The SEC has recently approved the PCAOB’s Auditing Standard #5 for Independent Auditors opining on internal controls for financial reporting (ICFR) for SEC reporting companies. Enclosed is a synopsis of the Standard taken directly from the PCAOB, along with Taylor White’s interpretation.
Internal control over financial reporting
Internal control over financial reporting is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. It includes those policies and procedures that
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.
“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.”
Taylor White Interpretation
The process companies are undertaking to be compliant with this provision should be focused on financial reporting internal controls and not process or activity level controls. Many consultants and independent auditors have spent unnecessary time on process level controls because they did not recognize the distinction between the two types of control processes. Financial reporting controls have always been the focus of Taylor White Sarbanes Oxley engagements.
Role of Risk Assessment
10. Risk assessment underlies the entire audit process described by this standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
11. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand it is not necessary to test controls which, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
Taylor White Interpretation
In remaining focused on financial reporting controls it is not necessary to identify or test every process control, but rather only those that satisfy management’s financial statement assertions related to:
- Existence or occurrence
- Valuation or allocation
- Rights and obligations
- Presentation and disclosure
Taylor White’s control identification process begins with first identifying financial statement assertions and then identifying the key controls that satisfy those assertions.
Addressing the Risk of Fraud
The auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls. Controls that might address these risks include:
- Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries;
- Controls over journal entries and adjustments made in the period-end financial reporting process;
- Controls over related party transactions;
- Controls related to significant management estimates; and
- Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.
Taylor White Interpretation
In identifying financial statement accounts having a higher likelihood of containing a material misstatement or inadequate disclosure, the focus should be on processes that have a high degree of subjectivity, involve related parties, or are subject to adjustment for valuation. The controls that might mitigate these risks reside in entity level controls for Board or Audit Committee oversight, monitoring activities, supervision of the financial close process and the Board’s efforts to adequately and correctly compensate upper management.
Using the Work of Others
16. The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, applies in an integrated audit of the financial statements and internal control over financial reporting.
17. For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements.
18. The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The auditor should apply paragraphs .09 through .11 of AU sec. 322 to assess the competence and objectivity of internal auditors. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use.
19. The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.
Taylor White Interpretation
It is up to each company’s audit committee to evaluate to what degree external auditors are willing to use the work of others. When the external auditors are evaluating the objectivity and competence of the personnel performing the work, the keys will be independence and whether or not those personnel work for and report to the audit committee as opposed to management. Critical areas in which they may use the work of others are: risk assessment and critical business process identification; identification of sufficient financial reporting controls; walk-throughs (provided the auditor supervises the walk-through process); selection of the type of testing; and the actual testing. The more of the work of others the auditor can accept, the more the risk associated with controls decreases, which should lower the cost of the audit.
Using a Top-Down Approach
21. The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
Identifying Entity-Level Controls
22. The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. The auditor's evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on other controls.
23. Entity-level controls vary in nature and precision:
- Some entity-level controls, such as certain control environment controls, have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls.
- Some entity-level controls monitor the effectiveness of other controls. Such controls might be designed to identify possible breakdowns in lower level controls, but not at a level of precision that would, by themselves, sufficiently address the assessed risk that misstatements to a relevant assertion will be prevented or detected on a timely basis. These controls, when operating effectively, might allow the auditor to reduce the testing of other controls.
- Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk.
- Controls related to the control environment;
- Controls over management override;
- The company’s risk assessment process;
- Centralized processing and controls, including shared service environments;
- Controls to monitor results of operations;
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
- Controls over the period-end financial reporting process; and
- Policies that address significant business control and risk management practices
25. Because of its importance to effective internal control over financial reporting, the auditor must evaluate the control environment at the company. As part of evaluating the control environment, the auditor should assess:
- Whether management's philosophy and operating style promote effective internal control over financial reporting;
- Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
- Whether the Board or audit committee understands and exercises oversight and responsibility over financial reporting and internal control.
Period-End Financial Reporting Process
26. Because of its importance to financial reporting and to the auditor's opinions on internal control over financial reporting and the financial statements, the auditor must evaluate the period-end financial reporting process. The period-end financial reporting process includes the following:
- Procedures used to enter transaction totals into the general ledger;
- Procedures related to the selection and application of accounting policies;
- Procedures used to initiate, authorize, record, and process journal entries in the general ledger;
- Procedures used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements; and
- Procedures for preparing annual and quarterly financial statements and related disclosures.
- The nature and extent of the oversight of the process by management, the board of directors, and the audit committee.
Taylor White Interpretation
Taylor White has always, long before the publication of this standard, used the top down, entity level control (ELC) identification method on all of our Sarbanes projects. The key points to make concern some of the processes and procedures we have asked you to implement. Risk Management is an area that is not universally understood, but based upon the above is critical to having effective entity level controls. Taylor White can supply you with an Enterprise Risk Management protocol for smaller public companies, based on the COSO ERM framework, period-end financial reporting process and monitoring controls with a strong audit committee involvement. A strong audit committee chairperson is critical to the success of this entity level control. The monitoring of the financial reporting process by the audit committee is absolutely necessary for this to be a mitigating ELC. Taylor White has supplied, or can supply, audit committee charters and responsibilities calendars to help you institute this control. In some cases we have helped recruit your audit committee chairperson, or can assist in doing so if needed. Other templates/protocols include closing calendars, checklists and monitoring examples. Strong ELC’s, audit committee and monitoring efforts always lead to less control identification and testing which should lead to lower costs from your external auditors.
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
28. The auditor should identify significant accounts and disclosures and their relevant assertions. Relevant assertions are those financial statement assertions that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated. The financial statement assertions include:
- Existence or occurrence
- Valuation or allocation
- Rights and obligations
- Presentation and disclosure
Taylor White Interpretation
The identification of financial reporting controls has been discussed above by both the PCAOB and Taylor White. This section simply amplifies the importance of knowing the difference between process controls and assertion controls.
Understanding Likely Sources of Misstatement
34. To further understand the likely sources of potential misstatements, and as a part of selecting the controls to test, the auditor should achieve the following objectives:
- Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorized, processed, and recorded;
- Verify that the auditor has identified the points within the company's processes at which a misstatement – including a misstatement due to fraud – could arise that, individually or in combination with other misstatements, would be material;
- Identify the controls that management has implemented to address these potential misstatements; and
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement of the financial statements.
35. Because of the degree of judgment required, the auditor should either perform the procedures that achieve the objectives in paragraph 34 himself or herself or supervise the work of others who provide direct assistance to the auditor, as described in AU sec. 322.
37. Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph 34. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.
Taylor White Interpretation
This section is not mandating the auditors to perform walk-throughs, but they would be hard pressed not to do them. Taylor White has a walk-through process that includes gathering evidential matter to back up the walk-through control evaluation, which can be reviewed by your auditors or re-performed efficiently with their supervision. Again, this should lead to lower costs on their part.
Selecting Controls to Test
39. The auditor should test those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion.
40. There might be more than one control that addresses the assessed risk of misstatement to a particular relevant assertion; conversely, one control might address the assessed risk of misstatement to more than one relevant assertion. It is neither necessary to test all controls related to a relevant assertion nor necessary to test redundant controls, unless redundancy is itself a control objective.
41. The decision as to whether a control should be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of misstatement to a given relevant assertion rather than on how the control is labeled (e.g., entity-level control, transaction-level control, control activity, monitoring control, preventive control, detective control).
Taylor White Interpretation
At the risk of being redundant, the selection of financial statement assertion key controls is critical to the success of the project. All process controls do NOT need to be identified, and controls that are selected do NOT need to be tested by themselves. Taylor White has successfully combined synergistic controls into test plans for years, with the acceptance of external auditors.
Testing Design Effectiveness
42. The auditor should test the design effectiveness of controls by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
Note: a smaller, less complex company might achieve its control objectives in a different manner from a larger, more complex organization. For example, a smaller, less complex company might have fewer employees in the accounting function, limiting opportunities to segregate duties and leading the company to implement alternative controls to achieve its control objectives. In such circumstances, the auditor should evaluate whether those alternative controls are effective.
43. Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.
Taylor White Interpretation
Having strong entity level controls will mitigate most segregation of duties issues, particularly financial close, monitoring, and audit committee involvement in the reporting process. Again, the walk-through process used by Taylor White can satisfy the design effectiveness requirement. The ELC and risk assessment methodology includes integrating ELC’s into the critical process identification, directly correlating mitigating controls into the test planning and execution.
Testing Operating Effectiveness
44. The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. Note: In some situations, particularly in smaller companies, a company might use a third party to provide assistance with certain financial reporting functions. When assessing the competence of personnel responsible for a company's financial reporting and associated controls, the auditor may take into account the combined competence of company personnel and other parties that assist with functions related to financial reporting.
45. Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company’s operations, inspection of relevant documentation, and re-performance of the control.
“Note: Although the auditor must obtain evidence about the effectiveness of controls for each relevant assertion, the auditor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control. Rather, the auditor's objective is to express an opinion on the company's internal control over financial reporting overall. This allows the auditor to vary the evidence obtained regarding the effectiveness of individual controls selected for testing based on the risk associated with the individual control.”
Taylor White Interpretation
When evaluating ELC’s, one of the areas in our methodology is to evaluate the finance staff competency. This speaks directly to #44 above. The type of test to be performed does not have to be a sample with documentation review. Depending on the risk level, personnel competence and ELC strength, any of the testing types described above can be used as evidential matter. Again the emphasis is not on individual controls, but on the system of internal controls for financial reporting taken as a whole. Depending on the circumstances, Taylor White has integrated different testing methods into control test plans for the same process.
Appendix A contains discussion by the PCAOB on how and why the standard was adopted.
This document contains a synopsis of Appendix A to the PCAOB’s Auditing Standard #5 for Independent Auditors, opining on internal controls for financial reporting (ICFR) for SEC reporting companies. Appendix A contains discussion by the PCAOB of how and why the standard was adopted.
The top-down approach
The proposed standard on auditing internal control was structured around the top-down approach to identifying the most important controls to test. This approach follows the same principles that apply to the financial statement audit – the auditor determines the areas of focus through the identification of significant accounts and disclosures and relevant assertions. Under the proposed standard, the auditor would specifically identify major classes of transactions and significant processes before identifying the controls to test.
In response to comments about the level of detail in the requirements of the proposed standard, the Board has reconsidered whether the final standard should include the identification of major classes of transactions and significant processes as a specifically required step in the top-down approach. As a practical matter, the auditor will generally need to understand the company's processes to appropriately identify the correct controls to test. The Board believes, however, that specific requirements directing the auditor how to obtain that understanding are unnecessary and could contribute to a "checklist approach" to compliance, particularly for auditors who have a long-standing familiarity with the company. Accordingly, the Board has removed the requirements to identify major classes of transactions and significant processes from the final standard. While this should allow auditors to apply more professional judgment as they work through the top-down approach, the end point is the same as in the proposed standard – the requirement to test those controls that address the assessed risk of misstatement to each relevant assertion.
The proposed standard on auditing internal control emphasized entity-level controls because of their importance both to the auditor's ability to appropriately tailor the audit through a top-down approach – specifically by identifying and testing the most important controls – and to effective internal control. Additionally, the proposed standard emphasized that these controls might, depending on the circumstances, allow the auditor to reduce the testing of controls at the process level. Commenters suggested the proposed standard did not provide enough direction on how entity-level controls can significantly reduce testing, and some suggested that controls that operate at the level of precision necessary to do so are uncommon. Many commenters suggested incorporating in the final standard the discussion of direct versus indirect entity-level controls that was included in the SEC's proposed management guidance.
The Board continues to believe entity-level controls, depending on how they are designed and operate, can reduce the testing of other controls related to a relevant assertion. This is either because the entity-level control sufficiently addresses the risk related to the relevant assertion, or because the entity-level controls provide some assurance so that the testing of other controls related to that assertion can be reduced.
In response to comments and in order to clarify these concepts, the Board included in the final standard a discussion of three broad categories of entity-level controls, which vary in nature and precision, along with an explanation of how each category might have a different effect on the performance of tests of other controls. The final standard explains that some controls, such as certain control environment controls, have an important but indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls.
The final standard explains that other entity-level controls may not operate at the level of precision necessary to eliminate the need for testing of other controls, but can reduce the required level of testing of other controls, sometimes substantially. This is because the auditor obtains some of the supporting evidence related to a control from an entity-level control and the remaining necessary evidence from the testing of the control at the process level. Controls that monitor the operation of other controls are the best example of these types of controls. These monitoring controls help provide assurance that the controls that address a particular risk are effective and, therefore, they can provide some evidence about the effectiveness of those lower-level controls, reducing the testing of those controls that would otherwise be necessary.
Lastly, the final standard explains that some entity-level controls might operate at a level of precision that, without the need for other controls, sufficiently addresses the risk of misstatement to a relevant assertion. If a control sufficiently addresses the risk in this manner, the auditor does not need to test other controls related to that risk.
The proposed standard on auditing internal control would have required auditors to perform a walkthrough of each significant process each year. This proposed requirement represented a change from Auditing Standard No. 2, which required a walkthrough of each major class of transactions within a significant process.
Commenters were split on the question of whether the re-calibration from major class of transactions to significant process in the proposed standard would result in a reduction of effort. Some issuers and auditors suggested that walkthroughs are already being performed on significant processes, while other issuers and auditors commented that this proposed requirement would make a difference. A few commenters suggested that a walkthrough of each significant process was insufficient and would negatively affect audit quality, but many others stated that walkthroughs should not be required at all.
In evaluating these comments, the Board focused principally on the objectives it believes are achieved through a properly performed walkthrough. The Board firmly believes those objectives should be met for the auditor to verify that he or she has a sufficient understanding of the points within the processes where misstatements could occur and to properly identify the controls to test. Procedures that fulfill those objectives also play an important role in the evaluation of the effectiveness of the design of the controls. The Board believes that, in some instances, the requirement to perform a walkthrough may have overshadowed the objectives it was meant to achieve. This may have resulted in some walkthroughs being performed to meet the requirement but failing to achieve the intended purpose. The final standard, therefore, focuses specifically on achieving certain important objectives, and the performance requirement is based on fulfilling those objectives as they relate to the understanding of likely sources of misstatement and the selection of controls to test. While a walkthrough will frequently be the best way of attaining these goals, the auditor's focus should be on the objectives, not on the mechanics of the walkthrough. In some cases, other procedures may be equally or more effective means of achieving them.
Use of the work of others in an integrated audit
At the time the Board proposed Auditing Standard No. 5 for public comment, the Board also proposed an auditing standard entitled Considering and Using the Work of Others in an Audit that would have superseded the Board's interim standard AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements ("AU sec. 322"), and replaced the direction on using the work of others in an audit of internal control in Auditing Standard No. 2.
As discussed in the proposing release, the Board had several objectives in proposing this standard. The first was to better integrate the financial statement audit and the audit of internal control by having only one framework for using the work of others in both audits. Additionally, the Board wanted to encourage auditors to use the work of others to a greater extent when the work is performed by sufficiently competent and objective persons. Among other things, under the proposed standard auditors would have been able to use the work of sufficiently competent and objective company personnel – not just internal auditors – and third parties working under the direction of management or the audit committee for purposes of the financial statement audit as well as the audit of internal control.
The Board received numerous comments on the proposed standard on using the work of others. Commenters generally indicated support for a single framework regarding the auditor's use of the work of others in an integrated audit. Some, however, suggested retaining existing AU sec. 322 as the basis for that single framework. They expressed the view that the objective of removing barriers to integration and using the work of others to the fullest extent appropriate could be achieved by retaining AU sec. 322 and going forward with the proposed removal of the "principal evidence" provision. At the same time, some other commenters suggested the proposed standard did not go far enough in encouraging auditors to use the work of others.
After considering these comments, the Board continues to believe that a single framework for the auditor's use of the work of others is preferable to separate frameworks for the audit of internal control and the audit of financial statements. The factors used to determine whether and to what extent it is appropriate to use the work of others should be the same for both audits. At the same time, the Board agreed with those commenters who suggested that better integration of the audits could be achieved without replacing the existing auditing standard. The Board therefore has decided to retain AU sec. 322 for both audits and incorporate language into Auditing Standard No. 5 that establishes these integration concepts rather than adopt the proposed standard on considering and using the work of others. Consistent with the proposal, however, Auditing Standard No. 5 allows the auditor to use the work of others to obtain evidence about the design and operating effectiveness of controls and eliminates the principal evidence provision.
Recognizing that issuers might employ personnel other than internal auditors to perform activities relevant to management's assessment of internal control over financial reporting, the final standard allows the auditor to use the work of company personnel other than internal auditors, as well as third parties working under the direction of management or the audit committee. In line with the overall risk-based approach to the audit of internal control over financial reporting, the extent to which the auditor may use the work of others depends, in part, on the risk associated with the control being tested. As the risk decreases, so does the need for the auditor to perform the work him or herself. The impact of the work of others on the auditor’s work also depends on the relationship between the risk and the competence and objectivity of those who performed the work. As the risk decreases, the necessary level of competence and objectivity decreases as well. Likewise, in higher risk areas (for example, controls that address specific fraud risks), use of the work of others would be limited, if it could be used at all.
Finally, the Board understands that some of the work performed by others for the purposes of management's assessment of internal controls can be relevant to the audit of financial statements. Therefore, in an integrated audit, the final standard allows the auditor to use the work of these sufficiently competent and objective others – not just internal auditors – to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of financial statements. The Board believes this provision will promote better integration of the audit of internal control with the audit of financial statements.