Powerpoint slides - Center for Audit Quality
Download
Report
Transcript Powerpoint slides - Center for Audit Quality
CAQ WEBCAST
PCAOB Insights on Internal Control: A
Discussion on
Auditing Standard No. 5
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of
the Center for Audit Quality or the presenters’ respective organizations. These materials, and the oral
presentation accompanying them, are for educational purposes only and do not constitute accounting or
legal advice or create an accountant-client or attorney-client relationship.
Slide 1
Join the CAQ today!
Visit www.thecaq.org/members
or call
1-888-817-3277
Slide 2
Today’s Objectives
Today’s program is designed to help you better
understand:
Notable changes made to the PCAOB’s
internal control auditing standard no. 2
Overview of AS 5 and insights on how it can
be scaled for smaller, less complex companies
Overview of SEC’s Management Guidance on
Internal Control
Overview of COSO’s Guidance on Monitoring
Internal Control
Slide 3
Today’s Presenters
Thomas Ray, CPA
Chief Auditor and Director of Professional Standards
PCAOB
Sharon Virag, CPA
Director of Technical Policy Implementation
PCAOB
Trent Gazzaway, CPA
Managing Partner of Corporate Governance
Grant Thornton LLP
**********
Cynthia M. Fornelli
Moderator & Executive Director
Center for Audit Quality
Slide 4
CAQ Webcast
PCAOB Insights on
Internal Control:
A Discussion on Auditing
Standard No. 5
Tom Ray
Sharon Virag
5
October 4, 2007
Caveat
The views expressed by Mr. Ray and Ms.
Virag are their own views and do not
necessarily reflect the views of the Board,
individual Board members, or other
members of the staff of the PCAOB.
6
Overview
7
Improvements resulting from Auditing
Standard No. 5
Successful implementation of
AS No. 5 - Next steps
Improvements
Resulting from the
Amendment to Auditing
Standard No. 2
8
Improvements Resulting from Auditing
Standard No. 5
9
Focus the internal control audit on the
most important matters
Eliminate procedures that are
unnecessary to achieve the intended
benefits
Make the audit clearly scalable to fit any
company’s size and complexity
Simplify the standard
Focus the Internal Control Audit on the Most
Important Matters
10
More clearly focuses auditors on
identifying control weaknesses before
they result in material misstatements
Clarifies how auditors should use risk
assessment to focus on the accounts,
disclosures and their relevant assertions
Emphasizes the importance of fraud risk
and anti-fraud controls to assessing risk
Focus the Internal Control Audit on the Most
Important Matters (cont.)
11
Outlines three broad categories of
entity-level controls
Emphasizes the importance of a
company’s control environment
Emphasizes higher risk stages of
financial statement preparation
Eliminate Procedures that Are Unnecessary
to Achieve the Intended Benefits
12
Removes the detailed requirements to
evaluate management's evaluation
process
Permits consideration of knowledge
obtained from the auditor's previous
years’ audits
Eliminate Procedures that Are Unnecessary
to Achieve the Intended Benefits (cont.)
13
Removes barriers to using the work of
others by eliminating the "principal
evidence" provision
Refocuses the multi-location direction on
risk rather than coverage
Clarifies that the top-down approach
describes the auditor’s sequential thought
process in identifying risks and the
controls to test
Eliminate Procedures that Are Unnecessary
to Achieve the Intended Benefits (cont.)
14
Allows auditors to tailor their top-down
approach to the facts and circumstances
of a particular engagement
Focuses the performance requirements
for a walkthrough on fulfilling certain
important objectives
Establishes a principle for evaluation and
communication to the audit committee of
control deficiencies
Make the Audit Clearly Scalable to Fit Any
Company’s Size and Complexity
Discussion of scaling concepts throughout
the standard
Discussion of the attributes of smaller and
less complex companies
15
Larger companies may have some business
units or processes that may be less complex
than others
Simplify the Standard
16
Reduces granularity and redefines key
terms in a simpler way
Clarifies that the auditor’s evaluation of
materiality for an internal control audit is
the same as the financial statement audit
Alignment of terms between the standard
and SEC’s management guidance
Effective Date
17
AS No. 5, Rule 3525, and the amendments will
be effective for audits of fiscal years ending on
or after November 15, 2007.
Earlier adoption is permitted for timely SEC
Filings on or after August 27, 2007.
If continue to comply with AS No. 2 until
superseded, then should apply the definition of
“material weakness” contained in AS No. 5
rather than the definition in AS No. 2.
Successful
Implementation of
AS No. 5 – Next Steps
18
Next Steps
19
Monitor firms response to AS No. 5
Continue outreach programs, including
Small Business Forums
Adjust the PCAOB inspection approach for
AS No. 5
Continue Coordination with SEC
Issue guidance for auditors of smaller
companies
Guidance for Auditors of Smaller Companies
20
Intended to address the
implementation of the internal
control auditing standard in a smaller
public company environment
Derived from practice experience
Developed with auditors and small
issuers
Continue PCAOB Forums on Auditing in the
Small Business Environment
21
Eight forums scheduled in 2007
New York – October 22-23
Chicago – November 9
Washington, DC – December 4
Meeting materials and registration
information posted on Board's Web site
Three legs to the “404-improvement” stool
Value to companies
through improved use of
monitoring
Value to auditors through
ability to focus on good
COSO’s
monitoring controls
Guidance on
Monitoring
SEC’s
Guidance
PCAOB’s
AS5
(for mgmt)
(for auditors)
Separate but
consistent
Slide 22
SEC’s new interpretive guidance
Interpretive guidance proposed in December 2006
comment period ended February 26, 2007
over 200 comment letters received
Approved by Commission on May 23, 2007
www.sec.gov/rules/interp/2007/33-8810.pdf
Slide 23
SEC's guidance
Key attributes:
Principles-based
Directs efforts to
highest risks of material
misstatement
Allows evaluation to be
tailored to facts and
circumstances
Provides guidance on
supporting evidence
and documentation
Provides guidance for
evaluating deficiencies
Does not replace
control frameworks
Voluntary
Slide 24
SEC's guidance
Encourages a focus on "entity-level" controls:
Indirect - those that have an indirect effect on
control system effectiveness (e.g., tone at the top)
Monitoring - those that monitor the effectiveness of
other controls (see the COSO monitoring guidance)
Precise - those that operate at a level of precision
that would adequately prevent or detect
misstatements on a timely basis
Slide 25
SEC's guidance
Discusses documentation and evidence:
Documentation of the design of identified controls
is an integral part of management's reasonable
support
Nature and extent will vary based on the size, nature
and complexity of the company
Evidence of operating effectiveness provided by
ongoing monitoring or separate evaluation activities
Slide 26
SEC's guidance
Also includes:
A framework for evaluating control deficiencies
Indicators of material weaknesses
Guidance regarding disclosures
Note, the four required disclosure components have not
changed (i.e., mgmt is responsible for ICFR, whether
ICFR is effective, the framework used, and a reference to
the auditor's opinion)
SEC continues to see disclosures that do not adequately
describe the nature and impact of identified deficiencies
Slide 27
SEC's Revised FAQ document
Released September 24, 2007:
Eliminated 12 FAQs the staff believed were no
longer relevant, necessary, or were addressed in the
interpretive guidance (#s 5, 7, 10–13, 15–20)
Renumbered remaining questions
Added four new questions pertaining to foreign
private issuers (see FAQs 12–15)
Slide 28
COSO's guidance on monitoring
Discussion
document
available at …
www.coso.org
Slide 29
COSO's guidance
Effective monitoring – value proposition:
Provides management with most of the evidence it
needs about ICFR effectiveness to support its
assertion
Encourages effective
control operation
Helps manage
and/or mitigate
risk
Slide 30
COSO's guidance
Let's look at a simple example of the concept …
assume:
a reconciliation control is deemed important to
financial reporting
the supervisor of the area performs an
appropriately detailed review of the
reconciliation each time it is prepared
Slide 31
COSO's guidance
Simple example (cont'd)
The supervisor's review (if it is effective)
accomplishes two things:
tells him or her whether the control is working
encourages continued effective operation of
the control
Slide 32
COSO's guidance
How do we often deal with this risk in today’s 404
environment?
Management’s
404 Process
Auditor’s
404 Audit Process
4. Test the
Review
6. Test the
Review
3. Test the
Recon.
2. Review
Reconciliation
1. Perform
Reconciliation
5. Test the
Recon.
Slide 33
COSO's guidance
How might it be done better in a large organization?
Management’s
Monitoring Process
3. Test the
Review
2. Review
Reconciliation
1. Perform
Reconciliation
Auditor’s
404 Audit Process
or
4a. Possibly
Use the
Work of
Others
4b. Test
the Review
Slide 34
COSO's guidance
How might it be done better in a small organization?
Auditor’s
404 Audit Process
Management’s
Monitoring Process
If the reconciliation review
is performed at the seniormanagement level, no
further evaluation may
be necessary
2. Review
Reconciliation
3. Test the
Review
1. Perform
Reconciliation
Slide 35
COSO's guidance
Two primary project goals:
Help companies recognize effective monitoring
when it is already present and “take credit” for it
Help companies identify places where effective
monitoring is lacking and provide guidance
regarding possible improvements
Slide 36
COSO's guidance
Two project phases:
Phase I: Proof-of-concept stage — issued a
discussion document presenting the fundamental
concepts of effective monitoring
Phase II: Practical examples and tools stage —
working to prepare case studies, examples and
tools to help organizations implement the
fundamental concepts
Slide 37
COSO's guidance
Key questions:
1. What to evaluate
2. How to evaluate it
3. When and how often to evaluate it
These decisions are influenced by the level of risk and
the corresponding importance of identified controls
Slide 38
COSO's guidance
Elements of effective monitoring:
Slide 39
SEC and COSO guidance
Location reminder:
SEC's Interpretive Guidance for Management
www.sec.gov/rules/interp/2007/33-8810.pdf
COSO's Discussion Document – Guidance on
Monitoring Internal Control
www.coso.org
Slide 40
Questions & Summary
Slide 41
Thank you for participating!
Please visit us at
www.theCAQ.org
Slide 42
CAQ WEBCAST
PCAOB Insights on Internal Control: A
Discussion on
Auditing Standard No. 5
Slide 43