Financial Reporting
April 2004

Compliance with Section 404 of the Sarbanes-Oxley Act: A Company Management’s Perspective

Contents:
Introduction ... 1
Management’s Report ... 2
Management’s Project to Comply with Section 404 Requirements ... 3
Required Management Representations to the Independent Auditor ... 4
The Scope of the Company’s “Controls Over Financial Reporting” ... 6
Documenting Controls Over Financial Reporting ... 8
Management’s Required Assessment of Controls ... 10
Documenting the Control Environment ... 11
Information Technology General Controls ... 11
Extent and Timing of Management Testing ... 12
Managing the Compliance Costs ... 17
Concluding Remarks ... 17
Important References and Company Resources ... 17
Glossary - The Definition of Key Terms ... 18
APPENDIX ... 19

Introduction

The upcoming requirement for public companies, going forward, to report on the effectiveness of their internal control over financial reporting (terms in bold are defined in the Glossary accompanying this communication), and for auditors to report on that assertion and on the effectiveness of internal controls, has raised a lot of questions, such as:
• How do I assess my controls?
• Do I need assistance, or can I do this project internally?
• What can my independent auditor do to help me in this process?
• How much should I document and test?
• How do I make the critical distinctions between control deficiencies, significant deficiencies, and material weaknesses?
• What are my reporting requirements?

The list of questions continues to grow as companies document, assess, and test their controls. As this is the first year of implementing this new requirement, there are both “knowns” and “unknowns,” but the implementation date is approaching, and companies and auditors will need to move forward on a best efforts basis, even in the absence of specific answers to all the questions.

This communication focuses on Section 404 of the Sarbanes-Oxley Act of 2002 (“the Act”) from management’s perspective. It summarizes our current understanding of what the SEC and auditors are likely to expect of companies. This communication should not be used in lieu of reading Section 404 of the Act, the related SEC rules, and the PCAOB Auditing Standard. Future clarifications or modifications and changes to the SEC rules and PCAOB Auditing Standard may supersede guidance or requirements provided here.
BDO Seidman, LLP noted in our comments on the PCAOB Exposure Draft on auditing internal controls that more guidance is needed to assist companies in defining their responsibilities under the Act. To date, such additional guidance has not been forthcoming. Neither the independent auditor nor the PCAOB can interpret management’s responsibilities under the Act. This needs to come from the SEC. Issuance of PCAOB Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, on March 9, 2004, which is subject to SEC approval before it becomes effective, provides some insight into what auditors are likely to “expect” regarding management’s documentation and testing of controls, and thus indirectly creates guidance for management.

This Financial Reporting Letter is based on highlights of existing requirements noted in the Act, SEC rulemaking to date and Auditing Standard No. 2. The PCAOB has formed a Working Party to help identify the myriad of company and auditor issues that arise in the implementation process. Once the Standard becomes effective, the PCAOB may disseminate interpretive guidance on those issues that have been identified. At this time we are not aware of any project of the SEC underway to develop specific implementation guidance for companies. Careful attention to subsequent guidance on company and auditor requirements will be necessary as this new requirement for management and the auditor is implemented.

The process that will take place over the next several months regarding Auditing Standard No. 2 includes the posting of the Standard by the SEC for an exposure period (occurred on April 12). At the conclusion of the exposure period, the Standard, if approved, will be published in the Federal Register. Once published, the Standard will be effective. Implementation guidance should follow the approval by the SEC of the final Standard, and thus may not be available until this summer. We believe there will be a need for clarifying and implementation guidance throughout 2004 and 2005, as more practical issues are identified.

Management’s Report

Top management of public companies (issuers) subject to the Section 404 requirements will be required to include in their annual reports an assessment of the effectiveness of the company’s internal control over financial reporting. This assessment is made “as of” the balance sheet date. If a material weakness is identified as existing at the balance sheet date, it must be disclosed in management’s report. Management cannot conclude that the company’s internal controls over financial reporting are effective in the presence of one or more material weaknesses.

The format of the report is flexible, in order to permit the most meaningful and relevant reporting for each company, but the following elements are required (see Item 308(a) of Regulation S-B and S-K):
• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting;
• A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting;
• An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective; and
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.

If material weaknesses are discovered prior to the “as of” reporting date, and there is sufficient time for the company to remediate them, they need not be reported as of year-end. However, the company has quarterly certifications it must make to the SEC under Section 302 of the Act, and such identified material weaknesses, even if corrected, need to be reported as a change in controls during the quarter.

If a subsidiary’s financial statements cover a different fiscal period than the consolidated entity, required subsequent events procedures relating to that subsidiary might reveal a material weakness existing at the “as of” reporting date. In such cases, we believe the weakness should be included in the consolidated management assessment for that year.

Significant deficiencies do not need to be publicly reported, but should be evaluated to assess whether, in the aggregate, the identified significant deficiencies constitute a material weakness. The definition of significant deficiency in PCAOB Standard No. 2 sets a

COPYRIGHT 2004, BDO SEIDMAN, LLP
threshold that is very low, so many of the deficiencies identified during the testing of controls, absent effective compensating controls to achieve that control objective and related assertion, may rise to the level of a significant deficiency. Note that normal management oversight, and the application of broad analytical procedures such as comparisons to budgeted amounts, are not generally considered adequate compensating controls. If a large number of significant deficiencies are identified, management may conclude that, in the aggregate, they constitute a material weakness.

The identification of a material adjustment to the financial statements of any sort by the auditor as a result of performing the audit of the financial statements is a strong indicator of the existence of a material weakness in company internal controls.

In addition to the required elements of communication, management may wish to communicate additional information in its report. Such information might include disclosures concerning remediated deficiencies, plans regarding new controls, and cost-benefit statements regarding controls (e.g., statements that remediation costs would exceed the benefits of an effective control in a particular circumstance). If management chooses to make such disclosures, the auditor is required to disclaim an opinion on this additional information.

What are the Implications of Reporting that a Material Weakness Exists?

It is only conjecture how many companies will ultimately issue reports indicating one or more material weaknesses. Even after remediation of currently known deficiencies and weaknesses, some estimate that between 10 and 20 percent of large established entities will still report the existence of material weaknesses. Some estimates are much higher for the first-time reporting of internal control effectiveness by smaller companies. In small start-up businesses, the rate may be much higher, as effective segregation of duties and the implementation of a formal controls system may be impractical to achieve.

It is not clear how the financial markets will react to reports of ineffective controls. The market generally dislikes “surprises,” like earnings surprises. Conjecture is that larger, more established companies are expected to have more effective controls. If so, reported weaknesses by larger companies may be perceived more severely than those of smaller ones. Only time will tell. This issue will likely be the focus of academic research as companies report under the requirements of the Act.

Even if a company reports a material weakness, if it takes prompt action to correct it, there need be no long-range effect on the perceptions of the company, as remediation will indicate a stronger control environment. Over time, it is likely that fewer companies will be reporting weaknesses and thus those that do report them will stand out.

Management’s Project to Comply with Section 404 Requirements

Management may choose to self-manage its required documentation and testing or hire advisors or consultants to assist it in that process. However, the company’s independent auditors or members of their firm are precluded from serving in any role that could compromise the audit firm’s independence in performing their required assessments and procedures. Any permitted internal control related service the independent auditor is engaged to perform must be specifically pre-approved by the audit committee.

It is currently believed that employees of the independent audit firm may be engaged to function as a “scribe” in the documentation of management controls, clearly working under the direct supervision of management. However, such employees should not be involved in any way in directing the documentation efforts or directing which controls are documented, or be involved in management’s testing of the controls. To date, many boards of directors and audit committees have hired third party consultants so that independence questions will not arise.

Overview of a Typical Project Plan

A typical company project plan comprises various phases. A commonly encountered series of phases includes:
• Identifying the company individual with overall responsibility for the project (e.g., CFO)
• Identifying the designated project manager and related team members
• Identifying the framework that will underlie the analysis (e.g., COSO)
• Scoping (identifying the accounts, locations and processes) of the engagement for documentation and testing purposes
• Selecting an approach and tools that will facilitate documentation and testing
(continued on page 5)
Required Management Representations to the Independent Auditor

In addition to the representations made by management to independent auditors regarding the audit of the financial statements, additional representations regarding the audit of internal controls will be required. Before the independent auditor can issue the two control-related opinions on management’s assessment of the effectiveness of its controls and on the effectiveness of the company’s internal control, the auditor will require certain written representations from management, including the following:
• Acknowledging management’s responsibility for establishing and maintaining effective internal control over financial reporting
• Stating that management has performed an assessment of the effectiveness of the company’s internal control over financial reporting and specifying the control criteria
• Stating that management did not use the auditor’s procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management’s assessment of the effectiveness of internal control over financial reporting
• Stating management’s conclusion about the effectiveness of the company’s internal control over financial reporting based on the control criteria as of a specified date
• Stating that management has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management’s assessment, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting
• Describing any material fraud and any other fraud that, although not material, involves senior management or management or other employees who have a significant role in the company’s internal control over financial reporting
• Stating whether control deficiencies identified and communicated to the audit committee during previous engagements have been resolved, and specifically identifying any that have not
• Stating whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses
Overview of a Typical Project Plan (continued)

• Documenting a project plan
• Documenting the relevant controls
• Assessing the effectiveness of controls design
• Testing controls effectiveness
• Communicating issues internally and to the independent auditors as they arise
• Concluding on controls effectiveness

Good Practice. Many companies have benefited from completing an initial “pilot” project focused on selected accounts at one or two selected locations in order to ensure the company’s envisioned process is workable and can be communicated to others, and to ensure that the selected tools are effective for their purpose. This “shake down” phase is where corrections can be made most efficiently before committing to a plan.

In practice, these phases may be blurred, or may be taking place in different locations at different times. Effective scheduling of scarce resources is an important element of project management. As the project proceeds, if deficiencies are identified, a process of remediation and retesting of the effectiveness of the controls takes place.

Throughout the various project stages, the observations of the independent auditor can be helpful, but project management responsibility and project decisions clearly belong to management.

Choosing a Project Manager and Project Team

Whether an internal or external resource, a project manager will need to possess or acquire a strong understanding of:
• The requirements of the Act and the related SEC rules
• Any future interpretations of management requirements under Section 404 by the SEC or PCAOB
• Internal controls as they relate to the financial reporting requirements and processes, and in that regard, an internal controls framework (such as COSO), including the role of control objectives, and the relation of controls to those objectives and relevant assertions such as completeness, existence, etc.
• Information technology
• Complex project management skills

Most projects will require a team of employees to ensure the project has access to the requisite manpower and skills. Organizationally, the project should report to an appropriate level of management such as the CFO. Members of the core team will need to have the ability to obtain access to the information and individuals necessary to complete management’s requirements to assess, document, and test internal controls over financial reporting.

If management believes that the project management and performance cannot be effectively staffed from internal resources, a qualified consultant will need to be engaged, and, if so, the sooner the better. Already, a significant number of companies have engaged consultants and are in the process of documenting their controls. As fewer qualified resources are available to manage and staff such engagements through 2004 and into 2005, the engagement of timely, qualified assistance will become more difficult.

While it is generally not appropriate for the independent auditor to recommend just one specific company advisor, we believe the independent auditor can be helpful in suggesting a number of possible alternatives and in helping management assess the qualifications and technical understanding of a prospective manager. However, management clearly must make the selection.

Hiring a third party consultant does not in itself ensure that the project will be efficient and meet the requirements of the SEC rules. Insightful assessment of the project manager’s qualifications and careful monitoring of the project by management is essential.

Management’s assessment of the project management team’s performance should include continued monitoring of the project progress and meeting of important milestones, and consider feedback from the internal auditor, the independent auditor, as well as other company personnel.

Benefits of Using Internal Auditors or Independent Consultants

In considering the use of a third party consultant to advise, manage, and/or perform procedures, management needs to consider that there may be benefits of engaging internal auditors or a third party consulting resource beyond the obvious desire to leverage their experience and expertise. Since the independent auditor may consider the work of objective and competent “others” (including internal auditors) when determining their required procedures, the use of such resources in the documentation and testing process may result in lower independent auditor costs.

Management’s attitude towards the new requirements may also influence the likely success and ultimate cost of the project. Approaching the Section 404 requirements
using marginally qualified resources, and testing to the minimum levels believed possible, is a strategy that has hidden costs and pitfalls that can derail the process at a late stage, when remediation of weaknesses may be impossible. Therefore, management should approach the project with a positive attitude regarding its possible benefits and should be prepared to devote enough resources to ensure robust coverage. Further discussion of this issue is presented in the section entitled Extent and Timing of Management Testing.

The Scope of the Company’s “Controls Over Financial Reporting”

Companies will need to define the scope of what accounts and processes are being included in their assessment, documentation, and testing of internal controls. Auditing Standard No. 2 suggests that there are a number of criteria that could cause a financial statement element, process, or location to be included in the analysis.
• Starting at the consolidated financial statement level, all significant accounts (regardless of whether they are assessed as being high risk). For example, fixed assets are included if they are significant.
• All significant processes. The financial statement closing process (annual and quarterly) is always a significant process. Periodic depreciation and amortization, accruals, and the estimation of allowances such as bad debts will often be significant processes.
• Disclosure controls and procedures. Disclosure controls ensure that the accounting disclosures in the footnotes are complete and accurate.
• All financial statement elements or processes or functions that, due to a risk of misstatement or fraud, could give rise to an exposure or a material misstatement. For example, the trading of currencies or existence of derivative financial instruments could give rise to significant business and disclosure risks that might not always be apparent.

Clearly, most accounts at the consolidated financial statement level and a significant number of processes are expected to be included in the project plan. In some cases, it is easier to think of what may be “scoped-out” of the analysis.

In a multi-location entity, clearly inconsequential locations that are immaterial to, say, income or significant account balances, both individually and in the aggregate, need not be included in management’s analysis unless a specific risk is identified that relates to one or more of these entities.

Equity method investments, variable interest entities (VIEs), and any proportionately consolidated entities (e.g., this accounting method may be used in the oil and gas industry) where management does not have sufficient access to the entity to extend the controls project to those entities are also “scoped-out.” Management will include in its analysis, however, the company’s controls over information gathering and any controls over significant payments or receipts that involve the scoped-out entity, unless the amounts are clearly immaterial. Management should document the reason for scoping these entities out of its analysis, as auditors will be required to review and concur with this analysis.

We believe that if a company, as a result of its agreement with the VIE, joint venture, or other investment vehicle, performs the bookkeeping functions for the investment, it may need to include those functions in its internal control assessments, documentation, and testing.

Companies acquired at or near the year-end are currently required to be included in management’s assessment of controls. This often will create a practical problem when these entities are significant, as there may be insufficient time for management to adequately document and test their controls, and for the auditor to perform the required procedures. Auditing Standard No. 2 indicates that the SEC may be considering a provision that would allow companies to exclude certain year-end acquisitions from compliance with the Section 404 requirements (with some required disclosures). Companies should consider discussing this issue in advance with their independent auditors when year-end acquisitions are foreseeable. Be alert for future SEC rulemaking on this specific issue.

While controls that impact only operations and not the financial reporting process are not generally relevant for inclusion in management’s internal control assessment plan, special consideration may need to be given to issues that may arise in heavily regulated industries. Evidence of failures to meet regulatory and compliance requirements may indicate the need for additional disclosures or could have an impact on the determination of accrual or reserve amounts. Auditors will be
reviewing any identified regulatory compliance issues to determine whether there is an impact on the financial statements or disclosures or the effectiveness of internal controls, such as the “tone at the top” within the company.

Common processes, common control environments, and company-wide controls may sometimes provide an appropriate basis for documenting and assessing controls at locations that may aggregate to a material amount, but are not individually material. For example, in many multi-location entities, common control processes have been implemented over significant processes such as sales and accounts such as cash. Various locations may also share common accounting systems.

For some highly decentralized, multi-location companies that do not have common processes and controls, covering all but an immaterial portion of significant accounts and processes of the entity will be difficult to achieve, as the corporate structure may involve the inclusion of hundreds of independent entities. Nevertheless, such companies must develop a basis for their assertion about the effectiveness of internal controls. These situations will need special consideration by management and the independent auditor, and may be an area of future interpretive guidance by the PCAOB.

Good Practice. Companies have found it helpful to prepare a matrix of all accounts at the consolidated level. This matrix helps management identify the significant accounts. The matrix is often expanded to show the breakdown of the accounts by significant location, line of business, or some other division of the entity. This matrix helps management to document its scope and analyze the coverage attained by management’s plan.

A well-designed project plan and a well-documented system of internal controls have value to the entity and the auditor. While the burden that this expected scope of company coverage imparts on management seems significant, the first-time documentation and assessment is the most challenging, and even as systems evolve over time, the experience and insight gained in this initial year of implementation will have future benefits.

Use of Service Organizations

The phenomenon of outsourcing has expanded considerably in the last decade. Many companies are surprised when they examine the extent and variety of the outsourcing that has become an integral part of their internal accounting and processing systems. Functions that may commonly be outsourced include payroll processing, network administration and information technology management, human resources, and even the accounting and transaction recording process in its entirety.

When a service organization is used in lieu of an internal process, management’s responsibility regarding internal control is unchanged, including the responsibility to assess, test, and monitor the controls. However, those controls may be resident in the service organization, and management may have limited access to that entity’s processing environment. Nevertheless, management must satisfy itself that effective controls are in place over the transactions processed by the service organization. This can be accomplished in different ways.

The auditing profession’s mechanism for dealing with this situation to date has been to have the service organization engage an auditor to perform procedures and issue a report on the controls over processing by the entity. This report is discussed in Statement on Auditing Standards No. 70, Service Organizations. Commonly referred to as a “SAS 70” report, this document was designed as an auditor-to-auditor communication regarding the internal controls over the processing or other functions performed by the service organization. One type of report only assesses the design of internal controls over the function being performed. However, this type of report will not be useful to meet the requirements of Section 404. The reports must address both the design and operating effectiveness of controls.

Additionally, the SAS 70 reports must be timely to be able to provide assurance to the company’s independent auditor. A report dated more than a year before the “as of” date of the company’s required report on internal controls provides little evidence of current controls effectiveness. Reports issued nearer the “as of” date of the company’s report on internal control effectiveness are stronger evidence of controls effectiveness. Obviously, management must also be assured the controls and functions reported on by the service organization’s auditor are the ones of interest and focus to the company.

When a service organization’s auditor report is not available, is not relevant or timely, or does not extend to the operating effectiveness of the controls, management needs to obtain information from the service organization to support their assertion over the effectiveness
of company controls. Obtaining access to this information about the provider’s processing environment can be difficult, so the issue should be covered in the contractual arrangement between the service organization and the company. It can also be awkward for the service organization with numerous public clients (and auditors), all of whom have need for this information.

It has been observed that the market for service organization auditor reports has changed in recent months. More service organizations are requiring them, and many more are being scheduled for update every 6 months or so to accommodate different client fiscal years. The procedures and related testing being performed are also being aligned with the Section 404 requirements.

Even so, there are complex issues that can arise in the current environment that will need to be addressed in future guidance. Current standards regarding service organization reports were developed prior to the Act, and may not fit well in a variety of areas with the current Section 404 environment. For example:
• Can management rely on a service organization auditor’s report issued by the company’s independent audit firm, since management cannot rely on procedures of the auditor for its assurance? Is the answer different when the service organization has one or a few customers versus thousands of customers?
• Is a service organization’s auditor report sufficient when the function outsourced is an important part of the business (e.g., outsourcing the entire IT function or entire transaction processing function)?
• If a company obtains a service organization’s auditor report that covers an important process or function when viewed from the company’s perspective, even if not significant to the service organization, must the auditor issuing the service organization report be registered with the PCAOB?
• How will companies obtain a service organization report on processes outsourced to other countries? The concept of such reports is not generally well established outside of the U.S., and the work may need to be performed by an auditor registered with the PCAOB to be acceptable.

These and other issues are likely to be addressed by future guidance. We suggest companies identify these situations early and alert their independent auditors to the issues. Be alert for further guidance or modifications of the professional auditing standards addressing service organizations later this year.

There is one more issue that companies need to consider. Some larger organizations, to meet specific contractual arrangements with other companies, may perform certain record-keeping functions that pertain to another business. For example, some companies may only provide summary reports of the transactions they process and the commissions that are due on those transactions. Such companies may never have considered themselves “service organizations,” but the current environment puts them into this role as it relates to other businesses. In such circumstances, the company needs to consider whether it should engage an auditor to issue a SAS 70 report in lieu of receiving substantive inquiries by the company being serviced and their auditors on the relevant underlying controls and their operating effectiveness. Because such arrangements are more likely to involve a single company and may also cover a significant process from the perspective of the company receiving the service, the auditor selected to prepare the report may need to be different from the one used by the company for which the service is performed, and the “service auditor” may need to be registered with the PCAOB.

Documenting Controls Over Financial Reporting

There is no specific format specified for management’s documentation. Flowcharts, narratives, and other means may be used to supplement the documentation of controls. Excel, Word, and manual documentation certainly can be used, but special purpose software may help companies consistently document their controls and processes and facilitate updating and version control.

Software

Software packages are in use now and new ones are continually coming to market to help companies document their controls. The selection of a tool or software program that is appropriate to the entity and its special characteristics or is tailored to its industry is itself an important responsibility of project management.

When considering a software package, in addition to price, management should consider the vendor’s experience and reputation, recommendations from other users, the ease of learning the software by possibly a wide number of users, and the degree of flexibility and technical guidance inherent in the software’s functionality. The ease of updating the data over time and a means of archiving each year’s documentation and testing results as support for management’s assertion in the financial statements are also considerations when reviewing a package. Management should also consider whether the archiving process results in a record that can be reviewed in the future (giving consideration to likely future advances in technology and how the vendor will ensure the readability of the documentation) as may be required for regulatory or legal purposes.

Methodology

Whether software or another method is used, the documentation methodology will generally start with a control objective. The framework (e.g., COSO) used will provide a starting point for some generic control objectives. These may need to be tailored for certain specific industries such as banking and insurance, and an element of project management will be to obtain information about tailored control objectives that are being used in the industry. The controls that support each objective are then articulated, whether preventive or detective in nature.

Documentation should be in
• The design of controls over all relevant assertions related to all significant accounts and disclosures
• How transactions or processes are initiated, authorized, recorded, processed, and reported (in sufficient detail to assist auditors in their required “walkthroughs”)
• Points in the process where fraud or error could occur.

The following example illustrates the relationship between control objectives, risks, controls, and related assertions for one risk relating to a control objective.
sufficient detail to communicate: Example: Payroll / Human Resources Cycle PROCESS CONTROL RISK CONTROL ASSERTIONS OBJECTIVE ACTIVITIES Payroll Processing Salaried payroll is Incorrect amounts Time records are Existence, processed accurately are paid to salaried reviewed and Accuracy (Accuracy and completely employees approved by each is an element in the department head. broader assertion of Valuation and Allocation) Independent Accuracy calculations of expected payroll (i.e., month end balance + additions +/- changes – deletions) are compared to actual. Actual payroll is Completeness, compared to Accuracy, etc. budgeted amounts. Etc… COPYRIGHT 2004, BDO SEIDMAN, LLP 9
Good Practice. While truly redundant controls do not need to be documented, it may be prudent to do so during the initial documentation process, even if they are not scheduled for testing. This information may be useful if testing later reveals the primary control to be less than effective. The identified redundant control may then be tested as a "fall back" compensatory control.

The documentation should relate the controls (or the identified process) to relevant financial statement assertions (e.g., completeness, existence, valuation and allocation, rights and obligations, and presentation and disclosure) to ensure the controls fully address control objectives. While the aforementioned are the specific assertions named in Standard No. 2, the use of other, functionally equivalent assertion identification methods continues to be appropriate.

Quality documentation that follows this approach will make a clear record of the controls in place and assist management and auditors in identifying the controls to test. It will facilitate the auditor's understanding and assessment of the company's controls as well as contribute positively to the auditor's assessment of the adequacy of management's process.

Good Practice. While not required of management, the auditor is required to "walkthrough" significant controls and processes to confirm the documentation of management. It is recommended that management objectively "walkthrough" its descriptions of its controls in advance to ensure that the documentation is accurate and complete.

Failure to adequately document controls and relate internal controls to a framework, control objectives, and assertions is a deficiency that can rise to the level of a material weakness, depending on the extent of the deficiency.

Retaining Management's Basis for Their Assertion

The management assessments, documentation of the controls, and the results of management's tests that form the basis of management's assertion regarding controls should be archived annually, and retained in a retrievable form for a period of time to meet regulatory and legal requirements. We believe this is consistent with the existing general requirement that companies retain documents supporting information in SEC filings and the SEC requirement that companies maintain adequate books and records.

Management's Required Assessment of Controls

Auditors will be anticipating that management's process for assessing the effectiveness of the company's internal control over financial reporting will address the following elements:

• Determining which controls should be documented and tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Such controls would include:
  1. Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
  2. Controls over procedures used to enter transaction totals into the ledgers and the general ledger.
  3. Controls over the selection and application of accounting policies.
  4. The design and implementation of antifraud programs and controls.
  5. Controls over the quarterly and year-end closing process (for example, consolidation adjustments and eliminations and reclassifications).
  6. Controls, including information technology general controls, on which other controls are dependent. For example, the integrity of financial systems is potentially impaired when systems security is inadequate.
  7. Controls over significant non-routine and non-systematic transactions, such as accounts involving judgments and estimates and recording of such adjustments.
  8. Controls over the safeguarding of assets. Either protective or detective controls to ensure against financial statement misstatement due to loss or theft.
  9. Company level controls, including the control environment, risk assessment process, centralized processing and controls, and controls over the period-end (quarterly and annual) financial reporting process.
• Assessing the risk that a control's failure could lead to a material misstatement.
• Evaluating the design and operating effectiveness of the controls.
• Determining whether any identified deficiencies in internal control constitute significant deficiencies or material weaknesses.
• Communicating any findings to the auditor and others.

Documenting the Control Environment

An important element of the COSO framework is the control environment. It comprises a number of overarching components, including:

• Integrity and Ethical Values
• Management Philosophy and Operating Style
• Assignment of Authority and Responsibility
• Governance – Board of Directors and the Audit Committee
• Commitment to Competence
• Organizational Structure
• Human Resource Policies and Practices

While these are subjective elements, management must assess them and document how the company has addressed each one. Since the auditor must also assess these factors, good documentation will facilitate the auditor's review. Auditing Standard No. 2 clarified the importance of the effectiveness of the audit committee within the context of overall corporate governance. Specifically, it is expected that management will make and document an assessment of the effectiveness of the audit committee. In making this assessment, companies will generally review the committee's charter, and examine the members' independence from management, and interactions and relations with the internal auditors, the CFO, CEO, and the independent auditors.

Management probably already has many of the components to begin the documentation of the control environment. Charters of the board and audit committee, a corporate ethics or code of conduct policy, and the human resources policy and procedures manual are often essential elements of the documentation process.

Anti-fraud programs and procedures are also an element of the control environment. An exhibit published with the recent auditing standard on fraud (SAS 99, Consideration of Fraud in a Financial Statement Audit) entitled Guidance to Help Prevent, Deter, and Detect Fraud included recommendations to help companies develop and implement anti-fraud programs and procedures. For some companies, those programs may already be well documented due to their recent implementation.

Contributing to the current focus on fraud in financial reporting are the instances of management's override of existing controls that have come to light in recent years. In assessing the control environment, fraud prevention programs, and the operating effectiveness of controls, management should be particularly sensitive to any instances where an override of controls is indicated. Auditors will be alert to any instances identified and the corrections taken by management to address the issue.

Good Practice. The testing and monitoring of these programs to provide the support for management's assertion that these controls are operating effectively will be challenging, as the assessment of their effectiveness is largely subjective. However, some best practices evolving to date regarding testing and monitoring the effectiveness of corporate policies involve interviews or questionnaires with a sample of management and non-management employees that focus on their awareness of the policies and their perceptions of compliance with and management's attitude towards corporate policies and procedures.

Information Technology General Controls

IT General controls are intended to establish a framework of control over all aspects of computerized processing, and therefore will affect many applications. General controls also provide assurance about the effective operation of the controls throughout the period. For reliance on the automated operation of controls over routine transaction processing, these controls need to be in place and effective.

While defined differently in various resource materials, general controls cover the following areas:

• IT control environment
• Systems development and implementation
• Program changes
• Access and security
• Computer operations (scheduling, daily backup, day-to-day issue management, etc.)

General controls over the information systems (IS) organization and division of duties are designed to ensure that the IS organization meets the needs of the company, is responsible to management, and that adequate segregation of duties is maintained within the IS organization.
All of the elements of general controls may not be relevant to all companies. For example, if no new systems are being implemented or if there are no customizable software options, controls over systems implementation and program changes may not be relevant in a reporting period.

IT professionals and organizations have developed detailed frameworks of the controls environment, which may help management define appropriate control objectives for controls, including general controls. For example, the Information Systems Audit and Control Association (ISACA) has developed an IT controls framework, COBIT. Also see IT Control Objectives for Sarbanes-Oxley – A Discussion Document, www.itgi.org and www.isaca.org. However, these frameworks may be more complex and detailed than currently envisioned as necessary to meet the requirements of Section 404, and may be primarily useful as company background resource material.

Some IT professionals note that weaknesses in access and security controls are a widespread problem for many companies. Careful remediation of weaknesses should permit reliance on the general controls and reduce the level of testing required on the controls that rely on general controls to operate effectively.

In established companies, "legacy" systems, implemented long ago, may still perform critical processing procedures and implement significant controls. These systems may have a long history of perceived effective operation, but may lack robust documentation. Management should nevertheless document the system and test the embedded controls as a basis for their assertion on the effectiveness of internal controls. It may be impossible in some instances to go backwards in time to assess the initial implementation process over such systems, but the related application controls over the processing of significant transactions should be tested on an annual basis.

Information technology professionals are key in today's environment in ensuring the effective operation of general controls. Management must assess its general controls. Unfortunately, the individuals with the extensive information technology skill sets required to understand and test these controls in many companies may be limited to the individuals already performing the controls. Thus, many companies may be forced into a "self assessment" process when assessing, documenting, and testing these important controls, and thus little or no independent auditor reliance will be able to be placed on management's tests.

Multiple significant deficiencies identified in company general controls will often lead to a conclusion that a material weakness exists in the internal control due to the pervasive role of general controls.

Extent and Timing of Management Testing

Management and the auditors are required annually to monitor and test the controls over significant accounts and processes as well as general controls. BDO Seidman's comment letter to the PCAOB outlined our recommendation that companies be given guidance by the SEC on the nature and extent of required documentation and testing. Neither the PCAOB nor the individual auditing firms can specify the company's responsibility to meet the requirements under Section 404 of the Sarbanes-Oxley Act.

In the absence of further company guidance from the SEC, the determination of the sufficiency of testing rests initially with management. However, the judgments of independent auditors regarding the adequacy of management's assessment will be guided by Standard No. 2, so management needs to consider the guidance in Standard No. 2 when developing their plans. The following guidance is directed at helping companies understand the judgments required, and the implications of those judgments when determining sample sizes. It is focused on company considerations when determining sample sizes for testing manual controls that operate frequently. Many companies are surprised at the number of controls that rely on human (manual) operation, despite the extensive computerization of certain transaction processing operations.

How Much Should Management Test?

In response to issues raised in questions and in speeches, representatives of the SEC and PCAOB have publicly stated that they expect that the company's testing generally will be greater than that performed by the auditor. Auditing Standard No. 2 indicates that management should not consider the required auditor testing as evidence when determining the extent of its own required testing in support of its assertion that its controls are operating effectively. Thus, management's testing should stand alone in providing management with a high level of assurance that its controls are operating effectively.
Companies should plan to test robustly to confirm the effective operation of the controls. Auditors are required by Standard No. 2 to test "a large portion" of the company's operations or financial position to meet their professional responsibility. Our view is that between 60% and 75% of the entity would constitute a "large portion" in this context. This guidance was developed for auditors, not companies. Considering the expectation that management should not test less than the auditor, the targeted testing scope for companies should exceed this range. Management should consider that portions of significant accounts and processes that remain untested, even though they are documented and assessed regarding design, constitute a risk to the company.

Substantially all of the company's relevant controls should be documented as a result of the analysis of significant accounts, processes, and locations. Even though management may have tested a sufficient portion of their controls to constitute a basis for their assertion about controls effectiveness, they may not have tested all controls at all locations. Thus, we recommend that when management does not test all controls and locations, they should develop a testing strategy based on rotation or sampling theory that causes them to visit and test controls at locations that are individually immaterial, but may be part of a material aggregate.

Good Practice. To support the auditor's opinion on internal controls, auditors may test any account, process, or location to ensure controls are operating effectively. Management is required to assess, document, and test controls, and assert their effectiveness throughout the company, except for an immaterial portion. Auditors are not precluded from testing locations or accounts not tested by management. The lack of operating effectiveness identified by tests of significant local controls and asserted "company-wide controls" at one location may call into question the assertion regarding the effective operation of controls at other locations that were not tested by the auditor.

Parameters For Determining Sample Sizes

The following two sections discuss important parameters for determining appropriate sample sizes.

How Effective Do Controls Need to Be?

To be considered effective, a control should operate at a high degree of effectiveness. When a control is first designed, a very high level of "expected" performance is often targeted. In operation, though, controls, particularly manual controls, may not always achieve the targeted performance level. While a goal, perfection is not a realistic expectation for the operation of a manual control. Automated (programmed) controls, as a type of control, are most likely to consistently operate as designed. In many cases, a control that operates correctly 95% of the time would be considered by many to be "highly effective."

How Much Assurance is Needed that the Controls Operated Effectively?

To be certain that the controls operated at the desired effectiveness level, you would need to test most, and maybe nearly all, of the instances of the control's operation. This is not practical, so there is a risk, when sampling is performed, that the testing will not reveal the condition in the true population. This risk is controlled when determining a statistically supported sample size, by setting a level of required "confidence" for the test. Confidence levels of 90% to 95% are consistent with the high level of assurance that is sought regarding the test's conclusions.

Determining a Sample Size

Sample sizes can be computed by reference to statistical tables or programs that will provide the desired confidence level that the actual rate of deviation in the population does not exceed the tolerable rate (i.e., the greatest deviation rate that management will tolerate before concluding that the control is not operating effectively). There is no requirement to use statistical sampling, but its principles can be helpful when setting sample sizes in articulating the assurance and accuracy of the sample.

For example: A sample designed to achieve a 90% assurance (confidence) level with a high effectiveness (no more than a true deviation rate of 5%) leads to a sample size of 45 items. To achieve a 95% confidence level, the sample would need to be around 60 items. These scenarios assume zero deviations will be identified from testing from a large population.

With such a sample, the decision rule is simple: If no deviations are found in the sample, the control passes the test. If one or more deviations are found, then the control "fails."

Deviations should always be evaluated for the cause of the deviation. The identified deficiency must also be evaluated for its significance – as a deficiency, significant deficiency, or material weakness.
In general, the required sample size increases when more deviations are expected and also when the tolerable deviation rate is lowered.

Where companies wish to allow for a deviation to occur without "failing" the test, a sampling plan can be developed so the sample size initially allows for one deviation without "failing" the test, or a two-stage plan can be developed such that if a deviation is found in the first sample, an additional sample can be validly added to the first. Since some types of sampling plans allow for an occasional deviation, a deviation may not as quickly be categorized as a significant deficiency based on incidence alone. After a deviation is identified it is often appropriate for the company to consider whether it needs to strengthen the control before proceeding with any further testing. Of course, if the deviation identified at the first stage indicates a material weakness exists (e.g., management override of controls), then a second stage sample would not be performed.

These plans that allow for the occurrence of one deviation as part of the sampling plan are more efficient than the alternative of taking two full independent samples when unexpected deviations are found. You may wish to consult with your BDO Seidman engagement team to provide you with more detailed, specialized guidance for developing a sampling plan consistent with management's stated objectives.

Illustrative sample size tables that relate confidence levels, tolerable deficiency rates, and expected deficiency rates and an illustrative two-stage sampling plan (for large populations) are illustrated in an Appendix to this Financial Reporting Letter.

Tests of Automated Controls

When testing automated (programmed) controls, often examining one or just a few instances of the operation of the control is sufficient. This assumes that the relevant general controls are assessed to be strong. When general controls are less effective, sample sizes tending towards the manual control environment sample sizes should be used if the general controls weakness could impact the reliability of the control being tested. Because of their importance to testing plans of automated controls, general controls should be documented, tested and assessed as effective at an earlier project stage than the testing of automated controls.

The Risk of Performing Minimal Testing when Setting Company Sample Sizes

When considering the testing requirements, companies need to be cognizant of the risks they face from under-testing. Under-testing exposes the tester to the risk that internal control weaknesses will not be exposed until the auditor tests the control, or in the near or post year-end substantive testing phase or the closing phase of the audit, when such weaknesses are difficult or impossible to correct. Worse yet, such weaknesses, if they exist, could be detected in future periods, raising questions about the adequacy of the work supporting the previously made internal controls assertion. Restatements of financial statements will likely imply that certain controls were not effective in a past period.

Furthermore, since only the important controls are being tested, a deviation identified may quickly rise to the level of a significant deficiency when a deviation is found in a small "minimum sample size" test.

Good Practice. We believe that during this period of uncertainty and initial implementation, "minimum" testing could be a very costly strategy to an issuer. Some companies have indicated that they intend to test some controls initially more than 100 times, to form an effective "base line" for any required remediation and further risk assessment. When the company objectively and adequately documents and robustly tests controls, auditors can make meaningful reductions in the test levels they perform. However, companies that have designed "minimum" testing plans will probably incur additional audit costs, as independent auditor sample size reductions will not be supportable.

It is always important to remember that the cost of testing is not only associated with the number of items examined. There is a "fixed" cost of setting up the test in the first place. Additionally, there is a diminishing cost of examining additional items as the tester becomes more familiar and proficient with the procedure. Thus, doubling a sample size from 20 items to 40 will not necessarily double the cost of the test.

Early, robust testing provides an effective "base line" of understanding the state of current controls and identifying remediation opportunities before the auditor begins to evaluate and test.

A Minimum Sample Size?

There is no "bright line" minimum sample size, but companies may have to explain how they have attained a high level of assurance that controls are operating effectively if they are testing very few items (e.g., 20 items or less on an annual basis) for a frequently operating manual control.
If the auditor concludes that the level of testing by the company is insufficient to enable the company to conclude with a high level of assurance that the controls are operating effectively, the auditor will consider this a deficiency. If deemed serious enough, the issue could be elevated to the level of a material weakness, which would preclude the auditor from concluding that management had an adequate basis for its assertion. The auditor would have to state this in the auditor's report on management's process. Obviously, the auditor in this situation would be able to place little reliance on the procedures that the company performed when determining the required scope of the auditor's procedures.

Independent Auditor Reliance on Testing Performed by Others

It is an auditor judgment as to the extent of reliance that can be placed on company procedures. Unless the auditor is required to rely solely on its own tests in a particular area such as the control environment, the auditor may place significant, little, or no reliance on company tests, depending on the extent of management's testing and the objectivity and competence of management's work.

Therefore, the independent auditor can, subject to some limitations, rely on the company's testing to reduce its own testing that is necessary to issue an opinion on internal controls. However, there are several caveats that are explicit in Auditing Standard No. 2. The auditor must perform sufficient procedures over the control environment to reach conclusions on its effectiveness without reliance on the company's tests, and the auditor must also perform sufficient procedures so that most of the evidence obtained on which the auditor's opinion is based is from procedures the auditor performed. Additionally, the auditor must perform tests of controls over highly judgmental areas such as certain allowance and reserve calculations, and can place limited reliance on the tests of others. In other cases, the extent of testing by management and others may be a greater factor to be considered in reducing the extent of auditor procedures. There are obvious cost savings when the independent auditor can rely on company tests to the greatest extent allowed.

In order to consider the testing the company performs, the auditor will need to assess the objectivity and competence of the work performed that supports the company's assertion of controls effectiveness. The greatest objectivity of company testing may be present when an objective third party or internal auditor performs the tests. When testing using company employees, objectivity can also be improved by testing controls using employees from unrelated functions or different departments. Competence is often assessed by examining the procedures employed, and reperforming some of the procedures. It is further corroborated when the independent auditor tests the control and observes similar results.

However, the auditing standard requires that company procedures that result from a "self assessment" cannot be relied on by the independent auditor. A self assessment is where the employee performing the test of the control is also the employee responsible for the operation of the control. The obvious problem is that in such a case, the objectivity of the employee in selecting the test items or performing the test is questionable. Nevertheless, such tests are acceptable for the company to perform to support its own assertion.

The Timing of Company Tests

The "as of" date of the company's assertion regarding internal controls is the year-end balance sheet date. Performing significant testing early in the year places great reliance on the continuity of the controls throughout the year. Also, management will need to consider how it will extend the conclusions of its tests performed earlier through year-end by some means (e.g., further testing, observations of control operations, walk-throughs).

Planning to perform tests in each quarter throughout the year is a strategy that some companies are considering for controlling the level of effort expended during the year. However, recall that the cost of performing a test also includes the cost of test set-up, sample selection, and evaluation. Thus, designing numerous small samples is likely to be less efficient than designing fewer larger samples. Other companies are considering testing strategies that concentrate the annual testing in fewer periods, with some testing being performed in the last quarter to extend the earlier conclusions. For example, on a continuing basis the company may plan to test most of its controls during the third quarter, followed by some testing in the fourth quarter.

Another complexity introduced by early period testing is that deviations identified in early testing will still require follow-up to assess their nature and possible extent, and may have implications for quarterly SEC attestations and financial reporting. For example, if an annual sample size of 60 items is split into
4 equal samples per quarter, a deviation found in a sample of 15 items during a quarter may loom larger than if it was the only deviation found in the context of the larger sample.

Testing Considerations in Other Situations

Modified guidance is needed when testing infrequently operating controls (e.g., daily, weekly, monthly, quarterly). A table of small population sampling guidance is provided in an Appendix to this Financial Reporting Letter.

Judgment needs to be exercised and documented about the extent of reliance being placed on any general controls that are determined to contain significant deficiencies or weaknesses. For example, a weakness in data backup procedures might have no impact on the reliance on certain general controls when testing transaction level application controls. However, weaknesses in program change controls or weaknesses in user access controls might often have a significant impact on automated application control sample sizes.

When examining information technology general controls, the sampling framework is sometimes applicable. For example, one could select a sample of program change authorizations to examine the manual aspects of the process and proper granting of approvals for the change made. On the other hand, the performance of certain regular backup procedures may only need to be corroborated with persons performing the procedures and observed on a surprise basis a few times to confirm their effective operation. In cases where documentary evidence of the operation of the control is not generated, such as the physical locking of a room containing sensitive equipment or program information, observation of the operation of the control a few times during the year is a logical procedure.

Final Testing Comments

Good Practice. In this first year of implementation, companies are urged to test controls robustly as soon as possible after the documentation of the controls and assessment of the effectiveness of the design of the controls is made for each significant location, process, etc. This provides the best possibility of identifying documentation and operating problems and remediating them in a timely manner in advance of auditor testing.

Certain controls can only be tested in the timeframe in which they are operating. Quarterly closing controls can only be examined at the interim quarters. Controls over the accrual process, valuation allowance accounts, the year-end closing process, etc. can only be observed and tested during specific periods, which may actually be at or after the “as of” year-end date. In such cases, remediation of deviations is often not possible, so significant attention must be devoted to “getting it right” the first time. The shortening of the filing deadlines for accelerated filers will exacerbate the problem of focusing attention on the control reporting requirement this year. Any issues arising in this process will likely be identified as significant deficiencies and, more likely, as material weaknesses.

Good Practice. In this first year of implementation, companies may wish to simulate the year-end closing process using their most recent closing process as a reference in order to assist them in the assessment of the design, documentation, and testing that will be required at the next closing date.

As the implementation date for expressing management’s assertion regarding internal controls approaches, we hope that further guidance will be forthcoming from the SEC. This interim guidance has been developed to assist companies struggling to document and test internal controls in this period of uncertainty. There are many more subjects relating to the extent of testing (e.g., testing controls over corporate governance) that are not included herein.

Provided that the company determines the approach and criteria it wishes to use for its testing of controls, both initially and continuing, we believe the independent auditor can assist the company, internal auditors, or independent consultants in designing a sampling plan that will meet those criteria. Independent auditors are sometimes more familiar with tables and computer software that can compute a sample size from specific criteria, or develop two-stage sampling plans to meet management’s stated needs.

Good Practice. When the company robustly tests its controls and when the tests were objectively and competently performed, it obtains significant evidence that the control operates as designed and can permit the maximum reductions in procedures by the external auditor. Companies may wish to discuss some of the sample size trade-offs with their independent auditors to better understand how the extent of company testing can result in reduced levels of auditor testing.
Managing the Compliance Costs

Total project costs have two key components – company costs and auditor costs.

Preparing the initial detailed documentation and company testing as a basis for its assertion on the effectiveness of internal controls is a significant effort, particularly in the first year. The extent of effort will depend on the prior extent of controls, their documentation, and effectiveness, and will vary greatly among companies. Early project effort estimates of time and cost to complete the first year of company compliance continue to rise.

Good Practice. Company costs can be best controlled by:
• Assembling the right management team
• Making timely, objective, and critical assessments of potential weaknesses
• Testing robustly, particularly in the first year, to identify potential weaknesses for remediation
• Remediating control weaknesses early in the process
• Preparing documentation that is complete, accurate, and clear

All these elements will facilitate the review by the independent auditor of management’s process and permit the auditor to rely, to the extent possible, on the underlying work supporting management’s assertion regarding controls. They also provide management with the strong foundation to “roll-forward” the documentation into future periods, as well as provide a basis for reducing the extent of future testing and monitoring costs in low risk areas.

Communication between company project management and the independent auditor will facilitate early identification and resolution of issues. Such conversations should include the intended scope of the company’s assessment, documentation, and testing procedures.

When the auditor can rely to the maximum extent permitted by Auditing Standard No. 2 on the work of others underlying management’s assertion, audit costs are reduced. This should be considered when setting out the initial overall project plan.

Companies should be confident that they have adequately fulfilled their responsibilities under the existing rules before indicating to the independent auditors that they are ready to have them perform their required detailed reviews and testing. Once the independent auditor begins work towards issuing an opinion on management’s assertion and internal controls, they will be responsible for evaluating the documentation and testing of management’s data, and are required to assess observed deficiencies in management’s process or execution and communicate significant deficiencies in documentation and testing to the audit committee.

Concluding Remarks

Companies should understand that neither their own project team, their advisors, nor their independent auditor possess all the answers to all the possible issues that will arise in the process of implementing the Section 404 requirements. It is important to make the best efforts possible to comply with the requirements and identify issues where clarification is necessary.

Implementation working groups have been established by the PCAOB to assist in identifying issues arising from the company and auditor perspectives. Current practice has been evolving since the enactment of the Sarbanes-Oxley Act in 2002 and through various exposure drafts of auditor guidance.

Additional guidance is anticipated in 2004 and 2005 that may clarify or modify our understanding of the intent and requirements of the Act and SEC rules as they relate to company responsibilities. We will keep you apprised through various BDO Seidman publications and through communications from your BDO Seidman engagement team as issues are clarified.

Please contact your BDO Seidman engagement team representative for questions that are specific to your company circumstances.

Important References and Company Resources

The COSO Internal Control Integrated Framework. AICPA product order number 990012kk at www.cpa2biz.com
SEC Rules on Section 404: www.sec.gov/rules/final/33-8238.htm
PCAOB Standard No. 2: www.pcaobus.org/rules/Release-20040308-1.pdf
Sarbanes-Oxley Act of 2002: The United States Congress (2002), The Sarbanes-Oxley Act (H.R. 3763). http://www.law.uc.edu/CCL/SOact/toc.html
AICPA Antifraud & Corporate Responsibility Center: www.aicpa.org/antifraud/
AICPA Audit Committee Effectiveness Center: http://www.aicpa.org/audcommctr/homepage.htm
Glossary - The Definition of Key Terms

“Internal control over financial reporting” is defined by PCAOB Standard No. 2, paragraph 7 and Securities Exchange Act Rules 13a-15(f) and 15d-15(f). The SEC rules use the word “registrant” rather than company.

“A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
• Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”

“A control deficiency” (PCAOB Standard No. 2, paragraph 8) “exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.”

“A significant deficiency” (PCAOB Standard No. 2, paragraph 9) “is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.”

The term “remote” as used here has the same meaning as in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies, “the chance of the future event or events occurring is slight.”

Guidance in PCAOB Standard No. 2 notes that the “inconsequential” threshold references the expectations of a “reasonable person” that any misstatement as a result of a noted deficiency, either alone or in combination with other misstatements, would not be material to the financial statements. Note that in our view this indicates a low threshold for classifying a deficiency as a significant deficiency.

Note: The threshold for a significant deficiency is very low and will likely result in a large number of significant deficiencies being identified by management and the auditor. For example, while specific examples have not been cited, a projected impact of no less than say 5% of financial statement materiality would be a practical rule of thumb for identifying a deficiency as significant, since allowance should be made for the accumulation of such deficiencies before reaching the materiality threshold (e.g., a material weakness). Accumulation of all deficiencies projected to be 1% or more of materiality for consideration as to their nature may be a conservative first year practice.

A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
APPENDIX – Sample Size Plans

Small Population Sample Size Guidance – High Assurance
For Manual Controls Operating Quarterly, Monthly, Weekly, and Daily

Frequency     Sample Sizes
Daily         16 – 25
Weekly        7 – 10
Monthly       3 – 5
Quarterly     2

Companies may wish to initially test controls at the higher end of the range, and reduce testing to the lower end of the range when the effectiveness of the operation of the controls is clear.

Assurance (Confidence, Reliability) Level – 95%, Large Population

Expected                  Tolerable Deviation Rate (%)
Deviation       .5       1       2       3       5       8      10
Rate (%)
0              598     299     149      99      59      36      29
.5                    1181     313     157      93      58      46
1.0                            590     257      93      58      46
1.5                           2257     392     124      58      46
2.0                                    846     181      77      46
3.0                                            361      95      61
4.0                                           1348     146      89

Assurance (Confidence, Reliability) Level – 90%, Large Population

Expected                  Tolerable Deviation Rate (%)
Deviation       .5       1       2       3       5       8      10
Rate (%)
0              460     230     114      76      45      28      22
.5                     738     194     129      77      48      38
1.0                            398     176      77      48      38
1.5                           1463     265     105      48      38
2.0                                    590     105      48      38
3.0                                            233      65      52
4.0                                            873      98      65
Two Stage Sampling Plan – Decision Rules and Plan

Two Stage Sampling Plan – Decision Rules

           No Deviations    One Deviation    Two or More Deviations
Stage 1    Pass, Stop       Go to Stage 2    Fail
Stage 2    Pass             Fail             Fail

Two Stage Plan Sample Sizes – Large Population

Confidence %    Tolerable Deviation Rate (Maximum Allowed) %    Stage 1 Sample Size    Stage 2 Sample Size
95              5%                                              65                     42
90              5%                                              51                     39

The COSO Internal Control Integrated Framework

This framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission and was published in 1992. It was an outgrowth of the Commission on Fraudulent Financial Reporting studying fraudulent financial reporting. The focus of the Act is internal control over financial reporting.

The basic framework consists of five integrated components, which should be considered as a whole when evaluating the effectiveness of internal control.
• Control environment. This element is the “base” of the framework and includes senior management setting an appropriate “tone at the top” regarding controls and fraud prevention.
• Risk assessment. Companies must identify risks that their control objectives might not be satisfied, and develop responses to manage these risks.
• Control activities. These constitute the “nuts and bolts” of the company’s controls including the implementation of effective general and application controls.
• Information and communication. This element is essential in providing management with the timely and relevant information needed for effective company management, risk identification and developing effective reporting, including disclosures.
• Monitoring. To ensure effective controls, they need to be monitored on a continuing basis. Monitoring may include inquiries, observations, management oversight and review and testing the effectiveness of controls.

The framework is flexible, and requires adaptation to specific industries or types of business organizations.
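The arithmetic behind the Appendix tables, as an added example that is not part of the newsletter: it recomputes the zero-expected-deviation row of the 95% and 90% large-population tables from the tolerable rate, checks the two-stage plan (65/42 and 51/39 items at a 5% tolerable rate) against its stated confidence, and shows why a 60-item annual sample split into quarterly samples of 15 cannot be evaluated quarter by quarter. The rates and sample sizes are the page's; every function name is this example's own.

```python
"""Attribute-sampling checks for the Appendix tables (added example, not BDO's code)."""
import math


def discovery_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n such that zero deviations in n items supports the stated
    confidence that the true rate is below the tolerable rate:
    (1 - t)^n <= 1 - c  =>  n >= ln(1 - c) / ln(1 - t)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def zero_deviation_row(confidence: float, tolerable_rates) -> dict:
    """The 'expected deviation rate 0' row of a large-population table."""
    return {t: discovery_sample_size(confidence, t) for t in tolerable_rates}


def binom_pmf(k: int, n: int, p: float) -> float:
    """P(exactly k deviations in n items) when each item deviates with probability p."""
    return math.comb(n, k) * p ** k * (1 - p) ** (n - k)


def achieved_confidence(n: int, deviations: int, tolerable_rate: float) -> float:
    """Confidence supported by n items containing the given number of deviations:
    1 - P(that few or fewer deviations | true rate equals the tolerable rate)."""
    risk = sum(binom_pmf(k, n, tolerable_rate) for k in range(deviations + 1))
    return 1 - risk


def two_stage_pass_probability(n1: int, n2: int, true_rate: float) -> float:
    """P('pass') under the page's decision rules at a given population rate.
    Stage 1: 0 deviations pass, 1 goes to stage 2, 2 or more fail.
    Stage 2 (n2 further items): pass only on 0 deviations."""
    stage1_zero = binom_pmf(0, n1, true_rate)
    stage1_one = binom_pmf(1, n1, true_rate)
    stage2_zero = binom_pmf(0, n2, true_rate)
    return stage1_zero + stage1_one * stage2_zero


def two_stage_meets_confidence(n1: int, n2: int, tolerable_rate: float,
                               confidence: float) -> bool:
    """Risk of over-reliance (passing a control whose true deviation rate is
    exactly the tolerable rate) must not exceed 1 - confidence."""
    return two_stage_pass_probability(n1, n2, tolerable_rate) <= 1 - confidence


if __name__ == "__main__":
    rates = (0.005, 0.01, 0.02, 0.03, 0.05, 0.08, 0.10)
    print("95% row:", zero_deviation_row(0.95, rates))   # 598 ... 29 as in the table
    print("90% row:", zero_deviation_row(0.90, rates))   # 460 ... 22 as in the table
    print("65/42 plan meets 95%:", two_stage_meets_confidence(65, 42, 0.05, 0.95))
    print("60 items, 0 deviations:", round(achieved_confidence(60, 0, 0.05), 3))
    print("15 items, 0 deviations:", round(achieved_confidence(15, 0, 0.05), 3))
```

A clean quarterly sample of 15 supports only about 54% confidence at a 5% tolerable rate, and a single deviation in the full 60 drops the annual result to about 81%, which is the practical content of the page's caution about small split samples.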
Material discussed in this Financial Reporting newsletter is meant to provide general information and should not be acted upon without first obtaining professional advice appropriately tailored to your individual facts and circumstances.