AUDIT EFFICIENCIES: IS YOUR RELIANCE STRATEGY WORKING FOR YOU? Kyleen Wissell, CRISC, PHR, RCC

Transcription

1 AUDIT EFFICIENCIES: IS YOUR RELIANCE STRATEGY WORKING FOR YOU? Kyleen Wissell, CRISC, PHR, RCC

2 Today s Agenda Background: Audit Standard #5 adopted by PCAOB and approved by the SEC in 2007 was intended to reduce the overall effort to comply with Sarbanes-Oxley. Work is expected to be completed economically and expeditiously, with more discretion and flexibility. Judgment: Complex decision tasks that require professional judgment and may be influenced by a number of factors, both external (environment) and internal (cognitive and affective), including the auditors working style and previous experiences related to barriers to auditor cooperation, objectivity and / or competence. Session Goal: Assess whether your work as an Internal Auditor and/or Management can influence greater reliance by the External Auditor and where you may be able to strengthen reliance on your work, and thereby reduce the costs of compliance and duplicative efforts which overlap. Note: Perspective is limited to business and not as an external auditor. 2

3 Topics Summarized Expectations of the External Auditor (what Auditing Standard No. 5 allows) Auditor Reliance Strategy & Approach (factors and considerations) What is the opportunity? Auditor Reliance Summary Criteria Competence of the Internal Audit Function Audit Efficiencies: Example Plans Key Questions for Considering Whether You Are Capitalizing on Auditor Reliance Opportunities Sources Q&A 3

4 Summary Expectations of the External Auditor What AS5 Allows Requirement of the Auditor: The auditor must obtain appropriate evidence which is sufficient in order to obtain reasonable assurance about whether material weaknesses exist. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of internal control over financial reporting and the amount of audit attention that should be devoted to that area. Test of Controls: It is not necessary to test 100% of controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements. Risk: Auditors are required to critically review all the areas of high risk in order to ensure that the planned procedures are adequately covered. Tests Performed Properly: The Auditor must determine this through re-performance testing. External Auditors generally select approximately 20% of control activities and re-perform a sufficient portion (judgmental) of management s testing to conclude whether the test of controls was performed properly. 4

5 Auditor Reliance Strategy & Approach Factors and Considerations Reliance: The auditors may use the work performed by, or receive direct assistance from internal auditors, company personnel and third parties working under the direction of Management. A reliance strategy means that the auditor intends to rely on Internal Audit, or others, rather than performing more hands on audit procedures in order to obtain audit evidence for themselves. This offers more possibilities towards savings when considering the average blended rate for some of the Big 4 firms is upwards of $450 an hour. Accounts: Important factors to be considered includes nature and significance of items in the accounts within the balance sheet and income statement, by assessing the: Nature of the accounts and the volume of transactions which result in significant account balances, and Taking into account any audit risks identified when analyzing the client s business. Audit Efficiencies: Those items in the accounts, which because of the limited volume of transactions or other factors, can be audited more efficiently through substantive tests rather than reliance. Examples may include share capital, long term debt and related interest expense, investments and related income (except when a large portfolio of investments is held). 5

6 Auditor Reliance Strategy & Approach Factors and Considerations (cont d) Extent of Risk: The extent to which the auditor may use the work of others will depend on the risk associated with the control(s) in scope to be tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work increases. For example, Controls over complex areas of the business, significant transactions outside of the normal course of business, journal entries, related party transactions, and controls which mitigate incentives for and pressures on management to falsify or the potential for mismanagement of financial results. Risk related to a high probability of error for areas subject to estimation or susceptible to pilferage. Risk related to the structure of the organization, especially in cases of joint ownership of an organization, whether the owners are not equally represented in Management. Risk related to controls which are not operating effectively or problem areas. Processes which have recently been transformed or changed. Number of accounting locations and the likelihood of increasing the effect of cost and the similarity of processes from location to location. Number of adjusting entries. Types of unusual or complexity of transactions of which the client is engaged. IT Risks: Identification of the risks and controls within IT should not be a separate evaluation, as application systems are linked to financials. 6

7 Auditor Reliance: What is the Opportunity? Reliance Goal: Medium and Low Risk processes and controls, as well as on lower risk Walkthroughs. Dialogue should be initiated and/or ongoing with your external auditors to determine if it s reasonable to expect benefits for your company. A preliminary understanding and evaluation of the potential for reliance should be documented. Subsequently, a framework should be developed with your external auditor which outlines or regards what work Internal Audit or others could perform. A permanent and detailed record prepared and shared. Other considerations, where if improvements were made, reliance could be achieved. Auditors are allowed to incorporate the knowledge obtained during past audits into the decision-making process for determining the nature, timing and extent of testing necessary in the current year. They can roll forward prior year s testing when the control was sufficiently tested and found to be effective. It s reasonable to expect: 90-95% reliance on Internal Audit s work for non-public clients % is possible for public clients, however not more than 2/3 of work is allowed by PCAOB. 7

8 Auditor Reliance Summary Criteria Management: It all starts with establishing materiality at the account balance level so that risk can be quantitatively and qualitatively established before risk has meaning. Inherent risk implies that we can predict where errors are most likely and least likely within the financial statement segments. Competence & Objectivity: The auditor is required to assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may rely on their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. Perceptions about competence and objectivity, developed over years of interaction, also influence these judgments as well as working relationships and styles. Current & Previous Audits: External Auditors will evaluate their experience through results of current and previous audits (tests of controls and substantive tests) as well as the integrity exhibited by Management. 8

9 Competence of the Internal Audit Function External Auditors must evaluate the existence and quality: Education and professional experience, including professional certification and continuing education related to standards for the department. Resumes of everyone involved with the audit. Audit plan and scope including the nature and extent of audit procedures. Supervision and review of internal auditor activities and work including responsibility for day-to-day work and addressing issues. Procedures being performed to ensure recommendations issued are being implemented. Remediation and corrections are consistently reported to management and followed up for closure. Visibility and status with upper management. Interaction, association and organizational reporting relationship to those charged with governance in the organization. Reporting relationship to the Audit Committee and whether relationships extend past committee meetings. Rotation of auditors to significant areas and process and including locations within the business. Relevance of coverage as it relates to how the External Auditor. Deliverables prepared by the Audit Team including the sampling approach. 9

10 Audit Efficiencies Example Plan Year 1 External Auditor places little to no reliance on Internal Audit for the walkthrough documentation process. Firm attends and documents walkthroughs to gain an understanding of all processes. Year 2 External Auditor works with Internal Audit to incorporate the firm s audit walkthrough documentation template and relies on the work of Internal Audit for low risk processes. Year 3 External Auditor plans to increase reliance on Internal Audit for certain processes, by exploring ways to more effectively utilize the business process owner s time to reduce follow up questions regarding items such as; key reports and spreadsheets, SOC-1 processes, and audit request list items. Year 4 and beyond As planning begins, External Auditor works with Management and Internal Audit to evaluate requirement for walkthroughs of all processes, and determine if audit requirements can be achieved with adjustments to the walkthrough procedures.* Note: inquiry only would likely not be sufficient enough, as guidance requires review and documentation of evidence in order to validate no key changes. 10

11 Audit Efficiencies Control Testing Example Plan Reliance is determined based on risk and complexity of the control plus other judgments Location Year 3 (# of rely controls) Canada Year 4 (# of rely controls) Approximately 63-65% reliance achieved globally in Year 3** Hong Kong Ireland Japan United Kingdom We are at the maximum reliance for controls testing, and expect similar percentage in Year 4 and beyond (dependence on continued effectiveness of internal controls) United States 45 41* Corporate 27 26* Total *Change can be attributed to different factors including a change in the number of controls, and a change in control risk levels year-over-year. **Does not include application controls at this time. 11

12 Key Questions for Considering Whether You Are Capitalizing on Auditor Reliance Opportunities Where does direct assistance make sense? Is there is a spotlight on improving the efficiency of audit-related processes? Management s oversight of Sarbanes-Oxley activities? What is the competency of the Internal Audit function? Quality of deliverables? What is the objectivity of the Internal Audit function? Management? How effective is the working relationship between Internal Audit, External Audit & Management? What is the timing or period of Internal Audit coverage versus SOX deliverables? How adequate or effectively has your Sarbanes-Oxley program been scoped? How did the organization identify key internal control processes that are financially significant? Did you take a top-down, risk-based approach? Have you determined high, medium and low risk controls? Have you identified and use direct and indirect entity-level controls? Monitoring controls? Do you have a structured approach to evaluating deficiencies? Is your internal control environment effective and sustainable? 12

13 Sources Auditing Standard No. 5 AICPA Auditing Standards Board spx Sarbanes-Oxley Compliance Journal Security and Exchange Commission Release on Auditing Standard No. 5 The Wall Street Journal Deloitte Insights 13

14 Q&A Thank you! 14