Opportunity detected: new SEC interpretive guidance and AS5 give companies and auditors a chance to make internal controls more efficient.

EXECUTIVE SUMMARY

* The crux of the SEC's interpretive guidance for management is a top-down, risk-based approach that puts risk first and foremost. Four key areas of opportunity can be used to reduce an organization's overall SOX 404 compliance effort: risk assessment, entity-level controls, control selection and testing approach.

* AS5 complements the SEC interpretive guidance to management and includes the following key points:
** Risk assessment underlies the entire audit process.
** Evaluation of entity-level controls can result in increasing or decreasing the testing that otherwise would be performed on controls at the process, transaction or application levels.
** Auditors are specifically permitted to consider the nature, timing and extent of procedures performed in the prior year and the results of those procedures in determining the risk associated with a particular control.
** The standard makes it easier to use the work of others and allows auditors to use direct assistance from other parties in performing walkthroughs.
** The external auditor will no longer be required to opine on management's assessment.
** The definition of a material weakness was changed to conform to FASB Statement no. 5, and the definition of a significant deficiency was changed to focus the auditor on the communication requirements rather than scoping issues.

* The authors recommend a "stop-rethink-reuse" strategy for implementing the new guidance:
** Stop. To avoid changing simply for the sake of change, risk should be at the center of any adjustments that are made to existing compliance frameworks.
** Rethink. With risk at the forefront, management should consider increasing the rigor of its existing risk assessment to focus on financial reporting elements that represent a higher risk of material misstatement to the financial statements.
** Reuse. Once a thorough risk assessment has been performed, management should consider revisiting the existing controls portfolio, starting with the entity-level controls. Carefully designed entity-level controls can reduce the number of supporting process-level controls that need testing.
Tired of the high cost of compliance with SOX 404? Here is some good news. The SEC's new interpretive guidance and the PCAOB's new Auditing Standard no. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, are intended to reduce the time commitment and cost of compliance with section 404 of the Sarbanes-Oxley Act of 2002.

Controversy over the implementation of SOX 404 has led the SEC and the PCAOB to two basic, but important, conclusions:
* SOX 404 has produced significant benefits, including a stronger focus on corporate governance and higher quality financial reporting.
* These benefits, however, have come at a significant cost.

Based upon requested feedback, in May the SEC finalized guidance specifically for management, and the PCAOB released a new standard for auditors--AS5. The standard, which the SEC approved on July 25, replaces the existing Auditing Standard no. 2 (AS2) for auditing the effectiveness of management's internal control over financial reporting (ICFR) beginning with fiscal years ending on or after Nov. 15, 2007.

The new guidance from the SEC and the PCAOB provides an opportunity for management and auditors to re-evaluate and refine their approach to SOX 404 compliance. This article provides tips for managers to streamline compliance processes. It also provides advice to auditors who want to help their clients understand how the SEC's guidance interacts with AS5.
For those companies that have already achieved compliance in prior years, there is no requirement to align their compliance process with the new SEC guidance. Many companies may also find their initial SOX 404 risk assessments will only need updating rather than overhauling.

SEC GUIDANCE

The crux of the SEC's interpretive guidance for management is a top-down, risk-based approach that puts risk first and foremost. While this approach is not new--AS2, released in May 2005, articulated such an approach--there has been considerable uncertainty about what constitutes a reasonable approach to management's assessment, and the extent of applying the top-down, risk-based approach has varied widely. As a result, the magnitude of change to be brought about by the new, clearer guidance will vary dramatically by company.

In the past, many companies selected and tested their controls based upon achieving coverage over specified locations and financial statement line items and accounts. For example, companies would test controls over a specified percentage of accounts receivable or a specified percentage of assets and revenues at a given location. The SEC's interpretive guidance is intended to focus company management on the internal controls that best protect against the risk of a material financial misstatement and to reduce unnecessary management procedures.

Four key areas of opportunity can be used to reduce an organization's overall SOX 404 compliance effort:
* Risk assessment. Focusing on the risks that could result in a material misstatement, rather than on coverage, drives the remainder of management's efforts and is the key to an efficient, risk-based approach to SOX 404 compliance.
* Entity-level controls. Companies can take credit for entity-level controls that directly or indirectly reduce the risk of financial misstatement.
* Control selection. Management should focus on identifying and documenting those controls, including entity-level controls, that adequately address the risks of a material misstatement to the financial statements.
* Testing approach. Management should consider re-evaluating the nature, timing and extent of its testing approach based upon the risk assessment and the strength of identified entity-level controls.

Although each of these key opportunities is interrelated, the core of an effective SOX 404 compliance program is risk assessment. While the SEC is not prescriptive about the risk assessment process and allows management to leverage a chosen framework (COSO, for example), a robust risk assessment will help identify the significant financial reporting risks and gaps in the control structure that would amplify these risks. Many of the factors that might readily be considered during a risk assessment, such as complexity of accounting, transaction volume, susceptibility to fraud and errors, and level of judgment and estimation, are well known.

A refinement to this process is to assess risks at the assertion level rather than the account level. For example, thinking about the risks surrounding the completeness of cash or the valuation of goodwill creates more rigor in the assessment process than thinking about the risks surrounding the balances in the cash and goodwill accounts. Once specific assertion-level risks are identified, management can then identify the entity-level controls that best control these risks.

The challenge in identifying entity-level controls is to determine the extent to which these controls reduce financial reporting risk at the assertion level. For example, many companies have robust entity-level controls, such as rigorous analyses of sales and related allowances, that they can, and should, take credit for. However, other companies with more general entity-level controls, such as management review of the cash account balance, have found that they will need to develop more precise controls. Once the entity-level controls are identified and assessed, management can then determine the remaining risk to the financial statements and select the controls (and the related testing approach) that are necessary for management to make its assessment.

It is important to note that the SEC's guidance is just that--guidance. The guidance is intended to help public companies--particularly smaller companies--strengthen their internal control over financial reporting while reducing unnecessary costs. Companies of all sizes will be free to apply their own professional judgments to scale and tailor evaluation procedures to their own facts and circumstances.

PCAOB STANDARD

AS5 complements the SEC interpretive guidance to management and includes the following key points:
* Risk assessment underlies the entire audit process. A risk assessment is initiated at the audit planning stage and is continued at each decision point throughout the top-down approach. Scoping decisions in multilocation environments are focused on risk rather than on coverage.
* Evaluation of entity-level controls can result in increasing or decreasing the testing that otherwise would be performed on controls at the process, transaction or application levels. AS5 identifies three categories of entity-level controls (control environment controls, controls that monitor the effectiveness of other controls, and direct controls) and explains how each category might affect the performance of tests of other controls.
* Auditors are specifically permitted to consider the nature, timing and extent of procedures performed in the prior year and the results of those procedures in determining the risk associated with a particular control. This would enable auditors to reduce testing in areas using knowledge gained from prior-year audits. However, the standard does not permit "rotation testing" (the practice of testing certain controls every three years).
* The standard makes it easier to use the work of others and allows auditors to use direct assistance from other parties in performing walkthroughs.
* The external auditor will no longer be required to opine on management's assessment. While auditors will still be required to understand management's assessment, they will not need to perform a formal evaluation.
* The definition of a material weakness was changed to conform to FASB Statement no. 5, Accounting for Contingencies, and the definition of a significant deficiency was changed to focus the auditor on communication requirements rather than scoping issues.
Overall, these changes are designed to focus the auditors' efforts on the areas of greatest risk to financial reporting, to eliminate unnecessary procedures, and to simplify the requirements.

OPPORTUNITY FOR CHANGE

To shorten the learning curve and avoid repeating mistakes made during the early stages of SOX 404 compliance, consider the following "stop-rethink-reuse" strategy for implementing the new guidance.

Stop. Before overhauling existing SOX 404 compliance practices and methodologies, consider why the additional guidance was released. The primary goal of the guidance is to refocus management and auditors on risk for purposes of increasing effectiveness and efficiency in SOX 404 compliance. To avoid changing simply for the sake of change, risk should be at the center of any adjustments that are made to existing compliance frameworks.

Rethink. With risk at the forefront, management should consider increasing the rigor of its existing risk assessment to focus on financial reporting elements that represent a higher risk of material misstatement to the financial statements. These risk criteria will differ between companies and industries. Engaging internal or external industry and process specialists may provide enhanced clarity to the risk assessment process. Once this risk assessment has been performed, management will be able to consider the differences from initial SOX 404 compliance risk assessments to determine what, if any, changes are warranted.

For example, an IT consulting company invested 260 hours performing a risk assessment that resulted in a clearer picture of key risks to its financial statements. This information was used to create a compliance plan that incorporated relevant entity-level and process-level controls. Based on its revised risk assessment approach, the company expects to reduce its future SOX 404 compliance effort by 1,100 hours, or 35%.

Reuse. Once a thorough risk assessment has been performed, management should consider revisiting the existing controls portfolio, starting with the entity-level controls. Carefully designed entity-level controls can reduce the number of supporting process-level controls that need testing. For example, revenue or cost analyses that use key performance indicators can be used to significantly reduce the level of testing of related process-level controls.

After revisiting and perhaps updating the entity-level controls, the process and location controls are next. Management should focus on documenting and testing only those controls that most directly affect the remaining financial statement risks. For example, a large financial services company engaged internal and external specialists to streamline and automate complex revenue recognition processes and controls across multiple platforms. Since the risk of material financial misstatement was higher based on the manual nature of several key controls and the multiple platforms involved in the legacy revenue recognition processes, the company streamlined the associated business processes using both a functional and control mind-set. The resulting process created greater visibility into the revenue recognition processes and enhanced the company's ability to communicate internally and with customers. The new process also eliminated a legacy system requiring extensive manual intervention, reduced the associated control portfolio by 76 control instances, and redeployed 2.5 full-time equivalents (FTEs) to contribute value in other key business processes.

Management should consider evaluating its controls portfolio to identify the structure of controls (manual vs. automated; preventive vs. detective) and the cost (both direct and indirect) associated with each control. This type of evaluation can highlight:
* controls that are candidates for immediate improvement or elimination (those that mitigate lower risks of material financial misstatement at a higher cost),
* controls that are candidates for needed improvement (those that mitigate higher risks of material financial misstatement at a higher cost), and
* controls that can be left as is (those that mitigate higher risks of material financial misstatement at a lower cost).
In addition to evaluating the nature of the overall control portfolio, management should consider standardizing the overall control portfolio. As controls are standardized across processes and locations (even though the implementation of the controls may differ for each process or location), the ability to understand, modify and improve the overall controls portfolio increases. For example, a large financial services company standardized the controls portfolio for several applications and processes and reduced the overall number of controls from 561 unique controls in 2006, which included several duplicated and unnecessary controls, to 140 unique controls in 2007, which could be applied across each of the in-scope applications and locations.

CONCLUSION

With the updated SEC and PCAOB guidance, now is the time for management and auditors to "stop, rethink and reuse" their SOX 404 compliance frameworks and continue to work together to determine if they can realize greater efficiencies and value from their compliance processes.

Communication Continues to Be Key

With new, and separate, guidance for management, communication between the external auditor and management continues to be the key to an effective, coordinated process. The following recommendations can help management and the external auditors stay in sync:

Review early and often. Management should involve the external auditors at each phase of the process. For example, once management has identified potential key risks, ask the auditors for their input. If they differ, explore the reasons they differ.

Realize that different guidance creates opportunities and risk. Because management has its own guidance, there is a greater probability that management's approach and the external auditors' approach could begin to drift further apart. By working together, management and the external auditors can review each other's approaches and requirements to determine how best to coordinate efforts. For example, they can review:
* Planned use of entity-level controls and planned and actual precision of these controls.
* Nature, timing and extent of procedures to be performed by management and their intersection with those planned by the external auditors.
* The external auditors' planned use of the work of others--including internal audit--and how changes in management's planned approach could result in greater efficiencies for the external auditors.

OTHER RESOURCES

Web sites
* SEC Interpretive Guidance, www.sec.gov/rules/final/2007/33-8809.pdf
* PCAOB Auditing Standard no. 5, www.pcaobus.com/Standards

Samuel L. Fogleman, CPA, is a partner and Bryce H. Peterson, CISA, is a senior associate in KPMG's Risk Advisory Services practice in Phoenix; Fogleman also serves on the Arizona State Board of Accountancy. Their e-mail addresses are sfoglema@kpmg.com and bpeterson@kpmg.com, respectively. William G. Heninger, CPA, Ph.D., and Marshall B. Romney, CPA, Ph.D., CFE, are on the faculty of Brigham Young University in Provo, Utah. Their e-mail addresses are heninger@byu.edu and mbr@byu.edu, respectively.