(The news featured below is a selection from the news covered in SEC Today, which is distributed to subscribers of SEC Today.)

Steps for a Top-Down, Risk-Based Approach to Internal Controls Over Financial Accounting

Compliance Week recently presented a webcast, sponsored by Paisley, an independent vendor of software for governance, risk and compliance, on implementing a top-down, risk-based approach to internal controls over financial reporting. The webcast featured a slide presentation by Bruce McCuaig, chief risk officer, and Mike Rost, vice president of marketing, at Paisley. McCuaig said the PCAOB's proposed Auditing Standard No. 5 is consistent and compatible with the SEC's proposed guidance for management, both of which are risk-based and control-focused. McCuaig said the proposals represent a significant shift from Auditing Standard No. 2.

McCuaig noted that the SEC's and PCAOB's proposals have not satisfied everyone. The Consumer Federation of America has criticized the proposals, he said, and CFA represents the people that the proposals are designed to protect. Some see the revisions as providing more flexibility, while others see them as ambiguous.

McCuaig said that SEC Chairman Christopher Cox has pledged to adopt the guidance for management by May 23. The PCAOB is expected to adopt its final standard in the near future. McCuaig said to look for a better alignment between the proposals, improved scalability for smaller companies, a better use of audit risk assessments in determining the procedures to perform and broader principles on using the work of others.

McCuaig said that while the proposals are pending, doing nothing makes no sense. Most companies will want to move cautiously ahead in anticipation of the final provisions. A top-down, risk-based approach requires rigorous planning, he said. He recommended an approach broadly based on AS5 and believes costs can be driven down. He predicted a better dialogue between issuers and their auditors and improved internal controls over financial reporting.

McCuaig reviewed what he described as essentials for a top-down, risk-based approach, starting with the hard controls. First, identify and assess company level controls, document and test the controls, and identify and remediate any gaps. Harden the control environment, he said, which can be based on the COSO guidance and widely available survey tools.

Organizations must assess the risk of fraud. This assessment may include the use of risk scenarios from other companies, a review of statistics on restatements or a review of data on reported deficiencies. McCuaig recommended that companies look at the headlines and ask whether certain events could happen to them.

Period-end financial reporting is extremely risky, according to McCuaig. A significant percentage of reported deficiencies have been related to period-end processes. Auditors should focus at the corporate level and on all significant entities, he said. Assess the period-end process and the recurring and non-recurring adjustments, and consider closing journal entries and balance transactions to the general ledger.

McCuaig referred to the PCAOB's recent report on the second year of compliance with AS2, which found that auditors tend to determine significant accounts solely on qualitative factors. The PCAOB urged consideration of both qualitative and quantitative factors, he noted, such as susceptibility, volume/complexity circumstances and control implications. Assess specific risks and specific factors with respect to the significant accounts.

McCuaig said that management should be involved in identifying relevant assertions and recommended that they be minimized. Focus on what could go wrong, he said. According to a white paper prepared by Paisley, assertions are one of the most significant cost drivers. Assertions must present a reasonable possibility of material misstatements.

When considering major business locations, McCuaig said not to use dollars as the major criterion. Consider such factors as the quality of internal controls, susceptibility to fraud, the size and value of the business unit, number of employees and historical business performance.

In identifying major classes of transactions, McCuaig said auditors must understand how transactions are initiated, authorized, processed and recorded. They should identify the risk points and the controls that have been implemented to address potential misstatements. Rate the process critically and monitor process performance, he said.

Keep an eye on the impact of information technology on internal control over financial reporting, McCuaig said. IT has not been a key factor in producing deficiencies, so review the IT general controls and test the minimum that is deemed necessary.

The remaining steps outlined in the white paper address the selection of controls to test, the testing of control design and operating effectiveness, maximizing reliance on ICFR work, evaluating and remediating any deficiencies, and providing management's opinion on ICFR effectiveness.

AS5 turns AS2 on its head, according to McCuaig. He said it requires different methodology and skills. The goal is to drive down costs and drive up efficiency. AS2 drove us down the wrong path, he said, but AS5 should bring us back.

Jacquelyn Lumb