Section 404 Audits of Internal Control and Control Risk - PowerPoint PPT Presentation

Slides: 49
Provided by: CDelan
Learn more at: https://business.fiu.edu

Transcript and Presenter's Notes


1
Section 404 Audits of Internal Control and
Control Risk
October 27, 2007
2
RESPONSIBILITY GUIDELINES
PCAOB Auditing Standard No. 2 (revised by
Standard 5), An Audit of Internal Control Over
Financial Reporting Performed in Conjunction with
An Audit of Financial Statements, provides
guidance for a Section 404 audit. The performance
and reporting directions are based on the
framework developed by the Committee of
Sponsoring Organizations (COSO) of the Treadway
Commission. COSO's 1992 report, Internal Control -
Integrated Framework, describes five key
components of internal control (the control
environment, risk assessment, control activities,
information and communication, and monitoring)
and provides businesses with evaluation tools.
3
  • The SEC requires that companies' management
    design an internal control system that can
    substantiate every assertion in their financial
    statements. To do that, management has to analyze
    the company's system of internal control over
    financial reporting and provide evidence
    sufficient to support its conclusions.
  • The external auditor's responsibility is to do
    the following:
      • Critically evaluate management's assessment
        process.
      • Evaluate both the design and effectiveness of
        the internal control system.
      • Perform independent testing.
      • Form an opinion on the internal control system.
      • Communicate significant deficiencies and
        material weaknesses to both management and the
        audit committee.

4
  • The primary objectives of effective
    internal control.

5
Internal Control Objectives
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with laws and regulations
6
  • Management's responsibilities for maintaining
    and reporting on internal controls.
  • The auditor's responsibilities for
    understanding, testing, and reporting on
    internal controls.

7
Management and Auditor Responsibilities
Related to Internal Control
  • Management's responsibility for establishing
    internal control
  • Reasonable assurance
  • Inherent limitations

8
Management and Auditor Responsibilities
Related to Internal Control
  • Management's Section 404 reporting
    responsibilities
  • Design of internal control
  • Operating effectiveness of controls

9
Management and Auditor Responsibilities
Related to Internal Control
  • Auditor responsibilities for understanding
    internal control
  • Controls over the reliability of financial
    reporting
  • Control over classes of transactions
  • Auditor responsibilities for testing
    internal control

10
  • Five components of the COSO internal
    control framework.

11
Five Components of Internal Control
Control Environment
Risk assessment
Information and communication
Monitoring
Control activities
12
The Control Environment
  • Integrity and ethical values
  • Commitment to competence
  • Board of directors or audit committee
    participation

13
The Control Environment
  • Management's philosophy and operating style
  • Organizational structure
  • Human resource policies and practices

14
Risk Assessment
  • Identify factors that may increase risk
  • Estimate the significance of the risk
  • Assess the likelihood of the risk occurring
  • Determine actions necessary to manage the risk

15
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and
activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
16
Adequate Separation of Duties
  • Custody of assets from accounting
  • Authorization of transactions from the custody
    of related assets
  • Operational responsibility from record-keeping
    responsibility
  • IT duties from user departments
17
Proper Authorization of Transactions and
Activities
  • General authorization
  • Specific authorization

18
Adequate Documents and Records
  • Prenumbered consecutively
  • Prepared at the time of transaction
  • Designed for multiple use
  • Constructed to encourage correct preparation

19
Physical Control Over Assets and Records
The most important type of protective measure for
safeguarding assets and records is the use of
physical precautions.
20
Independent Checks on Performance
The need for independent checks arises because
internal control tends to change over time unless
there is a mechanism for frequent review.
21
Information and Communication
The purpose of an accounting information and
communication system is to initiate, record,
process, and report the entity's transactions and
to maintain accountability for the related assets.
22
Monitoring
Monitoring activities deal with
management's ongoing and periodic assessment of
the quality of internal control performance
to determine whether controls are operating as
intended and modified when needed.
23
SEC and COSO Focus on Smaller Public Companies
The SEC has extended the deadline for small
public companies' compliance with Section 404
requirements.
COSO issued guidance in Internal Control Over
Financial Reporting for Smaller Public Companies.
24
  • Obtain and document an understanding of
    internal control.

25
Process for Understanding Internal Control and
Assessing Control Risk
Phase 1
Obtain an understanding of internal
control design and operation
Phase 2
Assess control risk
Phase 3
Design, perform, and evaluate tests of controls
Phase 4
Decide planned detection risk and
substantive tests
26
Obtain and Document Understanding of Internal
Control
SAS 109 and PCAOB Standard 2 both require
auditors to obtain an understanding of internal
control for every audit.
  • Procedures to obtain an understanding
  • Design of internal controls
  • Whether placed in operation
  • Uses this information as a basis for the
    integrated audit

27
Methods Used
Narrative
Flowchart
Internal control questionnaire
28
Narrative
1. The origin of every document and record in
the system
2. All processing that takes place
3. The disposition of every document and
record in the system
4. An indication of the controls relevant to
the assessment of control risk
29
Evaluating Internal Control Operation
  • Update and evaluate auditor's previous
    experience with the entity
  • Make inquiries of client personnel
  • Examine documents and records
  • Observe entity activities and operations
  • Perform walk-throughs of the accounting system

30
  • Assess control risk by linking key controls,
    significant deficiencies, and material
    weaknesses to transaction-related audit
    objectives.

31
Assess Control Risk
Assess whether the financial statements are
auditable.
Determine assessed control risk supported by the
understanding obtained assuming the controls are
being followed.
Use of a control risk matrix to assess control
risk.
32
Control Risk Matrix
Many auditors use the control risk matrix to
assist in the control risk assessment process.
33
Control Risk Matrix
  • Identify audit objectives
  • Identify existing controls
  • Associate controls with related audit objectives
  • Identify and evaluate control deficiencies,
    significant deficiencies, and material weaknesses

34
Evaluating Significant Control Deficiencies
[Figure: axes SIGNIFICANCE (Immaterial, Material) and LIKELIHOOD (Remote, Probable); labeled region: Material Weakness]
35
Identify Deficiencies and Weaknesses
  • Identify existing controls
  • Identify the absence of key controls
  • Consider the possibility of compensating
    controls
  • Decide whether there is a significant
    deficiency or material weakness
  • Determine potential misstatements that could
    result

36
Communications
  • Communications to those charged with
    governance
  • Management letters

37
  • Describe the process of designing and
    performing tests of controls.

38
Tests of Controls
The procedures to test effectiveness of
controls in support of a reduced assessed
control risk are called tests of controls.
39
Procedures for Tests of Controls
1. Make inquiries of client personnel
2. Examine documents, records, and reports
3. Observe control-related activities
4. Reperform client procedures
40
Extent of Procedures
  • Reliance on evidence from prior year's audit
  • Testing of controls related to significant risks
  • Testing less than the entire audit period

41
  • Understand Section 404 requirements for
    auditor reporting on internal control.

42
Section 404 Reporting on Internal Control
1. The auditor's opinion on whether
management's assessment of the effectiveness of
internal control over financial reporting as of
the end of the fiscal period is fairly stated, in
all material respects.
2. The auditor's opinion on whether the
company maintained, in all material respects,
effective internal control over financial
reporting as of the specified date.
43
Types of Opinions
  • Unqualified
  • Adverse
  • Qualified or disclaimer of opinion

44
404 ROAD MAP
  • A typical section 404 project plan should not
    be rushed.
  • Ideally, the first phase should commence 12 to 18
    months before the company's reporting deadline.
  • The last phase will coincide with the fieldwork
    for the fiscal year-end financial statement
    audit.

45
Phases
  • Phase one: Planning and scoping. Company
    management assigns a project leader and project
    team, establishes a time line, engages outside
    assistance if necessary, sets scoping criteria,
    performs risk assessment and reviews the section
    404 plan with the audit committee and external
    auditors.
  • Phase two: Documentation and evaluation. Company
    management documents, reviews and updates all
    control activities, prepares flowcharts, seeks
    feedback from external auditors and remediates
    control deficiencies.
  • Phase three: Management testing. Company
    management tests key controls, documents the
    results of testing and fixes any control
    deficiencies.

46
Phases
  • Phase four: Interface with external auditors.
    Company management performs complete
    walk-throughs of systems with external auditors.
    It reviews its test results with the external
    auditors and presents an initial management
    assessment to them.
  • Phase five: External auditor testing. The
    external auditor completely reviews all internal
    control documentation including narratives,
    flowcharts and walk-throughs. Then the external
    auditor identifies areas of risk and related key
    controls, verifies the scope of testing, designs
    test plans and determines sample sizes. The
    external auditor then tests the controls'
    operating effectiveness and evaluates the test
    results with management and the audit committee.
  • Phase six: Reporting. Management prepares its
    section 404 assessment for inclusion in Form
    10-K, reviews the document with external auditors
    and determines who within the company should sign
    the section 404 certifications. The attestation
    could include the company's general counsel
    and/or chief information officer if they are
    heavily involved in the system of internal
    control over financial reporting. At this stage
    the external auditors summarize their testing,
    review the test results and prepare a draft
    opinion. After that they report their conclusions
    to the audit committee, obtain a management
    representation letter and prepare a final opinion
    for inclusion in Form 10-K.

47
Questions???
48
End