
Page 1: Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap

© 2014 Hein & Associates LLP. All rights reserved.

Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap

Sonya LaVeau, Managing Director of Internal Audit

December 3, 2014

Page 2

Recap of 2014

Page 3

Agenda

• PCAOB - Practice Alert 11
  – Common Audit Failures
  – Level of Precision
  – Old vs. New
  – Key Report Testing
• Information Provided by Entity “IPE”
  – Definition
  – Lessons Learned
  – Excel Impact
• COSO 2013 Update
• What’s Next?
• Q&A

Page 4

New PCAOB Auditing Bar

• Caused audit procedure layering
• More in-depth written description of estimates and use of judgment, especially review controls
• Detailed documentation and testing of system reports utilized in performance of controls.

Page 5

External Audit Firm: Closing The Books (Findings)

The Firm failed to sufficiently test controls over the period-end financial reporting process. Specifically:

o The Firm selected for testing controls that included the review of journal entries, but the Firm’s procedures did not include testing the effectiveness of the issuer’s review. Specifically, its procedures to test the review aspect of these controls were limited to observing evidence of review and comparing information in journal entries to supporting documentation or the general ledger, without evaluating whether the controls operated at a level of precision that would prevent or detect material misstatements.

Page 6

Closing the Books (Cont’d.)

The Firm’s tests of controls over the period-end financial reporting process were insufficient. Specifically, although the Firm selected certain review controls for testing this process, the Firm’s procedures to test the controls were limited to observing signatures as evidence of review; verifying that certain actions that constituted a part of the controls had occurred, such as the preparation of monthly reconciliations and reporting packages; and observing some notations made by the reviewers. The Firm, however, failed to perform procedures to determine whether these review controls operated at a level of precision that would prevent or detect material misstatements.

Page 7

Level of Precision in Plain English?

• How detailed is management’s review of journal entries?
• Document your thought process
  – Dollar Threshold
  – Percentage of Revenue
  – Geographic Location
  – Line of Business
  – Other Risk Factors
  – Timing

Page 8

Good Isn’t Good Enough

Good v. NEW PCAOB Control Language

Older Language (“OK”)

Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.

Page 9

Good Isn’t Good Enough

Good v. NEW PCAOB Control Language

Older Language (“OK”)

Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.

Audit of this control: Controller initials present and total $ matches = DONE!

Page 10

Better Control Wording

Page 11

NEW PCAOB Control Language

Older Language (“OK”)

Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.

Updated Control (“Better”)

Quarterly, Controller reviews AR balances of significant customers with o/s balances greater than $10k and 5% of AR balance, and those under that threshold by customer type (e.g. geographical location, types of orders, etc.), to review the AR allowance for accuracy and completeness. Adjustments, if needed, are sent via email to the AR manager; the final review of the AR reserve analysis is initialed and dated by the Controller and agrees to the final g/l balance for the period.
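The “Better” wording above states its criteria for investigation precisely enough that they can be written down as a rule and run against the ledger. The following is an added example, not from the deck or from Hein & Associates: it applies the $10k and 5%-of-AR thresholds to a constructed list of customer balances, splits the population into items reviewed individually and items reviewed in aggregate by customer type, and produces the documentation lines a reviewer would attach. The customer data is constructed, and the reading of “greater than $10k and 5% of AR balance” as both conditions having to hold is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed sample A/R balances (not from the deck); amounts in dollars.
@dataclass(frozen=True)
class Customer:
    name: str
    balance: float
    customer_type: str  # e.g. region / order type, used to group small balances


SAMPLE_AR = [
    Customer("Acme Corp", 400_000.00, "West / wholesale"),
    Customer("Birch LLC", 12_500.00, "East / retail"),
    Customer("Cedar Inc", 9_800.00, "East / retail"),
    Customer("Delta Co", 30_000.00, "West / wholesale"),
    Customer("Elm Ltd", 4_200.00, "Export / distributor"),
    Customer("Fir GmbH", 11_000.00, "Export / distributor"),
]

DOLLAR_THRESHOLD = 10_000.00   # from the deck's "Better" control wording
PERCENT_THRESHOLD = 0.05       # 5% of total A/R, likewise from the deck


def split_for_review(customers, dollar_threshold=DOLLAR_THRESHOLD,
                     percent_threshold=PERCENT_THRESHOLD):
    """Return (individually_reviewed, grouped_by_type, total_ar).

    Assumption (the deck does not spell this out): a customer is reviewed
    individually only when BOTH the dollar test and the percentage test are
    met, i.e. balance > max($10k, 5% x total A/R). Everyone else is rolled up
    by customer_type and reviewed at that level of aggregation.
    """
    total_ar = sum(c.balance for c in customers)
    cutoff = max(dollar_threshold, percent_threshold * total_ar)
    individual = [c for c in customers if c.balance > cutoff]
    grouped = defaultdict(float)
    for c in customers:
        if c.balance <= cutoff:
            grouped[c.customer_type] += c.balance
    return individual, dict(grouped), total_ar


def review_memo(customers):
    """Documentation lines for the review: the threshold actually applied,
    what was looked at individually, what was looked at in aggregate, and a
    check that the two populations re-add to the ledger total."""
    individual, grouped, total_ar = split_for_review(customers)
    lines = [
        f"Total A/R: {total_ar:,.2f}",
        f"Individual review cutoff: max({DOLLAR_THRESHOLD:,.2f}, "
        f"{PERCENT_THRESHOLD:.0%} x total = {PERCENT_THRESHOLD * total_ar:,.2f})",
    ]
    for c in sorted(individual, key=lambda c: -c.balance):
        lines.append(f"  individually reviewed: {c.name} {c.balance:,.2f}")
    for kind, amount in sorted(grouped.items()):
        lines.append(f"  reviewed by customer type: {kind} {amount:,.2f}")
    # If the two populations do not re-add to the ledger total, the review has
    # silently dropped customers: a completeness problem in the review itself.
    covered = sum(c.balance for c in individual) + sum(grouped.values())
    lines.append(f"Coverage check: {'OK' if abs(covered - total_ar) < 0.005 else 'GAP'}")
    return lines


if __name__ == "__main__":
    print("\n".join(review_memo(SAMPLE_AR)))
```

With the constructed balances the percentage test, not the dollar test, sets the cutoff (5% of $467,500 is $23,375), so Birch LLC and Fir GmbH fall below it despite exceeding $10k and are reviewed with their customer type. The memo lines are the kind of written thought process Page 7 asks for.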

Page 12

Entity Level Example of Precision

• Objective of the review
• Level of aggregation
• Consistency of performance
• Correlation to relevant assertions
• Predictability of expectations
• Criteria for investigation

Page 13

Evaluating Management Review Controls

Capability to Prevent or Detect Potential Material Misstatement – Test of Design

• Control satisfies the corresponding control objective.
• Factors affecting precision of the review, including objective of the review and appropriateness of expectations, level of aggregation, and criteria of investigation for identifying potentially material misstatement.
• Steps involved in investigating deviations from expectations.

Page 14

Evaluating MRC Capability to Prevent or Detect Potential Material Misstatement – Test of Design (cont.)

• Persons who perform the control, and the competence and authority of those persons.
• Frequency of performance of the control – review occurs often enough to prevent or detect misstatements.
• Information used in the review, including whether the review uses system-generated data or reports.

Page 15

Evaluating MRC Designed to Prevent or Detect Potential Material Misstatement – Test of Operating Effectiveness

• Steps performed to identify and investigate significant deficiencies.
• Conclusion reached in the reviewer’s investigation, including whether potential misstatements were appropriately investigated and whether corrective action was taken if necessary.
• If the control uses system-generated information or reports, the reviewer should document their verification of the completeness and accuracy of the data.

Page 16

Assessing Risk

• Components of significant accounts and disclosures can have different risk:
  – Individual revenue categories can carry different risk because of varying types of products and services, sales terms, information systems (including revenue processes), or accounting requirements.
  – Individual investment securities or categories of securities can carry different risk if they vary in nature and complexity, level of market activity, or availability of observable market data.

Page 17

Other Items in Practice Alert 11

• Use of the work of others
• Walkthrough observation
• Evaluating identified control deficiencies

Page 18

PCAOB Standards - Use of Work of Others

• Extent to which the work of others can be used depends on:
  – The associated risk of the control:
    • Complexity of the control;
    • Significance of judgment made in connection with its operation; and
    • Inherent risk of account or assertion.
  – The competence and objectivity of the persons whose work the auditor plans to use.

Page 19

Auditor Walkthroughs: PCAOB Observations

• In some situations walkthrough procedures were not adequate:
  – Performed inquiry and observation only, to confirm no significant changes;
  – Obtained an understanding through controls testing and substantive procedures;
  – Reviewed walkthroughs performed by the company not under the direction of the auditing firm.

Page 20

Evaluating Identified Control Deficiencies

• AS 5 – Severity of control deficiencies depends on:
  – Reasonable possibility that the company’s controls would fail to prevent or detect a misstatement of an account balance or disclosure;
  – Magnitude of the potential misstatement resulting from the deficiency or deficiencies.

Page 21

Evaluating Identified Control Deficiencies (cont.)

• Severity DOES NOT depend on whether a misstatement actually occurred, but rather on whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement.

Page 22

Key Reports

Page 23

Information Produced by Entity (IPE)

• Different firms = different name
• Typically a report is:
  – System generated
  – Manually prepared
  – Or a combo of both
• Three elements of IPE
  – Source Data
  – Report Logic
  – Report Parameters

Page 24

Element Descriptions

• Source Data
  – The information the IPE is created from.
• Report Logic
  – Computer code, algorithms, or formulas for transforming, extracting or loading the relevant source data and creating the report.
• Report Parameters
  – Allow the user to look at only the information that is of interest to them.

Page 25

Flowchart of the Three Elements (Key Reports IPE)

[Flowchart: Report Parameters = “Enter Date Range”; Report Logic = “A/R Aging”; Source Data = “A/R Sub-Ledger”; output = “A/R Aging Report”]

Page 26

The Following Relate to IPE Completeness and Accuracy Risk

• Not all data is captured
• Data is input incorrectly
• Report logic is incorrect
• Report logic or source data could be changed inappropriately or without authorization
• User-entered parameters are entered incorrectly

Page 27

Key Reports

• Completeness – how does the reviewer know the data is complete?
• Accuracy – how is accuracy ensured (check figures, tie back to source document, or formula validation)?
• Report parameters
• Segregation of Duties – restricted access within the system
• Valuation assumptions – must document rationale for assumptions used – reviewer agrees and documents

Page 28

Key Report Questions:

• How would you know a report is inaccurate?
• When a process begins to generate inaccurate and/or incomplete reports, how would you know?
• Given the complexity of reporting processes today, how hard is it to imagine a report could have an error?
• How many reports go through multiple input points (system and manual) before the final report is produced?
• How easy is it to relate the final report data to the information originally input into the system?

Page 29

Documentation in Excel

• Notate use of a threshold for review
  – What is sufficient?
• What other considerations are key?
• How to document Management’s review?
• Every reviewer is different
  – Depth of review: Manager vs. Controller

Page 30

Conducting Report Testing

Report testing phases:

• Phase I - Recalculation
• Phase II - Accuracy Testing
• Phase III - Completeness Testing

Page 31

When Electronic Data is Available

Recalculation - When an electronic version of the report is available (i.e., the data output from the query that produced the report), automated tools (e.g., Access, Excel, or ACL) can be used to recalculate the entire report very quickly. This gives 100% assurance on the operation of the query analytics.

Page 32

Accuracy Test of Electronic Data

System Reliance

Accuracy test - focuses on testing whether the query pulled the appropriate data from the database.

For an AR Aging Report: can the auditor independently verify that the data on the report accurately reflects the data in the database?

The population can be tested completely by executing similar queries against the population and comparing the result to the report tested.

Page 33

Completeness Test of Electronic Data

Completeness Test - Since the step uses the electronic population and is able to achieve testing of 100% of the population, the act of testing accuracy also satisfies the completeness test.

Page 34

Electronic Data is Not Available or Cannot be Used

The preferred method is to receive the data electronically and execute full testing using automated means; there are instances, however, when (due to the complexity of the environment or the state of controls) the electronic data cannot be considered reliable.

Page 35

Electronic Data is Not Available or Cannot be Used (cont.)

Examples of these instances include:

• Reports are generated from multiple or complex queries from multiple databases.
• Change controls and security controls are deemed ineffective for the systems that house the data.
• Change controls and security controls are deemed ineffective for the systems that process the transactions that feed the database.
• Process controls governing the business processes that feed the database are deemed ineffective.

Page 36

Electronic Data is Not Available or Cannot be Used (cont.)

• Recalculation
  – Too large to recalculate everything
  – Use risk based / sampling approach
  – Key financial totals recalculated
• Accuracy
  – Back tracing – report to source documents
    • May be required if controls around data input are deemed ineffective.
• Completeness
  – Forward tracing – source data to report
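The three report-testing phases of Pages 30 through 33, and the back tracing and forward tracing of Page 36, as one added worked example that is not part of the deck or of any Hein & Associates material (Python stands in for the Access/Excel/ACL tools the deck names). Everything here is constructed: the A/R sub-ledger (source data), the as-of date (report parameter), the aging buckets (report logic) and a report export seeded with one accuracy defect and one completeness defect so that each phase has something to find. The SHA-256 fingerprint of the source population addresses the Page 26 risk that source data is changed between runs; it is an addition, not something the deck prescribes.

```python
import hashlib
import json
from collections import Counter
from datetime import date

# Source data: constructed A/R sub-ledger of open items (invoice, customer, date, amount).
SUB_LEDGER = [
    ("INV-1001", "Acme Corp", date(2014, 9, 2), 12_000.00),
    ("INV-1002", "Birch LLC", date(2014, 10, 15), 3_500.00),
    ("INV-1003", "Acme Corp", date(2014, 11, 20), 8_250.00),
    ("INV-1004", "Cedar Inc", date(2014, 8, 1), 900.00),
    ("INV-1005", "Delta Co", date(2014, 12, 5), 4_100.00),   # dated after the as-of date
]

# Report parameter: the "Enter Date Range" box in the deck's flowchart (constructed value).
AS_OF = date(2014, 11, 30)

# Report logic: aging buckets assumed for this example (name, min days, max days).
BUCKETS = [("0-30", 0, 30), ("31-60", 31, 60), ("61-90", 61, 90), ("90+", 91, None)]


def bucket_for(days):
    for name, lo, hi in BUCKETS:
        if days >= lo and (hi is None or days <= hi):
            return name
    raise ValueError(f"invoice dated after the as-of date: age {days}")


def build_aging(ledger, as_of):
    """Tester's independent re-implementation of the aging query ("similar queries
    against the population", Page 32). Returns (rows, totals_by_bucket)."""
    rows = []
    for inv, cust, inv_date, amount in ledger:
        if inv_date > as_of:            # honour the parameter: exclude later items
            continue
        rows.append({"invoice": inv, "customer": cust, "amount": amount,
                     "bucket": bucket_for((as_of - inv_date).days)})
    totals = Counter()
    for r in rows:
        totals[r["bucket"]] += r["amount"]
    return rows, dict(totals)


# The report under test, constructed as if exported from the system. Two seeded defects:
# INV-1004 is missing (completeness) and INV-1002 carries the wrong amount (accuracy).
REPORT_UNDER_TEST = {
    "as_of": "2014-11-30",
    "rows": [
        {"invoice": "INV-1001", "customer": "Acme Corp", "amount": 12_000.00, "bucket": "61-90"},
        {"invoice": "INV-1002", "customer": "Birch LLC", "amount": 3_050.00, "bucket": "31-60"},
        {"invoice": "INV-1003", "customer": "Acme Corp", "amount": 8_250.00, "bucket": "0-30"},
    ],
    "totals": {"0-30": 8_250.00, "31-60": 3_050.00, "61-90": 12_000.00, "90+": 0.00},
}


def phase1_recalculation(report):
    """Phase I: re-add the report's own rows and compare with its printed totals.
    Catches arithmetic/query-analytics errors only; a report can pass this and still
    be wrong against its source, which is why Phases II and III follow."""
    recomputed = Counter()
    for r in report["rows"]:
        recomputed[r["bucket"]] += r["amount"]
    return {name: round(report["totals"].get(name, 0.0) - recomputed.get(name, 0.0), 2)
            for name, _, _ in BUCKETS}


def phase2_accuracy(report, ledger, as_of):
    """Phase II / back tracing: every report row is traced to the sub-ledger."""
    expected = {r["invoice"]: r for r in build_aging(ledger, as_of)[0]}
    exceptions = []
    for r in report["rows"]:
        src = expected.get(r["invoice"])
        if src is None:
            exceptions.append((r["invoice"], "not in source as of date (parameter breach?)"))
        elif abs(src["amount"] - r["amount"]) > 0.005 or src["bucket"] != r["bucket"]:
            exceptions.append((r["invoice"], f"source {src['amount']:.2f}/{src['bucket']} "
                                             f"vs report {r['amount']:.2f}/{r['bucket']}"))
    return exceptions


def phase3_completeness(report, ledger, as_of):
    """Phase III / forward tracing: every open source item is traced to the report."""
    on_report = {r["invoice"] for r in report["rows"]}
    return [r["invoice"] for r in build_aging(ledger, as_of)[0] if r["invoice"] not in on_report]


def fingerprint(ledger):
    """SHA-256 over a canonical serialisation of the source population, so a re-test
    can tell whether the source data changed between runs (order-independent)."""
    canon = json.dumps([(i, c, d.isoformat(), a) for i, c, d, a in sorted(ledger)],
                       separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


if __name__ == "__main__":
    print("Phase I   deltas:", phase1_recalculation(REPORT_UNDER_TEST))
    print("Phase II  exceptions:", phase2_accuracy(REPORT_UNDER_TEST, SUB_LEDGER, AS_OF))
    print("Phase III missing:", phase3_completeness(REPORT_UNDER_TEST, SUB_LEDGER, AS_OF))
    print("Source fingerprint:", fingerprint(SUB_LEDGER))
```

On the constructed report Phase I passes (the totals agree with the rows), which is exactly the “match total $ = DONE!” trap of Page 9: the report is internally consistent and still wrong. Phase II flags INV-1002 and Phase III flags INV-1004. When the electronic population is not available or not reliable (Pages 34 to 36), the same two tracing functions are run over a risk-based sample of rows and source documents rather than over the whole population.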

Page 37

IPE Take Away

• Keep completeness and accuracy in mind when utilizing spreadsheets.
• Automation without manipulation is preferred.
• Key reports should be inventoried, assessed, and tested every 3 to 5 years.
• Document how management gets comfortable with data integrity.

Page 38

COSO 2013

Page 39

Observations from dozens of accounting fraud investigations:

• Management integrity and tone at the top are obviously critical.
• Think and react critically to the internal control environment and risk assessment.
• Scrutinize results that seem extraordinary - think critically about economic substance and whether the results match.
• Understand what the real drivers of the business are and what is important to outside constituents.
• Increase skepticism around period-end activity.
• Increase skepticism around areas involving high levels of management discretion and judgment.

Page 40

COSO Timeline

Page 41

Common Gaps Identified

• Principle Gaps
  – Fail to meet the standard of one or more principles
• Control Attribute Gaps
  – Not meeting one or more of the points of focus
• Control Testing Gaps
  – New control added – need to test
• Control Evidence Gaps
  – Control is present and functioning – need documentation evidence

Page 42

Articulates Principles of Effective Internal Control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Page 43

COSO 2013

• Competency / Succession Planning
• Understanding of duties by process / control owners
• Outside Service Providers (OSP)
  – Obtaining SSAE 16 is not enough
    • User considerations
    • Exceptions

Page 44

What’s Next

Page 45

Stay Tuned

• March 26 – SEC roundtable on Cyber Security – Q&A
• July 30 – SEC charges CEO and former CFO with hiding Internal Control Deficiencies and violating SOX requirements
• Nov 18 and 19 – AICPA O&G conference: SEC Rep. stating a precedent has now been set

Page 46

Stay Tuned (cont.)

• Nov 20 and 21 - PCAOB Standing Advisory Group conducting outreach / analyzing information regarding the auditor’s approach to detecting material misstatement of F/S due to fraud
• SEC action on AS #18 - Related Party
• Revenue Recognition – Effective 1/1/17
  – Inventory of revenue contracts

Page 47

Internal Control Mantra

Page 48

Citations

• Protiviti
  – PCAOB Flash Report, PCAOB Issues Practice Alert Related to Auditing Revenue, September 16, 2014
• Protiviti
  – Testing the Reporting Process - Validating Critical Information
• The D&O Diary
  – SEC Files Enforcement Action Over Internal Controls Reporting: A Sign of Things to Come? Kevin M. LaCroix, August 4, 2014
• Norman Marks
  – Norman Marks on Governance, Risk Management, and Audit, May 3, 2014

Page 49

Questions

Page 50

Sonya LaVeau
Managing Director of Internal Audit
Hein & Associates LLP
[email protected]
303-226-7034