Earlier this year, the Securities and Exchange Commission (SEC) released guidance specifically for management on conducting an assessment of internal controls over financial reporting. However, the requirements for the external auditor under Public Company Accounting Oversight Board's Auditing Standard #5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AS5), should also be taken into account by management. AS5 supersedes Auditing Standard #2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, and provides more clarity for the auditor. And while the external auditor is not required to make its attestation on the effectiveness of the organization's internal controls under AS5 until the second year of compliance, non-accelerated filers should consider AS5 while planning their initial year of Sarbanes-Oxley (SOX) compliance efforts. Such an approach will help keep management's efforts focused and should increase the auditor's ability to leverage the work of management in subsequent years.
An open line of communication between executive management and the external auditor always should be strongly encouraged. That concept has significant relevance with the SEC's recent approval of AS5. Management's compliance efforts should begin by facilitating a conversation with the external auditor, during which management should gain an understanding of the auditor's interpretation of AS5 and its impact on the scope and approach for the annual audit.
What Can The External Auditor Expect During Management's First Year Of Compliance?
For years beginning on or after December 15, 2007, management is required to make an assertion about the effectiveness of internal controls over financial reporting (ICFR) with the filing of Form 10-K. Although there is no requirement for an attestation by the company's external auditor for this period, the external auditor must still validate certain information contained within Form 10-K. Accordingly, management can expect that the auditor will want to review some of the documentation relating to management's assessment process.
According to the SEC guidance, management should complete its assessment using a suitable framework for effective internal control. The primary objective of the assessment process is to ensure that management considered the risk of material misstatement to the organization's financial statements and evaluated the design and operating effectiveness of controls in place to mitigate those risks.
There is no requirement for management to document every control within the organization, and - in keeping with the concept of applying a risk-based approach - management should refrain from creating what one might refer to as a comprehensive "control catalogue." In fact, executing a risk-based approach and focusing compliance efforts on primary controls in the areas most at risk for misstatement should enable the external auditor to better focus his efforts as well.
At a minimum, management should expect the external auditor to review what is now commonly referred to as the "scoping document" as well as management's assessment of the control environment. The external auditor will also likely review a sample of the documentation that management prepared for significant high-risk processes including evidential matter validating the operating effectiveness of the internal controls. The auditor will want to verify that management's assessment process appears robust and focused on the areas of greatest risk.
Where Should Management's Assessment Begin?
A risk-based approach should begin with a quantitative and qualitative evaluation at the financial statement level to determine which significant accounts, processes and locations to include within the scope of management's evaluation. The consideration of the risk level should persist throughout the evaluation and documentation process, allowing management to continually focus efforts on the areas of greatest risk. The greater the risk of potential financial statement misstatement, the more focus the controls to mitigate those risks should receive during the documentation and evaluation process.
The financial reporting process should be one of the first areas of focus for management's assessment process. Considering the primary intent of SOX - and the directives put forth by the SEC and PCAOB for adequately assessing the effectiveness of ICFR - the right place to start is with the financial reporting process. As such, applying a risk-based approach should begin with an evaluation of the risks that could negatively impact the organization's objective of issuing complete, accurate and timely financial information.
Conceptually, the financial reporting process is a broad category encompassing such sub-processes as the financial close process; significant estimates; footnotes and disclosures; equity; and intercompany and related party transactions, among others. Management can better focus on high-risk areas by beginning with the financial reporting process and documenting the risks and related controls in place. For example, documenting and testing controls over significant estimates will most certainly overlap other processes - such as Revenue and Accounts Receivable - and it will bring the areas of highest concern and complexity to the forefront of management's assessment process.
A critical mistake many organizations made in the past was in applying a "blanket" approach. Documentation was created and testing of controls was executed at the same level of detail for each process regardless of the comparable risk level. Using this approach, a process involving routine transactions such as payroll, e.g., might receive the same level of time, effort and focus in creating evidential matter as the process relating to significant estimates in financial reporting.
How Important Is It To Improve And Emphasize Entity-level Controls?
A renewed focus on entity-level controls should also be a priority for management and for the external auditor, particularly for the non-accelerated filer. Identifying opportunities to implement entity-level controls will improve the organization's control environment and should also impact the work level required to document and test controls at the process level. Often these controls already exist within the organization but have not been formalized.
AS5 indicates that certain entity-level controls might be at the right level of precision to adequately prevent or detect a material misstatement of the financial statements. For example, executive management might conduct an analytical review of the monthly financials. Typically, the issue from a SOX 404 perspective is that the review (i) might not occur at an appropriate level of detail, (ii) lacks documentation of anomalies and unexpected results and (iii) the investigation and resolution is conducted through verbal communication.
Management should focus on improving entity-level controls, including increasing their precision level. Management should also emphasize maintaining proper documentation in evidencing such controls to reduce additional work at the process level in documenting and testing the controls to mitigate the risk. Management should voice its plans to increase the precision level and operation evidence of entity-level controls in the first discussion with the external auditor. This allows the auditor to give management feedback on how the evidential matter on the effectiveness of entity-level controls may impact the auditor's assessment process.
Also at the entity level, AS5 emphasizes the importance of the audit committee. In fact, ineffective oversight of the company's external financial reporting and ICFR by the organization's audit committee is cited as a strong indicator of a material weakness. During management's assessment process, the audit committee should receive status reports as well as details relating to deficiencies in the design and operating effectiveness of internal controls to keep them well informed.
It is important to note that both AS5 and the SEC guidance have aligned the definition of material weakness in internal controls to that defined in Exchange Act Rule 12b-2 as a deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.
How Can Management Effectively Address The Auditor's Ability To Leverage The Work Of Others To The Greatest Extent?
Still among the most challenging areas in the new guidance is the concept that increasing the auditor's ability to use the work of others should reduce duplication of effort and the hours required to test and document the operating effectiveness of internal controls. In order for management to capitalize on this concept, a critical conversation with the external auditor must occur at the onset of management's assessment process.
The most important factors that the external auditor must consider are the qualifications and the objectivity of the individuals testing the operating effectiveness of the controls on behalf of management. Testing performed by an internal audit function or external consultant reporting directly to the audit committee, as opposed to management, can provide a layer of independence that the external auditor might require.
Finally, management should ask the external auditor if there are elements required within the documentation that would allow the auditor to place greater reliance on the work performed by others. For example, documentation created during the testing of the operating effectiveness of the controls might be better received by the external auditor if specific elements are captured during the testing process. Management should be encouraged to gain an understanding of the auditor's testing and documentation requirements. This understanding will allow management to modify their own documentation, if needed, or use templates provided by the auditor in order to reduce duplication of effort.
Published September 1, 2007.