Journal of Accountancy
Auditing / Business & Industry

Opportunity Detected

By Samuel L. Fogleman, Bryce H. Peterson, William G. Heninger and Marshall B. Romney
December 2007


EXECUTIVE SUMMARY

The crux of the SEC’s interpretive guidance for management is a top-down, risk-based approach that puts risk first and foremost. Four key areas of opportunity can be used to reduce an organization’s overall SOX 404 compliance effort—risk assessment, entity-level controls, control selection and testing approach.

AS5 complements the SEC interpretive guidance to management and includes the following key points:

Risk assessment underlies the entire audit process.

Evaluation of entity-level controls can result in increasing or decreasing the testing that otherwise would be performed on controls at the process, transaction or application levels.

Auditors are specifically permitted to consider the nature, timing and extent of procedures performed in the prior year and the results of those procedures in determining the risk associated with a particular control.

The standard makes it easier to use the work of others and allows auditors to use direct assistance from other parties in performing walk-throughs.

The external auditor will no longer be required to opine on management’s assessment.

The definition of a material weakness was changed to conform to FASB Statement no. 5 and the definition of a significant deficiency was changed to focus the auditor on the communication requirements rather than scoping issues.

The authors recommend a “stop-rethink-reuse” strategy for implementing the new guidance: Stop. To avoid changing simply for the sake of change, risk should be at the center of any adjustments that are made to existing compliance frameworks. Rethink. With risk at the forefront, management should consider increasing the rigor of its existing risk assessment to focus on financial reporting elements that represent a higher risk of material misstatement to the financial statements. Reuse. Once a thorough risk assessment has been performed, management should consider revisiting the existing controls portfolio, starting with the entity-level controls. Carefully designed entity-level controls can reduce the number of supporting process-level controls that need testing.

Samuel L. Fogleman, CPA, is a partner and Bryce H. Peterson, CISA, is a senior associate in KPMG’s Risk Advisory Services practice in Phoenix; Fogleman also serves on the Arizona State Board of Accountancy. Their e-mail addresses are sfoglema@kpmg.com and bpeterson@kpmg.com, respectively. William G. Heninger, CPA, Ph.D., and Marshall B. Romney, CPA, Ph.D., CFE, are on the faculty of Brigham Young University in Provo, Utah. Their e-mail addresses are heninger@byu.edu and mbr@byu.edu, respectively.

Tired of the high cost of compliance with SOX 404? Here is some good news. The SEC’s new interpretive guidance and the PCAOB’s new Auditing Standard no. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, are intended to reduce the time commitment and cost of compliance with section 404 of the Sarbanes-Oxley Act of 2002.

Controversy over the implementation of SOX 404 has led the SEC and the PCAOB to two basic, but important, conclusions:

SOX 404 has produced significant benefits, including a stronger focus on corporate governance and higher quality financial reporting.

These benefits, however, have come at a significant cost.

Based on the feedback it solicited, in May the SEC finalized guidance specifically for management, and the PCAOB released a new standard for auditors—AS5. The standard, which the SEC approved on July 25, replaces the existing Auditing Standard no. 2 (AS2) for auditing the effectiveness of management’s internal control over financial reporting (ICFR) beginning with fiscal years ending on or after Nov. 15, 2007.

The new guidance from the SEC and the PCAOB provides an opportunity for management and auditors to re-evaluate and refine their approach to SOX 404 compliance. This article provides tips for managers to streamline compliance processes. It also provides advice to auditors who want to help their clients understand how the SEC’s guidance interacts with AS5.

For those companies that have already achieved compliance in prior years, there is no requirement to align their compliance process with the new SEC guidance. Many companies may also find their initial SOX 404 risk assessments will only need updating rather than overhauling.

SEC GUIDANCE
The crux of the SEC’s interpretive guidance for management is a top-down, risk-based approach that puts risk first and foremost. While this approach is not new—AS2, released in May 2005, articulated such an approach—there has been considerable uncertainty about what constitutes a reasonable approach to management’s assessment; and the extent of applying the top-down, risk-based approach has varied widely. As a result, the magnitude of change to be brought about by the new, clearer guidance will vary dramatically by company.

In the past, many companies selected and tested their controls based upon achieving coverage over specified locations and financial statement line items and accounts. For example, companies would test controls over a specified percentage of accounts receivable or a specified percentage of assets and revenues at a given location. The SEC’s interpretive guidance is intended to focus company management on the internal controls that best protect against the risk of a material financial misstatement and to reduce unnecessary management procedures.

Four key areas of opportunity can be used to reduce an organization’s overall SOX 404 compliance effort:

Risk assessment. Focusing on the risks, including those associated with fraudulent activity, that could result in a material misstatement, rather than on coverage, drives the remainder of management’s efforts and is the key to an efficient, risk-based approach to SOX 404 compliance.

Entity-level controls. Companies can take credit for entity-level controls that directly or indirectly reduce the risk of financial misstatement.

Control selection. Management should focus on identifying and documenting those controls, including entity-level controls, that adequately address the risks of a material misstatement to the financial statements.

Testing approach. Management should consider re-evaluating the nature, timing and extent of its testing approach based upon the risk assessment and the strength of identified entity-level controls.

Although each of these key opportunities is interrelated, the core of an effective SOX 404 compliance program is risk assessment.

While the SEC is not prescriptive about the risk assessment process and allows management to leverage a chosen framework (COSO, for example), a robust risk assessment will help identify the significant financial reporting risks and the gaps in the control structure that would amplify those risks. Many of the factors that might readily be considered during a risk assessment, such as complexity of accounting, transaction volume, susceptibility to fraud and errors, and level of judgment and estimation, are well known. A refinement to this process is to assess risks at the assertion level rather than the account level. For example, thinking about the risks surrounding the completeness of cash or the valuation of goodwill creates more rigor in the assessment process than thinking about the risks surrounding the balances in the cash and goodwill accounts.

Once specific assertion-level risks are identified, management can then identify the entity-level controls that best control these risks. The challenge in identifying entity-level controls is to determine the extent to which these controls reduce financial reporting risk at the assertion level. For example, many companies have robust entity-level controls such as rigorous analyses of sales and related allowances that they can, and should, take credit for. However, other companies with more general entity-level controls, such as management review of the cash account balance, have found that they will need to develop more precise controls.

Once the entity-level controls are identified and assessed, management can then determine the remaining risk to the financial statements and select the controls (and the related testing approach) that are necessary for management to make its assessment.

It is important to note that the SEC’s guidance is just that—guidance. The guidance is intended to help public companies—particularly smaller companies—strengthen their internal control over financial reporting while reducing unnecessary costs. Companies of all sizes will be free to apply their own professional judgments to scale and tailor evaluation procedures to their own facts and circumstances.

Communication Continues to Be Key

With new, and separate, guidance for management, communication between the external auditor and management continues to be the key to an effective, coordinated process. The following recommendations can help management and the external auditors stay in sync:

Review early and often. Management should involve the external auditors at each phase of the process. For example, once management has identified potential key risks, ask the auditors for their input. If they differ, explore the reasons they differ.

Realize that different guidance creates opportunities and risk. Because management has its own guidance, there is a greater probability that management’s approach and the external auditors’ approach could begin to drift further apart. By working together, management and the external auditors can review each other’s approaches and requirements to determine how best to coordinate efforts. For example, they can review:

Planned use of entity-level controls and planned and actual precision of these controls.

Nature, timing and extent of procedures to be performed by management and their intersection with those planned by the external auditors.

The external auditors’ planned use of the work of others—including internal audit—and how changes in management’s planned approach could result in greater efficiencies for the external auditors.


PCAOB STANDARD
AS5 complements the SEC interpretive guidance to management and includes the following key points:

Risk assessment underlies the entire audit process. A risk assessment is initiated at the audit planning stage and is continued at each decision point throughout the top-down approach. Scoping decisions in multilocation environments are focused on risk rather than on coverage.

Evaluation of entity-level controls can result in increasing or decreasing the testing that otherwise would be performed on controls at the process, transaction or application levels. AS5 identifies three categories of entity-level controls (control environment controls, controls that monitor the effectiveness of other controls, and direct controls) and explains how each category might affect the performance of tests of other controls.

Auditors are specifically permitted to consider the nature, timing and extent of procedures performed in the prior year and the results of those procedures in determining the risk associated with a particular control. This would enable auditors to reduce testing in areas using knowledge gained from prior-year audits. However, the standard does not permit “rotation testing” (the practice of testing certain controls every three years).

The standard makes it easier to use the work of others and allows auditors to use direct assistance from other parties in performing walk-throughs.

The external auditor will no longer be required to opine on management’s assessment. While auditors will still be required to understand management’s assessment, they will not need to perform a formal evaluation.

The definition of a material weakness was changed to conform to FASB Statement no. 5, Accounting for Contingencies, and the definition of a significant deficiency was changed to focus the auditor on the communication requirements rather than scoping issues.

Overall, these changes are designed to focus the auditors’ efforts on the areas of greatest risk to financial reporting, to eliminate unnecessary procedures, and to simplify the requirements.

OPPORTUNITY FOR CHANGE
To shorten the learning curve and avoid repeating mistakes made during the early stages of SOX 404 compliance, consider the following “stop-rethink-reuse” strategy for implementing the new guidance.

Stop. Before overhauling existing SOX 404 compliance practices and methodologies, consider why the additional guidance was released. The primary goal of the guidance is to refocus management and auditors on risk for purposes of increasing effectiveness and efficiency in SOX 404 compliance. To avoid changing simply for the sake of change, risk should be at the center of any adjustments that are made to existing compliance frameworks.

Rethink. With risk at the forefront, management should consider increasing the rigor of its existing risk assessment to focus on financial reporting elements that represent a higher risk of material misstatement to the financial statements. These risk criteria will differ between companies and industries. Engaging internal or external industry and process specialists may provide enhanced clarity to the risk assessment process. Once this risk assessment has been performed, management will be able to consider the differences from initial SOX 404 compliance risk assessments to determine what, if any, changes are warranted.

For example, an IT consulting company invested 260 hours performing a risk assessment that resulted in a clearer picture of the key risks to its financial statements. This information was used to create a compliance plan that incorporated relevant entity-level and process-level controls. Based on its revised risk assessment approach, the company expects to reduce its future SOX 404 compliance effort by 1,100 hours, or 35%.

Reuse. Once a thorough risk assessment has been performed, management should consider revisiting the existing controls portfolio, starting with the entity-level controls. Carefully designed entity-level controls can reduce the number of supporting process-level controls that need testing. For example, revenue or cost analyses that use key performance indicators may be sufficient to significantly reduce the level of testing of related process-level controls.

After revisiting and perhaps updating the entity-level controls, the process and location controls are next. Management should focus on documenting and testing only those controls that most directly affect the remaining financial statement risks. For example, a large financial services company engaged internal and external specialists to streamline and automate complex revenue recognition processes and controls across multiple platforms. Since the risk of material financial misstatement was higher based on the manual nature of several key controls and the multiple platforms involved in the legacy revenue recognition processes, the company streamlined the associated business processes using both a functional and control mind-set.

The resulting process created greater visibility into the revenue recognition processes and enhanced the company’s ability to communicate internally and with customers. The new process also eliminated a legacy system requiring extensive manual intervention, reduced the associated control portfolio by 76 control instances, and redeployed 2.5 full-time equivalents (FTEs) to contribute value in other key business processes.

Management should consider evaluating its controls portfolio to identify the structure of controls (manual vs. automated; preventive vs. detective) and the cost (both direct and indirect) associated with each control. This type of evaluation can highlight controls that are candidates for immediate improvement or elimination (those that mitigate lower risks of material financial misstatement at a higher cost), controls that are candidates for needed improvement (those that mitigate higher risks of material financial misstatement at a higher cost), and controls that can be left as is (those that mitigate higher risks of material financial misstatement at a lower cost).

In addition to evaluating the nature of the overall control portfolio, management should consider standardizing the overall control portfolio. As controls are standardized across processes and locations (even though the implementation of the controls may differ for each process or location), the ability to understand, modify and improve the overall controls portfolio increases. For example, a large financial services company standardized the controls portfolio for several applications and processes and reduced the overall number of controls in 2006 from 561 unique controls, which included several duplicated and unnecessary controls, to 140 unique controls, which could be applied across each of the in-scope applications and locations, in 2007.

CONCLUSION
With the updated SEC and PCAOB guidance, now is the time for management and auditors to “stop, rethink and reuse” their SOX 404 compliance frameworks and continue to work together to determine if they can realize greater efficiencies and value from their compliance processes.

AICPA RESOURCES

JofA articles
“Two Years and Counting,” June 07, page 74.
“Internal Control Guidance: Not Just a Small Matter,” March 07, page 46.
“Assessing and Responding to Risks in a Financial Statement Audit: Part II,” Jan. 07, page 59.
“Assessing and Responding to Risks in a Financial Statement Audit,” July 06, page 43.
“Section 404 for Small Caps,” March 06, page 67.
“Assessing Company-Level Controls,” June 05, page 65.
“Trust Services: A Better Way to Evaluate I.T. Controls,” March 05, page 69.
“Evaluate the Control Environment,” May 04, page 75.

Publications
COSO Enterprise Risk Management—Integrated Framework (Paperback #990015JA, PDF #990015PDFJA).
Internal Control Over Financial Reporting—Guidance for Smaller Public Companies (PDF Download #990017PDF, three-volume set #990017, combined PDF download and three-volume set #990016HI).

CPE
Internal Control Essentials for Financial Managers, Accountants and Auditors, a CPE self-study course (#731853JA).
Applying COSO Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting, a CPE self-study course (#187210JA).

To place an order or register, go to www.cpa2biz.com, or call the Institute at 888-777-7077.

OTHER RESOURCES

Web sites
SEC Interpretive Guidance, www.sec.gov/rules/final/2007/33-8809.pdf
PCAOB Auditing Standard no. 5, www.pcaobus.com/Standards

Copyright © 2013 American Institute of Certified Public Accountants. All rights reserved.