(The news featured below is a selection from the news covered in SEC Today, which is distributed to subscribers of SEC Today.)
Steps for a Top-Down, Risk-Based Approach to Internal Controls Over
Financial Accounting
Compliance Week recently presented a webcast, sponsored by
Paisley, an independent vendor of software for governance, risk and compliance,
on implementing a top-down, risk-based approach to internal controls over
financial reporting. The webcast featured a slide presentation by Bruce McCuaig,
chief risk officer, and Mike Rost, vice president of marketing, at Paisley.
McCuaig said the PCAOB's proposed Auditing Standard No. 5 is consistent and
compatible with the SEC's proposed guidance for management, both of which are
risk-based and control-focused. McCuaig said the proposals represent a
significant shift from Auditing Standard No. 2.
McCuaig noted that the SEC's and PCAOB's proposals have not
satisfied everyone. The Consumer Federation of America has criticized the
proposals, he said, and CFA represents the people that the proposals are
designed to protect. Some see the revisions as providing more flexibility, while
others see them as ambiguous.
McCuaig said that SEC Chairman Christopher Cox has pledged
to adopt the guidance for management by May 23. The PCAOB is expected to adopt
its final standard in the near future. McCuaig said to look for a better
alignment between the proposals, improved scalability for smaller companies, a
better use of audit risk assessments in determining the procedures to perform
and broader principles on using the work of others.
McCuaig said that while the proposals are pending, doing
nothing makes no sense. Most companies will want to move cautiously ahead in
anticipation of the final provisions. A top-down, risk-based approach requires
rigorous planning, he said. He recommended an approach broadly based on AS5 and
believes costs can be driven down. He predicted a better dialogue between
issuers and their auditors and improved internal controls over financial
reporting.
McCuaig reviewed what he described as essentials for a
top-down, risk-based approach, starting with the hard controls. First, identify
and assess company level controls, document and test the controls, and identify
and remediate any gaps. Harden the control environment, he said, which can be
based on the COSO guidance and widely available survey tools.
Organizations must assess the risk of fraud. This
assessment may include the use of risk scenarios from other companies, a review of
statistics on restatements or a review of data on reported deficiencies. McCuaig
recommended that companies look at the headlines and ask whether certain events
could happen to them.
Period-end financial reporting is extremely risky,
according to McCuaig. A significant percentage of reported deficiencies have
been related to period-end processes. Auditors should focus at the corporate
level and on all significant entities, he said. Assess the period-end process,
the recurring and non-recurring adjustments, consider closing journal entries
and balance transactions to the general ledger.
McCuaig referred to the PCAOB's recent report on the second
year of compliance with AS2, which found that auditors tend to determine
significant accounts solely on qualitative factors. The PCAOB urged
consideration of both qualitative and quantitative factors, he noted, such as
susceptibility, volume/complexity circumstances and control implications. Assess
specific risks and specific factors with respect to the significant accounts.
McCuaig said that management should be involved in
identifying relevant assertions and recommended that they be minimized. Focus on
what could go wrong, he said. According to a white paper prepared by Paisley,
assertions are one of the most significant cost drivers. Assertions must present
a reasonable possibility of material misstatements.
When considering major business locations, McCuaig said not
to use dollars as the major criterion. Consider such factors as the quality of
internal controls, susceptibility to fraud, the size and value of the business
unit, number of employees and historical business performance.
In identifying major classes of transactions, McCuaig said
auditors must understand how transactions are initiated, authorized, processed
and recorded. They should identify the risk points and the controls that have
been implemented to address potential misstatements. Rate the process critically
and monitor process performance, he said.
Keep an eye on the impact of information technology on
internal control over financial reporting, McCuaig said. IT has not been a key
factor in producing deficiencies, so review the IT general controls and test the
minimum that is deemed necessary.
The remaining steps outlined in the white paper address the
selection of controls to test, the testing of control design and operating
effectiveness, maximizing reliance on ICFR work, evaluating and remediating any
deficiencies, and providing management's opinion on ICFR effectiveness.
AS5 turns AS2 on its head, according to McCuaig. He said it
requires different methodology and skills. The goal is to drive down costs and
drive up efficiency. AS2 drove us down the wrong path, he said, but AS5 should
bring us back.
Jacquelyn Lumb