E&Y Post Mortem Sox 404 2004

  1. Mining & Metals Industry. American Coal Council, Sarbanes-Oxley Compliance Initiative. July 19, 2005, St. Louis, Missouri. ©2004 Ernst & Young LLP. All rights reserved. This material is proprietary, confidential, and for internal use only. Unauthorized distribution or reproduction of this program or its contents violates firm policy and copyright laws.
  2. Mining & Metals Industry. Overview – Sarbanes Oxley Act Section 404
  3. Overview of Sarbanes-Oxley
     • Creates new financial reporting requirements for issuers
     • Creates new criminal laws relating to corporate conduct
     • Creates a new Public Company Accounting Oversight Board (PCAOB)
     • Mandates corporate governance reforms
     • Enhances the role and independence of audit committees
     • Creates new auditor independence restrictions
  4. Responsibilities Under §404
     • Sarbanes-Oxley §404(a)(1) and (2): State management’s responsibility and assessment of the effectiveness of internal controls in annual report
     • Sarbanes-Oxley §404(b): Auditors attest to management’s assessment in annual report
  5. Implications of §404
     • PCAOB adopts Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
  6. New Definition of Public Company Audit
     • Integrated activity that consists of:
       – An audit of the financial statements
       – An audit of internal control
     • Audit of financial statements: Refers to procedures we perform to audit and issue our opinion on the client’s financial statements
     • Audit of internal controls: Refers to an opinion on the client’s assessment of internal control and on the effectiveness of internal control
  7. Key Implications and Trends
     • Additive to the core assurance work
     • Executive management has heightened its overall awareness and involvement in the design, implementation, and monitoring of internal controls over financial reporting
     • More attention to policies and procedures and related controls over highly subjective accounting areas
     • Companies are involving their auditors on a timely basis to make sure there is agreement about the scope of the annual assessment, including significant accounts and processes
     • Audit committees are requesting periodic status briefings from management
  8. Internal Control – Integrated Audit Focus
     [Diagram: internal control cube. Top-face labels: Operations, Financial Reporting, Compliance. Front-face components: Control Environment, Risk Assessment, Control Activities, Information and Communications, Monitoring. Annotation: Internal Control Considerations Covered by Sarbanes-Oxley Section 404 and PCAOB Standard No. 2.]
     Diagram Based Upon AICPA Auditing Standards AU319, Definition of Internal Control (Paragraph .13)
  9. Materiality Considerations for §404
     Definition of materiality: Errors that individually or collectively could have a material effect on the financial statements, or other matters such as illegal acts, conflicts of interest, and unauthorized management perquisites that, even though they are not material, could adversely affect the Company’s reputation or its relationship with its customers, shareholders, or the public if they were to remain undetected.
     Key considerations:
     • Quantitatively, 5% of pre-tax income is a generally accepted standard for considering financial statement materiality.
     • In addition to the above, certain qualitative considerations impact the selection of accounts for review:
       – Other accounts that could adversely impact the Company’s reputation, even though they are not material in terms of size
       – Other accounts that are susceptible to fraud
       – Other accounts aggregating more than the established materiality level that are an accumulation from more than one site
  10. Materiality Considerations for §404 (cont.)
     • Internal control deficiency:
       – Design deficiency exists when a necessary control is missing or an existing control is not properly designed
       – Operating deficiency exists when a properly designed control is either not operating as designed or the person performing the control does not possess the necessary authority or qualifications to perform the control effectively
     • Significant deficiency is an internal control deficiency that:
       – Could adversely affect the entity’s ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements
       – Must be reported to the Audit Committee
       – Not necessarily a reason for a qualified attestation report
     • Material weakness is a significant deficiency in one or more of the internal control components that:
       – Alone or in the aggregate precludes the entity’s internal control from reducing to an appropriately low level of risk that material misstatements in the financial statements will not be prevented or detected on a timely basis
       – Must be disclosed in management’s public report on internal controls
       – Results in a qualified attestation report
  11. Classifying Control Deficiencies
     Consider Both Quantitative and Qualitative Factors

     | Likelihood of potential misstatement | Inconsequential | Consequential, less than material | Material |
     |---|---|---|---|
     | More than Remote | Control Deficiency | Significant Deficiency | Material Weakness |
     | Remote | Control Deficiency | Control Deficiency | Control Deficiency |
     | Typical Starting Point | < 1% pretax income* | > 1% or < 5% pretax income* | > 5% pretax income* |

     Columns: Magnitude of potential misstatement
     * Asset or revenue test (as adjusted) may be more appropriate in limited circumstances
  12. Mining & Metals Industry. Sarbanes Oxley Section 404: Post-mortem on Year 1
  13. Sarbanes Oxley Section 404
     • Summary results reported through April 29
       – See detail through May 20, 2005
     • Implementation recap
     • Material weaknesses reported and significant deficiencies (anecdotal) in the mining industry
     • Recent developments from the SEC and PCAOB
  14. Summary – Material Weaknesses by Major Category: 10-K Filings Through April 29, 2005
     [Pie chart. Segment values as extracted: 6%, 7%, 11%, 19%, 11%, 36%, 1%, 3%, 5%, 1%. Legend: Documentation; Entity-level controls & fraud risks; Financial Statement Close Process & Disclosure; IT Controls; Merger Issues; Multilocation Considerations; Other; Personnel Issues; Significant Account Level; Taxes]
  15. 404 Implementation Recap: Plan & Scope the Project
     • Executive buy-in and “tone at top” was a key success factor
     • First year implementation was “brute force” and heroic efforts
     • Lack of history and evolving interpretations (or late breaking interpretations) created inefficiencies
  16. 404 Implementation Recap: Document Significant Processes and Controls
     • Documentation efforts were greater than initially anticipated; many companies did not have detailed policies or procedures to leverage
     • Companies used a combination of flow charts, narratives and risk and control matrices as core documentation
     • Some companies outsourced documentation, then had a “change management” issue to get process owners to own it
     • We saw cases of both over- or under-documentation; difficulties deciding where 404 began and ended and delineating compliance controls vs. financial controls
     • Documentation was not always consistent between business units creating inefficiencies and, in some cases, risks (i.e., control gaps)
  17. 404 Implementation Recap: Evaluate Effectiveness
     • Testing performed by internal audit, other internal resources and outside resources
     • Some testers tested processes and not controls
     • Some controls were not thoroughly tested (i.e., some attributes of a set of controls were missed)
     • Most testing was performed late in the year, especially third and fourth quarters
  18. 404 Implementation Recap: Remediation Issues, Monitoring Process
     • Those who did “pilots” or “dry run” testing in 2003 had fewer deficiencies to remediate in 2004
     • Aggregation of deficiencies resulted in some last minute surprises (i.e., aggregated to significant deficiency or material weakness)
     • Remediation efforts and related retesting is taking significant time
  19. Mining Industry Material Weaknesses – Review of 10K Filings through May 20, 2005
     • Analyzed 129 mining, metals and chemical sector registrants filing 10Ks through May 20, 2005
       – Twenty-two (22) of those reported material weaknesses
     • Primary areas noting material weaknesses
       – Tax issues (greatest number; deferred taxes, quarterly rate determination)
       – Financial statement close processes
       – Inventory management (spare parts and supplies)
       – Staffing issues – levels, expertise & training
  20. Mining Significant Deficiencies – Anecdotal from our Client Base
     • Untimely reconciliations between fixed asset system and general ledger, including untimely follow-up of reconciling items, as well as untimely review of work-in-process accounts, leading to misstatement of depreciation expense
     • Lack of periodic review of user access to applications, leading to conflicts of segregation of duties
     • Quarterly perspective, material misstatements in supplies expense due to a physical inventory being performed only in the fourth quarter
     • Proper recording of discrete event in proper quarter
     • Tax basis balance sheet errors – deferred income tax analysis
  21. Framework Design Objectives for 2005
     [Diagram: 302/404 framework with labels Cost, Value, Sustainability, Containment, Generation and the process steps Project Management, Process Management, Documentation, Testing, Remediation, Reporting; inset internal control cube based upon AICPA Auditing Standards AU319, Definition of Internal Control (Paragraph .13).]
     The Challenge – Sustaining Compliance
     • S404 - The need to re-evaluate the effectiveness of controls - each year
     • S302 - Quarterly Reporting of significant change in internal controls over financial reporting
       – Changes in systems, processes, business combinations, people
     • The Key Challenge is – How to turn a one off project into a sustainable process
     The Challenge – Cost Containment
     • A sustainable compliance process does have an associated cost
     • But - Management needs to get back to “business as usual”
     • The 404 requirements are still there
     • ..and the 302 requirement is more stringent
     • Key Challenge is - To create the least cost compliance regime
     The Challenge – Incremental Value
     • Companies have created significant infrastructure to assess and report on the effectiveness of controls over financial reporting
     • The Key Issues are - Can this be leveraged to cover operational and compliance risks; How do you effectively implement identified financial process improvements
  22. The new reality
     [Cartoon: The New Yorker - October 21, 2002]
     The New Reality - Significant Penalties
     • False certification subjects person to a fine and/or prison
     • Knowing violation: $1 million / 10 years
     • Willful violation: $5 million / 20 years
  23. Other Observations
     • Accept that the financial reporting environment has changed profoundly—more effort, more accountability
     • 404 is a process, not an event
     • Each company has unique circumstances to address
     • Management should include 404 implementation and on-going compliance costs in budgets
     • External resources to assist may become strained
     • There is no “silver bullet”
     • Understand the limits of internal controls—mitigation, not elimination, of risks
  24. Mining & Metals Industry. Section 404 – Recent Developments: Review of New Guidance Issued by the SEC and PCAOB
  25. SEC Statement
     • Reasonable assurance (i.e., a high level of assurance), but more flexibility in getting there
     • Top down, risk-based approach
       – Avoid giving all significant accounts equal attention without regard to risk
       – Qualitative factors should also be considered in the determination of whether or not an account is significant
     • Material weakness does not necessarily exist in every case of restatement resulting from error
     • Management discussion of accounting and auditing issues with their auditors is not of itself indicative of a deficiency
     • No expectation for testing IT general controls that do not pertain to financial reporting
     • Will continue to assess effect of reporting on internal control to smaller public companies and foreign private issuers
  26. Ernst & Young Observations—SEC Statement
     • Issuance of SEC staff guidance is positive and should contribute to a better dialogue between management, audit committees, and auditors
     • Issuers should achieve improvements in the second year’s process by refining their approach in areas of lower risk
     • The SEC staff has not prescribed the required scope of management’s assessment
     • Necessary evidence to support management’s opinion must be commensurate with the “high level of assurance” that reasonable assurance requires
  27. Ernst & Young Observations—SEC Statement (Cont.)
     • Robust and well-documented management assessment will present the auditor with the opportunity for greater reliance on the work of management with a commensurate reduction in the auditor’s own work
     • SEC staff states that dialogue and consultations between management and the auditors continue to be appropriate
     • Every restatement is not a material weakness, but auditors still must follow AS2 paragraph 140
       – Restatement indicates at least a significant deficiency, and a strong indicator of material weakness, if the deficiency is not remediated before year-end
  28. PCAOB Policy Statement—Significant Themes
     • Integrate the audits
     • Exercise professional judgment
     • Top-down, risk-based approach
     • Flexibility in using the work of others
     • Auditor’s ability to provide advice to clients
  29. Ernst & Young Observations—PCAOB Policy Statement
     • We are pleased that the positions and views expressed by the PCAOB in its policy statement and series of questions and answers are consistent with our approach for conducting the integrated audit
     • We will continue to study the PCAOB guidance, learn from PCAOB inspection results, and engage in dialogue with our clients and others -- and will adopt changes or make clarifications to our methodology where necessary to enhance the effectiveness and efficiency of our audits
  30. Mining & Metals Industry. PCAOB Questions and Answers
  31. Top Down Approach
     • Intended as a roadmap to traverse AS2
     • Start with company-level controls and then drive down to significant accounts, significant processes, and finally, individual controls at the process, transaction, or application levels
     • Identify, understand, and evaluate the design of company-level controls first because of their pervasive effect
  32. Ernst & Young Observations—Entity-Level Controls
     • Top-down approach is consistent with our audit methodology—however, prioritize the integrated audit effort on entity-level controls early in the cycle
     • Clarification—Auditor may limit the testing of the operating effectiveness of entity-level controls to the control environment, anti-fraud programs and controls, and those other entity-level controls that have a pervasive effect on the auditor’s testing of controls at the process, transaction, or application level
  33. Risk-Based Approach
     • Risk assessment underlies the entire process and has a pervasive effect on the amount of work we perform
     • Consistent with the responsibility to plan the audit of internal control so that the risk of failing to identify a material weakness is low
     • Risk assessment affects:
       – Identification of significant accounts and relevant assertions (Questions 41 and 42)
       – Nature, timing and extent of the tests of controls (Question 43)
       – Use of the work of others (Question 54)
  34. Identification of Significant Accounts
     • Quantitative measures alone are not determinative of whether an account should be identified as significant
     • The auditor should design control testing strategy to be responsive to his or her assessment of the risk related to the account
  35. Effect on E&Y Strategy—Significant Accounts
     • We believe accounts that are quantitatively material are significant accounts
       – If an account is deemed significant, it is significant for both the audit of the financial statements and the audit of internal control over financial reporting
     • Lower risk should be reflected in the nature, timing, and extent of the procedures applied by management and auditors (i.e., risk-based approach)
       – Focus on those components of the account or the relevant assertions that pose the risks
     • Auditor still needs to conclude that controls over such accounts are operating effectively
       – Eliminating internal control testing and performing more substantive financial statement audit procedures is inconsistent with the integrated audit
  36. Identification of Significant Controls
     • Management may identify and test more controls than necessary for the purpose of its assessment of internal control over financial reporting
     • Auditor needs to walk-through and test only those controls that are critical to achieving the relevant assertions related to significant accounts
     • Our methodology for the integrated audit requires that we test only those controls that are critical to achieving the relevant assertions related to significant accounts
  37. Risk Assessment Effect on Nature, Timing and Extent of Testing
     • As the risk associated with the control decreases, the persuasiveness of the evidence that the auditor needs to obtain decreases
     • Auditor has significant latitude to determine what work should be done
     • Strong, pervasive company-level controls can influence testing of other controls
  38. Effect on E&Y Strategy—Nature, Timing and Extent of Testing of Controls
     • Our methodology considers a number of factors in determining the extent of testing, including:
       – Degree that management plans to rely on the control
       – The relative importance of possible errors that could result
       – Strength of entity level controls
     • Strong entity level controls also can affect:
       – Number of and approach for locations that are individually insignificant but significant in the aggregate
       – Rollforward procedures (PCAOB Question 51)
  39. Using the Work of Others
     • Reliance on the work of others should be responsive to the degree of risk associated with the testing of the area
     • The evaluation of whether or not we have obtained principal evidence should be primarily qualitative
     • The auditor should perform work in areas that represent higher risk and ascribe more weight to the work performed in those areas
  40. Effect on E&Y Strategy—Using the Work of Others
     • We continue to clarify our internal guidance to emphasize the qualitative nature of assessment
       – Judgment is critical
       – We should be able to rely to the greatest extent on highly competent and objective internal auditors
     • Opportunities to realize efficiencies should occur as—
       – Management continues to refine its approach and processes for testing internal controls
       – Those performing the testing become more proficient through experience
     • Ability to use the results of self-assessment processes will depend on the nature of the process and other factors
  41. Benchmarking Controls
     • Benchmarking strategy for testing automated application controls can be used
     • Our methodology for conducting an audit of financial statements outlines guidance for benchmarking application controls where companies have made investments in effective IT general controls
  42. Alternating Tests of Controls
     • This is not rotation of controls
     • The auditor may vary the use of the work of others, time period over which controls are tested, the number and types of procedures performed, or the combination of procedures used in a particular area, from year to year
     • We agree that it is appropriate to alter the nature, timing, and extent of our tests; however, it is important to point out that each year the auditor must obtain sufficient evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements
  43. Management’s Reliance on Monitoring and Self-Assessment
     • Management’s interaction with the system of internal control provides them with a broader array of procedures by which to evaluate operating effectiveness
     • We have always recognized and advocated the view that management has a number of “tools” at its disposal for monitoring or evaluating their system of internal control over financial reporting, and we will continue to do so
     • We will continue to consider these procedures when evaluating management’s assessment and determining the extent to which we can use the results of such procedures in our audits
  44. Management’s Reliance on Monitoring and Self-Assessment (cont.)
     • Clarifies AS2 definition of self-assessment to narrow meaning—an assessment made by the same personnel who are responsible for performing the control
     • Determining factor is the objectivity of those performing the assessments
     • We will continue to evaluate the competence and objectivity of the person(s) performing self-assessments as a key factor for determining whether and how to use the work of others
  45. Extent of Management’s Testing
     • The auditor need not evaluate the adequacy of management’s assessment by comparing, on a control-by-control level, whether management’s testing was at least as extensive as their own
     • Management's testing should be sufficient to support their conclusion (i.e., assertion about the effectiveness of internal controls) but does not need to be approached in the same manner as the auditor
  46. Point in Time Assessment
     • Auditor should structure testing of controls to obtain sufficient evidence to support the opinion on internal control over financial reporting and to obtain sufficient evidence to support a control risk assessment of minimum for purposes of the audit of financial statements
     • Accordingly, the auditor tests controls over a period of time
     • Consistent with E&Y Guidance
  47. Various Topics
     • Question 52—It is inappropriate for the auditor to conclude that management should not implement changes to IT systems for some arbitrary period of time before year-end
     • Question 53—A control is not ineffective solely because there is no documentation evidencing the operation of the control
       – PCAOB— “the auditor must be satisfied however that the control actually operated”
  48. Summary
     • Identify and evaluate entity-level controls early in the audit so that our audit strategy might incorporate the benefit of strong entity-level controls
     • Lower risk should be reflected in the nature, timing, and extent of the procedures applied by management and auditors (i.e., risk-based approach)
     • Opportunities to realize efficiencies by using the work of others should occur as management continues to refine its approach and those performing the testing become more proficient through experience
     • Continue to evaluate the competence and objectivity of the person(s) performing testing (including self-assessments) as a key factor for determining whether and how to expand the use of the work of others
