© 2014 Hein & Associates LLP. All rights reserved.
Internal Control Assessment:
Lessons Learned and the Pain Felt - 2014 Recap
Sonya LaVeau, Managing Director of Internal Audit
December 3, 2014
Recap of 2014
Agenda
• PCAOB- Practice Alert 11
– Common Audit Failures
– Level of Precision
– Old vs. New
– Key Report Testing
• Information Provided by Entity “IPE”
– Definition
– Lessons Learned
– Excel Impact
• COSO 2013 Update
• What’s Next?
• Q&A
New PCAOB Auditing Bar
• Caused audit procedure layering
• More in-depth written description of estimates and use of judgment, especially review controls
• Detailed documentation and testing of system reports utilized in performance of controls.
External Audit Firm: Closing The Books (Findings)
The Firm failed to sufficiently test controls over the period-end financial reporting process. Specifically:
• The Firm selected for testing controls that included the review of journal entries, but the Firm’s procedures did not include testing the effectiveness of the issuer’s review. Specifically, its procedures to test the review aspect of these controls were limited to observing evidence of review and comparing information in journal entries to supporting documentation or the general ledger, without evaluating whether the controls operated at a level of precision that would prevent or detect material misstatements.
Closing the Books (Cont’d.)
The Firm’s tests of controls over the period-end financial reporting process were insufficient. Specifically, although the Firm selected certain review controls for testing this process, the Firm’s procedures to test the controls were limited to observing signatures as evidence of review; verifying that certain actions that constituted a part of the controls had occurred, such as the preparation of monthly reconciliations and reporting packages; and observing some notations made by the reviewers. The Firm, however, failed to perform procedures to determine whether these review controls operated at a level of precision that would prevent or detect material misstatements.
Level of Precision in Plain English?
• How detailed is management’s review of journal entries?
• Document your thought process
– Dollar Threshold
– Percentage of Revenue
– Geographic Location
– Line of Business
– Other Risk Factors
– Timing
Good Isn’t Good Enough
Good v. NEW PCAOB Control Language
Older Language (“OK”)
Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.
Audit: Controller initials and match total $ = DONE!
Better Control Wording
NEW PCAOB Control Language
Older Language (“OK”)
Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.
Updated Control Language (“Better”)
Quarterly, Controller reviews AR balances of significant customers with o/s balances greater than $10k and 5% of AR balance, and those under that threshold by customer type (e.g. geographical location, types of orders, etc.), to review the AR allowance for accuracy and completeness. Adjustments, if needed, are sent via email to the AR manager; the final review of the AR reserve analysis is initialed and dated by the Controller, who agrees it to the final g/l balance for the period.
Entity Level Example of Precision
• Objective of the review
• Level of aggregation
• Consistency of performance
• Correlation to relevant assertions
• Predictability of expectations
• Criteria for investigation
Evaluating Management Review Controls
Capability to Prevent or Detect Potential Material Misstatement – Test of Design
• Control satisfies the corresponding control objective.
• Factors affecting precision of the review, including objective of review and appropriateness of expectations, level of aggregation, and criteria of investigation for identifying potentially material misstatement.
• Steps involved in investigating expectation deviations.
Evaluating MRC Capability to Prevent or Detect Potential Material Misstatement
Test of Design (cont.)
• Persons who perform the control, and the competence and authority of the person.
• Frequency of performance of control – review occurs often enough to prevent or detect misstatements.
• Information used in the review, including whether the review uses system-generated data or reports.
Evaluating MRC Designed to Prevent or Detect Potential Material Misstatement – Test of Operating Effectiveness
• Steps performed to identify and investigate significant deficiencies.
• Conclusion reached in the reviewer’s investigation, including whether potential misstatements were appropriately investigated and whether corrective action was taken if necessary.
• If the control uses system-generated information or reports, the reviewer should document their verification of completeness and accuracy of the data.
Assessing Risk
• Components of significant accounts and disclosures can have different risk:
– Individual revenue categories have different risk if they vary in types of products and services, sales terms, information systems (including revenue processes), or accounting requirements.
– Individual investment securities or categories of securities have different risk if they vary in nature and complexity, level of market activity, or availability of observable market data.
Other items in Practice Alert 11
• Use of the work of others
• Walkthrough observation
• Evaluating identified control deficiencies
PCAOB Standards - Use of the Work of Others
• Extent to which the work of others can be used depends on:
– The associated risk of the control:
• Complexity of the control;
• Significance of judgment made in connection with its
operation; and
• Inherent risk of account or assertion.
– The competence and objectivity of the persons whose
work the auditor plans to use.
Auditor Walkthroughs – PCAOB Observations
• In some situations walkthrough procedures were not adequate:
– Performed inquiry and observation to confirm no significant changes;
– Obtaining an understanding through controls testing and substantive procedures;
– Review of walkthroughs performed by the company not under the direction of the auditing firm.
Evaluating Identified Control Deficiencies
• AS 5 – Severity of control deficiencies depends on:
– Reasonable possibility that the company’s controls would fail to prevent or detect a misstatement of an account balance or disclosure;
– Magnitude of the potential misstatement resulting from the deficiency or deficiencies.
Evaluating Identified Control Deficiencies (cont.)
• Severity DOES NOT depend on whether a misstatement actually occurred, but rather on whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement.
Key Reports
Information Produced by Entity (IPE)
• Different firms = different name
• Typically a report is:
– System generated
– Manually prepared
– Or a combo of both
• Three elements of IPE
– Source Data
– Report Logic
– Report Parameters
Element Descriptions
• Source Data
– The information the IPE is created from
• Report Logic
– Computer code, algorithms, or formulas for transforming, extracting or loading the relevant source data and creating the report.
• Report Parameters
– Allow the user to look at only the information that is of interest to them.
Flowchart of the Three Elements
[Figure: A/R aging example – Report Parameters (enter date range) and Source Data (A/R sub-ledger) feed the Report Logic (A/R aging), which produces the A/R Aging Report (Key Report / IPE)]
The Following Relate to Completeness and Accuracy IPE Risk
• Not all data is captured
• Data is input incorrectly
• Report logic is incorrect
• Report logic or source data could be changed inappropriately or without authorization
• User-entered parameters are entered incorrectly
Key Reports
• Completeness – how does the reviewer know the data is
complete?
• Accuracy – how is accuracy ensured (check figures, tie back to
source document, or formula validation)
• Report parameters
• Segregation of Duties – restricted access within the system
• Valuation assumptions – must document rationale for
assumptions used – reviewer agrees and documents
Key Report Questions:
• How would you know a report is inaccurate?
• When process begins to generate inaccurate and/or
incomplete reports, how would you know?
• Given complexity of reporting processes today, how hard is it
to imagine a report could have an error?
• How many reports go through multiple input points (system
and manual) before the final report is produced?
• How easy is it to relate the final report data to the information
originally input into the system?
Documentation in Excel
• Notate use of a threshold for review
– What is sufficient?
• What other considerations are key?
• How to document Management’s review?
• Every reviewer is different
– Depth of review Manager vs. Controller
Conducting Report Testing
Report testing phases:
• Phase I-Recalculation
• Phase II-Accuracy Testing
• Phase III-Completeness Testing
When Electronic Data is Available
Recalculation - When an electronic version of the report (i.e., the data output from the query that produced the report) is available, automated tools (e.g., Access, Excel, or ACL) can be used to recalculate the entire report very quickly. This gives 100% assurance on the operation of the query analytics.
Accuracy Test of Electronic Data
System Reliance
Accuracy test - focuses on testing whether the query pulled the appropriate data from the database.
For an AR Aging Report, can the auditor independently verify that the data on the report accurately reflects the data in the database?
The population can be tested completely by executing similar queries against the population and comparing the result to the report tested.
Completeness Test of Electronic Data
Completeness Test - Since the step uses the electronic population and is able to achieve testing of 100% of the population, the act of testing accuracy also satisfies the completeness test.
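The three phases above (recalculation, accuracy, completeness) applied to the deck's A/R aging example, as an added Python example that is not part of the presentation: it re-runs the report logic over a constructed sub-ledger with a constructed as-of date parameter and diffs the result against a constructed copy of the delivered report, so a dropped invoice (completeness) and a mis-bucketed one (accuracy) both surface as findings. Customer names, dates, amounts and the bucket boundaries are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed source data: open A/R sub-ledger invoices (customer, invoice date, amount).
SUBLEDGER = [
    ("Acme", date(2014, 12, 10), 12000.0),
    ("Acme", date(2014, 10, 20), 3000.0),
    ("Bolt", date(2014, 8, 1), 8000.0),
    ("Cary", date(2014, 11, 15), 500.0),
]
# Constructed report parameter: the as-of date the reviewer entered.
AS_OF = date(2014, 12, 31)
BUCKETS = ("0-30", "31-60", "61-90", "90+")

# Constructed copy of the delivered A/R aging report (the IPE the Controller reviews).
# It omits Bolt entirely and places Acme's October invoice in the wrong bucket.
REPORT = {
    "Acme": {"0-30": 12000.0, "31-60": 3000.0, "61-90": 0.0, "90+": 0.0},
    "Cary": {"0-30": 0.0, "31-60": 500.0, "61-90": 0.0, "90+": 0.0},
}

def bucket(days):
    """Report logic: map days outstanding to an aging bucket."""
    return "0-30" if days <= 30 else "31-60" if days <= 60 else "61-90" if days <= 90 else "90+"

def recalc_aging(subledger, as_of):
    """Phase I (recalculation): re-run the report logic over 100% of the source data."""
    aging = defaultdict(lambda: dict.fromkeys(BUCKETS, 0.0))
    for customer, invoice_date, amount in subledger:
        aging[customer][bucket((as_of - invoice_date).days)] += amount
    return dict(aging)

def report_total(aging):
    """Key financial total: grand total across all customers and buckets."""
    return sum(sum(row.values()) for row in aging.values())

def compare_to_report(recalc, report):
    """Phases II/III: a full-population diff covers both accuracy and completeness."""
    findings = []
    for customer in sorted(set(recalc) | set(report)):
        if customer not in report:  # in source data but dropped from the report
            findings.append(("missing_from_report", customer))
        elif customer not in recalc:  # on the report but not supported by source data
            findings.append(("not_in_source", customer))
        else:
            for b in BUCKETS:
                if abs(recalc[customer][b] - report[customer].get(b, 0.0)) > 0.005:
                    findings.append(("bucket_mismatch", customer, b))
    return findings
```

Running `compare_to_report(recalc_aging(SUBLEDGER, AS_OF), REPORT)` returns one missing-customer finding and two bucket mismatches, and the grand totals (23,500 recalculated vs. 15,500 reported) disagree by the dropped invoice.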
Electronic Data is Not Available or Cannot be Used
Preferred method - receive the data electronically and execute full testing using automated means; however, there are instances when, due to the complexity of the environment or the state of controls, the electronic data cannot be considered reliable.
Electronic Data is Not Available or Cannot be Used (cont.)
Examples of these instances include:
• Reports are generated from multiple or complex queries from
multiple databases.
• Change controls and security controls are deemed ineffective
for the systems that house the data.
• Change controls and security controls are deemed ineffective
for the systems that process the transactions that feed the
database.
• Process controls governing the business processes that feed
the database are deemed ineffective.
Electronic Data is Not Available or Cannot be Used (cont.)
• Recalculation
– Too large to recalculate everything
– Use risk based / sampling approach
– Key financial totals recalculated
• Accuracy
– Back tracing – report to source documents
• May be required if controls around data input are deemed ineffective.
• Completeness
– Forward tracing – source data to report
IPE Take Away
• Keep completeness and accuracy in mind when utilizing spreadsheets.
• Automation without manipulation is preferred.
• Key reports should be inventoried, assessed, and tested every 3 to 5 years.
• Document how management gets comfortable with data integrity.
COSO 2013
Observations from dozens of accounting fraud investigations:
• Management integrity and tone at the top are obviously critical.
• Think and react critically to internal control environment and risk assessment.
• Scrutinize results that seem extraordinary - think critically about economic substance and whether the results match.
• Understand what the real drivers of the business are and what is important to outside constituents.
• Increase skepticism around period-end activity.
• Increase skepticism around areas involving high levels of management discretion and judgment.
COSO Timeline
Common Gaps Identified
• Principle Gaps
– Fail to meet the standard of one or more principles
• Control Attribute Gaps
– Not meeting one or more of the points of focus
• Control Testing Gaps
– New control added – need to test
• Control Evidence Gaps
– Control is present and functioning – need documentation
evidence
COSO 2013 Components
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring Activities
Articulates Principles of Effective Internal Control
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COSO 2013
• Competency / Succession Planning
• Understanding of duties by process / control owners
• Outside Service Providers (OSP) –
– Obtaining SSAE 16 is not enough
• User considerations
• Exceptions
What’s Next
Stay Tuned
• March 26 – SEC roundtable Cyber Security – Q&A
• July 30 – SEC charges CEO and former CFO with hiding Internal Control Deficiencies and violating SOX requirements
• Nov 18 and 19 – AICPA O&G conference: SEC Rep. stating precedent has now been set
Stay Tuned (cont.)
• Nov 20 and 21 - PCAOB Standing Advisory Group conducting outreach / analyzing information regarding auditor’s approach to detecting material misstatement of F/S due to fraud
• SEC action on AS #18 - Related Party
• Revenue Recognition – Effective 1/1/17
– Inventory of revenue contracts
Internal Control Mantra
Citations
• Protiviti
– PCAOB Flash Report, PCAOB Issues Practice Alert Related to Auditing Revenue, September 16, 2014
• Protiviti
– Testing the Reporting Process - Validating Critical Information
• The D&O Diary
– SEC Files Enforcement Action Over Internal Controls Reporting: A Sign of Things to Come? Kevin M. LaCroix, August 4, 2014
• Norman Marks
– Norman Marks on Governance, Risk Management, and Audit, May 3, 2014
Questions
Sonya LaVeau
Managing Director of Internal Audit
Hein & Associates LLP
303-226-7034