2013 PCAOB Report - Important SOX Update
Important SOX Update
Understanding the Impact of the PCAOB Report on ICFR Audits
Session brought to you by
Please welcome our presenters:
Les Sussman, Senior Practice Leader, Governance Risk and Compliance, RGP
Jason Chiang, CPA, CIA, Auditor and Risk Manager, RGP Consultant
Following this session, you will be able to:
1. Recognize the likely impact to companies of the PCAOB inspections and associated report
2. Identify and reference key sources for managing or auditing using a top-down, risk-based approach
3. Shift from the common “Controls-focused” approach, beginning with a fresh look at your Risk Assessment
4. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ
Polling Question
Do you have Financial Statement auditing experience?
Yes
No
If so, you are probably familiar with much of what is presented here. We aim to help all of our colleagues land on the same page as we approach SOX compliance and auditing in the post-PCAOB Inspection Report environment.
Timeline
Sarbanes Oxley Act signed by President Bush (2002)
Auditing Standard 2 released (2004)
AS 2 guidance issued by the SEC & PCAOB (2005)
SEC Management Guidance and AS 5 released (2007)
PCAOB Inspection Report (2012)
PCAOB Inspection Report
“PCAOB Issues Report on Inspection Observations Related to Audits of Internal Control over Financial Reporting”
1. Key findings
2. Deficiencies that led to findings
3. Root cause of deficiencies
Key Findings of Inspection Report
46 of 309 firms failed to obtain sufficient audit evidence to support their audit opinion on the effectiveness of internal control.
39 of those 46 firms also failed to obtain sufficient audit evidence to support the financial statement audit opinion.
In 50 of 309 inspections, evidence of deficiencies in some firms’ systems of quality control was observed.
Common Deficiencies
Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or obtain evidence of procedures performed.
For example, firms failed to test the controls used to monitor the results of:
1. monthly comparisons of budget and actual results to forecasts for revenues and expenses
2. comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales
3. quarterly balance sheet reviews
4. system-generated data
5. procedures regarding the use of the work of others
6. evaluation of control deficiencies
What can our clients expect?
• More detailed evidence will be required
• More testing and re-performance of procedures will be required
Generally, MORE WORK!
The way that companies document and test their controls will need to include more detail. Document your thresholds. Document what you are doing as you go along!
Root Causes of Deficiencies
1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;
2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;
3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and
4. Ineffective communication with the firm's information system specialists on the engagement team.
Three of the four root causes relate to improvements that need to be made by the firms. The first root cause is one that management can address directly.
What is a top-down, risk-based approach?
Starting from the question “What can go wrong?” often results in the documentation of Operational Risks. That is NOT representative of a top-down approach.
A top-down approach focuses on Financial Statement Risks, not on All Company Risks.
Why do financial statements matter?
This is what financial readers really care about. From the MD&A: Will the FDA approve? Are they shifting money from one company to another?
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years. In a recent post on the IIA blog, he gave his assessment of a widely distributed guide that discusses the role of IT Risks and Controls in SOX. He said:
“I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.”
-Norman Marks
Polling Question
What model do you think your approach follows?
a) top down
b) bottom up
c) middle down
d) not sure
Required Recommended Reading
It is tempting to look for a tool, something like a checklist or a cheat sheet, to walk through the top-down approach. Jason Chiang cautions that there’s no short-cut to the approach. He urges risk and audit professionals to follow the guidance.
• Auditing Standard No. 5 http://pcaobus.org/standards/auditing/pages/auditing_standard_5.aspx
• SEC’s Interpretive Guidance for Management http://www.sec.gov/rules/interp/2007/33-8810.pdf
• Staff Views: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf
• The External Auditing Firm’s Guidance
• COSO: Internal Control over Financial Reporting — Guidance for Smaller Public Companies http://www.coso.org/ICFR-GuidanceforSPCs.htm
• COSO: Internal Control — Integrated Framework Guidance on Monitoring Internal Control Systems http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf
Applying Auditing Standard No. 5 Approach
http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
Read AS5. Specifically, paragraphs 21-41, which focus on “Using a Top-Down Approach”.
The first paragraph of the section walks through three broad processes for applying AS5:
1. Review Financial Statements, understanding risks to ICFR
2. Examine entity-level controls, significant accounts, disclosures and their relevant assertions
3. Understand risks in processes, and select for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion
Risk Assessment
Which Financial Statement Accounts are significant?
1. Determine the risk factors you will assess
2. Decide how each factor will weigh into the overall rating
3. Choose a rating scale for the assessment
4. Assess the impact or likelihood, whichever applies, of each risk factor for each account
5. Determine the calculated Risk and consider whether it matches your judgment of the risk. This exercise can be used to validate your judgment of what is significant. If you find a great discrepancy, examine why that is.
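The five steps above describe a weighted scoring model. The following is an added example, not code from the presentation or from RGP or policyIQ, that carries the procedure through for a handful of balance sheet and income statement line items: it takes a set of risk factors and weights (step 1 and 2), a Low/Medium/High scale (step 3), a rating of every factor for every account (step 4), computes the weighted score and compares it with the risk professional's own judgment, flagging the accounts where the two disagree (step 5). The factor names, weights, cut-offs and the sample accounts are constructed assumptions for illustration; none of them come from the deck.

```python
# Added example (not from the RGP/policyIQ deck): weighted High/Medium/Low
# risk rating to decide which financial statement accounts are significant.
# Factor names, weights, scale, cut-offs and sample accounts are constructed.

# Step 1 and 2: risk factors to assess, and how each weighs into the rating
# (weights must sum to 1.0).
FACTORS = {
    "size_of_balance": 0.30,           # size of the account balance
    "transaction_volume": 0.15,        # volume and complexity of activity
    "subjectivity_of_estimate": 0.25,  # judgment and estimation involved
    "fraud_susceptibility": 0.20,      # exposure to intentional misstatement
    "change_in_process": 0.10,         # recent changes in people/systems/process
}

# Step 3: the rating scale applied to every factor.
SCALE = {"Low": 1, "Medium": 2, "High": 3}

# Cut-offs for mapping a calculated score (1.0 to 3.0) back onto the scale.
HIGH_CUTOFF = 2.5
MEDIUM_CUTOFF = 1.75


def validate_factors(factors=FACTORS):
    """Reject a weighting scheme whose weights do not sum to 1.0."""
    total = sum(factors.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"factor weights must sum to 1.0, got {total}")
    return True


def calculated_risk(ratings, factors=FACTORS):
    """Step 4/5: weighted average of one account's factor ratings.

    `ratings` maps each factor name to "Low", "Medium" or "High"; every
    factor must be rated, and unknown factors or rating names are rejected.
    """
    validate_factors(factors)
    missing = set(factors) - set(ratings)
    if missing:
        raise ValueError(f"no rating for factors: {sorted(missing)}")
    unknown = set(ratings) - set(factors)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    return sum(factors[f] * SCALE[ratings[f]] for f in factors)


def to_rating(score):
    """Map a calculated score onto High / Medium / Low."""
    if score >= HIGH_CUTOFF:
        return "High"
    if score >= MEDIUM_CUTOFF:
        return "Medium"
    return "Low"


def assess(accounts, judgments):
    """One row per account; `discrepancy` is True where the calculated
    rating differs from the professional judgment, the cue to examine why."""
    rows = []
    for account, ratings in accounts.items():
        score = calculated_risk(ratings)
        calculated = to_rating(score)
        rows.append({
            "account": account,
            "score": round(score, 2),
            "calculated": calculated,
            "judgment": judgments[account],
            "discrepancy": calculated != judgments[account],
        })
    return rows


def ratings(*levels):
    """Build a ratings dict from levels given in FACTORS order."""
    return dict(zip(FACTORS, levels))


# Constructed sample input: factor ratings for four line items, and the
# risk professional's own judgment of each account's significance.
ACCOUNTS = {
    "Cash": ratings("High", "High", "Low", "High", "Low"),
    "Accounts Receivable": ratings("High", "High", "High", "High", "Low"),
    "Prepaid Expenses": ratings("Low", "Low", "Low", "Low", "Low"),
    "Salary Expense": ratings("High", "Medium", "Low", "Medium", "Medium"),
}
JUDGMENTS = {"Cash": "High", "Accounts Receivable": "High",
             "Prepaid Expenses": "Low", "Salary Expense": "Medium"}


if __name__ == "__main__":
    for row in assess(ACCOUNTS, JUDGMENTS):
        flag = "  <-- examine why" if row["discrepancy"] else ""
        print(f"{row['account']:<20} score={row['score']:.2f} "
              f"calculated={row['calculated']:<6} judgment={row['judgment']}{flag}")
```

With these constructed inputs, Accounts Receivable scores 2.8 (High), Prepaid Expenses 1.0 (Low) and Salary Expense 2.05 (Medium), all matching the stated judgment, while Cash scores 2.3 (Medium) against a judgment of High. That last row is the discrepancy the fifth step tells you to examine: either the judgment is overstating the risk, or the model is missing a factor (here, how easily cash existence can be misstated) and needs its weights revisited. The model is a check on judgment, not a replacement for it.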
Risk Assessment
Identify relevant assertions for each significant account
These are the assertions recognized by the PCAOB (with definitions pulled from AS15):
Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
Completeness – All transactions and accounts that should be presented in the financial statements are so included.
Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.
Step back from the academic exercise and consider the real-world motivations of companies. Management wants the company to look good. It is natural to want to overstate assets/cash and to understate liabilities/expenses. Think about how this relates to the assertions.
If it is stated that the company has $5M in the bank, the auditor would logically want to ask, “Really?” In other words, does that cash or do those assets actually exist?
If it is stated that the company has no Accrued Expenses, the auditor would logically want to ask, “Really?” What if, in January, the auditor observes a bill for legal fees that were incurred on December 28th? Is the debt liability really complete?
Thinking through and referring to real examples will make this exercise of determining which assertions are relevant much easier to understand. Jason recommends creating a cheat sheet that includes the definitions and an example for each assertion.
Risk Assessment
What is the level of risk for each assertion?
This generally results in another High-Medium-Low rating for each assertion. And it is another of the determinations made by risk and audit professionals that is largely based on judgment.
The flow so far: identify significant accounts → identify the financial statement risk and risk level → determine relevant assertions for those significant accounts → statement of risk based on application of the assertion to the account.
Work through this process for each financial statement line item.
Risk Assessment
Balance Sheet Example: Accounts Receivable
Often, the line item determined to be significant will then be tagged or mapped to a process. Next, companies often go to the process and ask, “What can go wrong in the process?” It is tempting to get dragged into an operational view of risks again.
Instead, consider: what are the relevant assertions for Accounts Receivable? Existence or occurrence, Completeness, Valuation or allocation, Rights and obligations, Presentation and disclosure.
Valuation Risk – All uncollectible customer balances may not be properly written off.
Control – On at least a quarterly basis, the Controller reviews the Accounts Receivable Aging (including the ICS A/R reports) for uncollectible accounts to determine the necessity for and/or adequacy of an allowance for doubtful accounts. The calculation is reviewed and approved by the CFO.
Risk Assessment
Income Statement Example: Salary Expense
What are the relevant assertions for Salary Expense? Existence or occurrence, Completeness, Valuation or allocation, Rights and obligations, Presentation and disclosure.
Occurrence Risk – Did the expense that you put on your books occur? That is, does it represent the exchange of employees’ services for cash or other consideration?
Control – The Controller reviews the payroll supporting documentation (including timecards, the timecard tracking spreadsheet and the approved Time-Off Request Forms for vacation/sick/personal time off) to ensure the completeness and accuracy of the hours entered into the payroll system.
Questions
What has your experience been? Do you see the company focusing on those assertions that are relevant for each significant account, or falling back on process or operational risks?
Review Controls
[Diagram: Entity Level Controls (ELC), Financial Statement Assertions (FSA) and Controls (C) mapped to one another]
Following identification of the relevant assertions and risks to financial statements, determine which controls a company might establish to address those risks.
The guidance says to start with identification and evaluation of the Financial Statement Close process or Entity Level Controls.
Beginning with an inventory of all controls and determining which may address a financial statement assertion is NOT representative of a top-down approach. Starting at the top, evaluating Entity Level Controls, may greatly reduce the overall amount of work required for testing.
Review Controls
Apply precision to Entity Level Controls
This is another key point discussed in the guidance. The company judges what amount would matter to readers of financial statements. “What is the client’s expectation?” Start by determining the thresholds, for example 5% or 3%.
For example: at a high level, the client recognizes that a portion of the audience will not pay, and they’ll choose to maintain that percentage in reserves.
CC Image Courtesy of http://www.flickr.com/photos/danmoyle/
CC Image Courtesy of http://www.flickr.com/photos/daniel-sound/
If this is considered an Entity Level Control, how can precision be applied? Understand the process for coming up with this plan so that it can be quantified and tested. The process must reflect what is actually being done.
With an expectation of +/- 5%: if the control is +/- 5%, okay, precise enough. If the control is +/- 20%, you conclude that it must be more precise. We need to get to the process level to test the control and better estimate what the actual provision should be.
Questions
Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk. True or False?
a) True
b) False
This is why you start with Entity Level Controls. They can reduce the total number of controls and testing required.
Automate the process
Employ a tool to help bring automation, time and cost savings to the entire process.
From my experience, policyIQ is the most cost-effective tool out there for companies to use to manage their content and workflow, which comes in handy for SOX compliance. policyIQ was designed to be intuitive and flexible. The policyIQ support team is top-notch, and will help subscribers implement the system.
-Jason Chiang
Legend of the policyIQ diagram:
S – Significant Account / Disclosure
P – Process Narrative
R – Management Assertion (Risk)
C – Key Control
T – Test
D – Deficiency
W – General Workpaper
R – Report
F – Findings
policyIQ is customizable—you can use it to track the full scope of documentation, manage workflow, and take advantage of the reporting features to more easily see and share your rationalization process. It is a great technology pairing with your fresh look at the risk assessment and the proper application of the top-down, risk-based approach.
Summary
The PCAOB identified these as the root causes of the deficiencies that they observed:
1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;
2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;
3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and
4. Ineffective communication with the firm's information system specialists on the engagement team.
Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or perform procedures. And it seems clear that more testing and more detailed evidence will almost certainly be the impact to companies.
1. Set the tone from the beginning
• Evidence things better
• Establish a more formal and complete policy and procedure manual
• Track the completion of procedural tasks
• Act as liaison between client and audit firms
2. Proper application of the top-down, risk-based approach called for by AS5
With proper application of the AS5 approach, and by acting as a liaison between the company and audit firm, we can offset some of the additional work that will likely be pushed down by the PCAOB through the firms.
The best way to ensure that you are correctly applying the top-down, risk-based approach is to follow the guidance in the Required Recommended Reading list above.
For more information
Jason Chiang: [email protected]
Les Sussman: [email protected]
policyIQ: [email protected]