Reporting on Internal Controls
Download
Report
Transcript Reporting on Internal Controls
An Accountant’s Look at the Changing
Horizons within SOX 404
Presented to
Colorado Bar Association’s Securities Law Group
Presented by
Bill Evert
Hein & Associates LLP
September 21, 2006
Why should companies care about controls?
•
•
•
•
Fraud
Lost revenues
SOX 404 compliance
Personal liability
SOX 404 – Management Requirements
Currently effective for accelerated filers
($75MM public float, etc.):
• Incorporate within the Company’s Form 10-K
a report that:
– Acknowledges responsibility for establishing/
maintaining adequate internal controls over
financial reporting
– Identifies framework used (COSO)
– Assesses effectiveness at end of fiscal year
– Confirms independent auditors issued
attestation report on management’s assertion
Example Reporting Scenarios
Auditor’s Opinion on
Situation
Management’s
Report
Management’s
Assessment
Effectiveness
of ICOFR
No material
weakness
identified.
Internal
control
effective.
Unqualified
Unqualified
Material
weakness
identified by
management
and auditor.
Internal
control not
effective.
Unqualified
Adverse
Example Reporting Scenarios
Management’s
Report
Situation
Company has one or more
material weaknesses, but
management’s assessment
indicates internal control is
effective.
Issue adverse opinions on both
management’s assessment and
internal control.
Management fails to fulfill its
responsibilities regarding the
internal control assessment.
•
•
•
Communicate to management
and the Audit Committee.
Disclaim opinions.
Consider possible additional
auditor responsibilities.
Deficiencies – Conceptual Definitions
A deficiency is considered a significant
deficiency or material weakness if, either
individually or in the aggregate, after
considering compensating controls, the
following criteria are met:
Classification of
Deficiency
Likelihood of
Misstatement
Potential Magnitude
of Misstatement
Internal Control
Deficiency
Remote
OR
Inconsequential
Significant Deficiency
More than remote AND More than
inconsequential
Material Weakness
More than remote AND Material
Current Events – Moving Targets
New guidance:
• Remediation Standard (AS4)
• New SAS standard
• New COSO framework for small businesses
(July 11, 2006)
Coming soon:
• New SOX 404 guidance regarding non-accelerated
filers and IPOs
• Guidance for companies implementing SOX 404
• Revised AS2
Issues/Pitfalls Encountered
• Lack of:
― Lead time/resources/game plan
― Effective communication between auditor and client
― Motivation in second year
• Issues:
― Late start (prevents integrated audits and rising costs)
― Multiple operations/foreign subsidiaries
― Company’s GAAP and SEC expertise
― Consequences of adverse and disclaimer opinions
― Controls at outsourced service providers
Why is SOX 404 so difficult (and costly)?
1. Definition of significant deficiency “more than
inconsequential”:
A misstatement is inconsequential if a reasonable person would conclude,
after considering the possibility of further undetected misstatements, that
the misstatement, either individually or when aggregated with other
misstatements, would clearly be immaterial to the financial statements. If
a reasonable person could not reach such a conclusion regarding a
particular misstatement, that misstatement is more than inconsequential.
1. Must have controls over all of the relevant assertions over
all significant accounts and footnotes.
2. Materiality and deficiency evaluation.
3. Testing of attributes, not dollars - “What could go wrong;
not what does.”
4. Adjustments the auditor finds.
Why should private companies adopt SOX?
•
Better controls thereby:
― Decreasing the likelihood of fraud
― Increasing operational efficiency
•
Exit strategy?
•
SOX will eventually become the standard by
which companies are judged
•
New audit standards
CHANGE IS GOOD
YOU GO FIRST
Components of the Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Board of Directors and Audit Committee
4. Management’s philosophy and operating
style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resources policies and practice
Why control environment is so important
The following circumstances are at least a significant deficiency and a
strong indicator of the existence of a material weakness per AS2.
•
Restatement of previously issued financial statements.
•
Auditor’s identification of a material misstatement in the current year audit that
was not initially identified by the Company.
•
Ineffective Audit Committee oversight.
•
An ineffective internal audit or risk assessment function, if critical to reliability of
Company’s financial reporting process.
•
An ineffective regulatory compliance function in highly regulated companies if
functions could have a material effect on the reliability of financial reporting.
•
Identification of fraud of any magnitude on the part of senior management.
•
Previously communicated significant deficiencies that remain uncorrected
after a reasonable period of time.
•
An ineffective control environment.
Oversight by the Audit Committee and Board
•
Nature and frequency of meetings
•
Consideration of fraud when reviewing:
― Accounting principles
― Non-routine transactions
•
Evaluation of management’s assessment of
fraud risk
•
Discussion with auditor’s potential fraud
areas
Risk Assessment
•
•
Systematic process
Consideration of potential fraud schemes:
―
―
•
•
•
•
Types of fraud
Fraud triangle
Assessment of risk at all levels
Evaluate likelihood and significance of risks
Assessment of exposure
Document oversight by Audit Committee