CAQ Lessons Learned. Performing an Audit of Internal Control. In an Integrated Audit

Transcription

1 CAQ Lessns Learned Perfrming an Audit f Internal Cntrl In an Integrated Audit February 2009

2 Table f Cntents CAQ LESSONS LEARNED PERFORMING AN AUDIT OF INTERNAL CONTROL IN AN INTEGRATED AUDIT NOTICE TO READERS INTRODUCTION AND PURPOSE EXECUTIVE SUMMARY ORGANIZATION OF THE DOCUMENT SECTION 1: UNDERSTAND AND USE MANAGEMENT S ASSESSMENT AND DOCUMENTATION AS A STARTING POINT LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # SECTION 2: INTEGRATE THE AUDITS LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # SECTION 3: ESTABLISH THE RIGHT TEAM LESSON LEARNED # LESSON LEARNED # SECTION 4: IDENTIFY MATERIAL RISKS TO RELIABLE FINANCIAL REPORTING LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # SECTION 5: IDENTIFY CONTROLS NECESSARY TO SUFFICIENTLY ADDRESS IDENTIFIED RISKS LESSON LEARNED # th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs ii

3 Table f Cntents SECTION 6: TAKE A RISK-BASED APPROACH TO TESTING IDENTIFIED CONTROLS LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # LESSON LEARNED # th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs iii

4 CAQ Lessns Learned Perfrming an Audit f Internal Cntrl in an Integrated Audit Ntice t Readers The Center fr Audit Quality (CAQ) was created t serve investrs, public cmpany auditrs and the markets. The CAQ s missin is t fster cnfidence in the audit prcess and t aid investrs and the capital markets by advancing cnstructive suggestins fr change rted in the prfessin s cre values f integrity, bjectivity, hnesty and trust. The CAQ cnsists f apprximately 800 member firms that audit r are interested in auditing public cmpanies, and is affiliated with the American Institute f Certified Public Accuntants (AICPA). This Lessns Learned publicatin has been prepared by representatives f member firms f the CAQ and is intended t be used as a reference surce fr auditrs f public cmpanies. The infrmatin may help auditrs imprve the effectiveness and efficiency f their audits and is based n existing prfessinal literature, the infrmatin gathered by members f the CAQ task frce that drafted the dcument, and the experiences f CAQ member firms. This infrmatin represents the views f the members f the task frce, has nt been apprved by any regulatry bdy r any senir technical cmmittee f the AICPA, and des nt set standards fr any purpse. As nted belw, auditrs are required t adhere t Auditing Standard N. 5 (AS 5), An Audit f Internal Cntrl Over Financial Reprting That is Integrated with An Audit f Financial Statements, issued by the Public Cmpany Accunting Oversight Bard (PCAOB r the Bard) and assciated guidance published by the PCAOB. Public cmpanies shuld fllw related guidance published by the Securities and Exchange Cmmissin (SEC r Cmmissin). Dcuments published by the CAQ, n the ther hand, are nt authritative. If an auditr applies the materials included in a CAQ publicatin then he r she shuld be satisfied that, in his r her judgment, it is bth apprpriate and relevant t the circumstances f his r her audit. The materials and views herein are nt intended as a substitute fr the prfessinal judgments applied by practitiners. The applicability and sufficiency f the material in particular circumstances are matters fr such judgment. Users f this dcument shuld be familiar with AS 5 and the terms and cncepts used in AS 5, as they are frequently used r referred t within this dcument. Users f this dcument als are encuraged t read ther publicatins issued by the PCAOB, SEC, and The Cmmittee f Spnsring Organizatins f the Treadway Cmmissin (COSO) that prvide further guidance t auditrs and management in perfrming Sectin 404 evaluatins. These dcuments are listed in the Intrductin and Purpse belw. This dcument is nt a substitute fr authritative technical literature and users are urged t refer directly t applicable authritative prnuncements fr the text f the technical standards. Any references t r qutatins frm authritative technical literature included in this dcument are intended nly t illustrate certain matters and t help users lcate certain infrmatin, nt t serve as a substitute fr careful study f th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 1

5 the relevant prnuncements. The infrmatin that is the subject f this dcument may change in material respects, and the CAQ is under n bligatin t update this dcument fr such changes. Intrductin and Purpse The effective and efficient executin f reprting n internal cntrl ver financial reprting (ICFR) pursuant t Sectin 404 f the Sarbanes-Oxley Act f 2002 (SOX) has been a fcus and pririty f issuers, auditing firms, investrs, the PCAOB, and the SEC since SOX was enacted. Regulatry fcus n the imprved implementatin f Sectin 404 by bth management and auditrs culminated with the 2007 issuance f the SEC s Cmmissin Guidance Regarding Management s Reprt n Internal Cntrl Over Financial Reprting Under Sectin 13(a) r 15(d) f the Securities Exchange Act f 1934 and the PCAOB s AS 5. Fr auditrs, AS 5 superseded Auditing Standard N. 2 (AS 2) and is intended t fcus auditrs n the mst imprtant matters in the audit f internal cntrl ver financial reprting and eliminate prcedures that the Bard believes are unnecessary t an effective audit f internal cntrl. One f the areas f specific cnsideratin in AS 5 is scalability f the audit f ICFR fr smaller, lesscmplex cmpanies. In applying the prvisins f AS 5 fr these cmpanies, careful cnsideratin is given t their unique attributes. In additin t AS 5 and the SEC s Guidance Regarding Management s Reprt, the fllwing guidance has been published t aid in Sectin 404 evaluatins and assessments: In 2009, the PCAOB published applicatin guidance fr auditrs f smaller, less-cmplex cmpanies in its publicatin Staff Views An Audit f Internal Cntrl Over Financial Reprting That Is Integrated with An Audit f Financial Statements: Guidance fr Auditrs f Smaller Public Cmpanies (PCAOB Guidance n AS 5). In 2006, COSO published guidance fr smaller cmpanies that applies the cncepts f the 1992 Internal Cntrl Integrated Framewrk and demnstrates hw these cmpanies may achieve their financial reprting bjectives. In 2009, COSO als released its Guidance n Mnitring Internal Cntrl Systems designed t clarify the mnitring cmpnent f internal cntrl (COSO Mnitring Guidance). T further supprt the bjective f perfrming effective and efficient integrated audits that benefit investrs, and particularly t assist in the initial implementatin f integrated audits by smaller auditing firms, auditrs with extensive experience implementing and executing integrated audits were assembled t share their insights and experiences btained as a result f the perfrmance f internal cntrl audit prcedures f bth accelerated and nn-accelerated filers. Als, pilt prjects f internal cntrl audit prcedures f certain nn-accelerated filers participants wh wuld nt therwise be required t have an integrated audit until fiscal years ending n r after December 15, and f smaller cmpanies that became accelerated filers fr the first time in 2007 were cnducted in rder t further understand th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 2

6 implementatin challenges that might be unique t the initial integrated audit fr a smaller, less-cmplex cmpany. This dcument is the result f the CAQ s effrts t cnvey the resulting practical knwledge btained. It is nt intended t duplicate r supplant the standards f the PCAOB r the PCAOB s guidance fr auditrs f smaller public cmpanies. This cllective knwledge is presented here as a series f Lessns Learned -- practical insights cllected frm auditrs t benefit auditrs. Althugh the primary intent f this dcument is t assist auditrs perfrming integrated audits fr the first time, many f these Lessns Learned may be applicable and relevant t recurring integrated audits. Executive Summary Perfrming an integrated audit requires that the auditr frm numerus judgments abut an entity s internal cntrl ver financial reprting and hw well it addresses risks f material misstatements in that entity s financial statements. As part f this prcess, the auditr must determine the amunt and type f evidence necessary t supprt a cnclusin by the auditr that an entity s system f internal cntrl is effective. Sectin 404 reprting requirements challenge bth management and auditrs t evaluate and assess the effectiveness f entities internal cntrl systems that cntribute t their financial reprts. This fcus n internal cntrl, and crdinating the internal cntrl audit in cnjunctin with the existing audit f the financial statements, presents a new envirnment fr auditrs. In the initial year f an integrated audit, cmparatively mre effrt may be necessary fr the auditr t frm judgments abut an entity s internal cntrl ver financial reprting, build up the auditr s experience, and btain supprt fr judgments. In subsequent years, as the auditr becmes mre prficient and btains mre experience in frming these judgments, the auditr s effectiveness and efficiency in executing an integrated audit generally increase. Each year the auditr nt nly re-evaluates his r her judgments, including risk assessments, but als may incrprate and build n knwledge btained in previus years audits. Auditrs als peridically may review the publicatins highlighted in the Intrductin and Purpse, which cntain valuable infrmatin and guidance. Certain cncepts are fundamental t perfrming an effective and efficient integrated audit in accrdance with AS 5. These cncepts are present thrughut this dcument and are summarized belw. The backgrund discussin and suggestins included in each f the individual Lessns Learned prvide insight int hw these cncepts have been applied. Cmmunicating and crdinating with management As nted in the Intrductin and Purpse, in 2007 the SEC published guidance t help management f public cmpanies, including small businesses, make assessments in accrdance with Sectin 404(a) f th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 3

7 SOX. Althugh there is a clse relatinship between the wrk perfrmed by management fr the purpses f its assessment and that perfrmed by the auditr fr the audit f ICFR, differences may exist between the evaluatin prcess and the level f dcumentatin management may cnsider necessary t supprt its annual assessment f ICFR and the audit prcess and the level f dcumentatin necessary fr the auditr t supprt his r her pinin n ICFR. Fr example, management s judgment regarding the cnduct f its evaluatin and the level f dcumented evidence necessary t supprt its assessment may be based n its daily interactin with its system f internal cntrls. The auditr, n the ther hand, is respnsible fr cnducting an independent audit. An auditr frms an pinin f the cntrl system nly after analysis and testing is cnducted with required prfessinal skepticism and dcumented supprt fr a prfessinal pinin in accrdance with prfessinal standards. This may require the auditr t take a different apprach t the evaluatin f the internal cntrl system and t perfrm mre tests and t btain mre extensive evidence t supprt an pinin n the effectiveness f ICFR than management needs fr its assessment. Despite differences that may exist in the evaluatin prcesses and in the level f dcumentatin management cnsiders necessary t supprt its assessment versus that required by the auditr t supprt the pinin n ICFR, ne f the best pprtunities fr efficiency in the audit f ICFR arises when the auditr can use the dcumentatin already prepared and testing already perfrmed by management. In pursuing these efficiencies, hwever, the auditr shuld be careful t avid even the appearance f attempting t limit the flexibility available t management in designing and implementing its prcess; bth the Cmmissin and the PCAOB have made it clear that the auditr shuld nt be attempting t direct management in the design r implementatin f its evaluatin prcess r assessment decisin. Nnetheless, the Cmmissin has nted that it agree(s) with thse cmmenters that suggested crdinatin between management and auditrs n their respective effrts will ensure that bth the evaluatin by management and the independent audit are cmpleted in an efficient and effective manner. 1 Balancing the ntins f nt interfering with management s prcess with trying t achieve the 1 SEC Release Ns ; ; FR-77; File N. S (June 20, 2007). In additin, in a May 16, 2005 press release, the Securities and Exchange Cmmissin stated: We encurage frequent and frank dialgue amng management, auditrs and audit cmmittees with the gal f imprving internal cntrls and the financial reprts upn which investrs rely. Management f all cmpanies - large and small - shuld nt fear that a discussin f internal cntrls with, r a request fr assistance r clarificatin frm, the auditr will, itself, be deemed a deficiency in internal cntrl. Mrever, as lng as management determines the accunting t be used and des nt rely n the auditr t design r implement the cntrls, we d nt believe that the auditr's prviding advice r assistance, in itself, cnstitutes a vilatin f ur independence rules. Bth cmmn sense and sund plicy dictate that cmmunicatins must be nging and pen in rder t create the best envirnment fr prducing high quality financial reprting and auditing; cmmunicatins must nt be s restricted r frmalized that their value is lst th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 4

8 mst effective and efficient audit may mean that nt nly shuld the auditr use the wrk f management and thers when apprpriate and as permitted by the current prfessinal standards, but als that the auditr shuld have an pen line f cmmunicatin with management and the audit cmmittee s that they may discuss hw changes in either the cmpany s r the auditr s prcedures might save verall time, effrts r csts withut diminishing the effectiveness f each prcess and assessment, r the cntrl each has ver its wn prcess and assessment. Auditrs histrically have had such cmmunicatins with management regarding the dcumentatin and prcedures related t the preparatin f the cmpany s financial statements, which have been expanded t include the audit f internal cntrl ver financial reprting. In the years befre the auditr is required t issue an attestatin reprt in accrdance with SOX Sectin 404(b) fr nn-accelerated filers, when the auditr is nt pining n the effectiveness f ICFR (unless requested t d s by management), the auditr nevertheless is required t btain an understanding f internal cntrl in designing audit prcedures fr the audit f the financial statements 2. Management f nn-accelerated filers is required t file an assessment f internal cntrl ver financial reprting in accrdance with SOX Sectin 404(a) in annual reprts fr fiscal years ending n r after December 15, 2007 and, therefre, even prir t perfrming the first integrated audit the auditr may cnsider hw t use management s dcumentatin and testing f internal cntrl in cnjunctin with the audit f the financial statements. The auditr als is encuraged t begin t plan and discuss with management and the audit cmmittee any areas where crdinatin between management and auditrs culd increase the auditr s ability t use management s dcumentatin and testing t increase the efficiency in the first integrated audit. Althugh it is slely management s decisin f whether t implement any changes t its evaluatin prcess, the auditr may be able t prvide valuable feedback t management regarding its evaluatin prcess as a result f experience the audit firm has btained in cnducting ther audits f internal cntrl ver financial reprting. As a separate but related matter, auditrs shuld be cgnizant that in the reprting perids befre they are required t issue an attestatin reprt in accrdance with SOX Sectin 404(b), if the auditr becmes aware f infrmatin that gives rise t the belief that management s assertin n the effectiveness f 2 Under the rules f the Securities and Exchange Cmmissin, management f each nn-accelerated filer is required t file its reprt n the cmpany s internal cntrl ver financial reprting under SOX 404(a) in annual reprts fr fiscal years ending n r after December 15, Thse rules require nn-accelerated filers t prvide auditr attestatin reprts under SOX 404(b) in annual reprts fr fiscal years ending n r after December 15, See SEC Release N ; (June 26, 2008). In accrdance with AU the auditr is t btain an understanding f internal cntrl sufficient t plan the audit by perfrming prcedures t understand the design f cntrls relevant t an audit f financial statements and determine whether they have been placed in peratin th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 5

9 internal cntrl cntains a material misstatement f fact, the auditr has certain respnsibilities in accrdance with AU 550 and Sectin 10A f the Securities Exchange Act f Planning an integrated audit Planning requires a significant amunt f judgment, and the decisins made in planning are critical t the effectiveness and efficiency f an audit. The principles invlved in the identificatin f risk and determinatin f significant accunts and disclsures and their relevant assertins, are the same fr the audit f the financial statements and the audit f ICFR (refer t AS 5, paragraph 31). Therefre, planning perfrmed n an integrated basis helps t achieve the bjective f an integrated audit and eliminates redundancy. Once the determinatin f significant accunts and disclsures and their relevant assertins have been made, the auditr decides hw he r she will gather sufficient evidence fr the purpses f frming pinins bth n the effectiveness f ICFR and n the fairness f the financial statements. T effectively and efficiently integrate the audit f the financial statements and the audit f ICFR, the auditr needs t decide whether t test cntrls: (1) thrughut the perid f reliance fr purpses f the audit f the financial statements 4 (cmmnly referred t as a cntrls reliance apprach) 5 which, t the extent apprpriate, may reduce the amunt f substantive wrk necessary t supprt the audit f the financial 3 Auditrs can refer t CAQ Alert # December 19, 2007 with respect t cnsideratins regarding the auditr s rle relative t management s reprt n its assessment f internal cntrl ver financial reprting when, under the SEC s transitin prvisins fr nn-accelerated filers, an auditr attestatin is nt required. Auditrs als shuld cnsider the requirements under AU 325, Cmmunicatin f Internal Cntrl Related Matters Nted in an Audit, t reprt certain cnditins related t an entity s internal cntrl bserved during an audit f financial statements t the audit cmmittee r t thse with equivalent authrity in rganizatins that d nt have an audit cmmittee. 4 AS 5 paragraph B4 states: T express an pinin n the financial statements, the auditr rdinarily perfrms tests f cntrls and substantive prcedures. The bjective f the tests f cntrls the auditr perfrms fr this purpse is t assess cntrl risk. T assess cntrl risk fr specific financial statement assertins at less than the maximum, the auditr is required t btain evidence that the relevant cntrls perated effectively during the entire perid upn which the auditr plans t place reliance n thse cntrls. Hwever, the auditr is nt required t assess cntrl risk at less than the maximum fr all relevant assertins and, fr a variety f reasns, the auditr may chse nt t d s. 5 Nte that a planning decisin t use a cntrls reliance apprach assumes that cntrls are perating effectively ver the perid f reliance, which can nt be validated until the perating effectiveness is tested thrughut the perid. Therefre, fr the purpses f planning where a cntrls reliance apprach may be apprpriate, the auditr makes planning decisins cnsidering infrmatin btained frm management s testing f cntrls fr its assessment and/r the auditr s testing f the cntrls in previus year s audits (if the cntrls were tested in prir years) th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 6

10 statements 6 ; r (2) nt take a cntrls reliance apprach fr the audit f the financial statements (cmmnly referred t as a substantive apprach) and nly test ICFR fr the purpse f expressing an pinin n internal cntrl ver financial reprting at the as-f date (the latest balance sheet date) 7. An auditr might decide t use a cntrls reliance apprach fr certain aspects r prtins f the integrated audit and a substantive apprach fr ther aspects r prtins f the integrated audit. The auditr s decisins with respect t testing f cntrls will depend n facts and circumstances and will be affected by varius factrs including the nature f the risk f misstatement due t ineffective cntrls, the reliability f evidence f the effectiveness f the cntrls, inherent risk with respect t the accunts being tested and the incremental cst f perfrming sufficient tests f cntrls during the perid f reliance t supprt a cntrls reliance apprach. Using a tp-dwn, risk-based apprach Appraching the audit f ICFR frm a tp-dwn, risk-based perspective (as described in AS 5) effectively crrelates the amunt f audit effrt expended with the degree f risk that a material weakness culd exist in a particular area f an entity s ICFR. Using this apprach, greater attentin is fcused in the areas f greater risk. A tp-dwn apprach directs the auditr initially t cnsider risk at the financial statement level and cntrls at the entity level befre mving dwnward t cnsider risk -- and cntrls that address thse risks -- t the significant accunts and disclsures and relevant assertins. The tp-dwn, risk-based apprach has been a fcal pint in imprving the implementatin f Sectin 404. Many f the early integrated audits and management assessments were cnducted using what is cmmnly referred t as a bttms-up apprach. A bttms-up apprach generally starts with an evaluatin f risks, and testing f cntrls t address thse risks, at the prcess, significant accunt r relevant assertin level. This apprach can result in the unnecessary testing f cntrls that address risks that are nt material t the financial statements verall. A significant amunt f guidance n applying a tp-dwn, risk-based apprach has been published fr bth auditrs and management by the PCAOB, SEC and COSO as well as by the auditing prfessin. Sme practical suggestins t assist auditrs in 6 AS 5 paragraph B7 states: Regardless f the assessed level f cntrl risk r the assessed risk f material misstatement in cnnectin with the audit f the financial statements, the auditr shuld perfrm substantive prcedures fr all relevant assertins. Perfrming prcedures t express an pinin n internal cntrl ver financial reprting des nt diminish this requirement. 7 AS 5 paragraph B2 states: T express an pinin n internal cntrl ver financial reprting as f a pint in time, the auditr shuld btain evidence that internal cntrl ver financial reprting has perated effectively fr a sufficient perid f time, which may be less than the entire perid (rdinarily ne year) cvered by the cmpany s financial statements th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 7

11 successfully applying a tp-dwn, risk-based apprach have been listed belw and are addressed in further detail in Lessn Learned #13. Cnsider what infrmatin may already be available t prvide a starting pint with respect t assessing the risks t the financial statements. Management s evaluatin prcess is likely the best and mst natural starting pint assuming that management has applied a tp-dwn, risk-based apprach as encuraged in the SEC s guidance fr management. Discussins with tp-level management and the audit cmmittee abut the risks they perceive t the financials statements may als prvide valuable insight. Inherent risk assessments made fr the purpses f the financial statement audit shuld be the same as the audit f ICFR and infrmatin frm recent quarterly reviews and prir year audits can infrm current year risk assessments. Lk fr the cntrls that address the mst risks. Management r the audit cmmittee may be mnitring r perfrming activities that address the risk t numerus financial statement line items, significant accunts r disclsures r relevant assertins. These types f entity-level cntrls may directly address identified risks. Mre ften, hwever, these entity-level cntrls will functin tgether with ther cntrls at the prcess r transactin-level t address the material risks t accurate financial reprting. Therefre, when identifying and evaluating these cntrls the auditr shuld cnsider whether the entity-level cntrl itself sufficiently addresses identified risks r whether testing the identified entity-level cntrl culd result in a reduced level f testing f related transactin-level cntrls. Again, management s evaluatin prcess is likely the mst apprpriate starting pint fr this prcess because management likely will have identified these entity-level cntrls fr the purpses f its wn assessment. Identifying cntrls t address identified risks in a tp-dwn, risk-based apprach is discussed further in Lessn Learned #17. Cnsider rating identified risks n a cntinuum frm lwer t higher risk. Once a risk has been identified, the nature, timing and extent f testing necessary t address that risk may vary. Rating risks will help the auditr t ensure the amunt f audit wrk being cntemplated is apprpriate and cmmensurate with the amunt f risk invlved 8. Risk rating is discussed further in Lessn Learned #19. 8 AS 5 paragraph 11 states: A direct relatinship exists between the degree f risk that a material weakness culd exist in a particular area f the cmpany s internal cntrl ver financial reprting and the amunt f audit attentin that shuld be devted t that area. The auditr shuld fcus mre f his r her attentin n the areas f highest risk. On the ther hand, it is nt necessary t test cntrls that, even if deficient, wuld nt present a reasnable pssibility f material misstatement t the financial statements th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 8

12 Organizatin f the Dcument Fr the purpses f quick reference and t facilitate ease f use, the Lessns Learned have been aggregated and rganized int relevant sectins as fllws: Sectin 1 (Lessns Learned 1-5): Understand and Use Management s Assessment and Dcumentatin as a Starting Pint. This sectin discusses hw auditrs can start t prepare fr an audit f ICFR, the imprtance f cmmunicating with management, using management s wrk in the audit f ICFR, identifying risks and cntrls that may have a pervasive impact n the audit f ICFR, and cnsidering the effect f any unremediated deficiencies. Sectin 2 (Lessns Learned 6-10): Integrate the Audits. This sectin discusses planning the audit f ICFR and the audit f the financial statements in an integrated manner, cnsidering the apprach fr the audit f the financial statements and audit prcedures that may meet the bjectives f bth audits, and hw the results f substantive prcedures infrms the auditr s risk assessments fr the audit f ICFR. Sectin 3 (Lessns Learned 11 & 12): Establish the Right Team. This sectin utlines cnsideratins in selecting and assigning a team t an audit f ICFR and the relevant skills and experience that will help t ensure the effectiveness and efficiency f the audit. Sectin 4 (Lessns Learned 13-16): Identify Material Risks t Reliable Financial Reprting. This sectin discusses applying a tp-dwn, risk-based apprach, effectively perfrming risk assessments, understanding the likely surces f ptential misstatement and tailring the audit prcedures t achieve the bjectives f an audit f ICFR, and cnsidering IT in the risk assessment prcess. Sectin 5 (Lessn Learned 17): Identify Cntrls Necessary t Sufficiently Address Identified Risks. This sectin discusses hw cntrls are effectively identified in a tp-dwn, risk-based apprach and discusses the evaluatin f entity-level cntrls versus transactin-level cntrls. Sectin 6 (Lessns Learned 18-21): Take a Risk-based Apprach t Testing Identified Cntrls. This sectin discusses crdinating with management fr use f the wrk f thers, varying the nature, timing and extent f cntrl testing at an apprpriate level cmmensurate with identified risks, and the extent f testing necessary when cntrl deficiencies are identified th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 9

13 Sectin 1: Understand and Use Management s Assessment and Dcumentatin as a Starting Pint Lessn Learned #1 Take advantage f the cmpany s internal cntrl evaluatin prcess and dcumentatin, where practical, in cnnectin with financial statement audits perfrmed in years prir t the first integrated audit. Backgrund: Nn-accelerated filers were required t reprt n their ICFR under sectin 404(a) f SOX and the Cmmissin s rules beginning with annual reprts fr fiscal years ending n r after December 15, Hwever, under SEC reprting requirements, nn-accelerated filers are nt required t file auditr attestatin reprts n ICFR under sectin 404(b) until the filing f annual reprts fr fiscal years ending n r after December 15, In a financial statement audit, under AU an auditr is required t gain an understanding f internal cntrl sufficient t plan the audit f the financial statements. (Nte: Fr purpses f pining n the effectiveness f ICFR in an integrated audit, the evaluatin f the design f ICFR ften is mre rigrus in terms f identifying the likely causes f significant misstatements and related cntrl activities than may be perfrmed when understanding the design f internal cntrl fr purpses f planning a financial statement audit.) The auditr als decides whether t test internal cntrls t enable the auditr t take a cntrl reliance apprach in the audit f the financial statements. In years prir t the first integrated audit fr accelerated filers, sme auditrs began r expanded their testing f internal cntrls, where practical, in cnnectin with the audit f the financial statements (e.g., particularly fr thse areas where management was significantly cmplete with their 404(a) 9 AU (relevant t audits f financial statements) states the fllwing: In all audits, the auditr shuld btain an understanding f internal cntrl sufficient t plan the audit by perfrming prcedures t understand the design f cntrls relevant t an audit f financial statements and determining whether they have been placed in peratin th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 10

14 readiness activities and the additinal testing f internal cntrl wuld likely result in sme level f reductin f the substantive testing effrts). These effrts ften resulted in the fllwing benefits: A reductin in the substantive testing fr the financial statement audit in the current year. A fundatin t enhance the effectiveness and efficiency f the integrated audit in the fllwing year. Fr example: A mre thrugh understanding f the cmpany s ICFR, including the nature f dcumentatin available frm the cmpany. As a result, the auditrs were better able t crdinate and use management s evaluatin prcess and dcumentatin t realize greater efficiencies in the first year f perfrming an integrated audit. An established cntrl reliance apprach that facilitated efficiencies in the integrated audit in the first year (refer t Lessn Learned #7). Nn-accelerated filers represent an added pprtunity (as cmpared t the accelerated filers) in that management fr nn-accelerated filers began cmplying with Sectin 404(a) f SOX in cnnectin with annual reprts fr fiscal years ending n r after December 15, Therefre, management will evaluate ICFR in the current year, which may prvide mre f an pprtunity fr the auditr t begin benefiting frm management s evaluatin prcess and dcumentatin while cnducting an audit f a nn-accelerated filer s financial statements and befre an attestatin reprt is required. Suggestins: As part f the financial statement audit in years prir t perfrming an integrated audit, cnsider pprtunities t expand the auditr s cnsideratin and testing f internal cntrl. Fr example: Begin by understanding management s evaluatin prcess and the underlying dcumentatin. Educate management and the audit cmmittee abut the pprtunities, cnsideratins, and benefits f the auditr utilizing the wrk perfrmed by management r by thers in supprt f management s assessment. Discuss with management any suggestins as t hw mdificatins in their evaluatin prcess and dcumentatin might enhance the efficiency f the integrated audits fr fiscal years ending n r after December 15, 2009 (refer t Lessn Learned #2). Fr example, discuss with management the cncepts f sample sizes fr cntrl testing cmmnly accepted thrughut the auditing prfessin t maximize the pprtunity fr the use f management s wrk. Utilize management s dcumentatin fr purpses f gaining an understanding f internal cntrl sufficient t plan the financial statement audit. Cnsider beginning r expanding the testing f internal cntrls, where practical, in cnnectin with the audit f the financial statements. In particular cnsider thse areas where th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 11

15 the additinal testing f internal cntrl wuld likely result in sme level f reductin f the substantive testing effrts, using management s wrk, where apprpriate. Lessn Learned #2 Early and frequent cmmunicatin and crdinatin between management and the external auditrs create a mre effective and efficient audit prcess. Backgrund: Management and the auditr have wrked tgether fr years in terms f streamlining the auditr s infrmatin gathering effrts and dcumentatin requirements (e.g., trial balances, schedules, analyses and recnciliatins and supprting evidence) in the audit f the financial statements. The integrated audit expands the scpe f these crdinatin effrts t the audit f internal cntrl; i.e. fr the auditr t efficiently btain the infrmatin t perfrm the necessary audit prcedures t cmply with AS 5. It is imprtant t recgnize that the crdinatin f effrts is nt fr the purpse f dictating t management hw they shuld perfrm their evaluatin; rather it is fr the purpse f infrming management as t hw management s existing evaluatin prcess either currently supprts the auditr s efficiency r hw it culd be enhanced. Accrdingly, it is management s decisin as t what enhancements t make t their evaluatin apprach and dcumentatin. Thse accelerated filer and pilt engagement teams that interacted early and ften with management t help management understand the auditrs bjectives were able t maximize the use f management s dcumentatin, which reduced the need fr auditrs t create their wn dcumentatin. Management is respnsible fr determining what is required t supprt its assessment cnclusin abut the effectiveness f ICFR, which may be different frm what auditrs need t have t supprt their pinin. Accrdingly, the extent t which management s wrk and dcumentatin will meet the auditr s needs will vary. Under AS 5, the auditr des nt evaluate the adequacy f management s assessment prcess; hwever, the quality f management s dcumentatin can impact the auditr s efficiency. Sme cmpanies decided t supplement their expertise and resurces by engaging third party advisrs t assist them, fr example, in implementing an evaluatin prcess, enhancing dcumentatin r perfrming testing th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 12

16 Many accelerated filers frequently review their apprach t evaluating ICFR in rder t imprve the effectiveness and efficiency f their assessment prcess f ICFR. Because each cmpany s evaluatin prcess and dcumentatin is different, it is imprtant as a starting pint fr the auditr t identify thse aspects f management s prcess and dcumentatin that may be used during the audit. Fr example: In sme cases, management s dcumentatin may require very little, if any, supplementatin by the auditr. In ther cases, management s dcumentatin may represent a viable starting pint but may nt cntain all the infrmatin the auditr believes is needed t cmply with auditing standards. If management pts nt t enhance its dcumentatin, it is suggested that auditrs cnsider supplementing management s dcumentatin as ppsed t defaulting t prepare their wn, separate dcumentatin. A lessn learned in bth the integrated audits f accelerated filers and the pilt engagements was t make the decisin early in the audit prcess regarding whether r nt management s dcumentatin may be utilized efficiently by the auditr. If management s dcumentatin wuld nt make the audit prcess mre efficient, then d nt expend time and resurces (bth the auditr s and management s) trying t have management enhance their dcumentatin. Suggestins: Start by understanding management s prcess and dcumentatin in its latest evaluatin f internal cntrls. Begin this phase as early as pssible t prvide sufficient time t allw fr changes in apprach by management r the auditr. Auditrs are encuraged t prvide management with insights, suggestins and cnsideratins based n the auditr s experience. Such discussins might include hw management may cnduct its assessment mre effectively and efficiently and als may prvide management with a better understanding f hw the auditr can utilize management s wrk in accrdance with PCAOB standards. It is entirely management s decisin, hwever, whether t change its prcedures r dcumentatin. The auditr cannt design r test the internal cntrl system fr management as part f management s assessment prcess. Fr the fllwing aspects f the auditr s apprach, cnsider the extent that management s evaluatin prcess and dcumentatin represents a gd starting pint t supprt the auditr s requirements under AS 5: Risk assessment prcess, including the risk f fraud (refer t Sectin 4) th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 13

17 Scping f lcatins r business units, identificatin f the significant accunts/disclsures and relevant assertins, and linking t the underlying prcesses, applicatin systems and cmputing envirnments (refer t Sectin 4). Dcumentatin f the relevant flws f transactins. Identificatin f cntrls that are imprtant t the auditr s cnclusin abut whether the cmpany s cntrls sufficiently address the assessed risk f misstatement ( i.e., cntrls that are imprtant t the audit) and the descriptin and details f the identified relevant cntrl activities, including the identificatin f entity-level cntrls 10 (refer t Sectin 5). Nature, timing, and extent f testing and related dcumentary evidence f perating effectiveness (refer t Sectin 6). Updating interim cnclusins t the as-f date (refer t Sectin 6). Accumulating, tracking and evaluating deficiencies. Lessn Learned #3 Crdinate with management regarding the timing f its wrk t enable the auditr t utilize management s wrk t the extent permitted by PCAOB standards. Backgrund: In sme cases, management perfrmed ICFR testing and cmpleted dcumentatin t late in the year fr the auditr t be able t efficiently use management s dcumentatin and testing. Experience with the pilt engagements has shwn that in thse cases where management was able t cmplete its evaluatin prcess and dcumentatin sufficiently in advance f the auditr, the 10 Refer t ftnte 21 n page 10 f the SEC Guidance Regarding Management s Reprt n Internal Cntrl Over Financial Reprting Under Sectin 13(a) r 15(d) f the Securities Exchange Act f 1934 fr a discussin f the term th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 14

18 engagement teams believed they were mre effective and efficient than thse engagements where management and the auditr were bth perfrming their prcedures cncurrently; fr example, typically in the furth quarter r after year-end. Suggestins: Discuss with management its timeline fr the varius phases f management s evaluatin. This will enable the external auditr t plan their prcedures t utilize management s testing and dcumentatin as efficiently as pssible. Fr example, crdinatin may ccur: When management plans t prepare r update (i) its scping/risk assessment dcumentatin, (ii) any prcess descriptins that may be helpful t the auditr and (iii) the dcumentatin f the design f ICFR (the relevant risks and descriptin f the cntrl activities that mitigate thse risks). When management plans t btain and evaluate its evidence f the perating effectiveness f the relevant cntrl activities, including the cnsideratin f any nging mnitring cntrls that perate thrughut the year. Fr example, if recnciliatin cntrls in a given area are deemed t be imprtant t ICFR, an effective internal cntrl mnitring prcess by management (such as a supervisr effectively reviewing the recnciliatin and determining whether it was prepared prperly) might prvide adequate supprt as t whether the recnciliatin cntrls are perating effectively. If s, management and the auditr might cnsider testing thse mnitring prcedures at an interim date and perfrming any necessary rll-frward prcedures. Nte: Be sure t include in the discussins the cnsideratin f any relevant activities and cntrls perfrmed by service rganizatins and the rle and timing f any third parties assisting management with its assessment. 11 If management hlds peridic status meetings with representatives respnsible fr the cmpany s evaluatin (including the prject team leader, internal audit, third party cnsultants, and IT persnnel) the external auditr culd request t attend thse meetings. Such meetings are an effective means t enhancing crdinatin, and may include discussing testing plans, status f wrk, findings t date, planned timing f remediatin f deficiencies and planned testing fr remediated items. If management des nt hld peridic status meetings fr the purpses f its evaluatin, explre with 11 Auditrs may wish t stress with management the imprtance f addressing cntrl weaknesses and user cnsideratins cited in service auditr reprts prepared in accrdance with Statement n Auditing Standards N. 70, Service Organizatins, as amended th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 15

19 management the pssibility f having such meetings fr the benefit f crdinating management s evaluatin prcess with the wrk perfrmed fr the audit. In crdinatin with management, als regularly update the audit cmmittee n the prgress f the audit and any issues identified t date. Lessn Learned #4 Early in the prcess identify and assess thse risks and cntrls that may have a pervasive impact n the assessment and effectiveness f ICFR. Backgrund: Auditrs have fund that certain aspects f ICFR can have a pervasive effect n the cmpany s internal cntrl system such that the ineffectiveness f thse aspects f the cntrl system can impair the effectiveness f underlying, lwer level cntrls and can result in the need t reassess the auditr s apprach t the financial statement audit. One example may be inapprpriate segregatin f duties (e.g., there is a lack f segregatin f duties within the financial clsing and reprting functin and higher level mitigating cntrls such as senir management review are nt in place r effective), which culd render the underlying lwer level cntrls in ne r mre prcesses ineffective in preventing r detecting material misstatements f the financial statements. Early identificatin f pervasive deficiencies can eliminate unnecessary testing f the affected lwer level cntrls. Auditrs have fund that certain effective entity-level cntrls may reduce r eliminate the need t test lwer level cntrls (refer t Sectin 5). Suggestins: Crdinate with management early in the prcess t identify thse areas where ineffective cntrls may have a pervasive impact n ther cntrls. Carefully cnsider hw the existence f such issues may affect the integrated audit plan fr the underlying prcess level cntrls and fr the financial statement audit. Areas t fcus n first may include the entity-level cmpnents; e.g. the cntrl envirnment, risk assessment, mnitring and infrmatin/cmmunicatin (including general cmputer cntrls) and the financial reprting and clsing prcess th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 16

20 Als specifically cnsider thse risks and characteristics that may typically have pervasive effects n effective internal cntrl in smaller cmpanies such as segregatin f duties, management verride, financial reprting cmpetencies, and effectiveness f the bard f directrs and audit cmmittee (Refer t the PCAOB s Staff Guidance n Auditing Internal Cntrl in Smaller Public Cmpanies and COSO Internal Cntrl ver Financial Reprting Guidance fr Smaller Public Cmpanies fr cnsideratins specific t smaller, less-cmplex cmpanies). Lessn Learned #5 Cnsider the implicatins f any unremediated deficiencies. Backgrund: The extent t which management has already identified ptential cntrl deficiencies, cnsidered their severity and priritized them, and develped and executed plans t address them can affect the timing and extent f the auditr s prcedures. This includes, but is nt limited t: Timing deferral f testing until after the deficiencies have been remediated t avid the cst f re-testing thse areas affected by the deficiencies. Extent the determinatin f the extent f testing necessary t cnclude that a cntrl is deficient and the implicatins t the extent f evidence fr ther cntrls impacted by the deficiency (See Chapter 8 f the PCAOB s Staff Guidance n Auditing Internal Cntrl in Smaller Public Cmpanies) and whether a cntrl reliance apprach, which culd reduce the scpe f substantive testing, cntinues t be apprpriate (refer t the Appendix f AS 5). In additin t deficiencies identified by management, the auditr als cnsiders the impact f any unremediated deficiencies identified in cnnectin with the mst recent financial statement audit and quarterly reviews, including the implicatins f any misstatements identified. Management and auditrs have identified deficiencies as a result f their testing where sme f thse deficiencies were nt significant t the auditr s pinin n the verall effectiveness f ICFR, yet sme auditrs felt cmpelled t retest the cntrls when remediated by management. In the pilt engagements, engagement teams first cnsidered their findings frm the prir year audit and quarterly reviews in the current year, including any identified deficiencies. Fr example, in ne th Street NW, Suite 800N, Washingtn, DC 20005, (202) Affiliated with the American Institute f CPAs 17