Implications and Opportunities of the PCAOB and SEC Proposals
Presented By:
AGENDA
Overview of Recently Issued SOX Guidance
Bruce Ring, Grant Thornton
Management Perspective on the Guidance
Bill McGee, GMAC Controller’s Staff
Internal Audit Perspective on the Guidance
Angie Chin, GM Audit Services
External Audit Perspective on the Guidance
Dan Langlois, KPMG
Considerations for Non-accelerated Filers
Bruce Ring, Grant Thornton
Recently Issued SOX Guidance (SEC)
Issued interpretive guidance for management on evaluating internal control over
financial reporting
Guidance organized around two overriding related principles
Management should evaluate the design of controls to determine whether they
adequately address the risk that a material misstatement in the financial
statements would not be prevented or detected
Describes a top-down, risk-based approach to this principle including the role
of entity level controls in assessing risks and the adequacy of controls
Guidance explicitly states there is no requirement to identify every control in a
process or to document the operating activities affecting internal control over
financial reporting
Management’s evaluation of the operation of its controls should be based on its
assessment of the risk associated with those controls
- Allows management to align the nature and extent of its procedures and the
evidence it obtains with the financial reporting areas that pose the greatest risk
to reliable financial reporting
SEC provided details on the approach in four areas
Identifying risks and related controls
Evaluating operating effectiveness
Evaluating deficiencies and reporting
Evidence to support assessment
Comments on proposed rule are due by February 26, 2007
Recently Issued SOX Guidance (PCAOB)
Proposed a revised standard for audits of internal control over financial reporting
Would supersede Auditing Standard #2
Four objectives of guidance
Focus on matters most important to internal control
Top-down approach
Definitions of material weakness and significant deficiency revised
Eliminate unnecessary procedures
Evaluation of management’s process for assessing the effectiveness of
internal control eliminated
Knowledge from prior years can be used in risk assessment
Multi location testing requirements refocused on risk rather than coverage
Use of work of others commonized under one auditing standard
Walkthroughs only required for each significant process rather than major
class of transactions within a process
Scale the audit for smaller companies
Simplify the requirements
Auditors’ report would express only one opinion on internal controls, an opinion on
the effectiveness of the company’s internal control over financial reporting
Comments on proposed rule are due by February 26, 2007
Management Perspective on Recently Issued SOX Guidance
(SEC & PCAOB)
Interpretive guidance sets forth an approach by which management can
conduct a top-down, risk-based evaluation of internal control over
financial reporting (ICFR)
From management’s perspective, there may be an opportunity to revisit the use of
financial statement coverage as the main factor in determining overall scope
Allows external auditors to consider prior period results in scoping current year risk.
Give full consideration to entity level controls in assessing financial reporting risks
and the adequacy of controls
If risk at individual locations is considered low, sufficient evidence may be obtained
from self assessment at the individual location combined with ongoing central
monitoring
Management’s evaluation of evidence about the operation of its controls
should be based on its assessment of risk
The lower the risk the less persuasive the evidence that is needed to conclude on
the effective operation of the control
Management may obtain evidential support through daily interaction with its controls
(good for smaller companies), self assessment procedures and other monitoring
procedures.
Evidence need not address all controls within every process that affects financial
reporting
Management Perspective on Recently Issued SOX Guidance
(SEC & PCAOB)
Elimination of independent public accountant’s requirement to
evaluate management’s process for assessing the effectiveness of
internal controls
Shouldn’t fees be adjusted accordingly?
Multi-location testing requirements refocused on risk rather than
coverage.
Independent Auditor allowed to use direct assistance of others when
performing walkthroughs
Also, walkthroughs only required for significant processes not for each
major class of transactions within a process
Shouldn’t fees be adjusted accordingly?
Now is the time to start planning for these changes.
While the proposed auditing standard may not be adopted until 2008, early
adoption may be encouraged.
Perspective from Internal Auditor (IA)
SEC Proposed Guidance
Leverage the guidance for IA’s:
- Annual risk assessment
- Control evaluation
- Control testing
Align audit plan and coverage with SOX 404 plan to achieve optimal
coverage
Preliminary Assessment on Implication for IA
No major changes to IA methodology and practices
Continue to increase focus on ICFR
Need to hire additional technical accountants
Perspective from Internal Auditor (IA), cont’d
PCAOB Exposure Draft (AS2 Replacement)
Leverage the guidance for IA’s:
- Annual risk assessment
- Control evaluation
- Control testing
Increase opportunities to rely on IA work to the greatest extent
- Conduct walkthroughs
- Continuous monitoring/auditing
- Control evaluation and testing
Align new definitions of control deficiency, significant deficiency, and material
weakness with IA methodology and control rating system
Preliminary Assessment on Implication for IA
Increase opportunities to coordinate audit work with external auditor to achieve
optimal reliance
Could increase/decrease IA scope and coverage
Need to hire additional technical accountants
Perspective from External Auditor
SEC proposed guidance
Management has a broad array of alternatives for use in making its
assessment
Should provide management with greater flexibility which may result
in time and cost savings
In some circumstances, the documentation management creates
specifically for the evaluation of ICOFR may be limited
The more informal management’s testing and documentation,
the more likely the auditor will not be able to use the work of
management
Perspective from External Auditor, cont’d
PCAOB Exposure Draft (AS 2 replacement) may provide opportunities for
reduction in auditor effort
Opportunities | Potential Obstacles
Reduced procedures relative to management’s assessment process | Still need to understand management’s process to understand internal control, assess risk, determine extent of reliance on work of others and perform tests of controls
Consider prior year results when assessing current year risks | Does not imply cycle or rotating test work or eliminate the requirement that each audit must stand on its own
Leveraging of company-level controls | Must be directly linked to F/S assertions or process level controls and must operate at level of precision to prevent or detect material F/S misstatements
Reduced walkthrough requirements | May involve IA or others only if working in a direct supervision mode; may need clarification on distinction between processes & classes of transactions
More flexibility for scoping multi-location environment | Scoping more focused on risk; increased likelihood of diverging approaches by management and auditor
Potential for increased use of work of others | May not be able to use work of others if competency and objectivity criteria are not met
Considerations for Non-Accelerated Filers
Current Requirements
Management assessments for fiscal years – December 15, 2007
Auditor's attestation report for fiscal years – December 15, 2008
Transition period for newly public companies – after one annual report
is filed with the SEC
Guidance
COSO: Internal Control over Financial Reporting – Guidance for
Smaller Public Companies
- Designed to provide a cost efficient and practical application of
COSO
Considerations for Non-Accelerated Filers
An Approach for Smaller Companies
Focus on top-down, risk based process to drive efficiency in SOX
readiness
Take a practical approach to "right-sizing" documentation of internal
controls
Identify the key monitoring controls upfront that are critical in
managing smaller companies
Integrate information technology and business process tracks to
ensure appropriate leveraging of automated and manual controls
Build your SOX structure with an eye towards minimizing future
compliance costs
Contact Information
Angie Chin
General Director, GM Audit Services
313-665-3729
Bill McGee
Manager, Controller’s Staff, GMAC
313-667-4527
Bruce Ring
Partner, Grant Thornton LLP
248-213-4280
Dan Langlois
Partner, KPMG LLP
313-230-3426
Pam Bishop
Engagement Manager, Jefferson Wells
248-226-1200