



Feature



Lynn Bruneau
Managing Director, Technology Risk Practice
Northeast Sarbanes-Oxley Services Leader
Protiviti Inc.


Continue Sharpening Your Risk Assessment

With new SEC and PCAOB guidance on the table, here are suggested next steps for performing your annual assessment of Internal Controls over Financial Reporting.


 
By Lynn Bruneau


Just in time for the holidays, the SEC proposed for public comment draft guidance to assist management in planning and performing its annual assessment of Internal Controls over Financial Reporting (ICFR) as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). 

A week later, the PCAOB proposed for public comment a new standard — Auditing Standard 5 (AS5) to replace Auditing Standard 2 (AS2) — for the audit (by the external auditors) of ICFR. 

Key aspects of these draft documents are highlighted below, followed by a number of suggestions for management “next steps.”

Draft SEC Guidance: Highlights
— If a company follows the SEC guidance, it would satisfy the annual SOX 404 internal control evaluation requirements.
— An audit opinion will no longer be required regarding management’s ICFR assessment.
— Guidance supports a top-down, risk-based approach to identification and assessment of internal controls needed to prevent or detect a material misstatement in the financial statements.
— Nature and extent of evaluation process should be closely aligned with risk assessment: increased risk, increased focus on controls. 
— Top-down, risk-based approach should result in greater efficiency, with custom-tailored approach, fitting each company’s “facts and circumstances.”
— Assess risk based on a standard of providing “reasonable assurance” regarding the reliability of financial reporting.
— Leverage effective entity-wide controls (e.g., detailed budgeting with periodic variance analysis) and IT general controls (e.g., change control and system access controls) where appropriate to reduce reliance on manual controls.
— Determine multi-location control assessment requirements based on risk (not a pre-determined level of “coverage”).
— Use a risk-based approach to determine the level of testing and evidence required (more risk, more testing, more evidence).
— Higher risk areas often include related party transactions, complex accounting, increased judgment or estimates, management override.
— Clarity provided regarding the definition of a “material weakness” (material error is “reasonably possible”).

Revised PCAOB Auditing Standard: Highlights
— Objective of the revised Auditing Standard: provide more focus for the ICFR audit; eliminate unnecessary steps; provide guidance for scaling the audit to fit “facts and circumstances”; simplify the text of the standard.
— Provides more flexibility regarding the use of external auditors for internal control-related work.
— More flexibility regarding using the work of others to support the audit.
— Re-focuses auditors on a top-down, risk-based approach to identification and assessment of ICFR.
— Eliminates the need for an opinion regarding the effectiveness of management’s assessment of internal controls.
— Although “rotation of testing” is not permitted, the auditors are encouraged to leverage what they know from prior years (e.g., nature, scope and focus of review and test results), as well as any subsequent changes in controls.
— Multi-location control assessment requirements should be risk-based (the “coverage” requirement has been eliminated).
— Walkthroughs are still required, but at a higher level (key processes rather than all transaction types). Further, auditors may rely on others for walkthroughs, under auditor guidance, and walkthroughs may replace testing for low-risk areas.
— More guidance will be provided in 2007 regarding “scalability” of SOX 404 audit procedures (e.g., for smaller companies).
— As above, clarity was provided regarding the definition of a “material weakness,” the use of “materiality” in scoping, and the use of quarterly vs. annual materiality.

Suggested “Next Steps” for Management
• “Rationalize” risks and sharpen the risk assessment to ensure primary focus is on critical risk areas.
• Determine which entity-level controls can be relied on and assess their impact on the internal control evaluation.
• Identify effective monitoring controls for critical risks for key processes and assess their impact on the internal control evaluation.
• Identify effective general IT controls linked to critical applications that support the in-scope business processes; look for more automated controls to replace manual controls.
• Plan, develop and implement an effective self-assessment approach; report findings, and follow up.
• Convert identified impacts on the internal control evaluation process to specific revisions to documentation and test strategies.
• Leverage value-added opportunities by analyzing observations and insights accumulated through prior year efforts and current planning processes as a basis for improving process effectiveness (cost, quality, efficiency).

And along the way — talk to your external auditors. It’s unlikely that the draft SEC and PCAOB materials will change significantly prior to implementation. No reason to wait too long to get started!



Lynn Bruneau is Managing Director, Northeast Sarbanes-Oxley Services Leader, and heads the Technology Risk Practice at Protiviti Inc., a leading provider of independent internal audit and business and technology risk consulting services, http://www.protiviti.com. She focuses on high-tech and manufacturing clients and develops Protiviti services related to corporate governance. Having spearheaded the firm’s Sarbanes-Oxley initiative, she advises clients on compliance and the regulatory environment.

Bruneau is a frequent speaker on Sarbanes-Oxley, corporate governance, and IT risk-related topics. She is a Certified Information Systems Auditor and a member of The Institute of Internal Auditors, Information Security and Privacy Advisory Board, Information Systems Audit and Control Association, and the Academy of Women Achievers. She received a B.S. in theoretical mathematics from MIT. She can be contacted at lynn.bruneau@protiviti.com.

Copyright © 2007 Directors & Boards, P.O. Box 41966, Philadelphia, PA 19101-1966. All rights reserved.