Important SOX Update
Understanding the Impact of the PCAOB Report on ICFR Audits
Session brought to you by RGP & policyIQ
Please welcome our presenters:
Les Sussman, Senior Practice Leader, Governance Risk and Compliance, RGP
Jason Chiang, CPA, CIA, Auditor and Risk Manager, RGP Consultant
Following this session, you will be able to:
1. Recognize the likely impact to companies of the PCAOB inspections and associated report
2. Identify and reference key sources for managing or auditing using a top-down, risk-based approach
3. Shift from the common “Controls-focused” approach, beginning with a fresh look at your Risk Assessment
4. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ
Polling Question
Do you have Financial Statement auditing experience?
• Yes
• No
If so, you are probably familiar with much of what is presented here. We aim to help all of our colleagues land on the same page as we approach SOX compliance and auditing in the post-PCAOB Inspection Report environment.
Timeline
• Sarbanes Oxley Act signed by President Bush (2002)
• Auditing Standard 2 released (2004)
• AS 2 guidance issued by the SEC & PCAOB (2005)
• SEC Management Guidance and AS 5 released (2007)
• PCAOB Inspection Report (2012)
PCAOB Inspection Report
“PCAOB Issues Report on Inspection Observations Related to Audits of Internal Control over Financial Reporting”
1. Key findings
2. Deficiencies that led to findings
3. Root cause of deficiencies
Key Findings of Inspection Report
46 of 309 firms failed to obtain sufficient audit evidence to support their audit opinion on the effectiveness of internal control.
39 of those 46 firms also failed to obtain sufficient audit evidence to support the financial statement audit opinion.
In 50 of 309 inspections, evidence of deficiencies in some firms’ systems of quality control was observed.
Common Deficiencies
Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or obtain evidence of procedures performed.
For example, firms failed to test the controls used to monitor the results of:
1. monthly comparisons of budget and actual results to forecasts for revenues and expenses
2. comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales
3. quarterly balance sheet reviews
4. system generated data
5. procedures regarding the use of work of others
6. evaluation of control deficiencies
What can our clients expect?
Generally, MORE WORK!
• More detailed evidence will be required
• More testing and re-performance of procedures will be required
The way that companies document and test their controls will need to include more detail. Document your thresholds. Document what you are doing as you go along!
Root Causes of Deficiencies
1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;
2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;
3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and
4. Ineffective communication with the firm's information system specialists on the engagement team.
Three of the four root causes relate to improvements that need to be made by the firms. The first root cause is one that management can address directly.
What is a top-down, risk-based approach?
What can go wrong? Companies often start with this question, and it often results in the documentation of Operational Risks. That is NOT representative of a top-down approach. A top-down approach focuses not on All Company Risks but on Financial Statement Risks.
Why do financial statements matter?
This is what financial readers really care about. From the MD&A: Will the FDA approve? Are they shifting money from one company to another?
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
In a recent post on the IIA blog, he gave his assessment of a widely distributed guide that discusses the role of IT Risks and Controls in SOX. He said:
“I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.”
-Norman Marks
Polling Question
What model do you think your approach follows?
a) top down
b) bottom up
c) middle down
d) not sure
Required Recommended Reading
It is tempting to look for a tool, something like a checklist or a cheat sheet, to walk through the top-down approach. Jason Chiang cautions that there’s no short-cut to the approach. He urges risk and audit professionals to follow the guidance.
• Auditing Standard No. 5
http://pcaobus.org/standards/auditing/pages/auditing_standard_5.aspx
• SEC’s Interpretive Guidance for Management
http://www.sec.gov/rules/interp/2007/33-8810.pdf
• Staff Views: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies
http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf
• The External Auditing Firm’s Guidance
• COSO: Internal Control over Financial Reporting — Guidance for Smaller Public Companies
http://www.coso.org/ICFR-GuidanceforSPCs.htm
• COSO: Internal Control — Integrated Framework: Guidance on Monitoring Internal Control Systems
http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf
Applying Auditing Standard No. 5 Approach
Jason suggests starting with this: read AS5, specifically paragraphs 21-41, which focus on “Using a Top-Down Approach”.
http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
The first paragraph of the section walks through three broad processes for applying AS5:
• Review Financial Statements, understanding risks to ICFR
• Examine entity-level controls, significant accounts, disclosures and their relevant assertions
• Understand risks in processes, select for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion
Risk Assessment
Let’s walk through the approach at a high level…
Which Financial Statement Accounts are significant?
1. Determine the risk factors you will assess.
2. Decide how each factor will weigh into the overall rating.
3. Choose a rating scale for the assessment.
4. Assess the impact or likelihood, whatever the case may be, of each risk factor for each account.
5. Determine the calculated Risk and consider whether this matches your judgment of the risk. This exercise can be used to validate your judgment of what is significant. If you find great discrepancy, examine why that is.
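As an added worked example (not code from the deck, from RGP or from policyIQ), the Python below implements the five scoring steps just described. The factor names, their weights, the 1-to-3 rating scale and the four sample accounts are constructed assumptions, not guidance. It goes one step beyond the slides by measuring the gap between the calculated rating and the preparer's own judgment, so a High-versus-Low disagreement is flagged for the "examine why" step rather than left to be noticed by eye.

```python
"""Weighted risk rating for selecting significant accounts.

Added example; not code from the RGP/policyIQ deck. It implements the
scoring procedure the slides describe: choose the risk factors, decide how
each factor weighs into the overall rating, pick a rating scale, assess each
factor for each account, then compare the calculated risk with your own
judgment and flag discrepancies worth examining. The factor names, weights,
scale and account data below are constructed assumptions, not guidance.
"""
from dataclasses import dataclass

# Rating scale (assumption): Low / Medium / High mapped to 1..3.
SCALE = {"Low": 1, "Medium": 2, "High": 3}

# Risk factors and their weights (assumption); weights sum to 1.0 so the
# weighted score lands back on the 1..3 scale.
FACTORS = {
    "size_of_balance": 0.30,
    "volume_of_transactions": 0.15,
    "complexity_or_judgment": 0.25,
    "susceptibility_to_misstatement": 0.20,
    "change_from_prior_period": 0.10,
}
assert abs(sum(FACTORS.values()) - 1.0) < 1e-9, "weights must sum to 1"


@dataclass
class Account:
    name: str
    scores: dict      # factor name -> "Low" | "Medium" | "High"
    judgment: str     # the preparer's own overall rating


def weighted_score(scores: dict) -> float:
    """Weighted sum of the factor ratings; rejects unknown or missing factors."""
    missing = set(FACTORS) - set(scores)
    unknown = set(scores) - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    return sum(FACTORS[f] * SCALE[scores[f]] for f in FACTORS)


def to_rating(score: float) -> str:
    """Map a 1..3 weighted score back onto the scale using three equal bands."""
    if score < 1 + 2 / 3:      # below ~1.67
        return "Low"
    if score < 1 + 4 / 3:      # below ~2.33
        return "Medium"
    return "High"


def assess(accounts: list) -> list:
    """Calculated rating per account, compared against the preparer's judgment."""
    results = []
    for acct in accounts:
        score = weighted_score(acct.scores)
        calculated = to_rating(score)
        gap = abs(SCALE[calculated] - SCALE[acct.judgment])
        results.append({
            "account": acct.name,
            "score": round(score, 2),
            "calculated": calculated,
            "judgment": acct.judgment,
            # Treat anything above Low as a significant account (assumption).
            "significant": calculated != "Low",
            # Steps on the scale between the model and the preparer: 0 = agree,
            # 2 = High vs Low, the "great discrepancy" the deck says to examine.
            "discrepancy": gap,
            "examine": gap >= 2,
        })
    return results


# Constructed sample data for a small company (not from the deck).
SAMPLE_ACCOUNTS = [
    Account("Cash", {
        "size_of_balance": "High", "volume_of_transactions": "High",
        "complexity_or_judgment": "Medium", "susceptibility_to_misstatement": "High",
        "change_from_prior_period": "Low"}, judgment="High"),
    Account("Accounts Receivable", {
        "size_of_balance": "High", "volume_of_transactions": "High",
        "complexity_or_judgment": "High", "susceptibility_to_misstatement": "High",
        "change_from_prior_period": "Medium"}, judgment="High"),
    Account("Prepaid Expenses", {
        "size_of_balance": "Low", "volume_of_transactions": "Low",
        "complexity_or_judgment": "Low", "susceptibility_to_misstatement": "Low",
        "change_from_prior_period": "Low"}, judgment="Low"),
    # Preparer rated this Low; the factors say otherwise, so it gets flagged.
    Account("Deferred Revenue", {
        "size_of_balance": "Medium", "volume_of_transactions": "Medium",
        "complexity_or_judgment": "High", "susceptibility_to_misstatement": "High",
        "change_from_prior_period": "High"}, judgment="Low"),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_ACCOUNTS):
        flag = "  <- examine why judgment differs" if row["examine"] else ""
        print(f'{row["account"]:<20} score={row["score"]:.2f} '
              f'calc={row["calculated"]:<6} judgment={row["judgment"]:<6}{flag}')
```

Run it as a script to get one line per account. The point of the `discrepancy` column is the validation step the deck describes: a model that merely agrees with the preparer adds little, while a two-step gap (the Deferred Revenue row in the constructed data) is exactly the case to document and explain before the account is left out of scope.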
Which Financial Statement Assertions are relevant?
Identify relevant assertions for each significant account. These are the assertions recognized by the PCAOB (with definitions pulled from AS15):
Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
Completeness – All transactions and accounts that should be presented in the financial statements are so included.
Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.
Step back from the academic exercise and consider the real world motivations of companies. Management wants the company to look good. It is natural to want to overstate assets/cash and to understate liabilities/expenses. Think about how this relates to the assertions:
• If it is stated that the company has $5M in the bank, the auditor would logically want to ask, “Really?” In other words, does that cash or do those assets actually exist? (Existence)
• If it is stated that the company has no Accrued Expenses, the auditor would logically want to ask, “Really?” What if, in January, the auditor observes a bill for legal fees that were incurred on December 28th? Is the debt liability really complete? (Completeness)
Thinking through and referring to real examples will make this exercise of determining which assertions are relevant much easier to understand. Jason recommends creating a cheat sheet that includes the definitions and an example for each assertion.
What is the level of risk for each assertion?
Next, determine the level of risk for each assertion. This generally results in another High-Medium-Low rating for each assertion, and it is another of the determinations made by risk and audit professionals that is largely based on judgment.
[Flow diagram: ID Significant Accounts → Determine relevant assertions for those significant accounts → ID Financial Statement Risk and Risk level (Statement of Risk based on application of assertion to account)]
Work through this process for each financial statement line item.
Risk Assessment Examples
Balance Sheet Example: Accounts Receivable
Often, the line item determined to be significant will then be tagged or mapped to a process. Next, companies often go to the process and ask, “what can go wrong in the process?” It is tempting to get dragged into an operational view of risks again. Instead, consider: what are the relevant assertions?
Existence or occurrence
Completeness
Valuation or allocation
Rights and obligations
Presentation and disclosure
Valuation Risk – All uncollectible customer balances may not be properly written off.
Control – On at least a quarterly basis, the Controller reviews the Accounts Receivable Aging (including the ICS A/R reports) for uncollectible accounts to determine the necessity for and/or adequacy of an allowance for doubtful accounts. The calculation is reviewed and approved by the CFO.
Income Statement Example: Salary Expense
What are the relevant assertions?
Existence or occurrence
Completeness
Valuation or allocation
Rights and obligations
Presentation and disclosure
Occurrence Risk – Did the expense that you put on your books occur? That is, does it represent the exchange of employees’ services for cash or other consideration?
Control – The Controller reviews the payroll supporting documentation (including timecards, the timecard tracking spreadsheet and the approved Time-Off Request Forms for vacation/sick/personal time off use) to ensure the completeness and accuracy of the hours entered into the payroll system.
Questions
What has your experience been? Do you see the company focusing on those assertions that are relevant for each significant account, or falling back on process or operational risks?
Review Controls
[Diagram: Entity Level Controls (ELC), Financial Statement Assertions (FSA) and individual controls (C)]
Following identification of the relevant assertions and risks to financial statements, determine which controls a company might establish to address those risks. The guidance says to start with identification and evaluation of the Financial Statement Close process or Entity Level Controls.
Beginning with an inventory of all controls and determining which may address a financial statement assertion is NOT representative of a top-down approach. Starting at the top, evaluating Entity Level Controls, may greatly reduce the overall amount of work required for testing.
Apply precision to Entity Level Controls
This is another key point discussed in the guidance. “What is the client’s expectation?” Start by determining the thresholds. The company judges what amount would matter to readers of financial statements. For example, 5% or 3%.
For example: at a high level, the client recognizes that a portion of the audience will not pay, and they’ll choose to maintain that percentage in reserves. If this is considered an Entity Level Control, how can precision be applied? Understand the process for coming up with this plan so that it can be quantified and tested. The process must reflect what is actually being done.
If the control operates within the +/- 5% threshold: okay, precise enough. If the control is +/- 20%, you conclude that it must be more precise. We need to get to the process level to test the control and better estimate what the actual provision should be.
CC Images Courtesy of http://www.flickr.com/photos/danmoyle/ and http://www.flickr.com/photos/daniel-sound/
Questions
True or False? Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk.
a) True
b) False
This is why you start with Entity Level Controls. They can reduce the total number of controls and testing required.
Automate the process
Employ a tool to help bring automation, time and cost savings to the entire process.
“From my experience, policyIQ is the most cost-effective tool out there for companies to use to manage their content and workflow, which comes in handy for SOX compliance. policyIQ was designed to be intuitive and flexible. The policyIQ support team is top-notch, and will help subscribers implement the system.”
-Jason Chiang
policyIQ is customizable—you can use it to track the full scope of documentation, manage workflow, and take advantage of the reporting features to more easily see and share your rationalization process…
[Diagram: policyIQ record types]
S – Significant Account / Disclosure
P – Process Narrative
R – Management Assertion (Risk)
C – Key Control
T – Test
D – Deficiency
W – General Workpaper
R – Report
F – Findings
It is a great technology pairing with your fresh look at the risk assessment and the proper application of the top-down, risk-based approach.
Summary
Let’s recap what we have said…
The PCAOB identified four root causes of the deficiencies that they observed (see Root Causes of Deficiencies above). Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or perform procedures. And it seems clear that more testing and more detailed evidence will almost certainly be the impact to companies.
RGP can help companies to respond to the likely changes imposed by the audit firms:
1. Set the tone from the beginning
• Evidence things better
• Establish a more formal and complete policy and procedure manual
• Track the completion of procedural tasks
• Act as liaison between client and audit firms
2. Proper application of a top-down, risk-based approach called for by AS5
With proper application of the AS5 approach, and by acting as a liaison between the company and audit firm, we can offset some of the additional work that will likely be pushed down by the PCAOB through the firms.
The best way to ensure that you are correctly applying the top-down, risk-based approach is to follow the guidance listed under Required Recommended Reading above.
For more information
Jason Chiang: jchiang@rgp.com
Les Sussman: lsussman@rgp.com
policyIQ: Support@policyIQ.com
Thank you
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk ConsultingPrashant Jain
 
2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit
2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit
2015_GKB Driving Success in a Changing World_10 Imperatives for Internal AuditChristian Patricio Vaca Benalcázar
 
CFO.Com and Oracle - Improving Bottom Line with Advanced Controls
CFO.Com and Oracle - Improving Bottom Line with Advanced ControlsCFO.Com and Oracle - Improving Bottom Line with Advanced Controls
CFO.Com and Oracle - Improving Bottom Line with Advanced ControlsOracle
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptxAral20101
 
2. op risk and aml
2. op risk and aml2. op risk and aml
2. op risk and amlcrmbasel
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAHTommy Seah
 
Continous auditing and risk monitoring 9 23-09
Continous auditing and risk monitoring  9 23-09Continous auditing and risk monitoring  9 23-09
Continous auditing and risk monitoring 9 23-09Gaiani (CarnCorpAudit)
 
Strategic management note. 2
Strategic management note.  2 Strategic management note.  2
Strategic management note. 2 Tarek Aziz
 
Lean Six Sigma Course Training Part 16
Lean Six Sigma Course Training Part 16Lean Six Sigma Course Training Part 16
Lean Six Sigma Course Training Part 16Lean Insight
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 

Similar to 2013 PCAOB Report - Important SOX Update (20)

N6.pdf
N6.pdfN6.pdf
N6.pdf
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
 
RE Chapter 34 Building an ERM Program at General MotorsCOLLAPS.docx
RE Chapter 34 Building an ERM Program at General MotorsCOLLAPS.docxRE Chapter 34 Building an ERM Program at General MotorsCOLLAPS.docx
RE Chapter 34 Building an ERM Program at General MotorsCOLLAPS.docx
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
 
ERM Assessment Guide
ERM Assessment GuideERM Assessment Guide
ERM Assessment Guide
 
2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit
2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit
2015_GKB Driving Success in a Changing World_10 Imperatives for Internal Audit
 
CFO.Com and Oracle - Improving Bottom Line with Advanced Controls
CFO.Com and Oracle - Improving Bottom Line with Advanced ControlsCFO.Com and Oracle - Improving Bottom Line with Advanced Controls
CFO.Com and Oracle - Improving Bottom Line with Advanced Controls
 
How Audit Committees Can Help with Third-Party Risks
How Audit Committees Can Help with Third-Party RisksHow Audit Committees Can Help with Third-Party Risks
How Audit Committees Can Help with Third-Party Risks
 
bu
bubu
bu
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013
 
Acc 490 final exam
Acc 490 final examAcc 490 final exam
Acc 490 final exam
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptx
 
2. op risk and aml
2. op risk and aml2. op risk and aml
2. op risk and aml
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAH
 
Continous auditing and risk monitoring 9 23-09
Continous auditing and risk monitoring  9 23-09Continous auditing and risk monitoring  9 23-09
Continous auditing and risk monitoring 9 23-09
 
Strategic management note. 2
Strategic management note.  2 Strategic management note.  2
Strategic management note. 2
 
Lean Six Sigma Course Training Part 16
Lean Six Sigma Course Training Part 16Lean Six Sigma Course Training Part 16
Lean Six Sigma Course Training Part 16
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Compliance Risk Assessment
Compliance Risk AssessmentCompliance Risk Assessment
Compliance Risk Assessment
 

Recently uploaded

VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburgmasabamasaba
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 

Recently uploaded (20)

VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 

2013 PCAOB Report - Important SOX Update

  • 11. Common Deficiencies: Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or obtain evidence of procedures performed.
  • 12. Common Deficiencies: For example, firms failed to test the controls used to monitor the results of:
    1. monthly comparisons of budget and actual results to forecasts for revenues and expenses
    2. comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales
    3. quarterly balance sheet reviews
    4. system-generated data
    5. procedures regarding the use of work of others
    6. evaluation of control deficiencies
  • 13. What can our clients expect? Generally, MORE WORK!
  • 14. What can our clients expect? Generally, MORE WORK! More detailed evidence will be required; more testing and re-performance of procedures will be required.
  • 15. What can our clients expect? (same points as slide 14) The way that companies document and test their controls will need to include more detail. Document your thresholds. Document what you are doing as you go along!
  • 16. Root Causes of Deficiencies:
    1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5;
    2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures;
    3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and
    4. Ineffective communication with the firm's information system specialists on the engagement team.
  • 17. Root Causes of Deficiencies (same list as slide 16): Three of the four root causes relate to improvements that need to be made by the firms. The first root cause is one that management can address directly.
  • 18. What can go wrong? What is a top-down, risk-based approach? Companies often start with…
  • 19. What can go wrong? What is a top-down, risk-based approach? This often results in the documentation of Operational Risks.
  • 20. What can go wrong? What is a top-down, risk-based approach? That is NOT representative of a top-down approach.
  • 21. What can go wrong? What is a top-down, risk-based approach? A top-down approach focuses on…
  • 22. What can go wrong? What is a top-down, risk-based approach? A top-down approach focuses on… …with All Company Risks
  • 23. What can go wrong? What is a top-down, risk-based approach? A top-down approach focuses on… …with Financial Statement Risks
  • 24. What is a top-down, risk-based approach? Why do financial statements matter?
  • 25. What is a top-down, risk-based approach? Why do financial statements matter? This is what financial readers really care about.
  • 26. What is a top-down, risk-based approach? Why do financial statements matter? This is what financial readers really care about. From the MD&A: Will the FDA approve?
  • 27. What is a top-down, risk-based approach? Why do financial statements matter? This is what financial readers really care about. From the MD&A: Will the FDA approve? Are they shifting money from one company to another?
  • 28. What is a top-down, risk-based approach? Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
  • 29. What is a top-down, risk-based approach? In a recent post on the IIA blog, he gave his assessment of a widely distributed guide that discusses the role of IT Risks and Controls in SOX. He said…
  • 30. What is a top-down, risk-based approach? “I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.” – Norman Marks
  • 31. What is a top-down, risk-based approach? (same quotation as slide 30)
  • 32. Polling Question: What model do you think your approach follows? a) top down b) bottom up c) middle down d) not sure
  • 33. Required Recommended Reading: It is tempting to look for a tool, something like a checklist or a cheat sheet, to walk through the top-down approach.
  • 34. Required Recommended Reading: It is tempting to look for a tool, something like a checklist or a cheat sheet, to walk through the top-down approach. Jason Chiang cautions that there’s no short-cut to the approach. He urges risk and audit professionals to follow the guidance.
  • 35. Required Recommended Reading:
    - Auditing Standard No. 5: http://pcaobus.org/standards/auditing/pages/auditing_standard_5.aspx
    - SEC’s Interpretive Guidance for Management: http://www.sec.gov/rules/interp/2007/33-8810.pdf
    - Staff Views: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies: http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf
    - The External Auditing Firm’s Guidance
    - COSO: Internal Control over Financial Reporting — Guidance for Smaller Public Companies: http://www.coso.org/ICFR-GuidanceforSPCs.htm
    - COSO: Internal Control — Integrated Framework, Guidance on Monitoring Internal Control Systems: http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf
  • 36. Applying Auditing Standard No. 5 Approach: Jason suggests starting with this…
  • 37. Applying Auditing Standard No. 5 Approach: Read AS5, specifically paragraphs 21-41, which focus on “Using a Top-Down Approach”. http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
  • 38. Applying Auditing Standard No. 5 Approach: The first paragraph of the section walks through three broad processes for applying AS5:
    - Review financial statements, understanding risks to ICFR
    - Examine entity-level controls, significant accounts, disclosures and their relevant assertions
    - Understand risks in processes; select for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion
  • 39. Risk Assessment: Let’s walk through the approach at a high level…
  • 40. Risk Assessment: Which Financial Statement Accounts are significant?
  • 41. Risk Assessment: Which Financial Statement Accounts are significant? Determine the risk factors you will assess.
  • 42. Risk Assessment: Which Financial Statement Accounts are significant? Decide how each factor will weigh into the overall rating.
  • 43. Risk Assessment: Which Financial Statement Accounts are significant? Choose a rating scale for the assessment.
  • 44. Risk Assessment: Which Financial Statement Accounts are significant? Assess impact or likelihood, whatever the case may be, of each risk factor for each account.
  • 45. Risk Assessment: Which Financial Statement Accounts are significant? Determine the calculated risk and consider whether this matches your judgment of the risk. This exercise can be used to validate your judgment of what is significant. If you find great discrepancy, examine why that is.
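A worked version of the five-step scoring exercise on slides 41-45, added here as an illustration; it is not code from the RGP deck or from AS5. The factor names, weights, scale thresholds and the three sample account ratings are constructed values chosen to show how a calculated rating is compared against the assessor's own judgment.

```python
"""Weighted risk scoring for deciding which accounts are significant.

Added illustration of the five-step exercise on the slides (choose risk
factors, weight them, choose a rating scale, rate each factor per account,
compare the calculated risk with your own judgment). Not code from the RGP
deck: the factor names, weights, thresholds and the sample account ratings
are constructed values, not taken from AS5 or the slides.
"""
from dataclasses import dataclass

# Step 3: rating scale. Each factor is rated 1 (low) to 5 (high).
SCALE_MIN, SCALE_MAX = 1, 5

# Steps 1 and 2: risk factors and their weights (constructed; must sum to 1).
FACTORS = {
    "materiality": 0.35,      # size of the balance relative to overall materiality
    "complexity": 0.20,       # degree of estimation or judgment involved
    "fraud_incentive": 0.25,  # pressure to overstate assets or understate liabilities
    "volume": 0.20,           # transaction volume and reliance on system-generated data
}
assert abs(sum(FACTORS.values()) - 1.0) < 1e-9

# Calculated-score thresholds on the 1-5 scale (constructed): below 2.5 is Low,
# below 3.5 is Medium, anything else is High.
LEVEL_THRESHOLDS = (("Low", 2.5), ("Medium", 3.5))


@dataclass
class AccountAssessment:
    account: str
    ratings: dict    # factor name -> rating on the 1-5 scale (step 4)
    judgment: str    # the assessor's own view: "Low", "Medium" or "High"


def validate_ratings(ratings: dict) -> None:
    """Reject ratings that miss a factor, name an unknown one, or fall off the scale."""
    missing = set(FACTORS) - set(ratings)
    unknown = set(ratings) - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")
    for factor, rating in ratings.items():
        if not SCALE_MIN <= rating <= SCALE_MAX:
            raise ValueError(f"{factor}: rating {rating} outside {SCALE_MIN}-{SCALE_MAX}")


def weighted_score(ratings: dict) -> float:
    """Step 5, part one: weighted sum of the factor ratings, rounded to 2 places."""
    validate_ratings(ratings)
    return round(sum(FACTORS[f] * r for f, r in ratings.items()), 2)


def score_to_level(score: float) -> str:
    """Map a calculated score to a risk level using LEVEL_THRESHOLDS."""
    for level, upper in LEVEL_THRESHOLDS:
        if score < upper:
            return level
    return "High"


def assess(item: AccountAssessment) -> dict:
    """Step 5, part two: compare the calculated level with the assessor's judgment."""
    score = weighted_score(item.ratings)
    level = score_to_level(score)
    return {
        "account": item.account,
        "score": score,
        "calculated": level,
        "judgment": item.judgment,
        "discrepancy": level != item.judgment,   # the slide says: examine why
        "significant": level != "Low",
    }


def assess_all(items: list) -> list:
    """Assess every account, highest calculated score first."""
    return sorted((assess(i) for i in items), key=lambda r: r["score"], reverse=True)


def discrepancies(results: list) -> list:
    """Accounts where the model and the assessor disagree; these need a second look."""
    return [r for r in results if r["discrepancy"]]


# Constructed sample: three accounts rated by a hypothetical assessor. Accrued
# Expenses is deliberately judged "Low" although its factors score high, to show
# the discrepancy check firing.
SAMPLE = [
    AccountAssessment("Cash", {"materiality": 5, "complexity": 1, "fraud_incentive": 4, "volume": 5}, "High"),
    AccountAssessment("Accrued Expenses", {"materiality": 3, "complexity": 4, "fraud_incentive": 5, "volume": 3}, "Low"),
    AccountAssessment("Prepaid Expenses", {"materiality": 1, "complexity": 2, "fraud_incentive": 1, "volume": 2}, "Low"),
]

if __name__ == "__main__":
    for r in assess_all(SAMPLE):
        flag = "  <-- discrepancy: examine why" if r["discrepancy"] else ""
        print(f"{r['account']:<18} score={r['score']:.2f} calculated={r['calculated']:<6} judgment={r['judgment']:<6}{flag}")
```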
  • 46. Risk Assessment: Which Financial Statement Assertions are relevant?
  • 47. Risk Assessment: Identify relevant assertions for each significant account. These are the assertions recognized by the PCAOB (with definitions pulled from AS15):
    - Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.
    - Completeness – All transactions and accounts that should be presented in the financial statements are so included.
    - Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.
    - Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.
    - Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.
  • 48. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47).
  • 49. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). Step back from the academic exercise and consider the real-world motivations of companies…
  • 50. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). Management wants the company to look good. It is natural to want to overstate assets/cash and to understate liabilities/expenses. Think about how this relates to the assertions…
  • 51. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). If it is stated that the company has $5M in the bank, the auditor would logically want to ask, “Really?”
  • 52. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). If it is stated that the company has $5M in the bank, the auditor would logically want to ask, “Really?” In other words, does that cash or do those assets actually exist?
  • 53. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). If it is stated that the company has no Accrued Expenses, the auditor would logically want to ask, “Really?”
  • 54. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). If it is stated that the company has no Accrued Expenses, the auditor would logically want to ask, “Really?” What if, in January, the auditor observes a bill for legal fees that were incurred on December 28th? Is the recorded liability really complete?
  • 55. Risk Assessment: Identify relevant assertions for each significant account (same assertion list as slide 47). Thinking through and referring to real examples will make this exercise of determining which assertions are relevant much easier to understand.
  • 56. Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period. Completeness – All transactions and accounts that should be presented in the financial statements are so included. Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts. Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date. Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed. Risk Assessment Identify relevant assertions for each significant account 56 Thinking through and referring to real examples will make this exercise of determining which assertions are relevant much easier to understand. Jason recommends creating a cheat sheet that includes the definitions and an example for each assertion.
  • 57. Risk Assessment What is the level of risk for each assertion? 57 Next, determine…
  • 58. Risk Assessment What is the level of risk for each assertion? 58 This generally results in another High- Medium-Low rating for each assertion.
  • 59. Risk Assessment What is the level of risk for each assertion? 59 And it is another of the determinations made by risk and audit professionals that is largely based on judgment.
  • 60. Risk Assessment ID Significant Accounts ID Financial Statement Risk and Risk level Determine relevant assertions for those significant accounts Statement of Risk based on application of assertion to account 60 Work through this process for each financial statement line item.
  • 62. Risk Assessment Balance Sheet Example: Accounts Receivable Accounts Receivable 62 Often, the line item determined to be significant will then be tagged or mapped to a process.
  • 63. Risk Assessment Balance Sheet Example: Accounts Receivable Accounts Receivable What can go wrong? 63 Next, companies often go to the process and ask, “what can go wrong in the process?”
  • 64. Risk Assessment Balance Sheet Example: Accounts Receivable Accounts Receivable What can go wrong? 64 It is tempting to get dragged into an operational view of risks again.
  • 65. Risk Assessment Balance Sheet Example: Accounts Receivable Accounts Receivable What can go wrong? 65 Instead, consider…
  • 66. Risk Assessment Balance Sheet Example: Accounts Receivable Accounts Receivable What can go wrong? What are the relevant assertions? Existence or occurrence Completeness Valuation or allocation Rights and obligations Presentation and disclosure 66
  • 67. Risk Assessment Balance Sheet Example: Accounts Receivable Accounts Receivable Valuation Risk – All uncollectible customer balances may not be properly written off. Control – On at least a quarterly basis, the Controller reviews the Accounts Receivable Aging (including the ICS A/R reports) for uncollectible accounts to determine the necessity for and/or adequacy of an allowance for doubtful accounts. The calculation is reviewed and approved by the CFO. 67
  • 68. Risk Assessment Income Statement Example: Salary Expense Salary Expense What are the relevant assertions? Existence or occurrence Completeness Valuation or allocation Rights and obligations Presentation and disclosure 68
  • 69. Risk Assessment Income Statement Example: Salary Expense Salary Expense Occurrence Risk – Did the expense that you put on your books occur? That is, does it represent the exchange of employees’ services for cash or other consideration? Control – The Controller reviews the payroll supporting documentation (including timecards, the timecard tracking spreadsheet and the approved Time-Off Request Forms for vacation/sick/personal time off use) to ensure the completeness and accuracy of the hours entered into the payroll system. 69
  • 70. Questions 70 What has your experience been? Do you see the company focusing on those assertions that are relevant for each significant account or falling back on process or operational risks?
  • 72. Review Controls [diagram of entity level controls (ELC), financial statement assertions (FSA) and controls (C)] 72 Following identification of the relevant assertions and risks to financial statements… …determine which controls a company might establish to address those risks.
  • 73. Review Controls 73 The guidance says to start with identification and evaluation of the Financial Statement Close process or Entity Level Controls.
  • 74. Review Controls 74 Beginning with an inventory of all controls and determining which may address a financial statement assertion is NOT representative of a top-down approach.
  • 75. Review Controls 75 Starting at the top, evaluating Entity Level Controls, may greatly reduce the overall amount of work required for testing.
  • 76. Apply precision to Entity Level Controls Review Controls 76 This is another key point discussed in the guidance.
  • 77. “What is the client’s expectation?” Review Controls 77
  • 78. Review Controls 78 “What is the client’s expectation?” Start by determining the thresholds.
  • 79. Review Controls 79 The company judges what amount would matter to readers of financial statements. “What is the client’s expectation?” Start by determining the thresholds. For example, 5% or 3%.
  • 80. Review Controls 80 CC Image Courtesy of http://www.flickr.com/photos/danmoyle/ For example: at a high level, the client recognizes that a portion of the audience will not pay…
  • 81. CC Image Courtesy of http://www.flickr.com/photos/daniel-sound/ Review Controls 81 …and they’ll choose to maintain that percentage in reserves.
  • 82. Review Controls 82 If this is considered an Entity Level Control, how can precision be applied?
  • 83. Review Controls 83 Understand the process for coming up with this plan so that it can be quantified and tested.
  • 84. Review Controls 84 The process must reflect what is actually being done.
  • 85. Review Controls 85 If the control is +/- 5%: okay, precise enough.
  • 86. Review Controls 86 If the control is +/- 20%, you conclude that it must be more precise.
  • 87. Review Controls 87 We need to get to the process level to test the control and better estimate what the actual provision should be.
  • 88. Questions 88 Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk. True or False? a) True b) False
  • 89. Questions 89 This is why you start with Entity Level Controls. They can reduce the total number of controls and testing required.
  • 91. Automate the process 91 Employ a tool to help bring automation, time and cost savings to the entire process. From my experience, policyIQ is the most cost-effective tool out there for companies to use to manage their content and workflow, which comes in handy for SOX compliance. policyIQ was designed to be intuitive and flexible. The policyIQ support team is top-notch, and will help subscribers implement the system. -Jason Chiang
  • 92. Automate the process 92 S Significant Account / Disclosure P Process Narrative R Management Assertion (Risk) C Key Control T Test D Deficiency W General Workpaper R Report F Findings policyIQ is customizable—you can use it to track the full scope of documentation, manage workflow, and take advantage of the reporting features to more easily see and share your rationalization process…
  • 93. Automate the process 93 It is a great technology pairing with your fresh look at the risk assessment and the proper application of the top-down, risk-based approach.
  • 94. Summary Let’s recap what we have said… 94
  • 95. Summary 1. Improper application of the top-down approach to the audit of internal control as required by AS No. 5; 2. Decreases in audit firm staffing through attrition or other reductions, and related workload pressures; 3. Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology; and 4. Ineffective communication with firm's information system specialists on the engagement team. 95 The PCAOB identified these as the root causes of the deficiencies that they observed:
  • 96. Summary Of the six deficiencies found to be pervasive in auditing internal control, five related to the auditing firms’ failure to sufficiently test or perform procedures 96 And it seems clear that more testing and more detailed evidence will almost certainly be the impact to companies.
  • 97. Summary 97 RGP can help companies to respond to the likely changes imposed by the audit firms.
  • 98. 1. Set the tone from the beginning • Evidence things better • Establish a more formal and complete policy and procedure manual • Track the completion of procedural tasks • Act as liaison between client and audit firms 2. Proper application of the top-down, risk-based approach called for by AS5 Summary 98
  • 99. Summary 99 With proper application of the AS5 approach, and by acting as a liaison between the company and audit firm, we can offset some of the additional work that will likely be pushed down by the PCAOB through the firms.
  • 100. Summary 100 The best way to ensure that you are correctly applying the top-down, risk-based approach is to follow the guidance:
  • 101. Required Recommended Reading • Auditing Standard No. 5 http://pcaobus.org/standards/auditing/pages/auditing_standard_5.aspx • SEC’s Interpretive Guidance for Management http://www.sec.gov/rules/interp/2007/33-8810.pdf • STAFF VIEWS: AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES http://pcaobus.org/Standards/Auditing/Documents/AS5/Guidance.pdf • The External Auditing Firm’s Guidance • COSO: Internal Control over Financial Reporting — Guidance for Smaller Public Companies http://www.coso.org/ICFR-GuidanceforSPCs.htm • COSO: Internal Control — Integrated Framework Guidance on Monitoring Internal Control Systems http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf 101
  • 102. For more information Jason Chiang: jchiang@rgp.com Les Sussman: lsussman@rgp.com policyIQ: Support@policyIQ.com 102