Shift from the common “Controls-focused” approach beginning with a fresh look at your Risk Assessment. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ.
2. Please welcome our presenters
Les Sussman, Senior Practice Leader, Governance Risk and Compliance, RGP
Jason Chiang, CPA, CIA, Auditor and Risk Manager, RGP Consultant
3. Following this session, you will be able to:
1. Recognize the likely impact to companies of the PCAOB inspections and associated report
2. Identify and reference key sources for managing or auditing using a top-down, risk-based approach
3. Shift from the common “Controls-focused” approach beginning with a fresh look at your Risk Assessment
4. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ
4. Polling Question
Do you have Financial Statement auditing experience?
Yes
No
If so, you are probably familiar with much of what is presented here. We aim to help all of our colleagues to land on the same page as we approach SOX compliance and auditing in the post-PCAOB Inspection Report environment.
5. Timeline
Sarbanes Oxley Act signed by President Bush (2002)
Auditing Standard 2 released (2004)
AS 2 guidance issued by the SEC & PCAOB (2005)
SEC Management Guidance and AS 5 released (2007)
PCAOB Inspection Report (2012)
6. PCAOB Inspection Report
“PCAOB Issues Report on Inspection Observations Related to Audits of Internal Control over Financial Reporting”
7. PCAOB Inspection Report
1. Key findings
2. Deficiencies that led to findings
3. Root cause of deficiencies
8. Key Findings of Inspection Report
46 of 309 firms failed to obtain sufficient audit evidence to support their audit opinion on the effectiveness of internal control
9. Key Findings of Inspection Report
39 of those 46 firms also failed to obtain sufficient audit evidence to support the financial statement audit opinion
10. Key Findings of Inspection Report
In 50 of 309 inspections, evidence of deficiencies in some firms’ systems of quality control was observed
11. Common Deficiencies
Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or obtain evidence of procedures performed
12. Common Deficiencies
For example, firms failed to test the controls used to monitor the results of
1. monthly comparisons of budget and actual results to forecasts for revenues and expenses
2. comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales
3. quarterly balance sheet reviews
4. system generated data
5. procedures regarding the use of work of others
6. evaluation of control deficiencies
13. What can our clients expect?
Generally, MORE WORK!
• More detailed evidence will be required
• More testing and re-performance of procedures will be required
The way that companies document and test their controls will need to include more detail. Document your thresholds. Document what you are doing as you go along!
16. Root Causes of Deficiencies
1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;
2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;
3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and
4. Ineffective communication with firm's information system specialists on the engagement team.
Three of the four root causes relate to improvements that need to be made by the firms. The first root cause is one that management can address directly.
18. What can go wrong?
What is a top-down, risk-based approach?
Companies often start with… This often results in the documentation of Operational Risks. That is NOT representative of a top-down approach.
A top-down approach focuses on… Financial Statement Risks (the subset of All Company Risks that matters here).
24. What is a top-down, risk-based approach?
Why do financial statements matter? This is what financial readers really care about.
From the MD&A: Will the FDA approve? Are they shifting money from one company to another?
28. What is a top-down, risk-based approach?
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
In a recent post on the IIA blog, he gave his assessment of a widely distributed guide that discusses the role of IT Risks and Controls in SOX. He said…
“I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.”
-Norman Marks
33. Required Recommended Reading
It is tempting to look for a tool; something like a checklist or a cheat sheet to walk through the top-down approach. Jason Chiang cautions that there’s no short-cut to the approach. He urges risk and audit professionals to follow the guidance.
35. Required Recommended Reading
• Auditing Standard No. 5
http://pcaobus.org/standards/auditing/pages/auditing_standard_5.aspx
• SEC’s Interpretive Guidance for Management
http://www.sec.gov/rules/interp/2007/33-8810.pdf
• PCAOB Staff Views: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies
http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf
• The External Auditing Firm’s Guidance
• COSO: Internal Control over Financial Reporting — Guidance for Smaller Public Companies
http://www.coso.org/ICFR-GuidanceforSPCs.htm
• COSO: Internal Control — Integrated Framework, Guidance on Monitoring Internal Control Systems
http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf
37. Applying Auditing Standard No. 5 Approach
http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
Read AS5. Specifically, paragraphs 21-41, which focus on “Using a Top-Down Approach”.
38. Applying Auditing Standard No. 5 Approach
The first paragraph of the section walks through three broad processes for applying AS5:
• Review Financial Statements, understanding risks to ICFR
• Examine entity-level controls, significant accounts, disclosures and their relevant assertions
• Understand risks in processes, select for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion
44. Risk Assessment
Which Financial Statement Accounts are significant?
Assess impact or likelihood, whatever the case may be, of each risk factor for each account. Determine the calculated Risk and consider whether this matches your judgment of the risk. This exercise can be used to validate your judgment of what is significant. If you find great discrepancy, examine why that is.
47. Risk Assessment
Identify relevant assertions for each significant account
These are the assertions recognized by the PCAOB (with definitions pulled from AS15).
Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
Completeness – All transactions and accounts that should be presented in the financial statements are so included.
Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.
Step back from the academic exercise and consider the real world motivations of companies… Management wants the company to look good. It is natural to want to overstate assets/cash and to understate liabilities/expenses. Think about how this relates to the assertions…
If it is stated that the company has $5M in the bank, the auditor would logically want to ask, “Really?” In other words, does that cash or do those assets actually exist?
If it is stated that the company has no Accrued Expenses, the auditor would logically want to ask, “Really?” What if, in January, the auditor observes a bill for legal fees that were incurred on December 28th? Is the debt liability really complete?
Thinking through and referring to real examples will make this exercise of determining which assertions are relevant much easier to understand. Jason recommends creating a cheat sheet that includes the definitions and an example for each assertion.
58. Risk Assessment
What is the level of risk for each assertion?
This generally results in another High-Medium-Low rating for each assertion. And it is another of the determinations made by risk and audit professionals that is largely based on judgment.
60. Risk Assessment
[Flow diagram: ID Significant Accounts → Determine relevant assertions for those significant accounts → ID Financial Statement Risk and Risk level → Statement of Risk based on application of assertion to account]
Work through this process for each financial statement line item.
62. Risk Assessment
Balance Sheet Example: Accounts Receivable
Often, the line item determined to be significant will then be tagged or mapped to a process. Next, companies often go to the process and ask, “what can go wrong in the process?” It is tempting to get dragged into an operational view of risks again. Instead, consider…
What are the relevant assertions?
Existence or occurrence
Completeness
Valuation or allocation
Rights and obligations
Presentation and disclosure
Valuation Risk – All uncollectible customer balances may not be properly written off.
Control – On at least a quarterly basis, the Controller reviews the Accounts Receivable Aging (including the ICS A/R reports) for uncollectible accounts to determine the necessity for and/or adequacy of an allowance for doubtful accounts. The calculation is reviewed and approved by the CFO.
68. Risk Assessment
Income Statement Example: Salary Expense
What are the relevant assertions?
Existence or occurrence
Completeness
Valuation or allocation
Rights and obligations
Presentation and disclosure
Occurrence Risk – Did the expense that you put on your books occur? That is, does it represent the exchange of employees’ services with cash or other consideration?
Control – The Controller reviews the payroll supporting documentation (including timecards, the timecard tracking spreadsheet and the approved Time-Off Request Forms for vacation/sick/personal time off use) to ensure the completeness and accuracy of the hours entered into the payroll system.
70. Questions
What has your experience been? Do you see the company focusing on those assertions that are relevant for each significant account or falling back on process or operational risks?
75. Review Controls
[Diagram: an inventory of controls (C), of which some map to a financial statement assertion (CFSA) and a few of those are entity level controls (ELCFSA)]
Beginning with an inventory of all controls and determining which may address a financial statement assertion is NOT representative of a top-down approach. Starting at the top, evaluating Entity Level Controls, may greatly reduce the overall amount of work required for testing.
76. Review Controls
Apply precision to Entity Level Controls. This is another key point discussed in the guidance.
77. Review Controls
“What is the client’s expectation?”
The company judges what amount would matter to readers of financial statements. Start by determining the thresholds. For example, 5% or 3%.
80. Review Controls
CC Image Courtesy of http://www.flickr.com/photos/danmoyle/
CC Image Courtesy of http://www.flickr.com/photos/daniel-sound/
For example: at a high level, the client recognizes that a portion of the audience will not pay… …and they’ll choose to maintain that percentage in reserves.
If this is considered an Entity Level Control, …how can precision be applied?
Understand the process for coming up with this plan so that it can be quantified and tested. The process must reflect what is actually being done.
If the control is +/- 5%: Okay, precise enough.
If the control is +/- 20%: you conclude that it must be more precise. We need to get to the process level to test the control and better estimate what the actual provision should be.
88. Questions
Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk.
True or False?
a) True
b) False
This is why you start with Entity Level Controls. They can reduce the total number of controls and testing required.
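The Risk Assessment steps (slides 44 to 60) and the entity-level control precision test (slides 85 to 89) can be put together as a small scoping model. This is an added example, not code from the RGP deck or from policyIQ; the High/Medium/Low scale, the impact-times-likelihood scoring rule, the threshold comparison and every sample account and control are assumptions.

```python
"""Added example (not from the RGP deck): a model of top-down, risk-based scoping.
Accounts get a calculated risk from impact and likelihood, each relevant assertion
carries a statement of risk, and controls are selected starting from entity-level
controls whose precision is compared with the threshold management set.
The scale, the scoring rule and the sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def calculated_risk(impact: str, likelihood: str) -> str:
    """Assumed rule: impact x likelihood, bucketed back into High/Medium/Low."""
    score = LEVEL[impact] * LEVEL[likelihood]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


@dataclass
class Account:
    name: str
    impact: str
    likelihood: str
    judged_risk: str            # management's own judgment of the account's risk
    risks: Dict[str, str]       # relevant assertion -> statement of risk


@dataclass
class Control:
    name: str
    entity_level: bool
    addresses: Tuple[Tuple[str, str], ...]   # (account, assertion) pairs covered
    precision_pct: Optional[float] = None    # +/- tolerance of an entity-level review


def risk_discrepancies(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Accounts where the calculated risk disagrees with judgment: the deck says to
    examine why, not to trust either number blindly."""
    return [(a.name, calculated_risk(a.impact, a.likelihood), a.judged_risk)
            for a in accounts
            if calculated_risk(a.impact, a.likelihood) != a.judged_risk]


def elc_precise_enough(control: Control, threshold_pct: float) -> bool:
    """An entity-level control addresses a risk on its own only when its tolerance
    is no wider than the company's threshold (e.g. +/-5%)."""
    return (control.entity_level and control.precision_pct is not None
            and control.precision_pct <= threshold_pct)


def select_controls_to_test(accounts: List[Account], controls: List[Control],
                            threshold_pct: float) -> Dict[Tuple[str, str], List[str]]:
    """Top-down: for each (significant account, relevant assertion), test one
    sufficiently precise entity-level control if there is one; otherwise fall
    through to the process-level controls mapped to that assertion."""
    selected: Dict[Tuple[str, str], List[str]] = {}
    for acct in accounts:
        if calculated_risk(acct.impact, acct.likelihood) == "Low" and acct.judged_risk == "Low":
            continue                                    # not significant: out of scope
        for assertion in acct.risks:
            key = (acct.name, assertion)
            elcs = [c.name for c in controls
                    if key in c.addresses and elc_precise_enough(c, threshold_pct)]
            if elcs:
                selected[key] = elcs[:1]                # AS5: no further controls needed
            else:
                selected[key] = [c.name for c in controls
                                 if key in c.addresses and not c.entity_level]
    return selected


def coverage_gaps(selected: Dict[Tuple[str, str], List[str]]) -> List[Tuple[str, str]]:
    """Relevant assertions with no control at all: the real finding of the exercise."""
    return sorted(key for key, names in selected.items() if not names)


# Constructed sample data, loosely following the deck's A/R and salary examples.
SAMPLE_ACCOUNTS = [
    Account("Accounts Receivable", "High", "Medium", "High",
            {"Valuation or allocation": "Uncollectible balances may not be written off."}),
    Account("Salary Expense", "Medium", "Medium", "Low",
            {"Existence or occurrence": "Recorded payroll may not reflect services rendered.",
             "Completeness": "Hours worked may be missing from the payroll run."}),
    Account("Cash", "High", "Low", "Medium",
            {"Existence or occurrence": "Reported bank balances may not exist."}),
    Account("Office Supplies", "Low", "Low", "Low",
            {"Completeness": "Small purchases may be unrecorded."}),
]
SAMPLE_CONTROLS = [
    Control("Reserve percentage review (+/-20%)", True,
            (("Accounts Receivable", "Valuation or allocation"),), 20.0),
    Control("Controller reviews A/R aging (quarterly)", False,
            (("Accounts Receivable", "Valuation or allocation"),)),
    Control("Monthly cash position review (+/-3%)", True,
            (("Cash", "Existence or occurrence"),), 3.0),
    Control("Controller reviews payroll support", False,
            (("Salary Expense", "Existence or occurrence"),)),
]
```

Running `select_controls_to_test(SAMPLE_ACCOUNTS, SAMPLE_CONTROLS, 5.0)` shows the +/-20% reserve review failing the 5% threshold, so the A/R valuation risk falls through to the Controller's aging review, while the +/-3% cash review is accepted on its own.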
91. Automate the process
Employ a tool to help bring automation, time and cost savings to the entire process.
From my experience, policyIQ is the most cost-effective tool out there for companies to use to manage their content and workflow, which comes in handy for SOX compliance. policyIQ was designed to be intuitive and flexible. The policyIQ support team is top-notch, and will help subscribers implement the system.
-Jason Chiang
92. Automate the process
policyIQ record types shown on the slide:
S – Significant Account / Disclosure
P – Process Narrative
R – Management Assertion (Risk)
C – Key Control
T – Test
D – Deficiency
W – General Workpaper
R – Report
F – Findings
policyIQ is customizable—you can use it to track the full scope of documentation, manage workflow, and take advantage of the reporting features to more easily see and share your rationalization process… It is a great technology pairing with your fresh look at the risk assessment and the proper application of the top-down, risk-based approach.
95. Summary
The PCAOB identified these as the root causes of the deficiencies that they observed:
1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;
2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;
3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and
4. Ineffective communication with firm's information system specialists on the engagement team.
96. Summary
Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or perform procedures. And it seems clear that more testing and more detailed evidence will almost certainly be the impact to companies.
97. Summary
RGP can help companies to respond to the likely changes imposed by the audit firms.
98. Summary
1. Set the tone from the beginning
• Evidence things better
• Establish a more formal and complete policy and procedure manual
• Track the completion of procedural tasks
• Act as liaison between client and audit firms
2. Proper application of a top-down, risk-based approach called for by AS5
With proper application of the AS5 approach, and by acting as a liaison between the company and audit firm, we can offset some of the additional work that will likely be pushed down by the PCAOB through the firms.
100. Summary
The best way to ensure that you are correctly applying the top-down, risk-based approach is to follow the guidance:
101. Required Recommended Reading (the same list as slide 35 above)
102. For more information
Jason Chiang: jchiang@rgp.com
Les Sussman: lsussman@rgp.com
policyIQ: Support@policyIQ.com