Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect. A Smaller Public Company Perspective


Smaller public companies were required to comply with the management assertion requirement of Section 404 of the Sarbanes-Oxley Act for their annual report filings for fiscal years ended on or after December 15, These companies will be subject to the auditor attestation requirement of Section 404 for those annual reports filed for fiscal years ended on or after December 15, This paper explores considerations for smaller public companies as they prepare for their first auditor attestation of internal control over financial reporting.

Introduction

Many smaller public companies will soon be subject to their first auditor attestation. For those holding out hope that the U.S. Securities and Exchange Commission (SEC) might eliminate, or limit in some way, the attestation requirement for smaller public companies, insights as to the SEC's likely future actions were suggested in written responses by SEC chairwoman, Mary Schapiro, to questions she received from Senator Carl Levin during her confirmation process. In her letter to Senator Levin, Ms. Schapiro provided insight into how she will differ from her predecessor, Christopher Cox. With respect to Sarbanes-Oxley compliance, she noted that "it's time we bring uniformity to the system." This point virtually assures the markets that the auditor attestation of management's assertion on the effectiveness of internal control over financial reporting (ICFR) eventually will become a reality for smaller public companies.

Many smaller public companies are already reporting on ICFR. AuditAnalytics.com released a report detailing its analysis of Year Four Sarbanes-Oxley filings. The analysis revealed that for filings through September 10, 2008, the SEC received 3,435 annual reports with an unattested management assertion on the effectiveness of ICFR, i.e., an internal control report was filed by management without an accompanying auditor attestation.
Of those management assessments, 1,053 provided an adverse assessment regarding the effectiveness of ICFR, an adverse opinion rate of 30.7 percent. This is significantly higher than the 16.9 percent adverse opinion rate for first-year filings by larger accelerated filers several years ago. The higher percentage suggests that smaller public companies are having more difficulty establishing and maintaining effective ICFR than larger companies.

In the first four years of Sarbanes-Oxley filings to date, the rate of adverse opinions for accelerated filers has declined year-to-year. If nonaccelerated filers were to experience the same trend, a smaller percentage of adverse opinions would occur in future filings. However, an important factor to consider is the potential effect of auditor attestations. The emergence of the additional Sarbanes-Oxley attestation requirement, which is the context for the Public Company Accounting Oversight Board's (PCAOB) Guidance for Auditors of Smaller Public Companies issued in January 2009, all but changes the dynamics of the assessment of ICFR for smaller public companies. The additional scrutiny of the external auditor directed to a company's ICFR may impact the rate of adverse opinions for smaller public companies, which have now begun filing their second wave of internal control reports.

This paper explores considerations for smaller public companies as they prepare for their first external auditor attestation over ICFR.

Protiviti, Auditor Attestation of ICFR

The External Auditor's Role: What You Can Expect

In January 2009, the PCAOB published its final staff guidance on Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies. While AS5 provides direction to auditors on scaling the audit based on the company's size and complexity, many were of the view that more practical guidance was needed to achieve the goal of reducing the disproportionate cost burden of Section 404 attestation requirements on smaller companies in relation to their larger counterparts.

The guidance represents the PCAOB staff's views on how auditors can apply certain aspects of AS5 to audits of smaller, less complex public companies. It also explains and illustrates how auditors can address some of the particular challenges for performing audits of ICFR in these challenging environments. Although the PCAOB's guidance is directed toward the auditing community, there are some key takeaways for management of smaller companies as they prepare for their first external auditor attestation of ICFR.

1. Emphasize tone at the top

The control environment and its impact on behavior and the integrity of financial reporting are important areas to an auditor. Auditors will look for evidence of the tone set by management. The entity's code of ethics, management's operating style, clarity of roles and responsibilities, and a strong audit committee are examples of what the auditor will be looking for in this regard.

2. Start at the top when identifying key controls

Understand how entity-level controls can affect the evaluation of controls at the process level. Management can rely on entity-level controls in lieu of process-level controls if the precision of these controls is sufficient in terms of detecting and correcting material errors and omissions.
Strong entity-level controls could translate into less work assessing controls at the process level. That, in turn, can translate into less external auditor testing because it can affect the nature, timing and extent of the auditor's procedures. In addition to the control environment, entity-level controls include controls to monitor results of operations, controls over the period-end financial reporting process and controls to monitor other controls.

3. Focus on risk

Each risk and each control are not created equal. Management should focus on risk throughout the assessment process and modify the evaluation approach with respect to controls' operating effectiveness according to both the risk of material misstatement and the risk of control failure (collectively referred to as "ICFR risk"). If a matter is significant from an ICFR risk standpoint, then focus on it. If it does not relate to risk, then it is not relevant to management's assessment under Section

4. Understand the risk of management override

Many smaller companies have a strong leader, which is why they are successful. This leader often has the knowledge and authority to override financial reporting procedures. The auditor knows that management override of established controls can occur more easily in a smaller company than in a larger one. Accordingly, auditors will look for controls that prevent or detect management override and ensure fair and reliable financial reporting.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance specifically for smaller companies, entitled Internal Control over Financial Reporting: Guidance for Smaller Public Companies, that was developed at the SEC's request to make COSO's Internal Control: Integrated Framework easier and more cost-effective for smaller companies to apply.
In that guidance, COSO points out four things management of smaller companies can do to mitigate the risk of management override:

- Maintain a corporate culture emphasizing high integrity and ethical values.
- Have an effective whistleblower program.
- Leverage an internal audit function to detect instances of wrongdoing and ensure the function has a direct line of reporting to the board of directors or audit committee.
- Have a qualified board of directors and audit committee that take their responsibilities seriously.

Management should anticipate that auditors will consider the above during the audit process.

5. Recognize the impact of having less formal documentation

Documentation is a source of evidence. The form, extent and availability of documentation can affect not only management's body of evidence to support its assessment, but also can impact the auditor's testing strategy. It is more challenging to audit the effectiveness of ICFR as an outsider when less documentation is available. This does not mean that management must create volumes of documentation solely for the purpose of providing evidence for the external auditor to review and test. However, management of smaller companies should meet with their auditors early in the process to enable the auditors to develop an effective audit strategy for processes or controls where minimal documentation exists. During those meetings, management may identify relatively minor changes in how controls are executed or evidenced that will limit issues during the testing process.

6. Segregate incompatible duties or identify alternative controls

There are inherent limitations in segregating incompatible functions in companies that have fewer employees. However, management needs to understand the risks associated with a lack of segregation of duties and assess whether there are any alternative controls that achieve the same objective, such as the use of external resources and additional management oversight and review. The COSO guidance gives some practical examples of controls to help reduce the risk when incompatible duties are not segregated:

- Review reports of detailed transactions: managers review system reports of the detailed transactions on a regular and timely basis.
- Review selected transactions: managers select transactions for review of supporting documents.
- Take periodic asset counts: managers periodically conduct counts of physical inventory, equipment or other assets and compare them with the accounting records.
- Check reconciliations: managers from time to time review reconciliations of account balances such as cash, or perform them independently.

Segregation of duties is not an end in itself, but rather a means of mitigating a risk inherent in processing transactions. When assessing ICFR in a company with limited ability to segregate duties, management should consider whether there are other controls that reduce the risk to an acceptable level.

7. Know your information technology controls

Every company relies on technology, at least to some extent, to operate its business and report financial results. Smaller companies with less complex IT infrastructure may have challenges with maintaining general and application controls of computer information systems. To be well-prepared for the auditor attestation, management should be familiar with the PCAOB's guidance related to how the IT environment impacts the auditor's risk assessments, selection of controls to test, tests of controls, and other audit procedures. The PCAOB staff discusses the characteristics of a less complex IT environment, how to determine the scope of the evaluation of IT controls (including IT-related risks), controls dependent on IT, and the impact of IT control deficiencies on tests of other controls. Finally, the staff details the various types of IT controls and how they may operate in a smaller company.

8. Anticipate an evaluation of your financial reporting competencies

Smaller companies may have difficulty recruiting and retaining certain competencies in addition to having resource constraints that might prevent them from hiring those same competencies. The auditor is required to evaluate a company's financial reporting competencies, including evaluating any external resources involved in a smaller company's financial reporting process. Management will be a step ahead if it has already made the assessment and addressed any gaps.
The bottom line related to the auditor attestation is this: Knowing the rules that the external auditor is required to play by and engaging the auditor early in the process puts management in the best position for success.

Applying 20/20 Hindsight: What We Have Learned So Far

What can be learned from the smaller company management assessments of ICFR that have already taken place? The AuditAnalytics.com report of Year Four Sarbanes-Oxley filings included an analysis of the material weakness disclosures for companies filing an unattested management assertion. That analysis noted the following types of internal control issues that were cited most frequently (listed in order of the highest prevalence):

1. Inadequate accounting documentation and policies
2. Accounting personnel issues
3. Segregation of duties
4. Material and/or numerous auditor year-end adjustments
5. Information technology, software, security and access issues

To dig a little deeper, 849 companies disclosed an issue with accounting documentation and policies, which translates into one in every four companies that filed only a management assertion. In addition, one in every five companies disclosed accounting personnel issues. Recognizing that these issues, as well as others, are ones that smaller, less complex companies have encountered historically, it seems likely that they are not going away anytime soon. Smaller companies will continue to struggle in these areas due to a variety of challenges that make maintaining cost-effective internal control more difficult than at larger companies:

- Lack of resources to achieve adequate segregation of duties
- Limited technical resources to assure controls over data and information systems
- Management's ability to dominate activities, which increases the opportunity for management to override established controls
- Recruiting and retaining personnel with appropriate experience and skill in accounting and financial reporting matters

Because of these challenges, management of some smaller public companies may conclude that the cost of internal control in certain financial reporting areas may outweigh the benefits of adding resources the company simply cannot afford.
If so, such internal control deficiencies, along with management's rationale for accepting them, must be disclosed. The Section 404 reporting process provides a platform for such disclosures. Following are examples:

A technology company reported in its 2008 management ICFR assessment:

"Due to the Company's small size and lack of resources and staffing, the Chief Financial Officer is actively involved in the preparation of the financial statements and therefore, cannot provide an independent review and quality assurance function within the accounting and financial reporting group. The limited number of accounting personnel results in an inability to have independent review and approval by the Chief Financial Officer of financial accounting entries. There is a risk that a material misstatement of the financial statements could be caused, or at least not be detected in a timely manner, due to this insufficient segregation of duties."

A company that plans, designs, builds and maintains mission-critical facilities reported in its K the following management ICFR assessment:

"The following material weaknesses in our internal control over financial reporting were noted at December 31, 2007: (I) we did not have the ability to segregate duties; (II) we lacked the formal documentation of policies and procedures that were in place; (III) we lacked adequate financial personnel; (IV) we lacked general computer controls and adequate procedures involving change management, and; (V) controls are inadequate to reasonably assume compliance with generally accepted accounting principles related to revenue."
A construction company reported in its K the following assessment:

"Based on our assessment described above, management has concluded that our internal control over financial reporting was not effective during the year ended December 31, Management has determined that (I) insufficient staffing and supervision resources and (II) inability to detect the inappropriate application of United States GAAP principles are material weaknesses in our internal control over financial reporting.

The Company historically has had limited staff and financing. In December 2007, we appointed a new Interim CFO, who is a CPA and has significant experience in accounting operations, auditing, and internal control systems. In the future, we intend to hire additional qualified personnel to allow for adequate separation of duties."

The above control deficiencies, as reported, resulted in material weaknesses, leading to a conclusion that ICFR is ineffective. Management must decide if these deficiencies should be remediated. If not, management must disclose the rationale why, which almost always will be due to limited staff and resources and a conclusion that it is not economically feasible to add additional staff and resources at the present time. If management is of the view that the deficiencies will be remediated, disclosure of the remediation plan, as illustrated in the third example above, is appropriate. If material weaknesses continue unabated, it is up to shareholders and prospective investors and lenders to assess whether management's assessment and plan, as disclosed, makes sense given the size and scale of the business or is evidence the company is not willing to pay the price of being a public company.

Preparing for the Attestation Process: Where to Start?

Due to the unique aspects of a smaller public company, there are six key decision points along the Section 404 compliance process that represent areas for aligning management's assessment approach and the auditor's attestation process in the early stages.
[Figure: flow from START through the six decision points to File Internal Control Report. Decision points shown:
- Select significant financial reporting objectives and related accounts
- Select effectively designed key controls addressing each relevant financial reporting objective
- Decide documentation standards at different levels of risk
- Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness of key controls
- Determine locations and units to include into scope
- Establish methodology to assess severity of control deficiencies at the conclusion of the evaluation process]

Why are these decision points so important? It is critical that smaller public companies understand the potential differences in the way the external auditor may approach these decisions as opposed to management. If one lesson has been learned by larger companies in working with external auditors in the Section 404 space, it is this: There is no upside to significant disconnects between the company's and the auditor's risk assessments and scoping processes. Although, in theory, the SEC guidance and COSO guidance allow management of smaller companies much more flexibility in exercising judgment during the risk assessment and scoping process, any significant disconnects between management and the auditor on the six decisions cited above will usually drive up costs and present problems if issues should arise. Therefore, management should take the necessary steps to ensure the auditor fully understands the company's rationale driving the approach and scopes applied during the compliance process.

The six decisions provide a context for management's dialogue with the external auditor. The risk of disconnects between management and the auditor increases if any of the following occur:

- The auditor does not obtain an understanding of management's assessment process.
- Management does not involve the auditor at specific checkpoints, as management applies a top-down, risk-based approach.
- Management does not document the rationale for company decisions when applying the top-down, risk-based approach. (See inset on page 8 for further commentary on documentation.)

It is best practice for management to engage the auditor in dialogue throughout the compliance process, particularly during the early stages. The effective and efficient application of the top-down, risk-based approach advocated by both the PCAOB and the SEC makes this communication critical. The external auditor's application of a top-down, risk-based approach can be greatly augmented by and reach the highest level of efficiency when the auditor understands management's application of that approach.

While obviously important, the determination of materiality is not included in the list of decisions. The assessed level of materiality is implicit in all of the six decisions and is explicitly considered in some of them.

There is another vitally important reason why the six decision points introduced here are so critical. If management and the external auditor can agree on these six decisions, it leaves open the one remaining critical decision: the testing of operating effectiveness. This particular decision is the most natural point of divergence between management and the auditor in their respective evaluations of ICFR. Since management is an insider and the auditor is not, the two parties do not begin at the same point of knowledge when designing the necessary tests of operating effectiveness.
The key point is this: The difference between management and the auditor in their respective approaches to testing operating effectiveness will be much smaller if there is convergence on the six decision points. A well thought-out and repeatable (structured) management assessment process maximizes audit cost-effectiveness. To be repeatable, management must generally document the supporting rationale for its decisions about the key financial reporting objectives and key controls. The good news is that much of this rationale documentation is a one-time investment.

Commentary: Learn the Lingo

It's generally understood that Sarbanes-Oxley is primarily about preventing material misstatements in financial reports through effective internal control. However, if you read different authoritative guidance on the topic, you'll notice different terms are used when discussing how to scope Sarbanes-Oxley compliance efforts. For example, the PCAOB talks about assertions, the SEC refers to financial reporting risks, and COSO focuses on financial reporting objectives. Why the difference? The PCAOB guidance is directed to financial statement auditors who look to accounting and auditing standards to guide their work. Financial reporting assertions (e.g., completeness, presentation, valuation, etc.) are the language of accountants and auditors. COSO and the SEC have a broader audience and therefore use less accounting-specific terms. The PCAOB sums it up nicely in AS5 when it states the auditor can use assertions different than those listed in the standard as long as the auditor has selected and tested controls over the pertinent risks in each significant account and disclosure that have a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated.

Following is a detailed review and discussion of each of the six key decisions and how they apply to the smaller company.

Decision 1: Select significant financial reporting objectives and related accounts

Companies can gain the most efficiency by focusing only on those financial reporting objectives that are material to the financial statements. To do this, start with the company's financial statements and identify relevant business activity and process objectives that can materially impact the financial statements. This ensures the focus is on those objectives that really matter.

When identifying whether a financial reporting objective is materially relevant under a top-down, risk-based approach, management should consider both quantitative materiality as well as such qualitative factors as the susceptibility of the financial statements and supporting account balances, transactions or other supporting information to a material misstatement. This means that it is not appropriate to consider a financial reporting objective or related account as high risk solely on the basis of quantitative factors alone. The goal is to evaluate the inherent risk of material misstatement, without considering the effective operation of controls. Risk factors relevant to the risk of material misstatement include, among others:

- Size and composition of the underlying account balances or transactions
- Susceptibility to misstatement due to error or fraud
- Volume of activity, complexity and homogeneity of the transactions processed
- Nature of the disclosure or underlying accounts
- Complexities in accounting and reporting
- Exposure to losses, as well as to significant contingent liabilities
- Existence of related-party transactions

As noted above, management should document the rationale for the company's choices when selecting significant financial reporting objectives and related accounts.
Decision 2: Select effectively designed key controls addressing each relevant financial reporting objective

The top-down approach starts with entity-level controls and progresses to the most important processing controls. This decision is about selecting those controls, and only those controls, that address the most critical financial reporting objectives, and evaluating the effectiveness of their design. This is an important decision because it addresses what accelerated filer experience has shown to be the most significant cost driver of the process: the number of key controls to evaluate and test. If management's understanding of the control environment is sufficient and that understanding is documented in reasonable detail, then it is more likely that the application of the top-down approach will result in selecting the control set that is the most effective in mitigating financial reporting objective risks.

There are two key areas of focus for this decision point. First, entity-level controls are the starting point for selecting key controls. Second, if additional evidence is necessary to provide reasonable assurance that a financial reporting objective is met, other necessary controls must be identified and evaluated.

The SEC identified three categories of entity-level controls:

1. Controls with an important, but indirect, effect on the likelihood a misstatement will be detected or prevented; many controls in the control environment fall into this category
2. Controls that monitor the effectiveness of other controls, allowing reduction in controls testing
3. Controls designed to operate at a sufficient level of precision to prevent or detect misstatements

The absence of the first category of entity-level controls (the controls having an indirect effect on significant financial reporting elements) increases the risk of control failure. The existence of the second and third categories of entity-level controls reduces the scope of testing process-level controls.

With respect to identifying other key controls after entity-level controls are considered, management should identify the process-level monitoring controls used to manage the important processes affecting financial reporting and determine their level of precision. If a monitoring control operates at an appropriate level of precision to address a financial reporting objective, additional controls may not need to be identified or assessed for that objective.

Decision 3: Decide documentation standards at different levels of risk

Similar to Decision 2, a decision about documentation starts at the entity level. From there, it works down to the process level. Many large companies have extensive documentation to support their more complex and often decentralized operations. For smaller companies, however, extensive documentation may not exist. Smaller companies generally have fewer people working more closely together and their more frequent interaction results in less reliance on formal policies and procedures to ensure financial reporting objectives are met. That is why inadequate accounting policies and documentation have been the number one cause of material weaknesses for smaller public companies, followed by accounting personnel and segregation of duties issues.

The SEC's Sarbanes-Oxley Section 404: A Guide for Small Business states, In a smaller company with centralized financial reporting, management's daily involvement with the business may provide it with adequate knowledge to identify the financial reporting risks and related controls. Smaller companies that are more complex may need to develop additional documentation of major processes within the accounting systems and important control activities to support management's assertions regarding the effectiveness of internal controls.
A new consideration with the introduction of the auditor attestation process is that management's documentation likely will be used by the auditor to support the auditor's assessment of the effectiveness of ICFR. Therefore, if management has more ICFR documentation that is available for the auditor to use, audit fees probably would be lower.

The nature and extent of the documentation should be a function of the risk and complexity of the financial reporting objectives and related accounts, as well as the ability to facilitate an understanding of the likely sources of misstatements (i.e., "What can go wrong?") and identify the key controls. An overall understanding is needed of the control environment and the flow of major transactions. An adequate understanding of the flow of major transactions and of the control environment at the process level enables management, and the auditor, to properly source the risk of material error or fraud and determine whether the selected key controls are properly designed to mitigate that risk.

To achieve that understanding, management can use walkthroughs and discussions with, and involvement of, process owners who are sufficiently knowledgeable about the processes and systems underlying the critical financial reporting accounts and disclosures. However, if company personnel are not sufficiently knowledgeable of the control environment or lack a sufficient fact base supporting their input to the top-down approach, then the company must document the control environment sufficiently to obtain the requisite understanding. In summary, the top-down approach is easier to apply when there is an understanding of the flow of critical processes affecting the significant financial reporting objectives and the interface of such processes with the company's key systems.

Commentary: The Documentation Dilemma: How Much is Enough?

Many companies have concerns about the time and expense associated with creating documentation for the sole purpose of supporting their assessment of ICFR. Protiviti does not advocate a blanket more-is-better approach to documentation; rather we believe management needs to have enough documentation to ensure the assessment is a repeatable process and to avoid any second-guessing in the fourth quarter when management may be asked by the auditor to justify scoping decisions made months earlier. When it comes to documentation at smaller companies, there is no cookie-cutter approach.

The SEC reinforces this point in their Sarbanes-Oxley Section 404: A Guide for Small Business when it states, Management is responsible for maintaining reasonable support for its assessment. The SEC's guidance doesn't make this decision for you because we recognize that what's reasonable will depend on the nature, size, and complexity of each company. It will also vary based on the internal control risk that management has identified. (Obtain this SEC guidance at

Decision 4: Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness of key controls

This decision relates to understanding whether controls actually work in practice and the type of evidence management must gather to make that determination. Under the SEC's interpretive guidance for management, ICFR risk is considered when determining the evidence management needs. This determination will impact the nature, extent and timing of tests of controls. ICFR risk has two components:

- The risk of misstatement
- The risk of control failure

These two components drive management's determination of what to test, who does the testing, when to perform testing and how testing should be done. The higher the risk, the more persuasive the evidence needs to be. The lower the risk, the less persuasive the evidence needs to be. See the figure below for a visual depiction provided by the SEC.

[Figure: How Much Evidence Do You Need to Establish that Internal Controls Are Effective? Axes: Risk of Misstatement in Financials and Risk of Control Failure. Source: The SEC's Sarbanes-Oxley Section 404: A Guide for Small Business]

If more persuasive evidence is required, there is a greater need to identify and document controls and to complete objective tests of those controls. If less persuasive evidence is required, management can rely on self-assessment and process-owner supervision.
Under a top-down approach, the extent of robust entity-level controls and monitoring plays a strong role in this important assessment. When accelerated filers initially implemented Section 404 compliance, most of the evidence gathered to formulate a conclusion on operating effectiveness was through detailed manual testing. As the compliance process evolved over the years for accelerated filers, they applied a more top-down, risk-based approach. They also moved to an increased reliance on self-assessment, entity-level and process-level monitoring, as well as automated controls, all of which reduced the extent of their reliance on detailed manual testing. This transition is illustrated in the schematic below and was accomplished through a well-managed control environment that is more systems-based and preventive in nature. The message is that management must have improved transparency in the performance of the key controls.

[Schematic: Optimize Controls. The mix of evidence shifts from testing of manual controls toward self-assessment, entity-level monitoring, process-level monitoring and testing of automated controls, with a more preventive control environment. Labels: Increased Transparency, Cost, Sustainability]

One of the keys to applying a top-down, risk-based approach is the evaluation of control failure risk, which should be explicit for each key control. For example, factors that affect the risk of control failure include:

- The nature and materiality of misstatements that the control is intended to prevent or detect
- Whether there is a history of errors
- The effectiveness of entity-level controls, especially controls that monitor other controls
- The complexity of the control, the frequency with which it operates and the degree to which it is dependent on other controls
- Whether the control is people-based or systems-based
- The competence of the personnel performing the control
- Whether there have been significant changes in personnel, processes or systems, or in the volume or nature of transactions processed

Based on this assessment, management might differentiate higher risk, normal risk and lower risk of control failure. The key is to understand the impact of these assessments on testing scope decisions so that management can choose the appropriate way to evaluate controls' operating effectiveness.
Management should also be aware that the type and extent of testing performed by the company can impact the extent of testing performed by the external auditor, particularly if the testing is performed by a competent and objective party. If the external auditor reduces audit testing, there will be a corresponding reduction in audit fees. PCAOB Auditing Standard No. 5 requires auditors to consider whether and how to use the work of others. If management is interested in having the external auditor use its testing as audit evidence (which could reduce the amount of auditor testing otherwise required), it needs to understand the principles and rules the auditor intends to apply when making scoping decisions so that management can plan the company's evaluation approach appropriately. Obviously, this is an area that warrants dialogue with the auditor.

The primary criteria for using the work of others continue to be around competence and objectivity. According to the PCAOB:

- Competence means the attainment and maintenance of a level of understanding and knowledge that enables personnel to perform ably the assigned tasks.
- Objectivity means the ability to perform assigned tasks impartially and with intellectual honesty.

Companies interested in the potential efficiencies realized when the auditor relies on management's testing should talk to their auditors about it sooner rather than later. They also should be familiar with the PCAOB's criteria around objectivity and competency.

Decision 5: Determine locations and units to include into scope

When it comes to deciding which locations should be included in the scope of testing, all locations are not created equal. Use ICFR risk when evaluating multilocation scoping decisions. The focus on the degree of ICFR risk suggests the following:

- Business units or locations that contribute significantly to financial results and company operations typically are selected in scope if they include critical processes that impact key financial reporting objectives.
- A location or unit that is not individually important from a financial reporting standpoint may present specific risks that create a reasonable possibility of a material misstatement.
- If management determines that the ICFR risk of the controls at individual locations or business units is low, management may gather evidence through self-assessment routines or other ongoing monitoring activities, combined with the evidence derived from a centralized control that monitors the results of operations at individual locations.

Entity-level controls also may provide sufficient evidence in certain circumstances. For example, the SEC states: "Management may determine that financial reporting risks are adequately addressed by controls which operate centrally."

Decision 6: Establish methodology to assess severity of control deficiencies at the conclusion of the evaluation process

The primary focus of the ICFR assessment is on identifying material weaknesses, and the process of evaluating deficiencies should incorporate this focus. As discussed earlier, many smaller companies encounter unique challenges when implementing cost-effective ICFR.
Therefore, it may be difficult to design cost-effective solutions to address deficiencies due to many factors, including lack of resources to achieve segregation of duties, limited technical resources and the potential for management to override established controls. The existence of these challenges at smaller companies may, by itself, cause some to conclude there is at least a significant deficiency or, at worst, a material weakness. Therefore, it is extremely important not only to consider but also to document the rationale for evaluating deficiencies.

Furthermore, the evaluation process should assess internal control in its totality, including the impact of entity-level controls, monitoring controls and compensating controls, if any. With respect to the latter point, the SEC states in its interpretive guidance for management, "Compensating controls are controls that serve to accomplish the objective of another control that did not function properly, helping to reduce risk to an acceptable level." If compensating controls are considered in this regard, management must have evidence that they are operating effectively.

A deficiency must be evaluated in the context of risk. In other words, how likely is it that a misstatement would occur and what is the magnitude of a potential misstatement? However, companies should not use the evaluation process to systematically rationalize away deficiencies. The ultimate test is one of a reasonable and prudent person applying his or her judgment based on the facts available. Be prepared for the external auditors to ask tough questions about the results of the company's deficiency evaluation.

Summary of the six decisions

One of the most commonly asked questions about Section 404 compliance relates to the cost of the initial auditor attestation of the effectiveness of ICFR at a smaller public company. The answer is, "It depends." Many factors come into play, including the nature and complexity of operations and financial reporting, the extent of ICFR documentation, the nature and timing of testing performed by management, as well as the extent of testing documentation. Following is a brief summary of the six decisions:

Key Section 404 Decision Points

1. Select significant financial reporting objectives and related accounts
2. Select effectively designed key controls addressing each relevant objective
3. Decide documentation standards at different levels of risk
4. Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness
5. Determine locations and units to include into scope
6. Establish methodology to assess severity of control deficiencies at the conclusion of the evaluation process

Key Points for Implementing a Top-Down, Risk-Based Approach

- Use quantitative and qualitative factors to identify only those objectives that are material.
- Take the time to document rationale; it will save time in the long run.
- Begin top-down, starting with entity-level controls.
- Take credit for monitoring controls that operate at a sufficient level of precision.
- Start at the entity level and work down; documentation is driven by ICFR risk.
- Management's documentation will likely be used by the auditor to support their assessment of ICFR.
- When determining tests of controls, consider ICFR risk.
- If the company is interested in the potential efficiencies realized when the auditor relies on management's testing, talk to the auditor about it sooner rather than later.
- Be familiar with the PCAOB's criteria around objectivity and competency.
- Use ICFR risk when evaluating multilocation scoping decisions.
- Focus solely on material weaknesses, looking at internal control in its entirety, but be careful not to systematically rationalize away deficiencies.

To reiterate the premise of this paper, if management and the external auditor can agree on these six decisions, life will be easier during the attestation process.

A simple approach

We recommend a straightforward, six-step approach that is consistent with COSO's guidance for smaller companies. This approach will help smaller companies execute a cost-effective Sarbanes-Oxley compliance process that is rightsized for their organization and the level of complexity of their environment. The approach emphasizes focused attention on completing each of the six steps according to recommended time frames (e.g., see the fiscal-year quarters noted in the schematic below). The idea is to help management of smaller companies avoid the year-end fire drills experienced by accelerated filers during their first auditor attestation.

[Schematic: The 20 Principles from COSO's ICFR Guidance for Smaller Public Companies, with the six steps, their activities and time frames as listed below]

Plan (Q1)
- Identify roles and responsibilities
- Develop project plan and timeline
- Define reporting requirements
- Set the tone

Scope (Q1)
- Identify financial reporting objectives and related processes and business units
- Identify key IT applications
- Complete entity-level control assessment

Document (Q1/Q2)
- Document key processes, risks and controls
- Link entity-level controls to process risks and financial reporting objectives
- Assess segregation of duties

Evaluate (Q1/Q2)
- Evaluate controls design
- Determine plan to remediate design deficiencies
- Track remediation efforts

Test (Q3/Q4 *)
- Test key controls
- Identify ineffective controls
- Track remediation efforts to address ineffective controls
- Re-test key controls as necessary

Assess (Q4/Beyond)
- Evaluate severity of remaining control deficiencies
- Evaluate effectiveness of overall control environment
- Formulate final conclusion
- Develop report

Ongoing Communication with Management, Process Owners, External Auditors and Audit Committee

* Certain quarterly controls and year-end controls may be tested subsequent to the end of the fiscal year.

See Exhibit 1 for a more detailed explanation of the activities for each step in this approach and the keys to success.

The Keys to Success: Avoid Delay, Become Educated, Be Prepared

There certainly is not a cookie-cutter approach to Sarbanes-Oxley compliance for smaller public companies. Each company's situation is unique. We suggest that companies become educated about the six decisions and the six-step approach we have outlined herein. What it all boils down to is that the Section 404 compliance process may take a new twist now that the auditors are joining the playing field at smaller public companies. As outsiders, they will have a different perspective from management, which has day-to-day involvement in the running of the company. Companies that are most knowledgeable about the authoritative guidance and that understand their options are best positioned to increase the cost-effectiveness of their compliance process while minimizing surprises resulting from too many cooks in the kitchen. A focus on the six decisions and the six-step approach will help ensure a successful outcome to the process.

In closing, we recommend the following:

- Don't delay. Engage your external auditor in substantive discussion about the six key decision points.
- Educate yourself and insist that your evaluation team (including your internal auditors) do likewise. For example, ask your evaluation team to understand the SEC interpretive guidance for management as well as the PCAOB's An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies. Knowledge is power.
- Apply a well thought-out and repeatable, top-down, risk-based approach. Protiviti can help with this, using the six-step approach.
- Don't do more than what you have to do. Compliance with Section 404 requires the exercise of considerable judgment, which can lead the evaluation team to do more work than necessary if the thought process for rationalizing the scope of work is not top-down and risk-based.
- Focus on risk throughout the process. A risk-based approach maximizes the cost-effectiveness of the Section 404 process.
- Look at how you manage and monitor your business and give yourself credit for what you do. Reliance on effective monitoring can reduce the extent of reliance on detailed manual testing.
- Learn from others' mistakes. Take a close look at your controls by carefully considering the top weaknesses identified by smaller companies in Year Four of Sarbanes-Oxley compliance. These areas of weakness are prime targets for auditors.
- Don't forget to focus on the risk of fraud and management override. It will help you manage the audit process.
- Exploit identified deficiencies by turning them into process and control improvements. Timely remediation of deficiencies reduces the risk of a material weakness.
- Finally, be prepared to:
  - Challenge the status quo.
  - Proactively engage in a dialogue with the external auditor.
  - Answer questions your audit committee may ask about the dynamics of having your external auditor evaluating your ICFR.

Remember that time is of the essence. Start now if you want to ensure you are prepared for your first auditor attestation of the effectiveness of ICFR.

Exhibit 1: Six-Step Approach (Plan, Scope, Document, Evaluate, Test, Assess)

Key Activities

- Identify project sponsor and team members and define roles, responsibilities and resources.
- Develop project plan, approach and reporting requirements.
- Establish tone and importance of the project.
- Identify/prioritize key financial reporting objectives.
- Identify key IT systems and applications affecting financial reporting as well as their interfaces.
- Identify process owners and communicate their Sarbanes-Oxley-related responsibilities.
- Define documentation standards.
- Identify key financial reporting risks (including fraud).
- Complete entity-level control assessment.
- Document targeted processes, including risks and controls.
- Link entity-level controls to key financial reporting risks.
- Determine key controls in each process.
- Identify key spreadsheets and reports.
- Evaluate user access and segregation of duties, linking unavoidable conflicts to key controls.
- Evaluate control design effectiveness.
- Prioritize control gaps for remediation and identify responsible owners.
- Track remediation efforts and establish accountability with senior management.
- Revise documentation based on remediation efforts as necessary.
- Document test plans and strategy relative to both components of ICFR risk.
- Test operating effectiveness of key controls.
- Identify control operating effectiveness issues and design remediation for significant issues.
- Track management remediation efforts.
- Re-test all control gaps as necessary based on testing strategy.
- Formulate final conclusions on individual controls.
- Provide final documentation and test results to external auditors.
- Formulate final conclusion on overall control environment.
- Plan and formulate public disclosures.

Keys to Success

- Start early.
- Ensure ownership and commitment by management and process owners (i.e., treating Sarbanes-Oxley commitment to reliable reporting as an ongoing process and a "way of life").
- Think risk throughout the planning process.
- Entity-level controls are a critical component, not an afterthought.
- Link entity-level controls directly to the specific risks to which they relate.
- Leverage operational reporting (KPIs) already utilized to manage the business as part of management's monitoring controls.
- Minimize overdocumentation and testing by using risk-based scoping.
- Emphasize appropriate controls and use of key reports and spreadsheets in key processes.
- Integrate assessment of IT systems' impact on the selection of key controls.
- Don't do more than what you have to do to comply with Section 404.
- Standardize processes across business units and centralize common activities.
- Take a cost versus benefit approach about what's reasonable to document during controls operation.
- Direct attention to improving the operational efficiency and effectiveness of upstream financial reporting processes.
- Increase reliance on entity-level and process-level monitoring controls to reduce transaction testing.
- Evaluate use of comprehensive testing techniques, such as data mining, to minimize test efforts and provide value-added insight beyond sample-based testing.
- Modify the evaluation approach according to ICFR risk.
- A deficiency only matters if it could result in a material weakness.


More information

Risk management systems of responsible entities

Risk management systems of responsible entities Attachment to CP 263: Draft regulatory guide REGULATORY GUIDE 000 Risk management systems of responsible entities July 2016 About this guide This guide is for Australian financial services (AFS) licensees

More information

Report on. 2009 Inspection of PricewaterhouseCoopers LLP. Public Company Accounting Oversight Board

Report on. 2009 Inspection of PricewaterhouseCoopers LLP. Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8433 www.pcaobus.org Report on 2009 (Headquartered in New York, New York) Issued by the Public Company Accounting

More information

) ) ) ) ) ) ) ) ) ) ) ) OBSERVATIONS ON AUDITORS' IMPLEMENTATION OF PCAOB STANDARDS RELATING TO AUDITORS' RESPONSIBILITIES WITH RESPECT TO FRAUD

) ) ) ) ) ) ) ) ) ) ) ) OBSERVATIONS ON AUDITORS' IMPLEMENTATION OF PCAOB STANDARDS RELATING TO AUDITORS' RESPONSIBILITIES WITH RESPECT TO FRAUD 1666 K Street, NW Washington, D.C. 20006 Telephone: (202 207-9100 Facsimile: (202862-8430 www.pcaobus.org OBSERVATIONS ON AUDITORS' IMPLEMENTATION OF PCAOB STANDARDS RELATING TO AUDITORS' RESPONSIBILITIES

More information

Audit Sampling. AU Section 350 AU 350.05

Audit Sampling. AU Section 350 AU 350.05 Audit Sampling 2067 AU Section 350 Audit Sampling (Supersedes SAS No. 1, sections 320A and 320B.) Source: SAS No. 39; SAS No. 43; SAS No. 45; SAS No. 111. See section 9350 for interpretations of this section.

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

How To Audit A Company

How To Audit A Company INTERNATIONAL STANDARD ON AUDITING 315 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (Effective for audits of financial statements for

More information

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal (Provisional translation) On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting (Council Opinions) Released on

More information

Control Environment Questionnaire

Control Environment Questionnaire Control Environment Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks INTEGRITY AND ETHICAL VALUES Management must convey the message that integrity and ethical values cannot be

More information

Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo www.ssfllp.com sox@ssfllp.

Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo www.ssfllp.com sox@ssfllp. From Zero to SOX Zero to SOX An Overview The goals of a program to meet SOX 404 requirements go far beyond compliance. The process of building a sustainable, comprehensive internal control environment

More information

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions Industry Sound Practices for Financial and Accounting Controls at Financial Institutions Federal Reserve Bank of New York January 2006 FINANCIAL AND ACCOUNTING CONTROLS: INDUSTRY SOUND PRACTICES FOR FINANCIAL

More information

Sarbanes-Oxley Section 404: Management s Assessment Process

Sarbanes-Oxley Section 404: Management s Assessment Process Sarbanes-Oxley Section 404: Management s Assessment Process Frequently Asked Questions ADVISORY Contents 1 Introduction 2 Providing a Road Map for Management 3 Questions and Answers 3 Section I. Planning

More information

In-Depth Guide to Public Company Auditing: The Financial Statement Audit

In-Depth Guide to Public Company Auditing: The Financial Statement Audit In-Depth Guide to Public Company Auditing: The Financial Statement Audit Why an In-Depth Guide to Public Company Auditing? The foundation for confidence in U.S. capital markets is strengthened through

More information

Auditor's Objective in an Audit of Internal Control Over Financial Reporting

Auditor's Objective in an Audit of Internal Control Over Financial Reporting November 21, 2003 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C. 20006-2803 Re: PCAOB Rulemaking Docket No. 008 Proposed Auditing Standard An Audit

More information

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION CONTENTS

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION CONTENTS INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION (Effective for assurance reports dated on or after January 1,

More information

STANDING ADVISORY GROUP MEETING

STANDING ADVISORY GROUP MEETING 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org REASONABLE ASSURANCE OCTOBER 5-6, 2005 Introduction The Board's interim auditing standards 1/

More information

) ) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) ) 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org PROPOSED AUDITING STANDARD AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN

More information

Compliance Audits 2463. Effective for compliance audits for fiscal periods ending on or after June 15, 2010. Earlier application is permitted.

Compliance Audits 2463. Effective for compliance audits for fiscal periods ending on or after June 15, 2010. Earlier application is permitted. Compliance Audits 2463 AU Section 801 Compliance Audits (Supersedes SAS No. 74.) Source: SAS No. 117. Effective for compliance audits for fiscal periods ending on or after June 15, 2010. Earlier application

More information

Sarbanes-Oxley (SOX) The Migration from Project to Process. Practical Actions for Getting Started. Jim DeLoach, Managing Director.

Sarbanes-Oxley (SOX) The Migration from Project to Process. Practical Actions for Getting Started. Jim DeLoach, Managing Director. Sarbanes-Oxley (SOX) The Migration from Project to Process Practical Actions for Getting Started Jim DeLoach, Managing Director November 7, 2006 The Results So Far? Source: AuditAnalytics.com May 2006

More information

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers As of March 14, 2005 Table of Contents Requirements of the Act.............................................................. 1 Accelerated

More information

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315 INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (Effective for audits of financial

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information

J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007 J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007 Protiviti Background Consulting firm dedicated to business and technology risk consulting, and internal audit services

More information

CHARTER FOR THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF INTUITIVE SURGICAL, INC. Approved by the Board of Directors on February 9, 2007

CHARTER FOR THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF INTUITIVE SURGICAL, INC. Approved by the Board of Directors on February 9, 2007 CHARTER FOR THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF INTUITIVE SURGICAL, INC. Approved by the Board of Directors on February 9, 2007 I. Purpose The Audit Committee (the Committee ) of Intuitive

More information

February 2015. Sample audit committee charter

February 2015. Sample audit committee charter February 2015 Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on observations of selected companies and the requirements of the SEC, the NYSE,

More information

IFRS in Asia 2008 Driving the Capital Markets of Tomorrow 10-11 October 2008, Beijing, China

IFRS in Asia 2008 Driving the Capital Markets of Tomorrow 10-11 October 2008, Beijing, China International Accounting Standards Committee Foundation, Ministry of Finance (PRC), and Shulun Pan Certified Public Accountants IFRS in Asia 2008 Driving the Capital Markets of Tomorrow 10-11, Beijing,

More information

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS INTERNATIONAL STANDARD ON 200 OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH INTERNATIONAL STANDARDS ON (Effective for audits of financial statements for periods

More information

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization Internal Audit Quality Assessment Presented To: World Intellectual Property Organization April 2014 Table of Contents List of Acronyms 3 Page Executive Summary Opinion as to Conformance to the Standards,

More information

CPCAF Comfort Letter Procedures. Copyright 2005 by the American Institute of Certified Public Accountants, Inc., New York, New York.

CPCAF Comfort Letter Procedures. Copyright 2005 by the American Institute of Certified Public Accountants, Inc., New York, New York. Comfort Letter Procedures Relating to Capsule Financial Information Presented In a Registration Statement Prior to the Issuance of the Year-End Financial Statements This white paper is not authoritative

More information

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404 INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404 OF THE U.S. SARBANES-OXLEY ACT OF 2002 May 26, 2004 Copyright 2004 by, 247 Maitland Avenue, Altamonte Springs, Florida, 32701-4201, USA Internal Auditing

More information

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION SECURITIES EXCHANGE ACT OF 1934 Release No. 77344 / March 10, 2016 ACCOUNTING AND AUDITING ENFORCEMENT Release No. 3755 / March 10,

More information

Report on. 2013 Inspection of Deloitte & Touche GmbH Wirtschaftsprüfungsgesellschaft (Headquartered in Munich, Federal Republic of Germany)

Report on. 2013 Inspection of Deloitte & Touche GmbH Wirtschaftsprüfungsgesellschaft (Headquartered in Munich, Federal Republic of Germany) 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8433 www.pcaobus.org Report on 2013 (Headquartered in Munich, Federal Republic of Germany) Issued by the Public Company

More information

International Standard on Auditing (UK and Ireland) 315

International Standard on Auditing (UK and Ireland) 315 Standard Audit and Assurance Financial Reporting Council June 2013 International Standard on Auditing (UK and Ireland) 315 Identifying and assessing the risks of material misstatement through understanding

More information

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITY TO CONSIDER FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITY TO CONSIDER FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS CONTENTS INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITY TO CONSIDER FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS CONTENTS Paragraphs Introduction... 1-3 Characteristics of Fraud...

More information

Internal Controls and Risk Management Report

Internal Controls and Risk Management Report 42 Internal Controls and Risk Management Report Responsibility Our Board of Directors has the overall responsibility to ensure that sound and effective internal controls are maintained, while management

More information

Plan for the audit of the 2011 financial statements

Plan for the audit of the 2011 financial statements INTERNATIONAL TRAINING CENTRE OF THE ILO Board of the Centre 73rd Session, Turin, 3-4 November 2011 CC 73/5/2 FOR INFORMATION FIFTH ITEM ON THE AGENDA Plan for the audit of the 2011 financial statements

More information

BDO Seidman, LLP Accountants and Consultants

BDO Seidman, LLP Accountants and Consultants BDO Seidman, LLP Accountants and Consultants 330 Madison Avenue New York, NY 10017 (212) 885-8000 Phone (212) 697-1299 Fax Via E-mail: comments@pcaobus.org Office of the Secretary Public Company Accounting

More information

FS Regulatory Brief SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule

FS Regulatory Brief SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule SEC Proposes Amendments to Broker- Dealer Financial Reporting Rule Amendments call for brokerdealers assertion of compliance with the Financial Responsibility Rules, new reviews by independent auditors,

More information

2. Auditing. 2.1. Objective and Structure. 2.2. What Is Auditing?

2. Auditing. 2.1. Objective and Structure. 2.2. What Is Auditing? - 4-2. Auditing 2.1. Objective and Structure The objective of this chapter is to introduce the background information on auditing. In section 2.2, definitions of essential terms as well as main objectives

More information

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS INTERNATIONAL STANDARD ON ENGAGEMENTS 2410 OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY (Effective for reviews of interim financial information for periods beginning

More information

Lifting the fog* Accounting for uncertainty in income taxes

Lifting the fog* Accounting for uncertainty in income taxes Lifting the fog* Accounting for uncertainty in income taxes Contents Introduction 01 Identifying uncertain tax positions 02 Recognizing uncertain tax positions 03 Measuring the tax benefit 04 Disclosures

More information

ISA 200, Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on Auditing

ISA 200, Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on Auditing International Auditing and Assurance Standards Board Exposure Draft April 2007 Comments are requested by September 15, 2007 Proposed Revised and Redrafted International Standard on Auditing ISA 200, Overall

More information

Audit Readiness Lessons Learned

Audit Readiness Lessons Learned Audit Readiness Lessons Learned Four Tips for Achieving a Smooth Audit It seems obvious: Prepare well and prepare ahead of time and the year-end audit does not have to be the painful experience most organizations

More information

Reports on Audited Financial Statements

Reports on Audited Financial Statements Reports on Audited Financial Statements 2149 AU Section 508 * Reports on Audited Financial Statements (Supersedes sections 505, 509, 542, 545, and 546.) Source: SAS No. 58; SAS No. 64; SAS No. 79; SAS

More information

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT REPORT JUNE 2010 TABLE OF CONTENTS EXCUTIVE SUMMARY... 3 1 INTRODUCTION... 5 1.1 AUDIT OBJECTIVE. 5 1.2 SCOPE...5 1.3 SUMMARY

More information

Annual Assessment of the External Auditor

Annual Assessment of the External Auditor Annual Assessment of the External Auditor TOOL FOR AUDIT COMMITTEES January 2014 ENHANCING AUDIT QUALITY AUDIT COMMITTEES iii Table of Contents Introduction 1 1. Determine the scope, timing and process

More information

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 200

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 200 INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 200 OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH INTERNATIONAL STANDARDS ON AUDITING (UK AND IRELAND)

More information

CYBER SUPPLY INC. (Exact name of registrant as specified in its charter)

CYBER SUPPLY INC. (Exact name of registrant as specified in its charter) UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM 10-K/A-1 [X] ANNUAL REPORT UNDER TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 For the fiscal year ended February

More information

STANDING ADVISORY GROUP MEETING

STANDING ADVISORY GROUP MEETING 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org RISK ASSESSMENT IN FINANCIAL STATEMENT AUDITS Introduction The Standing Advisory Group ("SAG")

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

Consultation Response

Consultation Response Consultation Response PROPOSED AUDITING STANDARD AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS PCAOB Rulemaking Docket Matter No.

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF KAISER ALUMINUM CORPORATION

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF KAISER ALUMINUM CORPORATION CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF KAISER ALUMINUM CORPORATION Purposes The Audit Committee of the Board of Directors of the Company oversees (a) the accounting and financial reporting

More information

Thomas P. O Connor, Certified Public Accountant

Thomas P. O Connor, Certified Public Accountant Phone: 708-448-5522 email: oconnortom@live.com September 30, 2011 Public Company Accounting Oversight Board Office of the Secretary 1666 K Street, N.W. Washington, D.C. 20006-2803 Reference: PCAOB Rulemaking

More information

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF ARMSTRONG FLOORING, INC. ADOPTED AS OF MARCH 30, 2016

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF ARMSTRONG FLOORING, INC. ADOPTED AS OF MARCH 30, 2016 CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF ARMSTRONG FLOORING, INC. ADOPTED AS OF MARCH 30, 2016 I. PURPOSE OF THE COMMITTEE The purpose of the Audit Committee (the Committee ) of the

More information

The Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission The Committee of Sponsoring Organizations of the Treadway Commission Request for Proposal to Develop Additional Application Guidance on Monitoring, Including Tools and Techniques October 17, 2006 The Committee

More information

International Forum of Independent Audit Regulators Report on 2014 Survey of Inspection Findings March 3, 2015

International Forum of Independent Audit Regulators Report on 2014 Survey of Inspection Findings March 3, 2015 International Forum of Independent Audit Regulators Report on 2014 Survey of Inspection Findings March 3, 2015 Executive Summary In 2014, the International Forum of Independent Audit Regulators (IFIAR)

More information

Report on. 2012 Inspection of Kost Forer Gabbay & Kasierer (Headquartered in Tel Aviv, State of Israel) Public Company Accounting Oversight Board

Report on. 2012 Inspection of Kost Forer Gabbay & Kasierer (Headquartered in Tel Aviv, State of Israel) Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8433 www.pcaobus.org Report on 2012 (Headquartered in Tel Aviv, State of Israel) Issued by the Public Company Accounting

More information

SOX FDICIA COSO 2013 Best Practices Presented by: Raji Sathappan MBA, CRCM, CAMS, CISA

SOX FDICIA COSO 2013 Best Practices Presented by: Raji Sathappan MBA, CRCM, CAMS, CISA SOX FDICIA COSO 2013 Best Practices Presented by: Raji Sathappan MBA, CRCM, CAMS, CISA Certified Public Accountants Consultants Wealth Management Technology Restatements - Mistakes that Dog Financial Reporting

More information

STAFF AUDIT PRACTICE ALERT NO. 10 MAINTAINING AND APPLYING PROFESSIONAL SKEPTICISM IN AUDITS. December 4, 2012

STAFF AUDIT PRACTICE ALERT NO. 10 MAINTAINING AND APPLYING PROFESSIONAL SKEPTICISM IN AUDITS. December 4, 2012 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STAFF AUDIT PRACTICE ALERT NO. 10 MAINTAINING AND APPLYING PROFESSIONAL SKEPTICISM IN AUDITS

More information

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 Introduction THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS (Effective for audits of financial statements for

More information