SARBANES-OXLEY SECTION 404: AN OVERVIEW OF THE PCAOB'S REQUIREMENTS


APRIL 2004

© 2004 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. 040167

PREFACE

The Public Company Accounting Oversight Board (PCAOB) has approved its Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, and submitted the Standard to the Securities and Exchange Commission (SEC) for its approval. KPMG LLP presents this document to assist management of public companies in better understanding the provisions of the PCAOB's Standard and the provisions of section 404 of the Sarbanes-Oxley Act of 2002.

This document provides details relating to management's overall responsibilities, including its required assessment and documentation of a public company's internal control over financial reporting. Further, this document provides information regarding the responsibilities of a public company's independent auditor in performing an audit of internal control over financial reporting in conjunction with an audit of financial statements.

Readers should understand and appreciate that Auditing Standard No. 2 is presently with the SEC for approval and is therefore subject to change before becoming final. Management is responsible for complying with the provisions of the Sarbanes-Oxley Act, and specifically with section 404, and should consult with legal counsel, external auditors, and other professionals in meeting these obligations.

CONTENTS

- Executive Summary
- Background
- Management's Responsibilities
- Management's Evaluation
- Assessment of the Effectiveness of Internal Control Over Financial Reporting
- Framework Used by Management to Conduct Its Assessment
- Reasonable versus Absolute Assurance and Inherent Limitations
- Example Management Assessment Process
- Plan and Scope the Evaluation
- Evaluation of IT Controls
- Multi-Location Considerations
- Consideration of Outside Service Organizations
- Document Controls
- Evaluate Design and Operating Effectiveness
- Identify, Assess, and Correct Deficiencies
- Report on Internal Control
- Coordination with Section 302 of The Sarbanes-Oxley Act of 2002
- The Audit of Internal Control Over Financial Reporting
- Auditor's Responsibilities in the Audit of Internal Control Over Financial Reporting
- Planning
- Materiality and Fraud Considerations
- Multi-Location Considerations
- Evaluating Management's Assessment Process
- Obtaining an Understanding of Internal Control
- Evaluating the Effectiveness of the Audit Committee
- Identifying Significant Account Balances and Disclosures
- Identifying Relevant Financial Statement Assertions
- Identifying Significant Processes and Major Classes of Transactions
- Understanding the Period-End Financial Reporting Process
- Performing Walkthroughs
- Identifying Controls to Test
- Testing and Evaluating Design and Operating Effectiveness
- Timing of Tests of Controls
- Using the Work of Others
- Forming an Opinion
- Required Communications of Deficiencies
- Relationship of the Audit of ICOFR to an Audit of Financial Statements
- Beyond Compliance
- Appendixes
- Appendix A: Sample Auditor's Report
- Appendix B: Management's Report
- Appendix C: Reference Sources

EXECUTIVE SUMMARY

The Public Company Accounting Oversight Board (PCAOB or the Board) has recently approved Auditing Standard No. 2. The time for compliance is drawing near and the Securities and Exchange Commission is expected to move rapidly in approving a final Standard. All parties responsible for implementation should now be well along in their preparation, feeling a keen sense of urgency. Implementation will be effective if all responsible parties are viewing the requirements through a similar lens. KPMG presents this summary to emphasize the importance of a common understanding between companies and their external auditors and to highlight what we see as the most likely areas where questions may remain.

The credibility of public company financial reporting has been sharply questioned by a string of corporate reporting scandals that began with the collapse of a number of major corporations in late 2001. The results shook the financial markets and severely eroded investor confidence in the information being reported by companies with publicly traded securities. These historic events led to a number of proposals to improve the financial reporting process and restore investor confidence in the U.S. financial markets. Congress responded with the passage of the Sarbanes-Oxley Act of 2002 (the Act). When President George W. Bush signed the Act into law, he characterized it as "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt." The Act clearly represents the most significant change in reporting for U.S. publicly traded companies since the Securities Acts of 1933 and 1934. In addition, the Act has unprecedented reach both within the United States and internationally for foreign SEC registrants. It is aimed at restoring public confidence and protecting the public interest as well as improving the integrity of financial reporting, the foundation on which the U.S. capital markets system is built and thrives.

The passage of this Act represents a significant change in both management's reporting responsibilities and the scope and nature of the responsibilities of the independent auditor. Management is now required to both assess and report on the effectiveness of internal control over financial reporting, and the auditor is required to audit and report on the effectiveness of internal control over financial reporting, including management's assessment process. As a result, auditors will be evaluating and testing a company's internal control in a different light and in greater depth. The overall goal of these new requirements is to strengthen internal control over financial reporting, provide more reliable information to investors, and renew investor confidence in the U.S. capital markets.

This document contains a general discussion only of the matters included and should not be relied on as advice for any particular company, since no consideration is given to individual facts and circumstances, which vary greatly from company to company.

A MANAGEMENT PERSPECTIVE ON THE IMPACT OF THE SARBANES-OXLEY ACT

In late 2003, KPMG set out to understand how senior executives from a cross-section of industries perceived the impact of the legislation. During a two-month period, beginning in October, we conducted 175 interviews among CEOs and CFOs, across a variety of industries, asking them for their opinions on various aspects of the Act. Nearly seven in 10 (68 percent) of the respondents said they believe the Act has boosted investor confidence in corporate America. Most (58 percent) said they believe the Act represents important regulatory legislation, with an additional 29 percent perceiving it as landmark.

[Chart: "Do you believe that the Sarbanes-Oxley Act has helped boost investor confidence in corporate America?" Yes 68%; the remaining responses were No and Not sure (25% and 7%; which value belongs to which response is not recoverable from the extracted chart). Source: KPMG LLP, 2004]

Interestingly, these executives, representing the financial services, consumer and industrial products, healthcare and public services, and information, communication, and entertainment industries, also said significant challenges relating to the Act still lay ahead. Although nearly all respondents (97 percent) reported being on or ahead of schedule with Sarbanes-Oxley readiness, less than a third of them (31 percent) said they have completed more than half of the section 404 preparation. The group identified two areas where they had the most challenges: documentation and testing of internal controls.

[Chart: "Which of the following best describes your enterprise's current state of Sarbanes-Oxley 404 readiness?" Significantly ahead of schedule 7%; Ahead of schedule 24%; On schedule 66%; Behind schedule 3%; Significantly behind schedule 0%. Source: KPMG LLP, 2004]

[Chart: "Which of the following best describes your perspective on Sarbanes-Oxley?" Landmark legislation 29%; Important regulatory legislation 58%; Interim solution 10%; Undecided 3%. Source: KPMG LLP, 2004]

MANAGEMENT'S RESPONSIBILITIES

Compliance obligations for publicly traded companies have significantly increased as a result of the Act. Management has a responsibility to report reliable information to public investors and should discuss fulfilling its responsibility under the Act with its attorneys and other advisers. For the auditor to satisfactorily complete an audit of internal control over financial reporting, management must fulfill a number of important responsibilities, including:

- Accepting responsibility for the effectiveness of the company's internal control over financial reporting
- Evaluating the effectiveness of the company's internal control over financial reporting using suitable control criteria (e.g., the criteria of COSO, the Committee of Sponsoring Organizations of the Treadway Commission)
- Supporting its evaluation with sufficient evidence, including documentation
- Presenting a written assessment about the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year

If the auditor concludes that management has not fulfilled these responsibilities, the auditor should communicate, in writing, to management and the audit committee that the audit of internal control over financial reporting cannot be satisfactorily completed and must disclaim an opinion.

MANAGEMENT'S ASSESSMENT PROCESS

The process that management undertakes in its assessment should include determining which controls should be tested, evaluating the likelihood that failure of a control could result in a material misstatement, and determining the locations or business units to include in the evaluation, if the company has multiple locations or business units. Management also should evaluate the design and operating effectiveness of internal control over financial reporting and document the results of the evaluation.

This process ordinarily would be considered incomplete unless it extended to controls over all relevant assertions (for example, existence and valuation of accounts receivable) related to all significant accounts and disclosures. As part of its assessment, management determines whether identified deficiencies in design or operating effectiveness, individually or in combination, constitute significant deficiencies or material weaknesses. Management then communicates these findings to the auditor and others, if applicable, and evaluates whether those findings are reasonable and support its assessment.

ASSESSMENT ENHANCES INTERNAL CONTROL

As companies develop processes to assist management in its annual internal control assessment under section 404 of the Act and its annual and quarterly certifications under section 302, the process should result in a continuous strengthening of internal controls. Effective internal control over financial reporting is essential for a company to effectively manage its affairs and to fulfill its obligation to its investors. A company's management and its owners, public investors and others, must be able to rely on the financial information reported by companies to make decisions.

DOCUMENTATION SUPPORTING MANAGEMENT'S ASSESSMENT

Documentation that provides reasonable support for management's assessment of the effectiveness of internal control over financial reporting includes, but is not limited to:

- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
- Controls over the period-end financial reporting process
- Controls over safeguarding of assets
- The results of management's testing and evaluation

INTERNAL CONTROL AUDIT AND FINANCIAL STATEMENT AUDIT: THE IMPORTANCE OF INTEGRATED ACTIVITIES

At its core, section 404 of the Act emphasizes the need of investors to have confidence not only in the financial reports issued by a company but also in the underlying processes and controls that are an integral part of producing those reports. The Board recognizes the relationship of the audit of internal control over financial reporting and the audit of the financial statements, and that the two should be viewed by auditors as integrated activities. The PCAOB concluded that the existing Standard governing an auditor's attestation on internal control was insufficient in addressing the requirements of section 404 of the Act. These integrated activities address both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements.

An understanding of the concept of integrated activities requires a common definition of the terms "internal control" and "internal control over financial reporting" as used in the context of the Standard. Internal control is a process designed to provide reasonable assurance regarding the achievement of a company's objectives in the areas of financial reporting reliability, operating efficiency and effectiveness, and compliance with applicable laws and regulations. Internal control over financial reporting consists of a company's policies and procedures that are designed and operated to provide reasonable assurance (that is, a high but not absolute level of assurance) about both the reliability of a company's financial reporting and its process for preparing and fairly presenting financial statements. Internal control over financial reporting includes policies and procedures that pertain to the maintenance of accounting records, the authorization of receipts and disbursements, and the safeguarding of assets.

DIRECT EVIDENCE

For auditors to form an opinion on the effectiveness of a company's internal control over financial reporting, the auditor must obtain direct evidence relating to the effectiveness of internal control over financial reporting. That means an auditor may not form an opinion on effectiveness solely by evaluating management's process for concluding on control effectiveness. Additionally, in concluding on operating effectiveness, the auditor needs to personally perform enough of the testing so that their work provides the principal evidence for their opinion. The PCAOB reasons that without direct evidence of control effectiveness, the auditor would not have a sufficiently high level of assurance that management's conclusion is correct. Further, the auditor also must evaluate the adequacy of management's documentation of the design of internal controls and their assessment of internal control effectiveness. The Standard provides the auditor with criteria to use in evaluating the adequacy of management's documentation. Inadequate documentation is considered an internal control deficiency.

LIMITATIONS

Regardless of how well any system of internal control over financial reporting is designed and operating, it cannot provide absolute assurance of achieving financial reporting objectives because of inherent limitations. These inherent limitations exist because internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Consequently, controls can be intentionally or unintentionally circumvented.

MAJOR ISSUES COMPANIES ARE FACING REGARDING MANAGEMENT'S ASSESSMENT FOR SECTION 404 COMPLIANCE

As part of the fall 2003 survey conducted by KPMG, 175 executives were asked the following question: "What are the major issues you are facing regarding the work for management's assessment in connection with Sarbanes-Oxley 404 compliance?" Here is a sampling of their responses:

- "A lot of extra paperwork and clarification while trying to balance the workload."
- "Additional disclosure requirements, review of document retention policies,"
- "[The need for] Clarity for what is required to do for SOX."
- "Ensuring that any gaps are covered."
- "Definition of [what constitutes] significant controls"
- "Going through system implementation; on top of changes of control structure."

PCAOB Chief Auditor and Director of Professional Standards Douglas R. Carmichael, on the issue of concerns being expressed by public companies that the costs of compliance with Sarbanes-Oxley outweigh its benefits:

"The greatest cost should be incurred the first time through for many reasons. Because it is the first time, and companies and auditors will be doing things they have never done before, the wise people will be erring on the side of doing too much rather than doing too little. All that will result in the first-year costs probably being the most significant, and it should be reduced in subsequent years. However, companies still need to do enough [to satisfy] the standard. Each year needs to stand on its own. You can't say it was good last year, so it must be good this year. However, having done the work the year before, the focus is on updating your understanding and on the changes."

BNA, Securities Regulation & Law Report, February 9, 2004

WHAT'S DIFFERENT IN THE FINAL PCAOB STANDARD AS COMPARED WITH THE PROPOSED STANDARD?

Highlights of the most significant changes to the final Standard are outlined below and discussed in more detail throughout the document. Appendix E of Standard No. 2 discusses the rationale for the changes and conclusions reached by the Board.

USING THE WORK OF OTHERS

The Board decided to change the provisions in the Proposed Standard regarding using the work of others. The Proposed Standard presented a three-bucket approach for using the work of others: areas where audit evidence was required to be derived solely from the independent auditor's own work, areas where the use of others' work was limited, and areas where it was permitted without specific limitation. Standard No. 2 revises the categories of controls by focusing on the nature of the controls being tested and evaluating the competence and objectivity of the individuals performing the work. This change generally should result in the auditor exercising their judgment to a greater degree than under the provisions of the Proposed Standard.

EVALUATION OF THE AUDIT COMMITTEE'S EFFECTIVENESS

The Proposed Standard required the auditor to evaluate the effectiveness of the audit committee's oversight of the external financial reporting process and the internal control over financial reporting. Although this concept was retained in Standard No. 2, it was clarified to emphasize that the auditor's evaluation of the audit committee is not required to be a separate evaluation. Instead, it should be made as part of the evaluation of the control environment and monitoring components of internal control over financial reporting. Standard No. 2 explicitly acknowledges that the board of directors is responsible for evaluating the effectiveness of the audit committee. In addition, the Board concluded that, if the auditor determines that the audit committee's oversight is ineffective, the auditor should communicate the findings to the full board of directors. The Board also deleted certain factors that addressed compliance with listing standards and sections of the Act.

WALKTHROUGHS

The Proposed Standard included a requirement that the auditor perform walkthroughs for all of the company's significant processes. The Board decided in Standard No. 2 that the scope of transactions subjected to walkthroughs should be more narrowly defined. As a result, the scope of transactions for which auditors are required to perform walkthroughs pursuant to Standard No. 2 was narrowed by replacing the words "all types of transactions" with "major classes of transactions."

AUDITOR'S REPORT

The Proposed Standard required that the auditor's opinion state whether management's assessment of the effectiveness of the company's internal control over financial reporting, as of the specified date, is fairly stated, in all material respects, based on control criteria. The Board concluded that the expression of two opinions (one on management's assessment and one on the effectiveness of internal control over financial reporting) is a superior approach to the concept of one opinion on these elements.

DEFINITIONS OF SIGNIFICANT DEFICIENCY AND MATERIAL WEAKNESS

The definitions for what constitutes a significant deficiency and a material weakness have not changed. However, the Board clarified the term "inconsequential" with the following definition: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential. The list of significant deficiencies and strong indicators of material weaknesses was retained and now also includes an ineffective control environment.

SMALL AND MEDIUM-SIZED COMPANY CONSIDERATIONS

The Proposed Standard discussed small and medium-sized company considerations in its Appendix E. That discussion was removed in the final Standard and replaced with a reference to the existing COSO guidance already tailored for special small and medium-sized company considerations. Standard No. 2 clearly emphasizes that, while the cost-benefit concerns were considered, the Board recognizes that this exercise will be burdensome in many instances, particularly for some small and medium-sized companies. However, the expected benefits to investors of improved internal control over financial reporting are warranted. The Board recognized that this Standard must appropriately balance the cost to implement the Standard's directions with the benefits of achieving these important goals. As a result, all the Board's decisions about this Standard were guided by the additional objective of creating a rational relationship between costs and benefits. Investors further recognized that this kind of assurance would come at a price and expressed their belief that the cost of the anticipated benefits was reasonable.

NEXT STEPS

Management should take time to study Standard No. 2 to facilitate a better understanding of their company's state of readiness and to better prepare for their respective reporting deadline. The remaining sections of this document present additional details to the discussion above. Executives would be well served to assign resources in their organization to become familiar with the details of the PCAOB's Auditing Standard No. 2 and with our additional thoughts presented below. Relying solely on the Executive Summary could result in an incomplete understanding of the PCAOB's positions expressed in Standard No. 2. It should be understood that management is responsible for complying with the provisions of the Sarbanes-Oxley Act of 2002, and specifically with section 404.

KPMG LLP

BACKGROUND

In July 2002 the president signed the Sarbanes-Oxley Act of 2002 into law. The Act came in response to a string of corporate scandals, including the collapse of a number of businesses that negatively affected the confidence of investors in the capital markets of the United States. The Act created the Public Company Accounting Oversight Board, a quasi-governmental agency that oversees the audits of public companies, intending to protect the interests of investors and other users of an issuer's financial statements. The Board, which is subject to SEC oversight, is empowered to establish auditing standards for public company audits, inspect accounting firms that audit public companies, investigate possible rule violations, and sanction violators.

Section 404 of the Act has two parts:

- Section 404(a) describes management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. It also outlines management's responsibility for assessing the effectiveness of internal control over financial reporting.
- Section 404(b) describes the independent auditor's responsibility for attesting to and reporting on management's internal control assessment.

In passing the Act, Congress reasoned that the restoration of investors' trust in public companies would depend on demanding that public companies possess strong internal controls over financial reporting. Section 404 of the Act requires that management first assess the effectiveness of the company's internal control over financial reporting (ICOFR) and then report on that assessment at the close of its fiscal year. The Act also requires a company's external auditor to attest to and report on the assessment made by management.

MANAGEMENT'S RESPONSIBILITIES

Section 404 of the Act describes management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. It also outlines management's responsibility for assessing the effectiveness of the company's ICOFR, and requires that the company's external auditors attest to management's assessment. Under Standard No. 2, management must:

- Accept responsibility for the effectiveness of the company's ICOFR
- Evaluate the effectiveness of the company's ICOFR using suitable control criteria (e.g., the COSO criteria, defined below)
- Support the evaluation with sufficient evidence, including documentation of the design of controls related to all relevant assertions for its significant financial statement accounts and disclosures
- Present a written assessment of the effectiveness of the company's ICOFR as of the end of the company's most recent fiscal year

If management has not fulfilled its responsibilities as noted above, the auditor is required to issue a disclaimer of opinion. Management should fulfill its responsibilities by undertaking a comprehensive approach that includes thorough planning and evaluation of its system of internal controls. Once management has identified significant controls, it can document those controls and proceed with testing their effectiveness. Companies should allow sufficient time to complete this process in the event deficiencies are identified. Early identification of deficiencies may provide management sufficient time to correct deficiencies and determine operating effectiveness of the new control.
DEFINITION OF INTERNAL CONTROL OVER FINANCIAL REPORTING

Internal control is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a process effected by an entity's board of directors, management, and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, compliance with applicable laws and regulations, and reliability of financial reporting. The SEC rules implementing section 404(a) of the Act focus on those objectives related to the reliability of a company's external financial reporting. This subset of internal control is commonly referred to as internal control over financial reporting.

Internal control over financial reporting is defined in Standard No. 2 as a process designed by or under the supervision of the company's principal executive and financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). It also includes policies and procedures that pertain to maintenance of accounting records, authorization of receipts and disbursements, and safeguarding of assets. For purposes of an audit of internal control over financial reporting, internal control over financial reporting includes controls over the safeguarding of assets and controls related to the prevention or timely detection of unauthorized acquisition, use, or disposition of an entity's assets that could have a material effect on the financial statements. These safeguarding controls are a subset of the broader segment of internal control.

MANAGEMENT'S EVALUATION/ASSESSMENT OF THE EFFECTIVENESS OF INTERNAL CONTROL OVER FINANCIAL REPORTING

Management must maintain sufficient evidence of its assessment of the effectiveness of ICOFR, including documentation. The development and maintenance of such documentation is an important element of effective internal control. The assessment of a company's ICOFR must be based on procedures sufficient to both evaluate design and test operating effectiveness. Controls subject to such assessment include, but are not limited to:

- Controls over initiating, authorizing, recording, processing, and reporting significant account balances and disclosures and related assertions included in the financial statements
- Controls related to the selection and application of accounting policies in accordance with GAAP
- Controls related to the prevention, identification, and detection of fraud
- Controls related to the initiation and processing of nonroutine and non-systematic transactions

The nature of a company's testing activities will depend largely on the circumstances of the company and the significance of the particular control. However, inquiry only generally will not provide an adequate basis for management's determination of operating effectiveness.

UNIQUE SYSTEMS OF INTERNAL CONTROL

COSO recognizes that no two companies will, or should, have the same internal control system. Companies and their internal control needs differ dramatically by industry and size, and by culture and management philosophy. Consequently, each company may take a different approach to implementing internal control. Nevertheless, the internal control principles discussed in this document apply to all companies.

FRAMEWORK USED BY MANAGEMENT TO CONDUCT ITS ASSESSMENT

Management is required to base its assessment on a suitable, recognized control framework established by a body of experts that followed public due-process procedures to develop the framework.
In the United States, the Committee of Sponsoring Organizations of the Treadway Commission has published Internal Control Integrated Framework, which is commonly used for purposes of management's assessment. Because COSO is expected to be the most frequently used control framework in the United States, the guidance in Standard No. 2 is based on COSO concepts.

[Figure: A concise description of the five COSO components of internal control over financial reporting. Figure labels: Operations, Financial Reporting, Compliance; Activity 1, Activity 2; Unit A, Unit B. Source: KPMG LLP, 2004]

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Risk Assessment: Every entity faces a variety of financial reporting risks from external and internal sources that must be assessed at both the entity and the activity levels. These risks include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management embodied in the financial statements.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.

Information and Communication: Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components. The quality of system-generated information, including the accounting system and other information technology applications, affects management's ability to make appropriate decisions in controlling the entity's activities and to prepare reliable financial reports.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time.

Internal control as defined by COSO consists of a number of interrelated components that are inherent in the way a company is managed. These components include the control environment, risk assessment, control activities, information and communication, and monitoring. COSO provides criteria for evaluating whether internal control is effective based on these components. Although the five internal control components are applicable to all entities, small and mid-sized organizations may implement them differently than large entities. Controls in a small entity may be less formal and less structured, yet a small company can maintain effective ICOFR. We believe that the underlying concepts regarding ICOFR apply to entities of all sizes. The application of auditing standards in general is subject to auditor judgment and is dependent on a number of factors, including the size and complexity of the particular entity. We believe that Standard No. 2 provides a framework for the audit of ICOFR for all entities, regardless of size.

REASONABLE VERSUS ABSOLUTE ASSURANCE AND INHERENT LIMITATIONS

ICOFR consists of company policies and procedures that are designed and operated to provide reasonable assurance, but not an absolute level of assurance, about the reliability of a company's financial reporting. Management's assessment of the effectiveness of ICOFR is expressed at the level of reasonable assurance. Reasonable assurance includes an understanding that there is a relatively low risk that material misstatements will not be prevented or detected on a timely basis. Although reasonable assurance is not absolute assurance, it provides a high level of assurance.

WHY REASONABLE ASSURANCE AND NOT ABSOLUTE ASSURANCE?

Regardless of how well any system of ICOFR is designed and operating, it cannot provide absolute assurance of achieving financial reporting objectives because of inherent limitations.
These inherent limitations exist because ICOFR is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Consequently, ICOFR can be circumvented intentionally by collusion or improper management override.

"To ensure financial stability, a company must support the execution of its objectives with rigorous internal controls and effective risk management. An effective internal control apparatus is critical to provide reasonable assurance that the information produced by the organization is timely and reliable and that errors and irregularities are discovered and corrected promptly. Effective risk management is based on a foundation of good corporate governance and rigorous internal controls. Taking calculated risks is part of any business enterprise. That is well understood. At the same time, each company needs to have in place the technical systems and management processes necessary not only to identify the risks associated with its activities but also to effectively measure, monitor, and control them. An effective risk management and control structure is not sufficient, however, if it is not accompanied by an institutional culture that ensures that written policies and procedures are actually translated into practice. Ultimately, a company's culture is determined by the board of directors and the senior management it installs. In particular, the actions of senior management and the consistency of their decisions and behavior with the values and principles they articulate are critical to shaping company culture."

William J. McDonough, Chairman, PCAOB, at the January 14, 2004, meeting of Women in Housing and Finance

EXAMPLE MANAGEMENT ASSESSMENT PROCESS

There are a number of methods a company may choose in developing an approach to fulfill its responsibilities relating to its assessment of ICOFR. The following is an example of one way a company may approach its assessment process:

1 Plan & Scope the Evaluation: Establish internal control evaluation process. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources. Launch project.
2 Document Controls: Document design of controls over relevant assertions related to all significant accounts and disclosures.
3 Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation.
4 Identify, Assess & Correct Deficiencies: Identify, accumulate, and evaluate design and operating control deficiencies. Communicate findings and correct deficiencies.
5 Report on Internal Control: Prepare written assertion of the effectiveness of internal control over financial reporting.

1 Plan & Scope the Evaluation

The process of evaluating the effectiveness of ICOFR may require careful planning due to the complexity and breadth of the control structure within an entity. This evaluation plan may include a process to examine the overall approach to documentation, identification of controls and evaluation procedures, significant milestones, and anticipated time lines. The plan also may include the institution of policies and procedures that will be used in the evaluation process as well as appropriate internal communication processes.

[Chart: As part of the KPMG fall '03 Survey, CEOs and CFOs were asked: "Which functions are involved in your Sarbanes-Oxley 404 planning activities?" Functions shown: Internal audit, External audit, Legal, IT, Tax operations. Reported percentages: 53%, 57%, 60%, 74%, 86%. Source: KPMG LLP, 2004]

Management may identify the team responsible for performing the evaluation. The project may have an executive sponsor, a project manager, and personnel from operations, finance and accounting, human resources, information systems, tax, legal, and internal audit, all of whom should have appropriate skills, knowledge of COSO, and an understanding of controls evaluation. Where necessary, management may consider training programs to supplement existing knowledge.

Among the most important activities in the planning process is one that identifies the controls to be included in the scope of the evaluation. According to the PCAOB, the evaluation should include controls related to all significant accounts and disclosures in the financial statements. Under Standard No. 2, an account is considered significant if there is more than a remote likelihood that it could contain misstatements that individually or when aggregated with others could have a material effect on the financial statements. In practice, we believe this will result in a relatively low threshold over the selection and determination of accounts that are deemed to be significant. A financial statement caption may consist of a number of account balances, the components of which are subject to differing risks or different controls that should be considered separately as potential significant accounts. For example, a financial institution may have several significant account balances within its loan portfolio (e.g., commercial and residential loans). These significant accounts are subject to different financial reporting risks and different controls.

ROLE OF INTERNAL AUDIT

Management may consider the role that the internal audit function will play during its assessment process and, in particular, during the planning and scoping phase. Internal audit can be used to identify controls and test and evaluate design and operating effectiveness, among other things. Internal auditors normally have greater competence and objectivity with regard to ICOFR than other company personnel.

Controls over significant account balances and disclosures for purposes of evaluating the effectiveness of ICOFR include controls over:

- Initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements. Significance in this context may be determined by the value, volume, or financial reporting risk associated with transactions processed.
- The selection and application of accounting policies in conformity with GAAP. Management may consider establishing controls to review the appropriate application of new accounting pronouncements, interpretations, or emerging issues in a timely manner.
- Antifraud programs and controls. It is management's responsibility to design and carry out programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process, should set the proper tone by creating and maintaining a culture of honesty and high ethical standards.
- Information technology general controls or other controls on which other significant controls are dependent (i.e., pervasive controls). General computer controls support the effective functioning of many application controls by helping to ensure the continued proper operation of computer information systems. General computer controls commonly include controls over program development and changes, computer operations, and access to programs and data.
- Significant non-routine and non-systematic transactions. These may include accounts involving significant judgments and estimates. Choosing which controls to evaluate may, for example, involve consideration of the complexity of the estimating process and any bias on the part of the estimator.
- Period-end financial reporting, including preparing financial statements and disclosures. Specific controls include those over procedures used to enter transaction totals into the general ledger, to initiate, authorize, record, and process journal entries in the general ledger, and to record recurring and nonrecurring adjustments to the financial statements.

INCOME TAXES

Taxes are often one of the largest expenses in a company's financial statements. This is why companies cannot ignore tax processes as part of their evaluation of internal controls. To comply with section 404, management will need to identify and evaluate all significant controls, including those related to taxation. The impact of tax operations is not associated only with corporate income taxes and provisions. In reality, tax-related activities range from sales or value-added taxes to accounting for inter-company, customs, and cross-border transactions. The complex and ever-changing rules of taxing jurisdictions and the estimated liabilities often will require that controls over these activities be included in management's evaluation process. In KPMG's survey of 175 CEOs and CFOs, only 24 percent reported increased spending in the last 12 months to address tax function financial control deficiencies; 37 percent anticipate increased spending in the next 12 months.

EVALUATION OF IT CONTROLS

Information technology controls represent an integral part of ICOFR. Management may determine which applications or systems are within the scope of ICOFR and which IT controls need to be evaluated (i.e., user-level and infrastructure). An evaluation of a company's IT controls also may determine whether existing systems have been changed or a new system has been put in place. Controls within the system are important, but so are the controls dealing with access to IT systems. Management would be well served by evaluating details of the following broad categories of the IT function:

- IT governance
- Change management
- Interface and application controls
- Security and access controls
- Systems development life cycle
- Data center operations

The specific risks that IT poses to an entity's internal control may include reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. IT also may involve the risk of unauthorized access to systems, including unauthorized changes to existing applications as well as unauthorized changes to data, and the potential for loss of data.

MULTI-LOCATION CONSIDERATIONS

Companies with multiple business units, geographic locations, or reporting units may need to determine which locations are relevant and should be included in their assessment. Management may consider which locations are financially significant in terms of the potential for a material misstatement. It is likely that a relatively small number of locations or business units may encompass a large portion of the company's operations and financial position. Management also may consider whether there are locations that have specific significant risks or whether individual locations or business units that are not significant by themselves may be financially significant when aggregated with others.
CONSIDERATION OF OUTSIDE SERVICE ORGANIZATIONS

Many companies use outside service organizations to process a variety of transactions. Management may need to consider the controls at the service organization in its assessment of ICOFR. Management may take an inventory of all outside service organizations used to process data and determine which controls at each service organization are relevant for management's evaluation, document those controls, and obtain evidence of the design and operating effectiveness of the controls. Service organizations often obtain a report from a service auditor regarding the effectiveness of their internal control. Management would be well served by initiating discussions with outside service organizations about the scope of the service auditor's report, period covered, and timing for receiving the report. If a report is available, management may consider if the service auditor's report provides sufficient evidence to support an assessment of the operating effectiveness of the related controls. In particular, management may determine whether the report considers the operating effectiveness of controls (referred to in U.S. auditing standards as a Type II SAS 70 report) and the time period covered by the report. Management may need to ensure that the service organization provides Type II reports on a timely basis, preferably at or close to the company's fiscal year-end.

2 Document Controls

Documentation of a company's ICOFR is an essential part of management's evaluation process. It provides evidence that controls related to management's assertion, including changes to those controls, have been identified, can be communicated to those responsible for their performance, and can be monitored. Under Standard No. 2, management should provide documentation that provides reasonable support for its assessment of the effectiveness of ICOFR covering:

- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements, including documentation of the five components of ICOFR discussed in the COSO framework
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
- Controls over the period-end financial reporting process
- Controls over safeguarding of assets
- The results of management's testing and evaluation

Documentation of controls may take many forms and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. No one kind of documentation is required and the extent of documentation will vary depending on the size, nature, and complexity of the company. Management should consider establishing companywide documentation standards for capturing and reporting information. Documentation of processes and controls will be an important element in the test of internal control design effectiveness.

PERFORMANCE OF WALKTHROUGHS FOR EACH MAJOR CLASS OF TRANSACTIONS

Standard No. 2 states that the auditor should perform at least one walkthrough for each major class of transactions, which means the auditor must trace the life of the transaction from its initiation through its publication in the financial statements. In a February 2004 interview with BNA's Securities Regulation & Law Report, PCAOB Chief Auditor and Director of Professional Standards Douglas R. Carmichael described the Board's thinking behind instituting walkthroughs: "The goal there is to make sure that the auditor understands how the systems work and what the controls are." During the walkthrough, the questions auditors may ask company personnel include:

- What do they do when they find an error?
- What are they looking for to determine if there is an error?
- What kinds of errors have been found?
- What happened as a result of finding the errors? How were the errors resolved?
- Have personnel ever been asked to override the process or controls?

Although the extent to which management documents its evaluation is a matter of judgment, such documentation should go beyond a simple conclusion that the control is designed and operating effectively. To provide a sufficient basis for its conclusion, management should document the procedures performed, the results, and other evidence obtained regarding operating effectiveness. Internal control deficiencies noted also should be documented along with appropriate remediation proposals. Inadequate documentation of the design of controls and the absence of sufficient documented evidence to support management's assessment of the operating effectiveness of ICOFR are control deficiencies under Standard No. 2. COSO provides example documentation that could be useful for management in documenting the results of its evaluation. The examples in COSO include numerous evaluation programs and worksheets. To collate and evaluate the documentation of the results of the evaluation, management may consider a manual approach, an automated approach, or a combination of the two.
Whatever the choice, management may consider establishing enterprise-wide documentation standards for capturing the results. An automated tool may assist in ensuring that the documentation output of the evaluation process meets management's requirements. With the use of an automated tool, the information could be summarized and reported in a format tailored by management. An added benefit of using an automated tool may be to assist with project management; for example, to monitor the progress of the documentation and evaluation process and identify areas that need