounts Receivable

Often, the line item determined to be significant will then be tagged or mapped to a process. Next, companies often go to the process and ask, “what can go wrong in the process?” It is tempting to get dragged into an operational view of risks again.

Instead, consider: what are the relevant assertions for Accounts Receivable?

• Existence or occurrence

• Completeness

• Valuation or allocation

• Rights and obligations

• Presentation and disclosure

Valuation Risk – All uncollectible customer balances may not be properly written off.

Control – On at least a quarterly basis, the Controller reviews the Accounts Receivable Aging (including the ICS A/R reports) for uncollectible accounts to determine the necessity for and/or adequacy of an allowance for doubtful accounts. The calculation is reviewed and approved by the CFO.

Income Statement Example: Salary Expense

What are the relevant assertions for Salary Expense?

• Existence or occurrence

• Completeness

• Valuation or allocation

• Rights and obligations

• Presentation and disclosure

Occurrence Risk – Did the expense that you put on your books occur? That is, does it represent the exchange of employees’ services for cash or other consideration?

Control – The Controller reviews the payroll supporting documentation (including timecards, the timecard tracking spreadsheet and the approved Time-Off Request Forms for vacation/sick/personal time off use) to ensure the completeness and accuracy of the hours entered into the payroll system.

Questions

What has your experience been? Do you see the company focusing on those assertions that are relevant for each significant account, or falling back on process or operational risks?

Review Controls

(Diagram of the control structure, labelled ELC, FSA and C, built up across several slides.)

Following identification of the relevant assertions and risks to financial statements, determine which controls a company might establish to address those risks.

The guidance says to start with identification and evaluation of the Financial Statement Close process or Entity Level Controls.

Beginning with an inventory of all controls and determining which may address a financial statement assertion is NOT representative of a top-down approach. Starting at the top, evaluating Entity Level Controls, may greatly reduce the overall amount of work required for testing.

Apply precision to Entity Level Controls

This is another key point discussed in the guidance. “What is the client’s expectation?” Start by determining the thresholds. The company judges what amount would matter to readers of financial statements. For example, 5% or 3%.

For example: at a high level, the client recognizes that a portion of the audience will not pay… …and they’ll choose to maintain that percentage in reserves. If this is considered an Entity Level Control, how can precision be applied?

Understand the process for coming up with this plan so that it can be quantified and tested. The process must reflect what is actually being done.

If the control is +/- 5%: okay, precise enough.

If the control is +/- 20%: you conclude that it must be more precise. We need to get to the process level to test the control and better estimate what the actual provision should be.

CC images courtesy of http://www.flickr.com/photos/danmoyle/ and http://www.flickr.com/photos/daniel-sound/

Questions

Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk. True or False?

a) True

b) False

This is why you start with Entity Level Controls. They can reduce the total number of controls and testing required.

Automate the process

Employ a tool to help bring automation, time and cost savings to the entire process.

“From my experience, policyIQ is the most cost-effective tool out there for companies to use to manage their content and workflow, which comes in handy for SOX compliance. policyIQ was designed to be intuitive and flexible. The policyIQ support team is top-notch, and will help subscribers implement the system.”

- Jason Chiang

(Diagram of policyIQ record types, labelled S Significant Account / Disclosure, P Process Narrative, R Assertion (Risk), C Key Control, T Test, D Deficiency, W Workpaper, R Report and F Findings, grouped under “Management” and “General”.)

policyIQ is customizable—you can use it to track the full scope of documentation, manage workflow, and take advantage of the reporting features to more easily see and share your rationalization process… It is a great technology pairing with your fresh look at the risk assessment and the proper application of the top-down, risk-based approach.

Summary

Let’s recap what we have said…

The PCAOB identified these as the root causes of the deficiencies that they observed:

1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;

2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;

3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and

4. Ineffective communication with the firm's information system specialists on the engagement team.

Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or perform procedures. And it seems clear that more testing and more detailed evidence will almost certainly be the impact to companies.

RGP can help companies to respond to the likely changes imposed by the audit firms:

1. Set the tone from the beginning

• Evidence things better

• Establish a more formal and complete policy and procedure manual

• Track the completion of procedural tasks

• Act as liaison between client and audit firms

2. Proper application of the top-down, risk-based approach called for by AS5

With proper application of the AS5 approach, and by acting as a liaison between the company and audit firm, we can offset some of the additional work that will likely be pushed down by the PCAOB through the firms.

The best way to ensure that you are correctly applying the top-down, risk-based approach is to follow the guidance listed under Required Recommended Reading above.

For more information

Jason Chiang: [email protected]

Les Sussman: [email protected]

policyIQ: [email protected]

Thank you