The Institute of Internal Auditors has finally updated its internal control guidance to incorporate the new Auditing Standard No. 5 and the management guidelines published by the Securities and Exchange Commission last year.


The report entitled, “Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners,” builds on the original one published in 2006. According to Norman Marks, vice president of internal audit at Business Objects and author of the guide, the original document was downloaded more than 40,000 times.

“This new version puts the SEC guidelines and AS5 into context,” says Marks, whose firm was acquired by SAP last year. “While the first edition already had a top-down approach, this version updates the language and references and expands in a number of interesting areas,” including direct and indirect entity-level controls and IT internal controls, he says.

According to some, the new guidance is particularly critical as the credit crisis demonstrates the importance of improving risk-assessment processes and procedures.


“This [sub-prime mortgage] crisis speaks highly to the dynamics of internal control systems and the changing risks of organizations,” says Dave Richards, president of the IIA. “The operational decision to change products, operations, or systems within organizations should signal the need to reassess risks and related internal controls to ensure the right controls are being monitored.”

The need for closer assessment of change is reflected in the Sarbanes-Oxley Section 302 quarterly assessments by management. Done right, these assessments examine changes in operations, business processes, and new systems to confirm the integrity of management's conclusions.

Any business risk can change from low to high with a change in emphasis, volume of transactions, transition of staff, or new computer systems. “It is up to management to be on top of these changes and ensure proper disclosures are made,” Richards says. “The sub-prime mortgage situation is an example of where risks changed based on volumes and the marketplace, and were not properly evaluated by the organization regarding the change.”

Greater Flexibility, or Conflict?

The top-down approach to assessing risk that is discussed in the new IIA report uses key financial-reporting risks as the basis for determining which controls need to be assessed. This approach makes management responsible for assessing fraud risk within the organization and the controls in place to prevent, detect, or deter fraud from being perpetrated against the organization. Relying on this approach should continue to drive down the need for assessing less important risks and controls, Richards says.

But these risk assessments can seem tricky to companies, as they try to reconcile the SEC guidelines followed by management with the AS5 requirements for external auditors.

IT’S REQUIRED

The following excerpt from the Institute of Internal Auditors’ “Sarbanes-Oxley Section 404 Guide for Management” pinpoints 404 requirements.

Section 404 required the SEC to develop and publish rules for a management assessment of ICFR. These rules were completed in June 2003 and updated in June 2007. Changes included removing the requirement for the external auditor to assess management’s process for assessing the system of ICFR, as well as revising the definitions of significant deficiency and material weakness. The PCAOB followed with AS 2, which was approved by the SEC in June 2004. AS 2 was replaced in May 2007 by AS 5.

The SEC rules and PCAOB standard require that:

1. Management perform a formal assessment of its controls over financial reporting (see definition below), including tests that confirm the design and operating effectiveness of the controls.

2. Management include in its annual report on Form 10-K an assessment of ICFR.

3. The external auditors provide two opinions as part of a single integrated audit of the company:

An independent opinion on the effectiveness of the system of ICFR.

The traditional opinion on the financial statements.

The SEC rules are worth reviewing carefully. They “require a company’s annual report to include an internal control report of management that contains:

A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.

A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting.

Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including a statement as to whether or not the company’s internal control over financial reporting is effective. The assessment must include disclosure of any “material weaknesses” in the company’s internal control over financial reporting identified by management. Management is not permitted to conclude that the company’s internal control over financial reporting is effective if there are one or more material weaknesses in the company’s internal control over financial reporting.

A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the registrant’s internal control over financial reporting.”

Source: SOX 404 Guide for Management (January 2008).

The SEC guidance allows management to adopt a different method of assessing their internal controls over financial reporting than is used by the external auditor under AS5—a major departure from the practices of the first years of SOX compliance.

The method used by management is not subject to the rigors demanded of the external auditor under AS5. This means that management can take advantage of their knowledge of internal controls and ongoing monitoring of those controls without the detailed documentation required under AS5, Richards says. Management, however, can’t make assertions under SOX without evidence of how they arrived at their conclusion, he says.

Under the SEC guidelines, external auditors no longer need to assess the method used by management; they need only state their opinion on the condition of internal controls.

In theory, AS5 gives external auditors more flexibility in establishing their approach to assessing internal controls.


“Part of the shift from AS2 to AS5 was really about focusing on things that are important,” says Lee Barken, IT practice leader at the accounting firm Haskell & White. “Focus on where the risk is. It requires more auditor judgment, not a checklist approach.”

The reality, however, is that the external auditor is still more likely to assess more of the basic risks and controls because of the liability associated with their opinion. They want to feel comfortable with their overall results, Richards says.

In addition, the external auditor is now charged with a higher degree of action with regard to the search for fraud. That continues to challenge the external auditor to have the right people, processes, and knowledge to determine what fraud schemes might occur in the organization being tested.

“This may mean that the external auditor is not going to change much in the way of their overall identification, documentation, testing, and evaluation of internal controls over financial reporting,” Richards says. “The challenge still remains to address the real risks associated with management override of internal controls or risks associated with fraudulent behavior.”

More Time Needed

The entity level controls, often known as “soft” controls, require different approaches to ensure that the environment within the organization is supportive of an open interchange between management and employees regarding potential transactions, actions, or reporting that is perceived to be incomplete, unclear, or false.

A tone within the organization that supports revealing transactions of a questionable nature is the best way an organization can prevent inaccurate financial statements when deliberate methods are used to circumvent internal controls.

This may explain why some companies have raised doubts that AS5 offers more flexibility, since many auditors are still insisting on lots of testing or may not trust the testing the companies are doing themselves.

“AS5 allows the CPA firms to be far more efficient, but that doesn’t mean they’ll be that way,” Marks says. “It’s one thing to write the standard and another for everyone to get there. AS5 and the SEC guidelines are trying to say to only look where there is a reasonable possibility of fraud, not just a hypothetical. Audit firms are not used to doing that. Over time, they’ll get more comfortable, and their methodologies will become more in tune with the principles of AS5.”


Some auditors say that AS5 is already showing signs of helping to improve efficiency. Nick Tootle, a principal at the accounting firm Kaufman, Rossin & Co., says his firm has found that their hours are being reduced as a result of changes related to AS5.

“We’re only one year into the implementation of AS5, and it may take a little more time to flesh out,” he says. Still, “you don’t need to go overboard. The consumer always has a choice. If you feel your auditor is doing the same thing year after year and you’re not getting the bang for your buck, there are a tremendous amount of other firms that are waiting in line.”