Upload
lamhuong
View
215
Download
1
Embed Size (px)
Citation preview
PCAOB Forum on Auditing in the Small Business Environment
Bill GradisonBoard Member
October 20, 2005Boston, Massachusetts
2
Today’s Presenters
Mary Sjoquist, Special Counsel to Board Member GradisonPaul Bijou, Deputy Director, Inspections; NYBella Rivshin, Assistant Chief Auditor; DCKayla Gillan, Board Member; DC
3
PCAOB Staff
Alan Feldman, Manager of Inspections; NYTed Shapiro; Assoc. Director of Inspections; NYMary Moore Hamrick, Director of Government Relations; DCJoanne Hindman O’Rourke, Special Advisor; DC
Michael Shore, Public Affairs; DCGreg Killen, Human Resources; DCDebra Bradley, Human Resources; NY Julie Mills, Executive Assistant; DCMargaret Totten, Executive Assistant; DC
5
Caveat
Although much of the information that will be provided to you has been made public by the Board via Releases and the like, there
also will be views expressed that are those of the speaker alone, and do not
necessarily reflect the views of the Board, its members or staff. Therefore, unless it is
clear that the Board has authorized the statement, you should not attribute it to the
Board or staff.
6
PCAOB Mission
The Board’s mandate is to “protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports” of public companies.
The Board has a unique regulatory structureOperates as a private, non-profit corporation – NOT
a governmental organizationSEC has oversight authority over the Board
9
Registration
Registration SystemFoundation for the Oversight Board’s jurisdiction
No firm may participate in the audit of any US-traded company w/o being registered with the PCAOB
US domiciled firms: October 22, 2003Non-US firms: July 19, 2004
First time that all firms’ data will be compiled in one location
All clients, associated auditors, foreign affiliatesQuality control proceduresCertain pending criminal or civil proceedings
10
Registered Firms as of October 6, 2005
Total registered—1557U.S. registered firms—938Foreign registered firms—619Firms with 100 or more public company clients—10U.S. Firms with more than 1 but 5 or fewer public company clients—approximately 560
11
Inspections
Inspections assess a firm’s compliance with the Act, the Board’s and the SEC’s rules and with professional standards.Regular inspections must take place annually for firms that audit 100 or more U.S. public companies.All other firms must be inspected once every 3 years.
12
Inspections
In 2003, the Board conducted limited inspections of the Big Four accounting firms.In 2004, the 8 U.S. firms auditing more than 100 U.S. public companies were inspected and also 90 smaller firms.In 2005, we expect to complete the inspections of 8 large U.S. firms and one large Canadian firm and more than 250 smaller firmsThe public portion of the 2003 reports and those reports that have been issued to date on 2004 and 2005 inspections of smaller accounting firms are available on the Board’s website at www.pcaobus.org.
13
Inspection Reports
The reports contain both public and nonpublic portions. Nonpublic portions address quality control issues and may discuss criticisms of, and potential defects in, the firm’s quality control systems.Firms have 12 months to correct any such defects or face public disclosure of the Board’s findings.The entire report is provided to the SEC and appropriate state regulators.Possible violations of securities laws are referred to the appropriate authorities.
14
Investigation and Enforcement
The Board may investigate possible violations of the Sarbanes-Oxley Act, the Board’s rules, the securities laws related to audit reports and professional standards.
Previously (except in the case of SEC actions) controlled by the profession.Limited to investigating possible violations by registered accounting firms and associated persons.Also look at the accuracy of audit client financial statements and may refer potential violations by issuers which come to our attention to others with appropriate jurisdiction.Prompted by inspections, referrals from other regulatory agencies, public announcements or filings or tips.
15
Professional Standards
Previously controlled by the profession Now, exclusive authority of PCAOB (subject to SEC approval)Includes: auditing and related attestation standards, quality control, ethics and independenceExcludes: accounting standardsApril 16, 2003, PCAOB adopted AICPA standards as its interim standards
PCAOB uses an open processSimilar to normal regulatory rule-making processStanding Advisory Group (“SAG”)Roundtables on selected issuesAd hoc task forces
16
Professional Standards (cont)
Some standards were mandated or implied by SOXStandards Adopted by the Board
AS # 1 – Reference to PCAOB StandardsAS # 2 – Internal Control (Sec. 404 (b))
Applicable July 15, 2006 for FPRAS # 3 – Audit DocumentationAS # 4 --Reporting on Whether a Previously Reported Material Weakness Continues to Exist—Pending SEC approval
Rules Related to Auditing StandardsMust versus ShouldIndependence Rules—Pending SEC approval
17
Future Standard-Setting
Communications with Audit CommitteesEngagement Quality ReviewAuditing related party transactionsAssessing audit riskAuditing fair value measurements and disclosuresQuality controlConfirmation process
Paul BijouPaul BijouDeputy Director, InspectionsDeputy Director, Inspections
October 20, 2005October 20, 2005
PCAOB Inspection ProcessWhat Can be Expected Before, During
and After the Inspection Process
19
A Few Highlights…..2003
January 6 Doors open in DC HeadquartersJune 26 First Inspectors begin 2003 “Limited Inspections”
2004May 3 “Regular” Inspections commence
- Large Firms > 100 Issuer clients- Small Firms
July 19 Foreign registration applications are due (as of March 2, 2005 approximately 552 registration applications have been approved by the Board)
August 26 Reports on 2003 Limited Inspections issued
2005March 8 International inspections commenceMay 2 Inspections commence (small and large firms)
20
PCAOB Offices
Washington, DCWashington, DCNew York, NYNew York, NYAtlanta, GAAtlanta, GADallas, TexasDallas, TexasSan Mateo, CASan Mateo, CAOrange County, CAOrange County, CADenver, CO Denver, CO Chicago, IL Chicago, IL
21
Mission of Northeast Region Inspection Office
Integrate into National PCAOB mission of inspecting the Large Firms (> 100 Issuer clients)
Inspect the Small Firms in the Northeast Region
Support Small Firm Inspection Process in other PCAOB Offices
Support other PCAOB initiatives
22
- Northeast Region -Small Firms Registered
Number of Firms by State
Connecticut 5Maine 2Massachusetts 13New Hampshire 2New Jersey 33New York 87Rhode Island 2Vermont 1
Total 145
23
Inspection Process
– Initial contact with firm– Inspection commencement date determined– Formal letter issued with document request– One week prior to start date
Engagements selected for review
– Quality control assessment and engagement reviews– Comment forms prepared, reviewed by firm, and responded to– Draft report prepared by Inspection Staff– Draft report is reviewed by Board of PCAOB– Board makes draft report available to firm– Firm has 30 days to respond to draft report– Board issues final report to firm and the SEC
24
Document Request (Not all inclusive)
Firm demographic information
List of individuals who manage the firm and their biographies.
Firm’s quality control policies and procedures, including current year’s internal inspection and/or peer review results.
Firm’s policies covering independence, including policies regarding non-audit services, fee arrangements and business ventures, alliances, and arrangements with issuer audit clients.
25
Document Request (Continued)
List of concurring reviewers outside of the firm.
Engagement partner and concurring reviewer for each issuer client.
List of former issuer audit clients that "changed auditors" from your firm.
List of issuer audit clients that restated their financial statements.
26
Quality Control Assessment
Tone at the topIndependenceQuality control (internal programs and peer review results)Concurring partner reviews Client acceptance and retentionTrainingAudit methodologyWork of other auditorsAlternative practice structure
27
Engagement Reviews
Meet with engagement partner
Review of audit workpapers
Comment forms issued, reviewed by the firm, and responded to
28
Issues Identified in All Types of Issuers
Audit of fair valuesRelated party issuesProhibited loansRevenue recognitionAuditing of expensesIndependenceGoing concern/development stage designationControl of issuer use of reportsUnderstanding of contractual arrangements/substance of transactionsPrincipal auditor
Bella RivshinAssistant Chief Auditor
October 20, 2005Boston, Massachusetts
Auditing Internal Control Over Financial Reporting
31
The Internal Control Standard
PCAOB Auditing Standard No. 2 – An Audit of Internal Control Over Financial
Reporting Performed in Conjunction with An Audit of Financial Statement
32
Effective Dates
Effective for audits of public companies with fiscal years ending on or after November 15, 2004 for accelerated filers
Effective for audits of foreign private issuers with fiscal years ending on or after July 15, 2006
Effective for audits of non-accelerated public companies with fiscal years ending on or after July 15, 2007
33
What We Will Cover● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues● Brief Overview of AS4 ● Reference Sources● Questions & Answers (throughout)
34
Summary of §404 Reporting to Date
Total §404 Reports as of August 31st
§404 Reporting by Industry
Material Weaknesses Reported
By Accounting Area
By Internal Control Issue
35
Summary of §404 Reporting(as of August 31, 2005)
100%3,230
0.01Issuers receiving a disclaimer of opinion
13.8444Issuers with ineffective internal control over financial reporting
86.2%2,785Issuers receiving unqualified opinion on internal control
PercentageNumber
Source: Audit Analytics
36
§404 Reporting Results by Industry(as of August 31, 2005)
Source: Audit Analytics
Information Technology Consumer Discretionary Financials Industrials Health Care Materials Energy Telecommunication Services Utilities Consumer Staples
15% 17%
27%
19%
22%
Based on 444 issuers reporting ineffective control over financial reporting
37
Material Weaknesses by Accounting Area
Source: Audit Analytics
Based on 444 issuers reporting ineffective control over financial reporting
0%
2%
4%
6%
8%
10%
12%12%
Tax
12%
Revenue
9%
Inventory
9%
Liabilities
7%
Leases
6%
Depreciation
38
Material Weaknesses by I/C Issue
Based on 444 issuers reporting ineffective control over financial reporting
Source: Audit Analytics
30%
18%
14% 14%
7% 7%
0%
5%
10%
15%
20%
25%
30%
Documentation
Adjustments
Restatement
Personnel
Reconcilations
Segregation
39
April 13 – SEC roundtable held to discuss implementation issuesThe majority of participants felt the principles are sound
60 experts testified – issuers, auditors and investors
215 letters received by the SEC
May 16 – PCAOB & SEC issued additional guidanceJune 8 & 9 – PCAOB Standing Advisory Group (SAG) discussion on implementation issuesJuly 26 – PCAOB adopted new Auditing Standard No. 4 on Reporting on Whether a Previously Reported Material Weakness Continues to Exist (Discussed briefly at end of session)September 21 – SEC amends the effective date for non-accelerated filers to July 15, 2007
Update on Recent Activities
40
PCAOB Policy Statement – Issued May 16, 2005
Integrate audits of internal control with audits of financial statementsExercise judgment to tailor audit plans to the risks facing individual clients
Small companies do not need the same types of controls or the same audit process as do large multi-nationals The PCAOB inspections will be consistent with this policy statement, and will not second-guess good faith exercises of audit judgment
Use a top-down approach that begins with company-level controlsUse the flexibility of the standard to use the work of others as providedEngage in direct and timely communication with audit clients
41
PCAOB Staff Q&A on AS No. 2 –Issued May 16, 2005
Top-down approach (Q&A 38)Risk-based approach (Q&A 39-40)Scope and extent of testing (Q&A 41-53)
Nature, timing, and extent of testingAuditor’s work vs. management’sReliance on prior year’s workBenchmarking – IT related
Using the work of others (Q&A 54)Auditor’s quarterly responsibilities (Q&A 55)
42
SEC Staff Statement on ICFR –Issued May 16, 2005
Purpose of ICFRReasonable assurance, risk-based, and scope of testing and assessmentEvaluating internal control deficienciesDisclosures about material weaknessesInformation technology issuesCommunications with auditorsIssues related to small business and foreign private issuers.
43
June SAG Meeting – Next Steps
AS2: need more experience (including non-accelerated filer experiences) before determining whether to re-open the standard
Unless the SEC’s Advisory Committee on Smaller Public Companies recommends otherwise
Guidance: weigh the costs that might be required to revise AS2 systems only recently developed, against the benefits that additional clarification might provide
44
Small Business Issues
Relative Cost of ImplementationAS2 Application in the Small Business EnvironmentSmall Business Initiatives Underway
45
Smaller companies typically do not have the same level of controlsTime and personnel pressures from both management and the auditor One-size-fits-all audit approaches are not appropriate“Small companies do not need the same types of controls or the same audit process as do large multi-nationals”1
1– Dan Goelzer, PCAOB Board Member, April 29, 2005
Relative Cost of Implementation
46
No small business exemption in statute or auditing standardCurrent standard relies on COSO frameworkEnd result: one-size does not fit all. Auditors must exercise judgment: ● Less complex business = internal controls that are less complex ● May require less documentation● Amount of auditor’s work is affected by quality of management’s
assessment as well as the quality and quantity of company documentation.
● Specific internal control issues at smaller public companies● Segregation of duties● Expertise/experience of accounting personnel● Independence of board● Expertise of audit committee members● Tone at the top and/or entrepreneurial style of management
AS2 Application in the Small Business Environment
Small Business Initiatives Underway
COSO Small Business Advisory GroupSEC Advisory Committee on Smaller Public Companies
48
COSO Small Business Advisory Group
January 2005 – COSO launches new guidance initiative for small public companies - Implementing the COSO Control Framework in Smaller Companies
Will coordinate with the SEC Advisory Committee on Smaller Public Companies
Guidance will demonstrate how small companies can most efficiently and effectively implement the COSO frameworkKey features
Approximately 25 essential principles for effective internal control over financial reportingGuidance for addressing common issues for smaller public companies, such as segregation of dutiesMany examples
Exposure draft in Fall 2005 (see www.coso.org)
49
SEC Advisory Committee on Smaller Public Companies
December 2004 – SEC Advisory Committee on Smaller Public Companies formed to assess current regulatory system for smaller companiesCommittee discussing numerous issues beyond Section 404Solicited responses to 29 Questions related to SOXAugust 18 - SEC Advisory Committee on Smaller Public Companies submitted two resolutions to the SEC
Recommended to amend the effective date for non-accelerated filers to July 15, 2007
Recommended that smaller public companies not be subject to further acceleration of due dates for annual and quarterly reports
Last meeting held on October 14 in New York (www.sec.gov)
50
Agenda Recap● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues ● Brief Overview of AS4● Reference Sources● Questions & Answers (throughout)
51
Overview of AS2 Requirements1. Planning the audit (¶39)
2. Evaluating the management’s assessment (¶40-46)
3. Obtaining an understanding of I/C (¶47-87)
4. Evaluating the effectiveness of both the design and operation of I/C (¶88-126)
5. Forming an opinion on effectiveness of I/C (¶127-141)
6. Reporting the results (¶162-199)
7. Required communications (¶142-144 & 207-214)
52
PCAOB Staff Q&A on AS No. 2 –Issued May 16, 2005
Top-down approach (Q&A 38)Risk-based approach (Q&A 39-40)Scope and extent of testing (Q&A 41-53)
Nature, timing, and extent of testingAuditor’s work vs. management’sReliance on prior year’s workBenchmarking – IT related
53
Top-down Approach (Q&A 38)Auditor performs procedures to understand ICFR and identify controls to test in sequential mannerFocus early on matters, such as company-level controls (CLC), that can affect later scoping decisionsEliminate from consideration, accounts with remote likelihood of material misstatementIdentify, understand, and evaluate design effectiveness of CLC
54
Top-down Approach (Q&A 38)Identify significant accounts at financial statement or disclosure levelIdentify assertions relevant to each significant accountIdentify significant processes and major classes of transactionsIdentify points where error or fraud could occurIdentify controls that prevent or detect error or fraudLink controls with significant accounts and assertions
55
Risk-based Approach (Q&A 39-40)
Significant accounts Use risk factors in paragraph 65 to eliminate from consideration accounts with remote likelihood of containing material misstatementRelevant assertions Assertions that do not present meaningful risk of material misstatement are not relevant and should not be testedUsing work of others As risk factors decrease in significance, need for auditor to perform own work decreases
56
Scope and Extent of Testing (Q&A 43)
As risk associated with control decreases:Nature – persuasiveness of evidence needed decreases
Inquiry, observation, inspection of documents, and re-performance of control are types of audit proceduresWalkthroughs are a combination of the procedures and can serve as tests of design and operating effectiveness
Timing – testing can be done farther from as-of dateExtent – extensiveness of testing should decrease
57
Scope and Extent of Testing (Q&A 45)
Benchmarking automated application controls:
Auditor may conclude that automated application control continues to be effective, without repeating the prior year testing of the application if:
General controls over program changes, access to programs, and computer operations are effective and continue to be tested ANDThe auditor verifies that the automated application control has not changed since s/he or she last tested the application control
Should consider related files, tables, data, and parameters on the consistent and effective functioning of the automated application control
58
Scope and Extent of Testing (Q&A 47)
When evaluating management’s assessment, the auditor should consider that:
Management has a broader array of procedures to achieve reasonable assurance for its assessment of internal controls over financial reporting
For example, management might be able to determine that controls operate effectively through its ongoing monitoring activities
59
Scope and Extent of Testing (Q&A 48)
While AS2 states that the auditor should not use management “self-assessment” of controls as part of their evidence, the auditor should consider that:The term “self-assessment” may be used by some to have a broader meaning that includes different types of procedures performed by various parties
AS2 assumes a narrower meaning of self-assessment as testing done by the same personnel who are responsible for performing the control.Auditors cannot use an assessment made by the same personnel who are responsible for performing the control
Auditors can use management’s self-assessment of controls in certain circumstances
60
Scope and Extent of Testing (Q&A 49)
When evaluating management’s assessment, the auditor should consider that:
The extent of management’s testing does not have to be as extensive as the auditors
Nature and timing of management’s tests are determined independently of the auditor’s scope of testing
The procedures management performs might be different than the auditor’s procedures
Management has a broader array of procedures available
61
Scope and Extent of Testing (Q&A 50-51)
In structuring tests throughout the year the auditor should consider that:
The lower the overall risk associated with a given control, the less extensive the auditor’s updating procedures need to beThe more persuasive the evidence obtained at an interim date, the less extensive the updating procedures need to beThe updating procedures should be less extensive if the updating period of time is shorter.The more stable the control environment the less extensive the updating procedures need to be
63
Agenda Recap● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues● Brief Overview of AS4● Reference Sources● Questions & Answers (throughout)
64
Implementation Issues—Discussion of Seven Key Issues
1. Audits of companies with ineffective internal control
2. Using COSO Criteria3. Management documentation and tests of
controls4. Auditor’s use of the work of others5. Evaluating deficiencies in internal control6. Reporting on internal control7. Integrating audits of internal control and
audits of financial statements
65
1. Audits of Companies with Ineffective Internal Control
Why perform an audit of internal control on a company whose internal control is obviously ineffective?
● Section 404 of the Act● SEC’s implementing rules● Auditing Standard No. 2
● Requires the auditor to obtain sufficient competent evidence about the design and operating effectiveness of controls over all relevantfinancial statement assertions related to all significant accounts and disclosures in the financial statements.
● States that the auditor must plan and perform the audit to obtain reasonable assurance that all deficiencies that, individually or in the aggregate, could be material weaknesses are identified.
● Benefits of reporting to investors
66
2. Using COSO Criteria
COSO Internal Control-Integrated FrameworkApplies to organizations of all sizesSpecial considerations for small to mid-sized entities
67
The COSO Framework
"Internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process."
– Committee of Sponsoring Organization of the Treadway Commission; 1987
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
68
COSO Small Business Considerations
Control environmentSegregation of dutiesInformation technology controlsDocumentation
69
3. Management Documentation and Tests of Controls
● Small businesses: less formal policies and procedures (fewer documented controls).
● Tests of controls● Inquiry and observation should be
supplemented with other evidence.● Inspection of documents used or generated
by a control.●Reperformance of controls.●Consider effects of other evidence.
70
4. Auditor’s Use of the Work of Others
Examples from Auditing Standard No. 2● Internal auditors providing assistance under
the direction of the independent auditors.
● Internal auditors or third parties independently testing management’s assessment activities.
● Internal auditors, other company personnel, or third parties participating in management’s assessment activities.
71
Auditor’s Use of the Work of Others
● Subject to the guidelines:● An auditor may use the work of others to
reduce the extent of work he/she would otherwise perform.
● The auditor has flexibility in determining the extent to which the work of others will be used.
72
Guidelines for Using the Work of Others
Boundaries● Principal evidence: The auditor’s own work must
provide the principal evidence for the auditor’s opinion.
● Control environment: Auditor should not use the work of others to reduce the auditor’s work on controls in the control environment, including controls that are established to prevent and detect fraud that is at least reasonably possible to result in material misstatement of the financial statements.
● Walkthroughs: Auditor should perform his or her own walkthroughs of major transaction classes.
73
Guidelines for Using the Work of Others
Required procedures● In determining the extent to which the auditor
may use the work of others, he/she should:
● Evaluate the nature of the related controls
● Evaluate the competence and objectivity of the other party
● Evaluate the materiality, risk, & subjectivity of the item being tested
● Test some of the work performed by the other party.
74
Auditor’s Use of the Work of Others
Consider staff guidance in the following Staff Q&As
NOs. 20-22, 36, and 54
75
5. Evaluating Deficiencies: Control Deficiency Defined
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis(paragraph 8)
76
Internal Control Deficiency
Evaluate significance of deficiency based on –
Likelihood that deficiency, or combination, could result in a misstatementMagnitude of potential misstatement resulting from the deficiency, or combination of deficiencies
77
Evaluating Internal Control Deficiencies
Incorporation of familiar concepts:● FASB Statement No. 5 on likelihood
● Remote (chance of occurring is slight)● Reasonably possible● Probable
● SAB No. 99 on magnitude or materiality● Consideration of quantitative and qualitative
factors● Aggregation of multiple misstatements● Concept of “clearly immaterial””
78
Evaluating Internal Control Deficiencies
A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met
MaterialANDMore than remote
Material weakness
More than inconsequential
ANDMore than remote
Significant deficiency
InconsequentialORRemoteControl deficiency
Potential Magnitude of Misstatement
Likelihood of Misstatement
Classification of Deficiency
79
Strong Indicators of Material Weaknesses
● Restatements to correct a misstatement.● Auditor identification of a material
misstatement. ● Fraud by senior management (any
amount). ● Significant deficiencies remain
uncorrected after a reasonable period. ● Ineffective control environment.
—Auditing Standard No. 2, Paragraph 140
80
Strong Indicators of Material Weaknesses
● Ineffective oversight by audit committee (or equivalent).
● Ineffective regulatory compliance function where violations could materially affect the reliability of financial reporting (complex, regulated entities).
● Ineffective internal audit or risk assessment function (large or highly complex organizations).
—Auditing Standard No. 2, Paragraph 140
81
Significant Deficiencies
Deficiencies in the following areas ordinarily are at least significant deficiencies:
● Controls over the selection and application of accounting policies in conformity with GAAP.
● Antifraud programs and controls.● Controls over non-routine and non-systematic
transactions. ● Controls over the period-end financial reporting
process, including controls over procedures used to–● Enter transaction totals into the general ledger.● Initiate, authorize, record, and process journal entries into the
general ledger.● Record recurring and nonrecurring adjustments to the
financial statements.
—Auditing Standard No. 2, Paragraph 139
82
Evaluating Internal Control Deficiencies
Consider staff guidance in the following Staff Q&As
NOs. 11-15, 28, and 32-35Implementation tools
83
6. Auditor’s Report on Internal Control
● Report on management’s assessment
● Report on the effectiveness of internal control
84
Example Reporting Scenarios
Auditor’s opinion on
AdverseUnqualifiedInternal control not effective
Material weakness identified by management and auditor
UnqualifiedUnqualifiedInternal control effective
No material weakness identified
Effectiveness of ICOFR
Management’s assessment
Management’s reportSituation
85
Example Reporting Scenarios
Issue adverse opinions on both management’s assessment and internal control.
Company has one or more material weaknesses, but management’s assessment indicates internal control is effective
• Communicate to management and the audit committee.
• Disclaim opinions.• Consider possible additional
auditor responsibilities
Management fails to fulfill its responsibilities regarding the internal control assessment
Auditor’s ReportSituation
86
Example Reporting Scenarios
• Communicate to management and the audit committee.
• Disclaim opinions, and disclose material weakness.
• Consider possible additional auditor responsibilities
Same as above, except that management has not sufficiently attempted to fulfill its responsibilities.
• Treat as a material weakness and report accordingly.
• Probably conclude that management has fulfilled their responsibilities, so audit opinion can be rendered.
Material accounts processed by a service organization (under contract since 2001). Management has attempted to fulfill its assessment responsibilities relative to the service organization but without success.
Auditor’s Report…Situation
87
7. Integrating Audits of Internal Control into Audits of Financial Statements
● The auditor should perform substantive procedures for all relevant assertions related to all significant accounts and disclosures.
● For any identified control deficiencies, the auditor should evaluate the effect on the nature, timing, and extent of substantive procedures.
● The auditor’s procedures must include reconciling the financial statements to the accounting records.
● The auditor should examine material adjustments made by the company during the course of preparing the financial statements.
88
● Regarding substantive analytical procedures:● The auditor should either (1) test the design and
operating effectiveness of controls over financial information used, or (2) perform other procedures to support the completeness and accuracy of the underlying information
● The auditor should also evaluate the risk of management override of controls.
● For significant risks of material misstatement, substantive analytical procedures alone are unlikely to be sufficient.
7. Integrating Audits of Internal Control into Audits of Financial Statements (cont)
89
Agenda Recap● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues● Brief Overview of AS4● Reference Sources● Questions & Answers (throughout)
90
AS#4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist
Adopted by PCAOB July 26, 2005 Effective as of date of SEC approval (currently under consideration)
Objective is to express an opinion on whether a previously reported material weakness continues to exist as of a specified date.Engagement is optional. Management can make cost-effectiveness judgmentCould be performed any time during yearConsistent with AS#2
91
Auditing Standard No. 4
Conditions for auditor:Auditor has audited the company's financial statements and internal control over financial reporting (ICFR) in accordance with AS #2 as of the date of company's most recent annual assessment of ICFR, orAuditor has been engaged to perform an audit of the financial statements and internal control over financial reporting in accordance with AS #2 in the current year and has a sufficient basis for performing engagement
92
Auditing Standard No. 4
Conditions for management:Management accepts responsibility for effectiveness of ICFRManagement evaluates the effectiveness of specific control(s) that it believes addresses the MW using the same control criteria and control objective(s) as used in most recent annual assessment of ICFR
Management asserts that the specific control(s) identified is effective in achieving the control objective
Management supports its assertion with sufficient evidence, including documentation
Management presents a written report that will accompany the auditor's report that contains elements described in paragraph 48 of this standard
93
Auditing Standard No. 4
If the auditor determines that the previously reported material weakness continues to exist, s/he is not required to issue a report
If the auditor does not issue a report, s/he must communicate, in writing, to audit committee his conclusion that the material weakness continues to exist
If the auditor identifies a material weakness that has not been previously communicated to the audit committee, auditor must communicate that material weakness, in writing, to audit committee
94
Reference Sources
www.pcaobus.orgAuditing Standard No. 2Staff Questions and AnswersPCAOB Conforming Amendments
97
Overview of AS2 Requirements1. Planning the audit (¶39)
2. Evaluating the management’s assessment (¶40-46)
3. Obtaining an understanding of I/C (¶47-87)
4. Evaluating the effectiveness of both the design and operation of I/C (¶88-126)
5. Forming an opinion on effectiveness of I/C (¶127-141)
6. Reporting the results (¶162-199)
7. Required communications (¶142-144 & 207-214) (Note: The following 11 slides relate to these seven steps; presentation will not cover these in depth.)
98
1) Planning the Audit (¶39)
The audit of internal control must be properly planned and supervisedIn the planning phase the auditor should consider:
Prior knowledge of the company’s system of internal controlIndustry knowledge with respect to financial reporting practices, economic conditions, laws and regulations and technological changes.Company knowledge with respect to its organization, operating characteristics, capital structure and distribution methodsRecent changes in operations or in internal controlsPreliminary judgments about materiality, risk, etc.The number of significant business locations or units
99
2) Evaluating Management’s Assessment (¶40-46)
Auditor determines basis on which management reaches its conclusion on control effectiveness
Such as the COSO framework, which includes (1) control environment;(2) risk assessment; (3) control activities; (4) information & communication; and (5) monitoring
Uses this knowledge and understanding of management’s assessment process in planning his/her audit work
More reliable management’s assessment, the less costly the auditor’s work needs to be
Review of management’s documentation of the system is a major component of evaluating the work
100
3) Obtaining an Understanding of I/C (¶47-87)
Auditor must gain an understanding of the design of the controls and operating effectiveness
Inquiry of company personnel and review of management’s assessment process
Two aspects of understanding the design and operation of controls:
Walkthroughs for major classes of transactions
The role of the audit committee
101
Walkthroughs
The auditor should perform one “walkthrough” for each major class of transactions
Walkthrough traces the transaction from its origination all the way through its inclusion into the financial statements.
Walkthroughs confirm the auditor’s understanding of:The flow of the transactionDesign of the controls surrounding the transaction (including all five components of the COSO framework)Completeness of the transactionEffectiveness of the controls surrounding the transactionThe fact that the controls are in place
102
The Role of the Audit Committee
Audit committee is an important element of the COSO framework addressing two of the five components
Control environment and monitoring
The auditor should consider:Independence of the audit committee members
Clarity of audit committee’s charter
Understanding of responsibilities
Involvement and interaction with all parties
Quality of questions and understanding of responses
103
4) Evaluating the Effectiveness of Both the Design and Operation of I/C (¶88-126)
Testing is the heart of the auditControls that are identified as addressing key assertions in thefinancial statements for all significant accounts should be testedIncludes interviews, observations, document reviews, and reperformanceTesting should vary from year to year
But the auditor must obtain evidence for all relevant assertionsfor all significant accounts every year
Reliance on the “work of others” (covered in more depth later)Extent of reliance depends on both competence and objectivityDepends on materiality, risk and subjectivity of accountWork must be tested by the auditorNature of control is important to considerPrincipal evidence must be obtained by the auditor
104
5) Forming an Opinion on Effectiveness of Internal Control (¶127-141)
The auditor must form an opinion on the effectiveness of controls and whether deficiencies exist
All deficiencies should be reported in writing to management
All significant deficiencies must be reported in writing to management and the audit committee
The existence of a material weakness requires the issuance of an adverse opinion on internal control
Auditor will also report on whether s/he or she agrees with management’s assessment of internal control
105
6) Reporting the Results (¶162-199)
The auditor must include two opinions:1. Opinion on management’s assessment
If a material weakness is found, management’s report cannot conclude that internal control is effectiveIf management and the auditor disagree on whether there is a material weakness, the auditor would render an adverse opinion on management’s assessmentThe auditor’s opinion is on management’s assessment – not on management’s process for assessing.
106
6) Reporting the ResultsThe auditor must include two opinions:2. Opinion on the effectiveness of internal control over
financial reportingThe auditor is permitted to express an unqualified opinion on effectiveness only if enough testing was done and no material weaknesses were foundIf management did not fulfill their responsibilities regarding their assessment, the auditor must disclaim an opinionExistence of a material weakness requires an adverse opinion
107
7a) Communication—Management’s communication requirements ¶142–144
Written representation acknowledging management’s responsibilityStatement that an assessment has been performedStatement of management’s conclusionStatement that all deficiencies have been disclosed to the auditorDescription of any material fraud or fraud involving senior management
108
7b) Communication—Auditor’s communication requirements ¶207–214
Must communicate in writing all significant deficiencies and material weaknesses to bothmanagement and the audit committeeIf significant deficiencies or material weaknesses exist because of ineffective oversight over financial reporting by the audit committee, the communication (in writing) must be to the board of directorsAll deficiencies must be reported to management and should be reported in writing
110
Objectives
Brief refresher regarding existing rules and lawsSynopsis of New PCAOB Ethics And Independence Rules Concerning Independence, Tax Services, And Contingent Fees (Release No. 2004-15)
Adopted July 26, 2005Currently under SEC consideration
111
Core PrinciplesCore Principles
Facts & Facts & CircumstancesCircumstances
Per SePer SeProhibitionsProhibitions
Client Client CommunicationsCommunications
Auditor Independence: Overview
112
Client Client CommunicationsCommunications
Per SePer SeProhibitionsProhibitions
Facts & Facts & CircumstancesCircumstances
Congress & Congress & CourtsCourts
SECSEC PCAOBPCAOB
Auditor Independence: Core Principles
113
Congress & CourtsCongress & Courts• ’33 and ’34 Acts
• Industry-specific laws regarding public companies
• U.S. v. Arthur Young
SECSEC• 2000 General Guidance (effective 2/5/01):
• Mutual or conflicting interest?• Audit own work?• Act as management or employee of client?• Advocate for client?
• “Independence is a state of mind”
Core Principles: Existing Guidance
114
Core PrinciplesCore Principles
Facts & Facts & CircumstancesCircumstances
Per SePer SeProhibitionsProhibitions
Client Client CommunicationsCommunications
Auditor Independence: Facts & Circumstances
115
• An accountant will not be deemed to be independent if:
• the accountant is not capable of exercising objective and impartial judgment on all issues encompassed within the engagement, or
• a reasonable investor with knowledge of all relevant facts and circumstances would conclude that the accountant is not so capable
• Look at all relevant circumstances and relationships between the accountant and the audit client
Auditor Independence: Facts & Circumstances
116
Core PrinciplesCore Principles
Facts & Facts & CircumstancesCircumstances
Client Client CommunicationsCommunications
Auditor Independence: Per Se Prohibitions
Other Other ProhibitionsProhibitions
Prohibited Prohibited NonNon--Audit Audit ServicesServices
117
Client Client CommunicationsCommunications
Facts & Facts & CircumstancesCircumstances
Core PrinciplesCore Principles
Other Other ProhibitionsProhibitions
ExistingExisting
Prohibited Services
New PCAOB New PCAOB RuleRule
118
Existing Prohibited Non-Audit Services
Bookkeeping or other services related to the accounting records or financial statements of the audit clientFinancial information system design and implementationAppraisal or valuation services, fairness opinions, or contribution-in-kind reportsActuarial services
Internal audit outsourcing servicesManagement functionsHuman resourcesBroker-dealer, investment adviser, or investment banking servicesLegal servicesExpert services unrelated to the audit
119
Bookkeeping Services
The auditor is prohibited from –Maintaining or preparing the audit client's accounting recordsPreparing the audit client's financial statements that are filed with the SEC or that form the basis of financial statements filed with the SECPreparing or originating source data underlying the audit client's financial statements
120
Management Functions
The auditor is prohibited from acting, temporarily or permanently, as a director, officer, or employee of an audit client, or performing any decision-making, supervisory, or ongoing monitoring function for the audit client
121
Other Independence ProhibitionsFinancial interests in audit clientBusiness relationships with audit clientEmployment relationships with audit clientContingent fee arrangementsAudit client hiring an audit engagement team member within a certain timeframe into a financial reporting oversight role Partner rotation on the audit engagementPartner compensation for selling non-audit services
122
Per SePer SeProhibitionsProhibitions
Facts & Facts & CircumstancesCircumstances
Core PrinciplesCore Principles
Auditor Independence: Client Communications
Existing New PCAOB Rule
123
Audit Committee PreAudit Committee Pre--ApprovalApproval●Registered public accounting firms are required
to obtain pre-approval of all non-audit services (not otherwise prohibited)• For example - tax compliance services, due-
diligence for potential acquisition, services related to a public offering, royalty audits.
Existing Client Communication Requirements
124
July 26, 2005 New Rules
Three distinct topics –Core ethics and independence requirementsSpecific services that impair the auditor's independence
Contingent feesTax transactionsTax services to officers in a financial reporting oversight role
Additional communication requirements with audit committees as they relate to permissible tax services
125
Individuals
Firms, CPAs &AssociationsAcademics
State Boards
InstitutionalInvestorsAttorneys
Companies &AssociationsMisc.
805 Comment Letters
126
●●Rule 3502Rule 3502: Codify ethical responsibility for an associated person not to cause his/her registered firm to violate the Act, Board rules, applicable securities laws, or professional standards
●Based on:• Knowing or reckless behavior• That directly and substantially
contributes to the firm’s violation• Effective: 10 days after SEC approval
New Core Principles
127
●●Rule 3520Rule 3520: A registered firm (and its associated persons) must be independent of its audit client throughout the audit and professional engagement period. Must also satisfy all applicable independence criteria.●Effective: 10 days after SEC approval
New Core Principles
128
New Prohibited Services
Rule 3521 – Contingent FeesRule 3522 – Tax TransactionsRule 3523 – Tax Services for Executives in a Financial Reporting Oversight Role
129
Prohibited Service – Contingent Fees
Rule 3521Rule 3521 – A registered public accounting firm is not independent of its audit client if the firm, or any affiliate of the firm, during the audit and professional engagement period, provides any service or product to the audit client for a contingent fee or a commission, or receives from the audit client, directly or indirectly, a contingent fee or commission.
Effective: For fee agreements that have not been paid in their entirety, converted to an acceptable fee arrangement or unwound, the later of 12/31/05 or 10 days after SEC approval
130
Contingent Fees: Definitions
Any fee established for the sale of a product or the performance of any service pursuant to an arrangement in which no fee will be charged unless a specified finding or result is attained, or in which the amount of the fee is otherwise dependent upon the finding or result of such product or serviceA fee is not a "contingent fee" if the amount is fixed by courts or other public authorities and is not dependent on a finding or result
131
Prohibited Service – Tax Transactions
Rule 3522 Rule 3522 – a registered public accounting firm is not independent from an audit client if the firm provides services related to marketing, planning, or opining in favor of the tax treatment of a transaction this is:• a confidential transaction as defined by the new Rule 3501
(which restates the US Treasury Department Regulations)• based on an aggressive interpretation of applicable tax laws and
regulations• includes listed transactions as defined by US Treasury
Department regulationsEffective for services not completed by the audit firm by the later of 12/31/05 or 10 days after SEC approval
132
Prohibited Service – Tax Services to Officers
Rule 3523Rule 3523 – A registered public accounting firm is not independent of its audit client if the firm, or any affiliate of the firm, during the audit and professional engagement period, provides any tax service to an executive in a financial reporting oversight role at the audit client
Financial Reporting Oversight Role means a role in which a person is in a position to or does exercise influence over the contents of the financial statements or anyone who prepares them
Includes executives in a FROR at material affiliatesExcludes directors (when their oversight role is solely because of their membership on the board or audit committee)Restriction includes expatriate tax services to these types of executives
Effective: will not apply to tax services being provided pursuant to an engagement in process (i.e., engagement documents complete) at the time the SEC approves the rules, provided that such services are completed on or before the later of June 30, 2006 or ten days after the date that the SEC approves the rules.
133
New Client Communications Rule
Rule 3524 – In connection with seeking audit committee pre-approval to perform for an audit client any permissible tax service, a registered public accounting firm shall –
provide to the audit committee certain information, including a written description of the engagement, its fee, and potential effects on the auditor’s independencediscuss these issues with the audit committee, anddocument the substance of the discussion
Effective: tax services not pre-approved before the later of 12/21/05 or 10 days after SEC approval.
In situations in which the tax services were pre-approved by policy or procedures, then applies to services provided on or after April 1, 2006.
Paul BijouPaul BijouDeputy Director, InspectionsDeputy Director, Inspections
October 20, 2005October 20, 2005
PCAOB Inspection Reports
136
Inspection Reports
Draft inspection reports are issued once fieldwork is complete and after the inspection team’s findings and related inspection report have been reviewed
Comment forms provide the foundation of the inspection report Firms have 30 days to respond to our draft inspection reports
137
Inspection Reports
The small firm inspection report usually has four sections
Part I is publicPart I provides overview of firm size, legal structure and summary of inspection results
All or portions of Part IV may be publicPart IV includes a copy of the firm’s response to the draft report, if received
138
Inspection Reports
The small firm inspection report has four sections (continued)
Parts II and III are nonpublicPart II details the inspection findings and quality control issues Part III discusses (1) a firm’s responsibility to address the criticisms and potential defects described in Part II of the report and (2) if the firm fails to address these criticisms and potential defects to the Board’s satisfaction within a 12 month period, then the Board will make Part II publicly available.
139
Inspection Report
Final Inspection Report After the 30-day response period expires and the report is approved by the Board, the final inspection report will be issued
The final inspection report is provided to the firm, the SEC and the appropriate state regulatorsThe public portions of inspection reports are posted on the PCAOB website, including the public part of firm responses.
142
Auditing Standard No. 3 – Audit Documentation
Effective for audits of financial statements with fiscal years ending on or after November 15, 2004A deficiency in audit documentation is a departure from the standards of the PCAOB
143
Auditing Standard No. 3 – Audit Documentation
For relevant financial statement assertions, auditors must document
procedures performed, evidence obtained, and conclusions reached (par. 6).
144
Experienced Auditor
Documentation must have sufficient clarity and completeness so that an experienced auditor, having no previous connection with the engagement, must be able to understand the work performed, evidence obtained and conclusions
An experienced auditor has a reasonable understanding of audit activities and has studied the company’s industry as well as the A&A issues relevant to the industry. (Par. 6)
145
Engagement Completion Document
All significant findings or issues to be documented in an engagement completion document (par. 13)
146
Engagement Completion Document
Examples of significant findings or issuesinclude:
Significant matters involving selection, application, and consistency of GAAPAudit adjustmentsDisagreements among engagement team membersSignificant difficulty in applying auditing proceduresAny matters that could result in modification of auditor’s report
147
Audit Documentation
If there is insufficient documentation in the w/ps, auditor must demonstrateprocedures performed, evidence obtained, and conclusions reached (par. 9)
Auditor must have persuasive other evidenceOral evidence, alone, is not sufficient and may be used only to clarify other written evidence
148
Deficiency in Audit Documentation
What if procedures, evidence, and conclusions are not adequately documented in the w/ps on a timely basis? (par. A59)
Primary source of evidence should be documented when procedures performedDocumentation added well after completion of audit usually of lesser qualityAgain, any oral explanation can clarify other written evidence and should consider the credibility of person giving oral explanation
149
Deficiency in Audit Documentation(continued)
If there is a failure to perform and document, auditor to comply with AU sec. 390 (par. 9)
Any documents added, due to performance of additional procedures, must indicate the date they were added, the name of the person who prepared them, and the reason for adding them (par. 16)Previous audit documentation cannot be discarded
150
Multi-Location Audits
The office of the firm issuing the auditor’s report must ensure all audit documentation prepared and retained (par. 18)
151
Multi-Location Audits (continued)
Certain documentation related to the work performed by other auditors must be obtained prior to the report release date. Such documentation includes:
Engagement completion documentSchedule of audit adjustmentsSignificant deficiencies/material weaknessesMatters to be communicated to the audit committee
152
Definitions of Dates
Two new dates defined in this standard –
Report release date – the date the auditor grants permission to use the auditor’s report in connection with the issuance of the F/S (par. 14)Documentation completion date – 45 days after the report release date (par. 15)
153
45-Day Period to Assemble Work Papers
During this period auditor can:Discard superseded drafts of memoranda; financial statements; and other documentsDiscard duplicates of documentsCorrect minor edits in the work papers
154
Keeping Current with PCAOB Standards Activities
www.pcaobus.orgInterim StandardsProposed and final standardsStaff Q&AStanding Advisory Group (SAG)Live and archived webcasts