| SARBANES-OXLEY WILL MEAN BIG CHANGES FOR
BOTH auditors and the companies they audit. The
former now will be required to certify a company’s internal
controls and will no longer be able to use certain common audit
strategies. Management faces the cost of implementing the new
ACCORDING TO THE EXPOSURE DRAFT OF A NEW SAS , the understanding of internal controls required for CPAs to express an opinion on financial statements is not adequate for them to offer an opinion on the controls themselves. This means auditors will have to make changes to the audit process.
THE AUDITOR MUST ATTEST TO MANAGEMENT’S assessment of the effectiveness of an entity’s internal controls using standards the Public Company Accounting Oversight Board issues or adopts. The auditor will require management to identify, document and evaluate significant internal controls—management cannot delegate this function to the auditor.
AUDITORS SHOULD ADVISE COMPANIES TO BEGIN the process of assessing the effectiveness of controls as early as possible. The task will be time-consuming, requiring management to determine which locations or business units to include in its evaluation.
AUDITORS SHOULD NOT BE TOO CLOSELY INVOLVED with a company’s assessment of its controls or they risk impairing their objectivity. The auditor cannot accept management’s responsibility to reach conclusions on the effectiveness of the entity’s controls nor can management base its assertion about the controls design and operating effectiveness on the results of the auditor’s tests.
|DONALD K. McCONNELL JR., CPA, CFE, PhD, is associate professor of accounting at the University of Texas at Arlington. His e-mail address is firstname.lastname@example.org . GEORGE Y. BANKS, CPA, is a partner of Grant Thornton in Dallas. His e-mail address is email@example.com .|
ongress enacted the Sarbanes-Oxley Act of 2002 in response to a spate of highly publicized business failures, allegations of corporate improprieties and financial statement restatements. Section 404 of the act requires management to acknowledge its responsibility for establishing and maintaining adequate internal controls, including asserting their effectiveness in writing. The financial statement auditor, in turn, must report on management’s assertion about the effectiveness of its internal controls as of the company’s yearend. These provisions apply to entities with market capitalization of more than $75 million for fiscal years ending on or after June 15, 2004. (Smaller companies must comply as of the first fiscal year ending on or after June 15, 2005.)
For businesses, following these seemingly innocuous provisions will be costly and time-consuming. For CPAs who audit public companies, the new rules will have a significant impact on how they do their job in the future. To provide guidance the AICPA Auditing Standards Board issued two exposure drafts: Auditing an Entity’s Internal Control Over Financial Reporting in Conjunction with the Financial Statement Audit (the SAS ED) and Reporting on an Entity’s Internal Control Over Financial Reporting (the SSAE ED). This article explains the impact these internal control certification requirements will have on the audit process, as well as the responsibilities management and external auditors have in meeting the act’s requirements.
|More specifically, the article
The extent to which auditors can be involved without compromising their independence.
How external auditors can make use of a company’s internal auditors.
Key proposals on auditor responsibilities to test controls and evaluate internal control deficiencies.
When management should consider outsourcing its internal control documentation activities.
CPAs should be aware the future roles of the Public Company Accounting Oversight Board (PCAOB) and the SEC in setting audit standards may change some of the rules described here.
HOW AUDITS WILL CHANGE
The two EDs describe a public company audit as an integrated activity consisting of an audit of the financial statements and of internal controls. This means the auditor must perform procedures to obtain sufficient evidence to express an opinion on both. In auditing internal controls, the auditor offers an opinion as to whether the entity maintained, in all material respects, effective internal control over financial reporting as of a point in time based on “control criteria.”
Control criteria. The generally accepted definition of this term, as outlined in Internal Control-Integrated Framework , issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), consists of five related components that must be present for an entity to achieve effective internal controls:
The control environment.
Information and communication.
The framework also includes three categories of controls—effectiveness and efficiency of operations, compliance with laws and regulations and reliability of financial reporting. Under section 404, the auditor’s primary focus is on reliability.
I n auditing public companies, CPAs have characteristically performed a mix of tests of controls and substantive procedures to reduce the risk of material misstatement of financial statements to an appropriately low level. However the SAS ED says the level of understanding of internal controls CPAs must have to express an opinion on financial statements is not adequate to offer an opinion on the controls themselves. The nature, timing and extent of the tests of controls the CPA performs would ordinarily not be enough to express an opinion on internal controls because
The range of tested controls is not sufficiently broad.
Tests of controls may not provide appropriate levels of assurance about operating effectiveness.
CPAs will find these points have a significant impact on the integrated audit process.
New audit approach. To enhance audit efficiency and effectiveness, auditors have in the past used a variety of methods that will no longer be acceptable for integrated audits of public companies. In some financial statement audits, auditors chose to perform only substantive procedures rather than testing controls, or a mixture of the two. In nonauthoritative guidance the AICPA specifically sanctioned cycle rotation as a way to test controls. This involved testing controls in several of an entity’s transaction cycles while doing a transaction “walk-through” to confirm the absence of control changes in the remaining cycles. Since auditors now must report comprehensively on the effectiveness of management’s internal control over financial reporting on an annual basis, cycle rotation is no longer acceptable in public company audits.
Another popular approach, minimizing testing of preventative controls, also generally will not be advisable in these audits. Preventative controls are transaction-level controls, frequently automated and principally focused on ensuring transactions are properly authorized and recorded (such as check disbursement controls). “Detective” controls, on the other hand, reveal problems after the fact. They usually focus on populations of transactions (such as bank reconciliations) and are characteristically more cost-effective to test. Primarily testing detective controls is acceptable in financial statement audits only where low or moderate assurance about the effectiveness of internal controls is adequate. However, when expressing an opinion on internal controls, the auditor must do sufficient tests of controls to obtain high levels of assurance about their effectiveness. The EDs suggest this ordinarily will require the CPA to adequately test preventative as well as detective controls.
In performing integrated audits, auditors will need to obtain significantly greater evidence about the operating effectiveness of controls for the reasons described earlier. CPAs can use this evidence to reduce the nature, timing and extent of substantive procedures they perform in reporting on audited financial statements. However, due to the inherent limitations of internal controls and the ever-present risk of management override, auditors will still have to perform substantive procedures, including tests of details and analytical procedures for each material account balance or class of transactions. This is true even though the auditor may not have identified any significant deficiencies or material weaknesses in internal controls.
THE AUDITOR AND MANAGEMENT
The auditor must attest to management’s assessment of the effectiveness of its controls using standards for attestation engagements the PCAOB issues or adopts. Statement on Standards for Attestation Engagements no. 10, Reporting on an Entity’s Internal Control Over Financial Reporting, imposed requirements, substantively unchanged in the SSAE ED, on an auditor to examine the effectiveness of an entity’s internal controls. To fulfill its responsibilities, management must
Accept responsibility for the effectiveness of its internal controls.
Evaluate their effectiveness using suitable control criteria.
Support this evaluation with sufficient evidence.
Present a written assertion about their effectiveness in either a separate report accompanying the auditor’s report or a representation letter to the auditor.
The auditor will require management to identify, document and evaluate significant internal controls. Management cannot delegate these functions to the auditors, nor can it rely on the auditor’s testing to support its assertion. The SSAE ED says such controls include
Controls over initiating, recording, processing and reporting significant account balances, classes of transactions and disclosures and related assertions embodied in financial statements.
Antifraud programs and controls.
Controls, including general ones, on which other significant controls depend.
Each control in a group that functions with another one to achieve a control objective.
Controls over significant nonroutine and nonsystematic transactions.
Controls over the period-end financial reporting process.
Auditors are urging their clients to begin the controls-effectiveness assessment as early as possible. The task will be arduous and time-consuming, requiring management to determine which locations or business units it should include in its evaluation. (The SSAE ED has a chart to help make this decision.) Management also will have to evaluate the design and operating effectiveness of controls, determine whether identified deficiencies are significant (previously called reportable conditions) or are material weaknesses and document the results, including the procedures it performed. Management cannot use inquiry alone to adequately evaluate the operating effectiveness of controls. It also must correct any identified deficiencies early enough to allow sufficient time before yearend for the auditor to adequately assess design and operating effectiveness. How much time depends on the nature of the control and the frequency of operation. Management’s failure to allow sufficient lead time could result in a qualified opinion.
The Foreign Corrupt Practices Act of 1977 requires all public companies to devise and maintain a system of internal controls to provide reasonable assurance assets are safeguarded and transactions properly authorized and recorded. Consequently, many public companies already have various forms of controls documentation such as policy manuals, accounting manuals, memorandums, flowcharts, decision tables and questionnaires. However, few have comprehensively and consistently documented and evaluated controls to the extent necessary to provide an assertion about their effectiveness. Also, entities often put more emphasis on preventative than detective controls, as it is usually more efficient to prevent misstatements than to detect and correct them. However, the EDs admonish CPAs that a well-run system should have an appropriate mix of both preventative and detective controls.
T o ensure a comprehensive and consistent entitywide process, many auditors are recommending clients establish project teams reporting directly to the CEO or CFO in light of the task’s importance. Team leaders should be respected employees and have experience dealing with large-scale projects. Consequently, the CFO, controller or internal audit director should head the team, which should consist minimally of adequately trained personnel from accounting, internal audit, information systems, finance, operations, legal and human resources.
If asked to be involved in a client’s project, an auditor must be careful not to impair his or her independence and objectivity. The SSAE ED says auditors may help prepare or gather information as long as management directs and takes responsibility for documenting controls in the process, including determining which controls to document. Auditors can help clients understand the process and advise them on how to identify significant accounts, processes and reporting units, as well as how to evaluate controls’ effectiveness. Indeed some auditors give clients electronic templates to ensure entitywide consistency in assessing controls. However, the auditor cannot be the person to determine which accounts or processes are significant, nor accept management’s responsibility to reach conclusions on the effectiveness of the entity’s internal controls; the auditor’s role is to report on management’s conclusions. Similarly, management cannot base its assertion about design and operating effectiveness on the results of the auditor’s tests.
|Smaller public companies may
face unique problems in complying with section 404. Frequently
these entities have less extensive documentation of their
control processes. Further, they may not have the same levels
of accounting or internal audit capabilities as larger
companies, which could require relatively greater external
auditor involvement in preparing controls documentation,
within the independence constraints described above, and a
proportionately greater increase in audit engagement hours.
Obtain an understanding and evaluate the design effectiveness of controls (determine whether the control is suitably designed to prevent or detect material misstatements on a timely basis).
Test and evaluate the operating effectiveness of controls (to see how the control was applied, the consistency of application and who applied it).
Form an opinion on the effectiveness of entity internal controls, based on the control criteria.
The auditor may consider the results of management’s tests of the operating effectiveness of controls, but never should rely on them as principal evidence. The same is true for testing by third parties or internal auditors. Contrary to guidance in SAS no. 65, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements, the SSAE ED proposes that when using internal auditor test results the external auditor must both reperform tests of controls and do independent tests for each significant account, class of transactions and disclosure. When using internal auditors for direct assistance, the external auditor should recognize that the former’s objectivity might be impaired where they routinely perform monitoring functions for management. The exhibit shows other key ED proposals on auditor tests of controls.
W hen giving an opinion on the effectiveness of the design and operation of an entity’s internal controls, the auditor should consider all evidence, including test results and any identified deficiencies. A material weakness precludes an unqualified opinion that controls are effective. Inadequate client documentation of controls design may result in a significant deficiency or material weakness and may be a scope limitation. A material weakness may exist when management has not obtained sufficient evidence to support its evaluation of operating effectiveness.
Ironically, it’s possible for an auditor to issue an unqualified opinion on a public company’s financial statements, while qualifying its opinion of the effectiveness of internal controls. This can happen when a CPA identifies a material weakness that did not cause a material misstatement of the financial statements. However, significant deficiencies in controls might be deemed material weaknesses, even though the auditor found no related misstatements.
The Sarbanes-Oxley internal control certification provisions impose significant responsibilities on both management and the auditor. The former will have to take ownership of the process of identifying, documenting and evaluating significant controls, as well as determining which locations or business units to evaluate. For auditors, providing an opinion on the effectiveness of an entity’s internal controls is a significant engagement. Few are familiar with the process, aside from those whose insured-depository-institution clients were mandated to do so by the Federal Deposit Insurance Corporation Improvement Act of 1991.
Management and auditors should recognize the process will be valuable for several reasons. Management’s assessment of internal controls should enhance the entity’s risk identification processes by lending entitywide consistency. The assessment also should enhance controls consciousness throughout the company and may reveal unnecessary or duplicate controls, as well as areas for improvement. Better control processes could result in operating efficiencies and reduced litigation and fraud.