If there were ever a time in the Sarbanes-Oxley era for companies to take the bull by the horns, now would be it.
For the largest public companies, the first reporting cycle under new rules for internal control over financial reporting may be months away. But audit experts say now is the time for companies to take the initiative on Auditing Standard No. 5, the new audit standard governing the SOX-required internal control audit, to assure the best implementation possible.
DeLoach
“It is not in management’s best interests for there to be a significant difference between management’s and the auditor’s risk assessments,” says Jim DeLoach, managing director for Protiviti. “It’s time to minimize the disconnect. That’s what companies should do now.”
Now that companies are armed with guidance from the Securities and Exchange Commission on how to do their own assessment of risk and internal controls, management should take the lead, DeLoach says. He believes companies should make several crucial decisions sooner rather than later to guide the coming year’s reporting and auditing process toward a more reasoned, risk-based approach than most companies have experienced in the past few audit cycles.
DeLoach is telling companies to focus on the most significant elements of their financial reporting and identify the relevant assertions for each, then identify the key controls tied to those assertions. That would give the company a top-down view of entity-level controls, consistent with regulators’ directives to management and auditors alike, he says.
Management then must decide which and how much documentation is necessary, he says. Larger companies likely already have more than enough documentation in place, but smaller companies or newly public companies complying for the first time may have some work to do.
Then comes the critical risk assessment, says DeLoach, to identify where controls may fail and material misstatement may result. Under the now defunct Auditing Standard No. 2, every control was tested regardless of risk; under AS5, the risk assessment drives decision making around what and when to test, who should perform the testing, and how it should be done.
Keith Newton, partner in charge of audit methodologies for Grant Thornton, says he worries companies may believe that the relaxed audit rules mean management can simply do less this coming year than has been done in years past.
Newton
“The way this will work best is if management continues to do a robust evaluation themselves to enable the auditor to use their work to the maximum extent possible,” he says. “If a company stops or slows down and puts in less effort to support their assessment of internal control, that limits the auditor’s ability to use their work and means the auditor will probably have to do more testing.”
Newton says a balance must be struck between how much work management will need to do to support its assessments and how much auditors will be able to rely on that work to support their own conclusions. “That gets harder if management cuts back too much,” he says. “Obviously everyone needs to cut back some, but don’t cut back too far.”
USE OF OTHERS
Below is an excerpt from AS5, regarding how external auditors can rely on the work of others when auditing internal controls.
The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, applies in an integrated audit of the financial statements and internal control over financial reporting.
For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements.
The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The auditor should apply paragraphs .09 through .11 of AU sec. 322 to assess the competence and objectivity of internal auditors. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use.
For purposes of using the work of others, competence means the attainment and maintenance of a level of understanding and knowledge that enables that person to perform ably the tasks assigned to them, and objectivity means the ability to perform those tasks impartially and with intellectual honesty. To assess competence, the auditor should evaluate factors about the person’s qualifications and ability to perform the work the auditor plans to use. To assess objectivity, the auditor should evaluate whether factors are present that either inhibit or promote a person’s ability to perform with the necessary degree of objectivity the work the auditor plans to use.
The auditor should not use the work of persons who have a low degree of objectivity, regardless of their level of competence. Likewise, the auditor should not use the work of persons who have a low level of competence regardless of their degree of objectivity. Personnel whose core function is to serve as a testing or compliance authority at the company, such as internal auditors, normally are expected to have greater competence and objectivity in performing the type of work that will be useful to the auditor.
The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.
Source
PCAOB (June 12, 2007).
DeLoach says companies will also need to determine the scope of testing, including which locations or units to include, and to determine where the auditor might rely on management’s work to support audit conclusions.
Seizing Momentum
Audrey Gramling, a professor at Kennesaw State University, says companies should take the initiative to prod auditors regarding their reliance on management’s work. “The external auditors have ultimate responsibility for their opinion so they need to be confident that management’s work in the area of testing controls was performed appropriately, and by component and objective individuals,” she says.
According to Gramling’s research, prior to Sarbanes-Oxley a strong relationship existed between external auditors’ reliance on management’s work and audit fees; as reliance by the external auditor on internal audit’s work increased, the external audit fee decreased. “I would expect to see the same type of relationship in audits conducted under AS5,” she says.
Gramling says now is an ideal time for companies to focus on whether controls are as efficient as they could be: whether manual controls should be automated, and whether decentralized controls should be centralized. “Early under AS2, we found a lot of manual controls,” she says. “If they were automated controls, it would result in a lot less testing. Where companies have decentralized controls, if there’s not a business reason for those controls to be decentralized, they should consider centralizing them. That also would result in less testing.”
Schrock
Kathy Schrock, partner and national SOX solution leader for the executive services firm Tatum, says communication with external auditors is vital at this early stage. “If the lines of communication are not open yet, get them open. Schedule a meeting as soon as possible,” she says.
The agenda, according to Schrock, should include questions like where reliance can be increased, where entity-level controls can be more effective, how risk will be assessed, and how the audit will include or exclude specific company locations. Companies also should get some auditor support for any changes management may be contemplating.
“Some companies’ modification ideas in implementing SEC guidance could lead them down a path that may impair the auditor’s ability to rely on the work performed by management,” she says.
Richard Ueltschy, head of Crowe Chizek’s financial services audit practice, said some tension still exists between the SEC management guidance, which says less documentation is acceptable, and AS5, which says auditors can rely more on management’s documentation.
The intention behind the SEC’s guidance “is to help management groups understand that they do not need to document their own assessment of internal controls the same way an auditor would,” he says. “However, for a company to minimize the auditor’s cost in applying AS5, they need to perform test work that meets the auditor’s needs, which might require more testing. The more the auditor attempts to rely on the work of others, the more documentation the client needs to provide.”
Amy Daly, a managing director for SolomonEdwards Group, says companies also should have an early discussion with auditors about how material weaknesses will be viewed and defined. “There’s been a lot of disagreement over the years about what really is a material weakness,” she says; the SEC’s and the PCAOB’s new definitions may or may not help clarify the issue.
Daly
“There should be an upfront handshake that says, ‘This is how we are going to define risk in this organization,’ so there’s agreement before anything is done,” she says. “Think it all the way through before you get to March 25, you have to file the next day, and you’re still arguing about the definition of material weakness.”
No comments yet