Ask FERF (Financial Executives Research Foundation) about ... internal control audits.

On the same day the Public Company Accounting Oversight Board (PCAOB) issued its Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Financial Executives Research Foundation (FERF) summarized the Board's discussion in approving the standard and how it responded to comments on the proposed standard. (The complete analysis is at www.fei.org/news/pcaob_3_9_04.cfm). As a follow-up, the article by FERF beginning on page 48 provides a sampling of FEI member reactions to the rule and advice on what companies should do next.

Reliance on Internal Audit

While PCAOB understands the standard will be costly, it believes benefits will justify the costs. Thus, it has responded by being less prescriptive and allowing greater reliance by auditors on others, particularly internal audit. Specifically, the standard will allow more use of judgment by auditors and permits the use of a Statement of Auditing Standards (SAS) No. 65 approach, with modifications. Along these lines, walkthroughs must still be done directly by auditors, but now apply to major classes of transactions rather than all transactions.
Also, external auditors can rely on information technology controls and period-end financial statement closing processes. Reliance on internal audit, however, depends on auditors' judgment of both the competency and objectivity of others. Furthermore, a strong score on one criterion cannot offset weakness in the other. Also, judgment of competency and objectivity is specific to the area being assessed and does not mean the same reliance can be placed in other areas.

Management is still ultimately responsible for the internal control assessment to which external auditors will opine. And though final attestation still lies in the hands of external auditors, companies may want to take this opportunity to streamline documentation and testing efforts with their internal audit departments. This may reduce the time and resources a company spends on 404, especially considering that internal audit is focused on enterprise-wide risk management and operational controls, not just financial controls. Thus, 404 work can be categorized as:

* Not independent and/or performed by management.
* Independent and/or performed by internal audit.

This could be helpful in identifying work on which external audit can rely. Internal audit may also be given priority in choosing specific areas to test, particularly for high-risk areas that would have been either:

* Tested by external auditors during the financial statement and/or internal control audit.
* Mandated by the audit committee for examination due to high-level risk assessment.

Management can then perform the remainder of the tests in conjunction with financial statement close processes, and the company can reduce overall duplicative efforts.

In response to an FEI member looking for checklists that would be helpful in coordinating his company's efforts, FERF found the following resources helpful:

KnowledgeLeader's Web site, www.knowledgeleader.com, provides a sample request for proposal (RFP) for third-party internal audit and Sarbanes-Oxley compliance services. The RFP details project phases such as:

* Formal business risk assessments and audit plans
* Documentation of process flows/control objectives for business segments
* Recommendations for certification processes
* Development of corporate policies and procedures
* Development of audit programs to evaluate effectiveness of controls
* Remediation
* Compliance testing

With respect specifically to fraud detection, efforts could include financial statement analytics, forensic analysis of unusual transactions, computer hacker or system stress testing through creation of mock transactions, thorough review of balance sheet account reconciliation and enhanced whistleblower/compliance procedures.

The AICPA provides an appendix to SAS No. 99, Fraud Risk Factors, on its Web site, www.aicpa.org/antifraud/business_industry_govt/assessing_organization_vulnerability/identify_assess_risk/38.htm; this can serve as a fraud checklist. It contains examples of risk factors discussed in paragraphs 31 through 33 of the statement. Examples related to fraudulent financial reporting and misappropriation of assets are provided.

FERF is developing publications that summarize short-term internal control issues and examine how companies expect to sustain efforts after the initial attestation. All FERF publications are available at the FERF bookstore: www.fei.org/rfbookstore/.

Cheryl de Mesa Graziano, CPA (cgraziano@fei.org), is Director of Research at FERF.

Contributed by FERF