Welcome to the January 2010 edition of the Sarbanes
Oxley Compliance Professionals Association (SOXCPA)
newsletter
Dear Members,
I wanted to take a moment to extend my best wishes for a safe, prosperous
and blessed year to all.
I do hope that you will transform the difficulties around
into opportunities.
Today we will discuss one important report
about the implementation of Auditing Standard No. 5
from the Public Company Accounting Oversight Board (PCAOB).
The PCAOB Release No. 2009-006
REPORT ON THE FIRST-YEAR IMPLEMENTATION OF AUDITING STANDARD NO. 5
This report describes the most common or noteworthy
observations that were derived from inspections
conducted during 2008 regarding registered audit
firms' first year implementation of the Board's
standard governing integrated audits,
Auditing
Standard No. 5, An Audit of Internal Control Over
Financial Reporting That Is Integrated with An Audit
of Financial Statements ("AS No. 5").
Background
On June 12, 2007, the Public Company Accounting
Oversight Board ("PCAOB" or "the Board") adopted AS No.
5 as part of the Board's plan to improve
implementation of the provisions of the Sarbanes-Oxley
Act of 2002 ("the Act") relating to audits of
internal control over financial reporting ("ICFR").
The Board had four basic objectives in issuing AS No. 5:
• Focusing auditors on the most important matters in the
audit of ICFR,
• Eliminating unnecessary audit procedures,
• Making the audit scalable to the size and complexity
of the business, and
• Simplifying the text of the predecessor standard on
audits of ICFR.
AS No. 5 became effective for audits for fiscal years
ended on or after November 15, 2007.
The PCAOB's 2008 inspections of the eight largest
domestic annually inspected registered public
accounting firms
[Specifically, BDO Seidman, LLP; Crowe Horwath LLP;
Deloitte & Touche LLP; Ernst & Young LLP; Grant
Thornton LLP; KPMG LLP; McGladrey & Pullen, LLP; and
PricewaterhouseCoopers LLP]
included the
review of over 250 audits of ICFR that the firms had
conducted during 2007 and 2008.
Those years were,
for auditors and preparers of financial statements, a
period of learning and transition, as auditors
responded to the issuance of AS No. 5 and preparers of
financial statements received guidance from the
Securities and Exchange Commission to facilitate their
assessment of ICFR.
The 2008 inspections of ICFR audits were focused on
whether auditors were effectively transitioning to AS
No. 5. Accordingly, the
2008 inspections process included several procedures
designed to monitor and improve the quality of the
firms'
implementation of AS No. 5.
During inspection
fieldwork, the inspections staff
reviewed aspects of the firms' application of AS No. 5
to selected integrated audits.
As described
below, the inspectors selected several significant
aspects of AS No. 5, and considered whether, in the
engagements reviewed, the auditors had applied those
aspects appropriately in the process they used to
reach their conclusions.
The inspections
were not designed to evaluate the design or
effectiveness of the issuers' controls or to draw
conclusions regarding the quality of managements'
assessments of those controls.
Engagements were selected without regard to whether
the ICFR audits resulted in adverse or unqualified
opinions and without regard to the number or extent of
internal control deficiencies identified by the
engagement team during the audit.
During the
fieldwork, the inspection teams communicated to the
specific engagement teams whether the inspectors had
observed that the teams had implemented effectively
the aspects of AS No. 5 that had been reviewed, or
whether, and in what respects, their implementation
needed improvement.
Inspections
leadership summarized the observations for each firm
and discussed them with the firm's leadership
periodically.
Observations on the First-Year Implementation of AS
No. 5
In order to comply with the provisions of AS No. 5,
the auditor should use a "top down" approach to the
audit of ICFR to select the controls to test.
This approach
begins with understanding the
overall risks to internal control over financial
reporting, including the risk of fraud.
The auditor then focuses on
identifying entity-level controls, and then moves to
identifying significant accounts and disclosures
and their relevant assertions, understanding likely
sources of misstatement, and selecting controls to
test.
Risk assessment underlies the entire AS No. 5 audit
process, including the identification of significant
accounts and disclosures and relevant assertions, the
selection of controls to test, and the determination
of the audit evidence necessary for a
given control.
The auditor should
focus more of his or her attention on the areas of
highest risk.
Also, in planning
and performing the audit of ICFR, the auditor should
evaluate the extent to which he or she will use the
work of others.
In light of these concepts, the inspectors' review of
the firms' implementation of AS No. 5 focused on the
following areas:
• Risk Assessment,
• Risk of Fraud,
• Using the Work of Others,
• Entity-Level Controls,
• Nature, Timing, and Extent of Controls Testing, and
• Evaluating and Communicating Deficiencies.
The inspectors' most common or noteworthy
observations, including descriptions of certain of the
instances in which the inspectors observed that the
auditors' transition to AS No. 5 was particularly
effective or where it was less than effective, are
described below.
The inspectors'
observations varied both across and within the firms.
In each of the
areas that inspectors reviewed, inspectors observed
instances of
inappropriate application of the standard.
In general, the
areas where inappropriate application was most
frequently observed were risk assessment, the
evaluation of entity-level controls, and the nature,
timing, and extent of the controls testing.
Although the
observations described in this report were derived
from the performance of various engagement teams at
certain firms – who constitute a subset of the
auditors who performed integrated audits in 2007 and
early 2008 – the Board believes that the observations
described in this report can benefit auditors
generally, whether they are experienced in performing
integrated audits or are performing their first such
audits.
Risk Assessment
In the selected areas of the engagements reviewed,
the
inspectors evaluated whether auditors adequately
assessed risk, including when determining significant
accounts and disclosures and relevant assertions,
selecting controls to test, and
determining the extent of audit evidence necessary for
a given control.
In the majority of
engagements reviewed, the inspectors did not identify
deficiencies in the auditors' assessment of risk.
In some instances,
the inspectors observed that the
auditors appropriately modified the nature, timing,
and extent of their tests of controls where they had
assessed the related risk as lower.
The inspectors, however, observed other instances
where the auditors failed to adequately assess risk in
certain relevant aspects of the audit.
These instances
included the failure to
(i) identify
certain components of an account or certain locations
in a multi-location environment that presented
different risks of material misstatement of the
financial statements than other components of the same
account or other locations, respectively,
(ii) evaluate both
the qualitative and quantitative factors when
determining whether to perform tests of controls at a
location,
(iii) identify all
relevant assertions, and
(iv) consider the effects of control deficiencies
identified during the audit (including deficiencies in
pervasive controls such as information technology
general controls) on the risk assessment.
Risk of Fraud
In the selected areas of the engagements reviewed,
inspectors evaluated whether the auditors applied
their considerations of the risk of fraud throughout
the audit, identified controls that addressed the
assessed risk of fraud, and adequately evaluated the
control environment and the period-end financial
reporting process.
In the majority of
engagements reviewed, the inspectors did not identify
noteworthy deficiencies in the auditors' assessments
of fraud risks and their consideration of the results
of those assessments when performing the audit of ICFR.
Inspectors
observed certain instances in which auditors were
particularly effective in identifying and testing
companies' controls that address fraud risk, including
the risk of management override.
For example, inspectors observed instances where
auditors focused more of their attention on audit
areas or locations that they had assessed as more
susceptible to material misstatement due to fraud, or
where auditors had involved firm personnel with
special skills and knowledge regarding fraud to assist
them in their fraud risk assessment and controls
evaluation.
There were instances, however, where the nature,
timing, and extent of auditors' tests of controls were
not sufficiently responsive to an identified fraud
risk because auditors either failed to alter the
extent of testing in areas of greater risk, or they
failed to identify and test compensating controls when
the controls identified and tested did not completely
address the identified risk.
The inspectors
also observed instances where auditors either did not
evaluate all the relevant processes of the company's
period-end financial reporting process or did not
appropriately test the design or operating
effectiveness of controls to address the risk of
management override.
Using the Work of Others
AS No. 5 provides that the auditor may use the work of
others to reduce his or her own work, but the extent
to which the auditor does so should depend on the risk
associated with the controls being tested, as well as
on the
competence and objectivity
of the individuals performing the work.
In the selected
areas of the engagements reviewed, the inspectors
observed that auditors generally used the work of
others in a
manner that was related to their assessments of the
degree of risk associated with the controls being
tested, particularly in lower-risk areas.
Similarly, the
auditors' use of the work of others in the majority of
instances reviewed was consistent with the auditors'
assessment of the competence and objectivity of those
individuals.
The inspectors
observed certain instances where, consistent with AS
No. 5, the auditors used the work of company personnel
other than internal auditors, when they determined
that those performing the work on behalf of management
were sufficiently competent and objective.
The inspectors also identified several instances that
presented further opportunities for the auditors to
use the work of others when the assessed level of risk
was lower, including when testing certain system
reports and application controls.
The inspectors
observed other instances, though, where the extent of
the auditor's use of the work of others to reduce the
auditor's own work was greater than was appropriate
under AS No. 5 considering the level of risk
associated with the control being tested (e.g., in the
area of controls over journal entries, which generally
would be considered higher risk because of the risk of
management override or other risk of fraud).
In certain instances, the auditors performed few or no
procedures to assess the competence of the others
relative to the task being performed, or they did not
adequately assess the objectivity of the others,
particularly where the work was performed by company
personnel other than internal auditors.
In addition, the
inspectors observed numerous instances where the
extent of the auditors' retesting of the work of
others was seemingly unrelated to the risks involved
(e.g., a uniform approach to retesting of 20 percent
of the controls tested).
Entity-Level Controls
The auditor's evaluation of entity-level controls is
important to the auditor's ability to appropriately
tailor the audit by identifying and testing the most
important controls and, when appropriate, reducing the
testing of controls at the process level.
The standard
requires the auditor to test those entity-level
controls that are important to the auditor's
conclusion about whether the company has effective
ICFR.
In the selected
areas of the engagements reviewed, the inspectors
observed significant variance in the effectiveness of
the auditors' efforts to identify and test
entity-level controls and to use the results of those
tests to tailor the audit.
In certain of the
engagements reviewed, the auditors were effective in
identifying and testing entity-level controls that
appeared to be designed and operating at a level of
precision sufficient to prevent or detect on a timely
basis misstatements to one or more relevant
assertions, which the auditors determined either
eliminated or reduced the need to test additional
controls related to those assertions.
In certain other situations, however,
the inspectors
observed that the auditors' work in the area could
have been more effective.
For example, in some
instances, auditors did not evaluate entity-level
controls beyond those associated with the control
environment and the period-end financial reporting
process.
(Inspectors were
told in certain cases that the auditors did not
evaluate other entity-level controls because the
issuer had not done so.)
Some auditors
identified entity-level controls that appeared to be
designed to operate with a high degree of precision,
but failed to obtain sufficient audit evidence of
their operating effectiveness.
There also were
instances where the auditors identified and tested
entity-level controls and found them to be designed
and
operating with a high degree of precision, but did not
alter their tests of process-level controls in
response to that assessment.
There also were
situations where auditors inappropriately reduced
their testing of process-level controls based on
reliance on entity-level controls.
In certain of
these instances, the auditors failed to consider the
precision with which the entity-level control
addressed a relevant financial statement assertion.
In other
instances, the auditors determined that the
entity-level control was not operating at a level of
precision sufficient to address the risk related to a
relevant financial statement assertion, yet they
nonetheless reduced the testing of the process-level
controls for the relevant assertion.
Nature, Timing, and Extent of
Controls Testing
The auditor should select controls for testing that
are important to the auditor's conclusion about
whether the issuer's controls sufficiently address the
assessed risk of misstatement to each relevant
assertion.
The amount of audit evidence necessary to persuade the auditor that
a control is operating effectively depends upon the
risk associated with the control.
In the selected
areas of the engagements reviewed, the inspectors
evaluated whether the auditors focused their testing
on important controls, determined the amount and type
of evidence necessary based on the risk associated
with those controls, and designed and executed
appropriate control tests to obtain assurance that the
controls operated effectively.
In the
majority of
engagements reviewed, the inspectors did not identify
deficiencies in these areas.
The inspectors
noted that, in some engagements, the auditors used
prior years' knowledge, consistent with AS No. 5 when
determining the nature, timing, and extent of tests of
controls for the current year.
Opportunities for improvement also were observed.
For example, in
certain cases, the auditors did not consider the
assessed level of risk when selecting controls to be
tested, or the controls selected were not designed to
address the risk of misstatement to the relevant assertion(s).
The inspectors
also observed situations where auditors failed to test
a relevant control appropriately or, in some cases, at
all.
For example, inspectors observed instances where the
auditors' testing of controls over financially
significant applications was dependent on appropriate
segregation of duties, but the auditors did not test
to determine whether appropriate segregation of duties
existed.
Similarly, in some
instances, the auditors tested certain controls
without testing the system-generated data on which the
tested controls depended; the auditors did not test
controls over applications that processed financially
significant transactions,
including important manual spreadsheets; or the
auditors observed evidence of review and approval
controls (e.g. management sign-off evidencing review
and approval) without testing the design or operating
effectiveness of management's controls.
In some instances,
the auditors did not obtain service auditors' reports
related to controls at outside service organizations,
or the auditors failed to perform procedures related
to the necessary user controls identified in the
service auditors' reports.
Inspectors also observed instances where the evidence
gathered by the auditor was insufficient to support a
conclusion that the controls were operating
effectively, yet the audit team relied on the supposed
effectiveness of those controls to reduce the
scope of other audit procedures.
For example,
inspectors noted instances where the operating
effectiveness of higher-risk controls was tested
solely through inquiry and observation, which are
tests that ordinarily produce less audit evidence than
other tests, such as inspection of relevant
documentation or re-performance of a control.
In other
instances, auditors did not test the completeness of
the population from which items were selected for
testing. Inspectors also observed instances where the
extent of audit procedures was similar for both lower-
and higher-risk controls.
Evaluation of Deficiencies
The auditor must evaluate the severity of each control
deficiency that comes to his or her attention to
determine whether the deficiencies individually, or in
combination, are material weaknesses as of the date of
management's assessment.
The severity of a
control deficiency depends on whether there is a
reasonable possibility that a company's controls will
fail to prevent or detect a misstatement and the
magnitude of the potential misstatement.
AS No. 5 includes
examples of risk factors that could affect the
possibility that a company's controls would fail to
prevent or detect a misstatement.
Also, in evaluating whether control deficiencies are a
material weakness, the auditor should evaluate the
effect of compensating controls, including whether
they operate at a level of precision that would
prevent or detect a misstatement that could be
material.
In the selected areas of the engagements reviewed,
inspectors found that auditors generally considered
both applicable quantitative and qualitative factors
when assessing the severity of control deficiencies.
Similarly, in
those areas of the engagements reviewed, inspectors
observed that when the auditors considered
compensating controls to have a mitigating effect, the
auditors had generally identified compensating
controls that appeared to operate at a level of
precision to prevent or detect a misstatement that
could be material, and had tested the controls
sufficiently.
Inspectors observed instances where
auditors
appropriately modified the nature, timing, and extent
of their audit procedures in response to having
determined that certain controls were ineffective.
Inspectors observed other instances, however, where
auditors inappropriately based their conclusions about
the severity of control deficiencies solely on the
materiality of the identified errors in the financial
statements.
Also, some
auditors failed to consider relevant risk factors when
evaluating the severity of identified control
deficiencies.
In addition, there
were instances where the auditors did not consider
whether certain control deficiencies identified
through using the work of others, in combination with
other identified control deficiencies, constituted a
material weakness in
controls.
In certain
instances, the compensating controls that the auditors
identified and tested were not sufficiently precise or
did not operate effectively to mitigate the risks
associated with the identified deficiencies.
In addition, the
inspectors observed that certain auditors' required
communications of identified control deficiencies to
management or the audit committee were incomplete.
In addition, in an integrated audit, the auditor is
required to evaluate the effect of the findings of the
substantive procedures on the auditors' conclusions
about the effectiveness of ICFR.
In some instances,
the inspectors observed that auditors did not consider
the possible effects of detected errors in the
financial statements on the effectiveness of controls.
Breaking News
The Wall Street Reform and Consumer Protection Act of 2009
was approved by a vote of 223-202 by the House.
The legislation includes the creation of a
Consumer Financial Protection Agency whose
task is protecting consumers from abusive financial
products and services.
The bill now goes to the Senate.
According to Treasury Secretary Timothy Geithner,
“Comprehensive reform must establish clear rules of
the road with strong enforcement for our nation’s
financial institutions and markets; end loopholes that
allowed big Wall Street firms to escape supervision;
make it clear that no firm is ‘too big to fail;’ and
provide strong consumer and investor protections for
American families.”
The legislation creates a Financial Stability Council to
identify financial firms that could put the entire
financial system at risk.
Systemically risky firms
will feel the heat of the bill.
A major difference from an earlier version of the
bill:
The council would NOT be able to suspend or modify
accounting standards.
Dear member,
Write in your CV, resume, websites etc. that
you are a member of the Sarbanes Oxley Compliance Professionals
Association.
Take advantage of
the distance learning and online certification program of our
Association - at a cost that is unheard of. www.sarbanes-oxley-association.com/Distance_Learning_and_Certification.htm
Best Regards,
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@sarbanes-oxley-association.com
Web: www.sarbanes-oxley-association.com