Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect
Smaller public companies were required to comply with the management assertion requirement of Section 404 of the Sarbanes-Oxley Act for their annual report filings for fiscal years ended on or after December 15, 2007. These companies will be subject to the auditor attestation requirement of Section 404 for those annual reports filed for fiscal years ended on or after December 15, 2009. This paper explores considerations for smaller public companies as they prepare for their first auditor attestation of internal control over financial reporting.
Introduction
Many smaller public companies will soon be subject to their first auditor attestation. For those holding out hope that the U.S. Securities and Exchange Commission (SEC) might eliminate, or limit in some way, the attestation requirement for smaller public companies, insights as to the SEC’s likely future actions were suggested in written responses by SEC chairwoman Mary Schapiro to questions she received from Senator Carl Levin during her confirmation process. In her letter to Senator Levin, Ms. Schapiro provided insight into how she will differ from her predecessor, Christopher Cox. With respect to Sarbanes-Oxley compliance, she noted that “it’s time we bring uniformity to the system.” This point virtually assures the markets that the auditor attestation of management’s assertion on the effectiveness of internal control over financial reporting (ICFR) eventually will become a reality for smaller public companies.
Many smaller public companies are already reporting on ICFR. AuditAnalytics.com released a report detailing its analysis of Year Four Sarbanes-Oxley filings. The analysis revealed that for filings through September 10, 2008, the SEC received 3,435 annual reports with an unattested management assertion on the effectiveness of ICFR, i.e., an internal control report was filed by management without an accompanying auditor attestation. Of those management assessments, 1,053 provided an adverse assessment regarding the effectiveness of ICFR, an adverse opinion rate of 30.7 percent. This is significantly higher than the 16.9 percent adverse opinion rate for first-year filings by larger accelerated filers several years ago. The higher percentage suggests that smaller public companies are having more difficulty establishing and maintaining effective ICFR than larger companies.
In the first four years of Sarbanes-Oxley filings to date, the rate of adverse opinions for accelerated filers has declined year-to-year. If nonaccelerated filers were to experience the same trend, a smaller percentage of adverse opinions would occur in future filings. However, an important factor to consider is the potential effect of auditor attestations. The emergence of the additional Sarbanes-Oxley attestation requirement, which is the context for the Public Company Accounting Oversight Board’s (PCAOB) Guidance for Auditors of Smaller Public Companies issued in January 2009, all but changes the dynamics of the assessment of ICFR for smaller public companies. The additional scrutiny of the external auditor directed to a company’s ICFR may impact the rate of adverse opinions for smaller public companies, which have now begun filing their second wave of internal control reports. This paper explores considerations for smaller public companies as they prepare for their first external auditor attestation over ICFR.
The External Auditor’s Role – What You Can Expect
In January 2009, the PCAOB published its final staff guidance on Auditing Standard No. 5 (AS5) – An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies. While AS5 provides direction to auditors on scaling the audit based on the company’s size and complexity, many were of the view that more practical guidance was needed to achieve the goal of reducing the disproportionate cost burden of Section 404 attestation requirements on smaller companies in relation to their larger counterparts. The guidance represents the PCAOB staff’s views on how auditors can apply certain aspects of AS5 to audits of smaller, less complex public companies. It also explains and illustrates how auditors can address some of the particular challenges for performing audits of ICFR in these challenging environments.
Although the PCAOB’s guidance is directed toward the auditing community, there are some key takeaways for management of smaller companies as they prepare for their first external auditor attestation of ICFR.
1. Emphasize tone at the top – The control environment and its impact on behavior and the integrity of financial reporting are important areas to an auditor. Auditors will look for evidence of the tone set by management. The entity’s code of ethics, management’s operating style, clarity of roles and responsibilities, and a strong audit committee are examples of what the auditor will be looking for in this regard.
2. Start at the top when identifying key controls – Understand how entity-level controls can affect the evaluation of controls at the process level. Management can rely on entity-level controls in lieu of process-level controls if the precision of these controls is sufficient in terms of detecting and correcting material errors and omissions. Strong entity-level controls could translate into less work assessing controls at the process level. That, in turn, can translate into less external auditor testing because it can affect the nature, timing and extent of the auditor’s procedures. In addition to the control environment, entity-level controls include controls to monitor results of operations, controls over the period-end financial reporting process and controls to monitor other controls.
3. Focus on risk – Not every risk, and not every control, is created equal. Management should focus on risk throughout the assessment process and modify the evaluation approach with respect to controls’ operating effectiveness according to both the risk of material misstatement and the risk of control failure (collectively referred to as “ICFR risk”). If a matter is significant from an ICFR risk standpoint, then focus on it. If it does not relate to risk, then it is not relevant to management’s assessment under Section 404.
4. Understand the risk of management override – Many smaller companies have a strong leader, which is why they are successful. This leader often has the knowledge and authority to override financial reporting procedures. The auditor knows that management override of established controls can occur more easily in a smaller company than in a larger one. Accordingly, auditors will look for controls that prevent or detect management override and ensure fair and reliable financial reporting. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance specifically for smaller companies, entitled Internal Control over Financial Reporting – Guidance for Smaller Public Companies, that was developed at the SEC’s request to make COSO’s Internal Control – Integrated Framework easier and more cost-effective for smaller companies to apply. In that guidance, COSO points out four things management of smaller companies can do to mitigate the risk of management override:
• Maintain a corporate culture emphasizing high integrity and ethical values.
• Have an effective whistleblower program.
• Leverage an internal audit function to detect instances of wrongdoing and ensure the function has a direct line of reporting to the board of directors or audit committee.
• Have a qualified board of directors and audit committee that take their responsibilities seriously.
Management should anticipate that auditors will consider the above during the audit process.
5. Recognize the impact of having less formal documentation – Documentation is a source of evidence. The form, extent and availability of documentation can affect not only management’s body of evidence to support its assessment, but also can impact the auditor’s testing strategy. It is more challenging to audit the effectiveness of ICFR as an outsider when less documentation is available. This does not mean that management must create volumes of documentation solely for the purpose of providing evidence for the external auditor to review and test. However, management of smaller companies should meet with their auditors early in the process to enable the auditors to develop an effective audit strategy for processes or controls where minimal documentation exists. During those meetings, management may identify relatively minor changes in how controls are executed or evidenced that will limit issues during the testing process.
6. Segregate incompatible duties or identify alternative controls – There are inherent limitations in segregating incompatible functions in companies that have fewer employees. However, management needs to understand the risks associated with a lack of segregation of duties and assess whether there are any alternative controls that achieve the same objective, such as the use of external resources and additional management oversight and review. The COSO guidance gives some practical examples of controls to help reduce the risk when incompatible duties are not segregated:
• Review reports of detailed transactions – managers review system reports of the detailed transactions on a regular and timely basis.
• Review selected transactions – managers select transactions for review of supporting documents.
• Take periodic asset counts – managers periodically conduct counts of physical inventory, equipment or other assets and compare them with the accounting records.
• Check reconciliations – managers from time to time review reconciliations of account balances such as cash, or perform them independently.
Segregation of duties is not an end in itself, but rather a means of mitigating a risk inherent in processing transactions. When assessing ICFR in a company with limited ability to segregate duties, management should consider whether there are other controls that reduce the risk to an acceptable level.
7. Know your information technology controls – Every company relies on technology, at least to some extent, to operate its business and report financial results. Smaller companies with less complex IT infrastructure may have challenges with maintaining general and application controls of computer information systems. To be well-prepared for the auditor attestation, management should be familiar with the PCAOB’s guidance related to how the IT environment impacts the auditor’s risk assessments, selection of controls to test, tests of controls, and other audit procedures. The PCAOB staff discusses the characteristics of a less complex IT environment, how to determine the scope of the evaluation of IT controls (including IT-related risks), controls dependent on IT, and the impact of IT control deficiencies on tests of other controls. Finally, the staff details the various types of IT controls and how they may operate in a smaller company.
8. Anticipate an evaluation of your financial reporting competencies – Smaller companies may have difficulty recruiting and retaining certain competencies in addition to having resource constraints that might prevent them from hiring those same competencies. The auditor is required to evaluate a company’s financial reporting competencies, including evaluating any external resources involved in a smaller company’s financial reporting process. Management will be a step ahead if it has already made the assessment and addressed any gaps.
The bottom line related to the auditor attestation is this: Knowing the rules that the external auditor is required to play by and engaging the auditor early in the process puts management in the best position for success.
Applying 20/20 Hindsight: What We Have Learned So Far
What can be learned from the smaller company management assessments of ICFR that have already taken place? The AuditAnalytics.com report of Year Four Sarbanes-Oxley filings included an analysis of the material weakness disclosures for companies filing an unattested management assertion. That analysis noted the following types of internal control issues that were cited most frequently (listed in order of the highest prevalence):
1. Inadequate accounting documentation and policies
2. Accounting personnel issues
3. Segregation of duties
4. Material and/or numerous auditor year-end adjustments
5. Information technology, software, security and access issues
To dig a little deeper, 849 companies disclosed an issue with accounting documentation and policies, which translates into one in every four companies that filed only a management assertion. In addition, one in every five companies disclosed accounting personnel issues. Recognizing that these issues, as well as others, are ones that smaller, less complex companies have encountered historically, it seems likely that they are not going away anytime soon. Smaller companies will continue to struggle in these areas due to a variety of challenges that make maintaining cost-effective internal control more difficult than at larger companies:
• Lack of resources to achieve adequate segregation of duties
• Limited technical resources to assure controls over data and information systems
• Management’s ability to dominate activities, which increases the opportunity for management to override established controls
• Recruiting and retaining personnel with appropriate experience and skill in accounting and financial reporting matters
Because of these challenges, management of some smaller public companies may conclude that the cost of internal control in certain financial reporting areas may outweigh the benefits of adding resources the company simply cannot afford. If so, such internal control deficiencies, along with management’s rationale for accepting them, must be disclosed. The Section 404 reporting process provides a platform for such disclosures. Following are examples:
• A technology company reported in its 2008 management ICFR assessment: “Due to the Company’s small size and lack of resources and staffing, the Chief Financial Officer is actively involved in the preparation of the financial statements and therefore, cannot provide an independent review and quality assurance function within the accounting and financial reporting group. The limited number of accounting personnel results in an inability to have independent review and approval by the Chief Financial Officer of financial accounting entries. There is a risk that a material misstatement of the financial statements could be caused, or at least not be detected in a timely manner, due to this insufficient segregation of duties.”
• A company that plans, designs, builds and maintains mission-critical facilities reported in its 2007 10-K the following management ICFR assessment: “The following material weaknesses in our internal control over financial reporting were noted at December 31, 2007: (I) we did not have the ability to segregate duties; (II) we lacked the formal documentation of policies and procedures that were in place; (III) we lacked adequate financial personnel; (IV) we lacked general computer controls and adequate procedures involving change management, and; (V) controls are inadequate to reasonably assume compliance with generally accepted accounting principles related to revenue.”
• A construction company reported in its 2007 10-K the following assessment: “Based on our assessment described above, management has concluded that our internal control over financial reporting was not effective during the year ended December 31, 2007. Management has determined that (I) insufficient staffing and supervision resources and (II) inability to detect the inappropriate application of United States GAAP principles are material weaknesses in our internal control over financial reporting.”
“The Company historically has had limited staff and financing. In December 2007, we appointed a new Interim CFO, who is a CPA and has significant experience in accounting operations, auditing, and internal control systems. In the future, we intend to hire additional qualified personnel to allow for adequate separation of duties.”
The above control deficiencies, as reported, resulted in material weaknesses, leading to a conclusion that ICFR is ineffective. Management must decide if these deficiencies should be remediated. If not, management must disclose the rationale why, which almost always will be due to limited staff and resources and a conclusion that it is not economically feasible to add additional staff and resources at the present time. If management is of the view that the deficiencies will be remediated, disclosure of the remediation plan, as illustrated in the third example above, is appropriate. If material weaknesses continue unabated, it is up to shareholders and prospective investors and lenders to assess whether management’s assessment and plan, as disclosed, makes sense given the size and scale of the business or is evidence the company is not willing to pay the price of being a public company.
Preparing for the Attestation Process – Where to Start?
Due to the unique aspects of a smaller public company, there are six key decision points along the Section 404 compliance process that represent areas for aligning management’s assessment approach and the auditor’s attestation process in the early stages.
Why are these decision points so important? It is critical that smaller public companies understand the potential differences in the way the external auditor may approach these decisions as opposed to management. If one lesson has been learned by larger companies in working with external auditors in the Section 404 space, it is this: There is no upside to significant disconnects between the company’s and the auditor’s risk assessments and scoping processes. Although, in theory, the SEC guidance and COSO guidance allow management of smaller companies much more flexibility in exercising judgment during the risk assessment and scoping process, any significant disconnects between management and the auditor on the six decisions cited above will usually drive up costs and present problems if issues should arise. Therefore, management should take the necessary steps to ensure the auditor fully understands the company’s rationale driving the approach and scopes applied during the compliance process.
[Figure: the six key decision points along the Section 404 compliance process, running from START through decisions 1 to 6 to “File Internal Control Report”:]
1. Select significant financial reporting objectives and related accounts
2. Select effectively designed key controls addressing each relevant financial reporting objective
3. Decide documentation standards at different levels of risk
4. Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness of key controls
5. Determine locations and units to include in scope
6. Establish methodology to assess severity of control deficiencies at the conclusion of the evaluation process
The six decisions provide a context for management’s dialogue with the external auditor. The risk of disconnects between management and the auditor increases if any of the following occur:
• The auditor does not obtain an understanding of management’s assessment process.
• Management does not involve the auditor at specific checkpoints, as management applies a top-down, risk-based approach.
• Management does not document the rationale for company decisions when applying the top-down, risk-based approach. (See the commentary inset “The Documentation Dilemma – How Much is Enough?” for further commentary on documentation.)
It is best practice for management to engage the auditor in dialogue throughout the compliance process, particularly during the early stages. The effective and efficient application of the top-down, risk-based approach advocated by both the PCAOB and the SEC makes this communication critical. The external auditor’s application of a top-down, risk-based approach can be greatly augmented by, and reach the highest level of efficiency when, the auditor understands management’s application of that approach.
While obviously important, the determination of materiality is not included in the list of decisions. The assessed level of materiality is implicit in all of the six decisions and is explicitly considered in some of them.
There is another vitally important reason why the six decision points introduced here are so critical. If management and the external auditor can agree on these six decisions, it leaves open the one remaining critical decision – the testing of operating effectiveness. This particular decision is the most natural point of divergence between management and the auditor in their respective evaluations of ICFR. Since management is an insider and the auditor is not, the two parties do not begin at the same point of knowledge when designing the necessary tests of operating effectiveness.
The key point is this: The difference between management and the auditor in their respective approaches to testing operating effectiveness will be much smaller if there is convergence on the six decision points. A well thought-out and repeatable (structured) management assessment process maximizes audit cost-effectiveness. To be repeatable, management must generally document the supporting rationale for its decisions about the key financial reporting objectives and key controls. The good news is that much of this “rationale documentation” is a one-time investment.
Commentary
Learn the Lingo
It’s generally understood that Sarbanes-Oxley is primarily about preventing material misstatements in financial reports through effective internal control. However, if you read different authoritative guidance on the topic, you’ll notice different terms are used when discussing how to scope Sarbanes-Oxley compliance efforts. For example, the PCAOB talks about “assertions,” the SEC refers to “financial reporting risks,” and COSO focuses on “financial reporting objectives.” Why the difference? The PCAOB guidance is directed to financial statement auditors who look to accounting and auditing standards to guide their work. Financial reporting assertions (e.g., completeness, presentation, valuation, etc.) are the language of accountants and auditors. COSO and the SEC have a broader audience and therefore use less accounting-specific terms. The PCAOB sums it up nicely in AS5 when it states the auditor can use assertions different than those listed in the standard as long as “the auditor has selected and tested controls over the pertinent risks in each significant account and disclosure that have a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated.”
Following is a detailed review and discussion of each of the six key decisions and how they apply to the smaller company.
Decision 1: Select significant financial reporting objectives and related accounts
Companies can gain the most efficiency by focusing only on those financial reporting objectives that are material to the financial statements. To do this, start with the company’s financial statements and identify relevant business activity and process objectives that can materially impact the financial statements. This ensures the focus is on those objectives that really matter.
When identifying whether a financial reporting objective is materially relevant under a top-down, risk-based approach, management should consider both quantitative materiality as well as such qualitative factors as the susceptibility of the financial statements and supporting account balances, transactions or other supporting information to a material misstatement. This means that it is not appropriate to consider a financial reporting objective or related account as “high risk” solely on the basis of quantitative factors. The goal is to evaluate the inherent risk of material misstatement, without considering the effective operation of controls. Risk factors relevant to the risk of material misstatement include, among others:
• Size and composition of the underlying account balances or transactions
• Susceptibility to misstatement due to error or fraud
• Volume of activity, complexity and homogeneity of the transactions processed
• Nature of the disclosure or underlying accounts
• Complexities in accounting and reporting
• Exposure to losses, as well as to significant contingent liabilities
• Existence of related-party transactions
As noted above, management should document the rationale for the company’s choices when selecting significant financial reporting objectives and related accounts.
Decision 2: Select effectively designed key controls addressing each relevant financial reporting objective
The top-down approach starts with entity-level controls and progresses to the most important processing controls. This decision is about selecting those controls – and only those controls – that address the most critical financial reporting objectives, and evaluating the effectiveness of their design. This is an important decision because it addresses what accelerated filer experience has shown to be the most significant cost driver of the process – the number of key controls to evaluate and test. If management’s understanding of the control environment is sufficient and that understanding is documented in reasonable detail, then it is more likely that the application of the top-down approach will result in selecting the control set that is the most effective in mitigating financial reporting objective risks.
There are two key areas of focus for this decision point. First, entity-level controls are the starting point for selecting key controls. Second, if additional evidence is necessary to provide reasonable assurance that a financial reporting objective is met, other necessary controls must be identified and evaluated.
The SEC identified three categories of entity-level controls:
1. Controls with an important, but indirect, effect on the likelihood a misstatement will be detected or prevented – many controls in the control environment fall into this category
2. Controls that monitor the effectiveness of other controls, allowing reduction in controls testing
3. Controls designed to operate at a sufficient level of precision to prevent or detect misstatements
The absence of the first category of entity-level controls – the controls having an indirect effect on significant financial reporting elements – increases the risk of control failure. The existence of the second and third categories of entity-level controls reduces the scope of testing process-level controls.
With respect to identifying other key controls after entity-level controls are considered, management should identify the process-level monitoring controls used to manage the important processes affecting financial reporting and determine their level of precision. If a monitoring control operates at an appropriate level of precision to address a financial reporting objective, additional controls may not need to be identified or assessed for that objective.
Decision 3: Decide documentation standards at different levels of risk
Similar to Decision 2, a decision about documentation starts at the entity level. From there, it works down to the process level. Many large companies have extensive documentation to support their more complex and often decentralized operations. For smaller companies, however, extensive documentation may not exist. Smaller companies generally have fewer people working more closely together, and their more frequent interaction results in less reliance on formal policies and procedures to ensure financial reporting objectives are met. That is why inadequate accounting policies and documentation have been the number one cause of material weaknesses for smaller public companies, followed by accounting personnel and segregation of duties issues.
The SEC’s Sarbanes-Oxley Section 404 – A Guide for Small Business states, “In a smaller company with centralized financial reporting, management’s daily involvement with the business may provide it with adequate knowledge to identify the financial reporting risks and related controls.” Smaller companies that are more complex may need to develop additional documentation of major processes within the accounting systems and important control activities to support management’s assertions regarding the effectiveness of internal controls. A new consideration with the introduction of the auditor attestation process is that management’s documentation likely will be used by the auditor to support the auditor’s assessment of the effectiveness of ICFR. Therefore, if management has more ICFR documentation that is available for the auditor to use, audit fees probably would be lower.
The nature and extent of the documentation should be a function of the risk and complexity of the financial reporting objectives and related accounts, as well as the ability to facilitate an understanding of the likely sources of misstatements (i.e., What can go wrong?) and identify the key controls. An overall understanding is needed of the control environment and the flow of major transactions. An adequate understanding of the flow of major transactions and of the control environment at the process level enables management, and the auditor, to properly source the risk of material error or fraud and determine whether the selected key controls are properly designed to mitigate that risk. To achieve that understanding, management can use walkthroughs and discussions with, and involvement of, process owners who are sufficiently knowledgeable about the processes and systems underlying the critical financial reporting accounts and disclosures. However, if company personnel are not sufficiently knowledgeable of the control environment or lack a sufficient fact base supporting their input to the top-down approach, then the company must document the control environment sufficiently to obtain the requisite understanding.
Commentary
The Documentation Dilemma – How Much is Enough?
Many companies have concerns about the time and expense associated with creating documentation for the sole purpose of supporting their assessment of ICFR. Protiviti does not advocate a blanket more-is-better approach to documentation; rather we believe management needs to have enough documentation to ensure the assessment is a repeatable process and to avoid any second-guessing in the fourth quarter when management may be asked by the auditor to justify scoping decisions made months earlier.
When it comes to documentation at smaller companies, there is no cookie-cutter approach. The SEC reinforces this point in its Sarbanes-Oxley Section 404 – A Guide for Small Business when it states, “Management is responsible for maintaining reasonable support for its assessment. The SEC’s guidance doesn’t make this decision for you because we recognize that what’s reasonable will depend on the nature, size, and complexity of each company. It will also vary based on the internal control risk that management has identified.”
In summary, the top-down approach is easier to apply when there is an understanding of the flow of critical processes affecting the significant financial reporting objectives and the interface of such processes with the company’s key systems.
Decision 4: Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness of key controls
This decision relates to understanding whether controls actually work in practice and the type of evidence management must gather to make that determination. Under the SEC’s interpretive guidance for management, ICFR risk is considered when determining the evidence management needs. This determination will impact the nature, extent and timing of tests of controls. ICFR risk has two components:
• The risk of misstatement
• The risk of control failure
These two components drive management’s determination of what to test, who does the testing, when to perform testing and how testing should be done. The higher the risk, the more persuasive the evidence needs to be. The lower the risk, the less persuasive the evidence needs to be. See the figure below for a visual depiction provided by the SEC.
If more persuasive evidence is required, there is a greater need to identify and document controls and to complete objective tests of those controls. If less persuasive evidence is required, management can rely on self-assessment and process-owner supervision. Under a top-down approach, the extent of robust entity-level controls and monitoring plays a strong role in this important assessment.
[Figure: How Much Evidence Do You Need to Establish that Internal Controls Are Effective? A matrix of Risk of Misstatement in Financials (Low, Medium, High) against Risk of Control Failure (Low, Medium, High); the persuasiveness of the evidence required rises with both. Source: The SEC’s Sarbanes-Oxley Section 404 – A Guide for Small Business]
When accelerated filers initially implemented Section 404 compliance, most of the evidence gathered to formulate a conclusion on operating effectiveness was through detailed manual testing. As the compliance process matured, it moved to an increased reliance on self-assessment, entity-level and process-level monitoring, and automated controls, all of which reduced the extent of reliance on detailed manual testing. This transition is illustrated in the schematic below and was accomplished through a well-managed control environment that is more systems-based and preventive in nature. The message is that management must have improved transparency in the performance of the key controls.
One of the keys to applying a top-down, risk-based approach is the evaluation of control failure risk, which should be explicit for each key control. For example, factors that affect the risk of control failure include:
• The nature and materiality of misstatements that the control is intended to prevent or detect
• Whether there is a history of errors
• The effectiveness of entity-level controls, especially controls that monitor other controls
• The complexity of the control, the frequency with which it operates and the degree to which it is dependent on other controls
• Whether the control is people-based or systems-based
• The competence of the personnel performing the control
• Whether there have been significant changes in personnel, processes or systems, or in the volume or nature of transactions processed
Based on this assessment, management might differentiate higher risk, normal risk and lower risk of control failure. The key is to understand the impact of these assessments on testing scope decisions so that management can choose the appropriate way to evaluate the controls’ operating effectiveness.
Management should also be aware that the type and extent of testing performed by the company can impact the extent of testing performed by the external auditor, particularly if the testing is performed by a competent and objective party. If the external auditor reduces audit testing, there will be a corresponding reduction in audit fees. PCAOB Auditing Standard No. 5 requires auditors to consider whether and how to use the work of others. If management is interested in having the external auditor use its testing as audit evidence – which could reduce the amount of auditor testing otherwise required – it needs to understand the principles and rules the auditor intends to apply when making scoping decisions so that management can plan the company’s evaluation approach appropriately. Obviously, this is an area that warrants dialogue with the auditor. The primary criteria for using the work of others continue to be around competence and objectivity. According to the PCAOB:
• “Competence” means the attainment and maintenance of a level of understanding and knowledge that enables personnel to perform ably the assigned tasks.
• “Objectivity” means the ability to perform assigned tasks impartially and with intellectual honesty.
[Figure: Schematic of the transition in how operating-effectiveness evidence is gathered. Axes: Cost, Sustainability, Increased Transparency (label: Optimize Controls). Control characteristics move from Manual, Detective and Ad hoc toward Preventive, Managed and Systems-based. The evidence mix moves from Testing of Manual Controls, through Self-Assessment, Monitoring and Automated Controls Testing, to Self-Assessment, Entity-Level Monitoring, Process-Level Monitoring, Testing of Automated Controls and Testing of Manual Controls.]
Companies interested in the potential efficiencies realized when the auditor relies on management’s testing should talk to their auditors about it sooner rather than later. They also should be familiar with the PCAOB’s criteria around objectivity and competency.
Decision 5: Determine Locations and Units to Include in Scope
When it comes to deciding which locations should be included in the scope of testing, all locations are not created equal. Use ICFR risk when evaluating multilocation scoping decisions. The focus on the degree of ICFR risk suggests the following:
• Business units or locations that contribute significantly to financial results and company operations typically are selected in scope if they include critical processes that impact key financial reporting objectives.
• A location or unit that is not individually important from a financial reporting standpoint may present specific risks that create a reasonable possibility of a material misstatement.
• If management determines that the ICFR risk of the controls at individual locations or business units is low, management may gather evidence through self-assessment routines or other ongoing monitoring activities, combined with the evidence derived from a centralized control that monitors the results of operations at individual locations.
• Entity-level controls also may provide sufficient evidence in certain circumstances. For example, the SEC states: “Management may determine that financial reporting risks are adequately addressed by controls which operate centrally.”
Decision 6: Establish Methodology to Assess Severity of Control Deficiencies at the Conclusion of the Evaluation Process
The primary focus of the ICFR assessment is on identifying material weaknesses, and the process of evaluating deficiencies should incorporate this focus. As discussed earlier, many smaller companies encounter unique challenges when implementing cost-effective ICFR. Therefore, it may be difficult to design cost-effective solutions to address deficiencies due to many factors, including lack of resources to achieve segregation of duties, limited technical resources and the potential for management to override established controls. The existence of these challenges at smaller companies may, by itself, cause some to conclude there is at least a significant deficiency or, at worst, a material weakness. Therefore, it is extremely important not only to consider, but also to document, the rationale for evaluating deficiencies. Furthermore, the evaluation process should assess internal control in its totality, including the impact of entity-level controls, monitoring controls and compensating controls, if any. With respect to the latter point, the SEC states in its interpretive guidance for management, “Compensating controls are controls that serve to accomplish the objective of another control that did not function properly, helping to reduce risk to an acceptable level.” If compensating controls are considered in this regard, management must have evidence that they are operating effectively.
A deficiency must be evaluated in the context of risk. In other words, how likely is it that a misstatement would occur and what is the magnitude of a potential misstatement? However, companies should not use the evaluation process to systematically rationalize away deficiencies. The ultimate test is one of a “reasonable and prudent person” applying his or her judgment based on the facts available. Be prepared for the external auditors to ask tough questions about the results of the company’s deficiency evaluation.
Summary of the Six Decisions
One of the most commonly asked questions about Section 404 compliance relates to the cost of the initial auditor attestation of the effectiveness of ICFR at a smaller public company. The answer is, “It depends.” Many factors come into play, including the nature and complexity of operations and financial reporting, the extent of ICFR documentation, the nature and timing of testing performed by management, as well as the extent of testing documentation.
Following is a brief summary of the six decisions:
Key Section 404 Decision Points – Key Points for Implementing a Top-Down, Risk-Based Approach
1. Select significant financial reporting objectives and related accounts – Use quantitative and qualitative factors to identify only those objectives that are material. Take the time to document rationale – it will save time in the long run.
2. Select effectively designed key controls addressing each relevant objective – Begin top-down, starting with entity-level controls. Take credit for monitoring controls that operate at a sufficient level of precision.
3. Decide documentation standards at different levels of risk – Start at the entity level and work down; documentation is driven by ICFR risk. Management’s documentation will likely be used by the auditor to support their assessment of ICFR.
4. Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness – When determining tests of controls, consider ICFR risk. If the company is interested in the potential efficiencies realized when the auditor relies on management’s testing, talk to the auditor about it sooner rather than later. Be familiar with the PCAOB’s criteria around objectivity and competency.
5. Determine locations and units to include in scope – Use ICFR risk when evaluating multilocation scoping decisions.
6. Establish methodology to assess severity of control deficiencies at the conclusion of the evaluation process – Focus solely on material weaknesses, looking at internal control in its entirety, but be careful not to systematically rationalize away deficiencies.
To reiterate the premise of this paper, if management and the external auditor can agree on these six decisions, life will be easier during the attestation process.
A Simple Approach
We recommend a straightforward, six-step approach that is consistent with COSO’s guidance for smaller companies. This approach will help smaller companies execute a cost-effective Sarbanes-Oxley compliance process that is rightsized for their organization and the level of complexity of their environment. The approach emphasizes focused attention on completing each of the six steps according to recommended time frames (e.g., see the fiscal-year quarters noted in the schematic below). The idea is to help management of smaller companies avoid the year-end fire drills experienced by accelerated filers during their first auditor attestation.
See Exhibit 1 for a more detailed explanation of the activities for each step in this approach and the keys to success.
[Figure: Six-step approach schematic. The steps, their recommended time frames and the activities shown under each:
Plan (Q1): Identify roles and responsibilities; develop project plan and timeline; define reporting requirements; set the tone.
Scope (Q1): Identify financial reporting objectives and related processes and business units; identify key IT applications; complete entity-level control assessment.
Document (Q1/Q2): Document key processes, risks and controls; link entity-level controls to process risks and financial reporting objectives; assess segregation of duties.
Evaluate (Q1/Q2): Evaluate controls design; determine plan to remediate design deficiencies; track remediation efforts.
Test (Q3/Q4*): Test key controls; identify ineffective controls; track remediation efforts to address ineffective controls; retest key controls as necessary.
Assess (Q4/Beyond): Evaluate severity of remaining control deficiencies; evaluate effectiveness of overall control environment; formulate final conclusion; develop report.
Underlying all steps: Ongoing Communication with Management, Process Owners, External Auditors and Audit Committee; The 20 Principles from COSO’s ICFR Guidance for Smaller Public Companies.
* Certain quarterly controls and year-end controls may be tested subsequent to the end of the fiscal year.]
The Keys to Success: Avoid Delay, Become Educated, Be Prepared
There certainly is not a cookie-cutter approach to Sarbanes-Oxley compliance for smaller public companies. Each company’s situation is unique. We suggest that companies become educated about the six decisions and the six-step approach we have outlined herein. What it all boils down to is that the Section 404 compliance process may take a new twist now that the auditors are joining the playing field at smaller public companies. As outsiders, they will have a different perspective from management, which has day-to-day involvement in the running of the company. Companies that are most knowledgeable about the authoritative guidance and that understand their options are best positioned to increase the cost-effectiveness of their compliance process while minimizing surprises resulting from “too many cooks in the kitchen.” A focus on the six decisions and the six-step approach will help ensure a successful outcome to the process. In closing, we recommend the following:
• Don’t delay. Engage your external auditor in substantive discussion about the six key decision points.
• Educate yourself and insist that your evaluation team (including your internal auditors) do likewise. For example, ask your evaluation team to understand the SEC interpretive guidance for management as well as the PCAOB’s An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies. Knowledge is power.
• Apply a well thought-out and repeatable, top-down, risk-based approach. Protiviti can help with this, using the six-step approach.
• Don’t do more than what you have to do. Compliance with Section 404 requires the exercise of considerable judgment, which can lead the evaluation team to do more work than necessary if the thought process for rationalizing the scope of work is not top-down and risk-based.
• Focus on risk throughout the process. A risk-based approach maximizes the cost-effectiveness of the Section 404 process.
• Look at how you manage and monitor your business and give yourself credit for what you do. Reliance on effective monitoring can reduce the extent of reliance on detailed manual testing.
• Learn from others’ mistakes. Take a close look at your controls by carefully considering the top weaknesses identified by smaller companies in Year Four of Sarbanes-Oxley compliance. These areas of weakness are prime targets for auditors.
• Don’t forget to focus on the risk of fraud and management override. It will help you manage the audit process.
• Exploit identified deficiencies by turning them into process and control improvements. Timely remediation of deficiencies reduces the risk of a material weakness.
• Finally, be prepared to:
- Challenge the status quo.
- Proactively engage in a dialogue with the external auditor.
- Answer questions your audit committee may ask about the dynamics of having your external auditor evaluating your ICFR.
Remember that time is of the essence. Start now if you want to ensure you are prepared for your first auditor attestation of the effectiveness of ICFR.
Exhibit 1 – Six-Step Approach
Each step is listed with its Key Activities and its Keys to Success.

Plan
Key Activities:
• Identify project sponsor and team members and define roles, responsibilities and resources.
• Develop project plan, approach and reporting requirements.
• Establish tone and importance of the project.
Keys to Success:
• Start early.
• Ensure ownership and commitment by management and process owners (i.e., treating Sarbanes-Oxley commitment to reliable reporting as an ongoing process and a “way of life”).
• Think risk throughout the planning process.

Scope
Key Activities:
• Identify/prioritize key financial reporting objectives.
• Identify key IT systems and applications affecting financial reporting as well as their interfaces.
• Identify process owners and communicate their Sarbanes-Oxley-related responsibilities.
• Define documentation standards.
• Identify key financial reporting risks (including fraud).
• Complete entity-level control assessment.
Keys to Success:
• Entity-level controls are a critical component, not an afterthought.
• Link entity-level controls directly to the specific risks to which they relate.
• Leverage operational reporting (KPIs) already utilized to manage the business as part of management’s monitoring controls.

Document
Key Activities:
• Document targeted processes, including risks and controls.
• Link entity-level controls to key financial reporting risks.
• Determine key controls in each process.
• Identify key spreadsheets and reports.
Keys to Success:
• Minimize overdocumentation and testing by using risk-based scoping.
• Emphasize appropriate controls and use of key reports and spreadsheets in key processes.
• Integrate assessment of IT systems’ impact on the selection of key controls.
• Don’t do more than what you have to do to comply with Section 404.

Evaluate
Key Activities:
• Evaluate user access and segregation of duties, linking unavoidable conflicts to key controls.
• Evaluate control design effectiveness.
• Prioritize control gaps for remediation and identify responsible owners.
• Track remediation efforts and establish accountability with senior management.
• Revise documentation based on remediation efforts as necessary.
Keys to Success:
• Standardize processes across business units and centralize common activities.
• Take a cost versus benefit approach about what’s reasonable to document during controls operation.
• Direct attention to improving the operational efficiency and effectiveness of upstream financial reporting processes.

Test
Key Activities:
• Document test plans and strategy relative to both components of ICFR risk.
• Test operating effectiveness of key controls.
• Identify control operating effectiveness issues and design remediation for significant issues.
• Track management remediation efforts.
• Re-test all control gaps as necessary based on testing strategy.
Keys to Success:
• Increase reliance on entity-level and process-level monitoring controls to reduce transaction testing.
• Evaluate use of comprehensive testing techniques, such as data mining, to minimize test efforts and provide value-added insight beyond sample-based testing.

Assess
Key Activities:
• Formulate final conclusions on individual controls.
• Provide final documentation and test results to external auditors.
• Formulate final conclusion on overall control environment.
• Plan and formulate public disclosures.
Keys to Success:
• Modify the evaluation approach according to ICFR risk.
• A deficiency only matters if it could result in a material weakness.
About Protiviti Inc.
Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti’s highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
Internal Audit and Financial Controls Solutions
We work with audit executives, management and audit committees at companies of virtually any size, public or private, to assist them with their internal audit activities. This can include starting and running the activity for them on a fully outsourced basis or working with an existing internal audit function to supplement their team when they lack adequate staff or skills. Protiviti professionals have assisted hundreds of companies in establishing first-year Sarbanes-Oxley compliance programs as well as ongoing compliance. We help organizations transition to a process-based approach for financial control compliance, identifying effective ways to appropriately reduce effort through better risk assessment, scoping and use of technology, thus reducing the cost of compliance. Reporting directly to the board, audit committee or management, as desired, we have completed hundreds of discrete, focused financial and internal control reviews and control investigations, either as part of a formal internal audit activity or apart from it.
One of the key features about Protiviti is that we are not an audit/accounting firm, thus there is never an independence issue in the work we do for clients. Protiviti is able to use all of our consultants to work on internal audit projects – this allows us at any time to bring in our best experts in various functional and process areas. In addition, Protiviti can conduct an independent review of a company’s internal audit function – such a review is called for every five years under standards from The Institute of Internal Auditors.
Among the services we provide are:
– Internal Audit Outsourcing and Co-Sourcing
– Financial Control and Sarbanes-Oxley Compliance
– Internal Audit Quality Assurance Reviews
Contacts:
– Atlanta: Bonnie-Jeanne Gerety, +1.404.926.4359, bonniejeanne.gerety@protiviti.com
– Chicago: David Brand, +1.312.476.6401, david.brand@protiviti.com
– Dallas: Clint McPherson, +1.469.374.2438, clint.mcpherson@protiviti.com
– Houston: Jim DeLoach, +1.713.314.4981, jim.deloach@protiviti.com
– New York: Frederick Magliozzi, +1.212.603.8363, frederick.magliozzi@protiviti.com
– Philadelphia: John Riesch, +1.267.256.8822, john.riesch@protiviti.com
– Phoenix: Ignacio Martinez, +1.602.273.8021, ignacio.martinez@protiviti.com
– San Francisco: Robert B. Hirth Jr., +1.415.402.3621, robert.hirth@protiviti.com
– Silicon Valley/Santa Clara: Paresh Raghani, +1.408.808.3223, paresh.raghani@protiviti.com