Auditing Internal Control Over Financial Reporting

• Overview
  • Course Objectives
  • The Workbook
• Chapter 1 - Fundamentals
  • Learning Objectives
    • Sarbanes-Oxley Section 404 Requirements
    • Observations About the Requirements
  • Roles and Responsibilities: Management
    • Management's Report on ICFR
    • Effective Dates
  • Definition of Internal Control and the COSO Framework
    • Definition of Internal Control over Financial Reporting (ICFR)
    • Observations About the Rule
    • The COSO Framework
    • More on COSO
  • SEC Guidance for Management
    • Observations About the SEC Guidance
    • Management's Quarterly Reports and Certifications on ICFR
    • Observations About the Requirements
  • Roles and Responsibilities: Auditor
    • The Objectives of an Audit of Internal Control
    • Integrating the ICFR and Financial Statement Audits
    • Leveraging the Results of Tests of Controls in the Financial Statement Audit
    • Leveraging the Results of Substantive Tests in the ICFR Audit 4
    • Observations About the Requirements
    • How an Adverse Opinion on Internal Control Affects the
    • Opinion on the Financial Statements
    • Auditor Independence: Seeking Help and Advice
  • Appendix PCAOB Auditing Standard No. 5
  • Review Questions Chapter 1 Fundamentals
  • Suggested Solutions and Feedback to Review Questions
• Chapter 2 - Planning the Audit
  • Learning Objectives
  • Planning the Audit of ICFR
  • The Role of Risk Assessment
  • Addressing the Risk of Fraud
  • Scaling the Audit
  • The Auditor's Use of Others' Work in the ICFR Audit
    • Competence of the Internal Auditors
    • Objectivity of the Internal Auditors
    • Assessing Competence and Objectivity
    • Materiality
  • Review Questions Chapter 2 Planning the Audit
  • Suggested Solutions and Feedback to Review Questions
• Chapter 3 - Using a "Top-Down" Approach for Determining the Scope of the Audit
  • Start at the Top
    • Entity-level Controls
  • Identify Entity-level Controls
    • Anti-Fraud Programs and Controls
    • Controls Over the Period-End Financial Reporting Process
    • Controls Over the Selection and Application of Accounting Policies
    • Role of General Information Technology (General IT) Controls
  • Identify Significant Accounts and Disclosures
    • Risk Assessment Factors - Significant Accounts and Disclosures
  • Identify Relevant Assertions
  • Likely Sources of Financial Statement Misstatement
  • Selecting Controls to Test
  • Importance of Control Objectives
  • Multiple Locations Scoping Decisions
  • Appendix Managements Anti-Fraud Programs and Controls: Guidance to Help Prevent, Deter, and Detect Fraud
  • Introduction
    • Creating a Culture of Honesty and High Ethics
    • Setting the Tone at the Top
    • Creating a Positive Workplace Environment
    • Hiring and Promoting Appropriate Employees
    • Training
    • Confirmation
    • Discipline
    • Mitigating Fraud Risks
    • Implementing and Monitoring Appropriate Internal Controls and Other Measures
  • Developing an Appropriate Oversight Process
    • Management
    • Audit Committee or Board of Directors
    • Internal Auditors
    • Independent Auditors
  • Review Questions Chapter 3 The Top-Down Approach
  • Suggested Solutions and Feedback to Review Questions
• Chapter 4 - Testing Controls
  • Learning Objectives
  • Testing Design Effectiveness
  • Testing Operating Effectiveness
    • Control-Related Risks
  • Link the Risk Associated with Key Controls to the Evidence Needed
  • Nature of Evidence
  • Timing Issues
  • Extent of Testing and Roll-Forward Procedures
  • Subsequent Year's ICFR Audits
    • The Company's Use of a Service Organization
  • Review Questions Chapter 4 Testing Controls
  • Suggested Solutions and Feedback to Review Questions
• Chapter 5 - Evaluating Control Deficiencies 5-1
  • Important Terms
  • Material Weakness
  • Significant Deficiency
  • Judging the Magnitude of Misstatement
  • Compensating Controls
  • "The Prudent Official Test"
  • Indicators of Material Weakness in ICFR
    • Observations About the Requirements
  • Review Questions Chapter 5 Evaluating Control Deficiencies
  • Suggested Solutions and Feedback to Review Questions
• Chapter 6 - Wrapping Up the ICFR Audit
  • Learning Objectives
  • Formatting an Opinion
  • Management's Written Representations
  • Communicating Certain Matters
    • Material Weaknesses in ICFR
    • Significant Deficiencies in ICFR
    • Control Deficiencies
  • Report on the Effectiveness of ICFR
  • Material Weaknesses in ICFR
  • Effect of Material Weaknesses in ICFR on Financial Statement Audit
  • Subsequent Events
  • Review Questions Chapter 6 Wrapping Up the ICFR Audit
  • Suggested Solutions and Feedback to Review Questions
  • Reference Materials
  • Management Override of Internal Controls: The Achilles' Heal of Fraud Prevention (separate booklet)
  • An Audit of Internal Control that is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies
• Glossary
• Index
• Examination for Self-Study Credit

732482

Overview

…Certainly investors, both domestic and foreign, have always appreciated the protections offered by SOX 404. Now, they will still have the protections offered by SOX 404, but they will also benefit by getting these protections in a more efficient and cost effective manner. As I have repeatedly emphasized, the rigorous disclosure regime in the United States, which includes the recent protections offered by the Sarbanes-Oxley Act, is a great protector of capital.

Roel C. Campos, Commissioner
US Securities and Exchange Commission (SEC)

The Sarbanes-Oxley Act of 2002 directs the Public Company Accounting Oversight Board (PCAOB) to establish auditing and related attestation, quality control, ethics, and independence standards to be used by registered public accounting firms in the preparation and issuance of audit reports as required by the Act or the rules of the Securities and Exchange Commission (SEC). Thus, PCAOB rules apply to registered public accounting firms.

Legislators created the Sarbanes-Oxley Act (the Act) in response to a series of business failures, including Enron in 2001. Failures in internal control, particularly over financial reporting, were among the chief concerns addressed by the Act, and in particular, Section 404 of the Act, which appears below:

SEC. 404.MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a)RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

(1)state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2)contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b)INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board.

In response to the Act in June 2004, PCAOB Auditing Standard No. 2, An Audit Of Internal Control Over Financial Reporting Performed in Conjunction With An Audit Of Financial Statements, was adopted. This standard required auditors to conduct two audits of their publicly traded clients: the traditional audit of financial statements and a new audit of internal control. These two audits were intended to be tightly integrated, with the same firm performing both audits, using the results of each to plan, perform, and report on the engagement.

During the initial years of implementation, the PCAOB noted that many firms were not applying AS2 as the PCAOB intended it to be applied. In addition, issuers complained that their compliance costs were much higher than expected. For these reasons, in December 2006, the PCAOB proposed Auditing Standard No. 5, An Audit Of Internal Control Over Financial Reporting That Is Integrated With An Audit Of Financial Statements (AS5), which was intended to supersede AS2. On July 25, 2007, the SEC approved AS5, which now provides the definitive guidance for independent auditors when they perform audits of internal control over financial reporting (ICFR).

In July of 2003, as directed by Section 404, the SEC adopted rules requiring issuers to include in their annual reports a report of management’s assessment of the company’s ICFR.

Initially, the SEC’s rules included guidance on the form and content of management’s report, but provided very general guidance on the procedures that management should follow to assess ICFR. In response for calls for additional guidance and concerns regarding the manner in which companies were applying Section 404, in December 2006, the SEC issued Management’s Report on Internal Control Over Financial Reporting [Release Nos. 33-8762; 34-54976; File No. S7-24-06]. The PCAOB and the SEC worked in sync to adopt revisions to their respective rules and guidance.

The SEC issued the interpretive guidance (“the SEC Guidance”), which became effective June 27, 2007, to assist management in performing its assessment of ICFR in an efficient and effective manner. Simultaneous with issuance of the SEC Guidance, the SEC amended Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934 (the Exchange Act). These rules address management’s requirements to perform an annual assessment of ICFR. The amended Exchange Act indicates that applying the Guidance is one way that a company’s management may satisfy the requirement, that is, management does not have to adopt the Guidance.
This course is designed for auditors. It describes all of the key requirements of AS5 and provides implementation and application guidance.

• Distinguish between the responsibilities of the auditor and management relating to the annual audit of internal control.
•  Learn how management and the auditor may (and may not) work together to carry out their respective responsibilities.
•  Articulate the performance requirements under AS5:
•  Planning the audit
•  Using a Top-Down Approach to determine the scope of the audit
•  Evaluating the design effectiveness of controls
•  Evaluating the operating effectiveness of controls
•  Evaluating identified deficiencies in ICFR
•  Wrapping up the audit

This workbook contains many excerpts taken directly from AS5. However, it does not include the complete auditing standard. Thus, the workbook is not a substitute for reading the actual standard. Prior to implementing AS5 on engagements, and possibly in conjunction with taking this course, auditors should obtain and read the actual, authoritative text and related implementation guidance. When reading AS5, auditors should note that all appendices are an integral part of AS5 and carry the same authoritative weight as the actual rule itself. To download a copy of AS5, visit: http://www.pcaobus.com/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf

Auditors should also familiarize themselves with the SEC Guidance. The SEC Guidance is available at: http://www.sec.gov/rules/interp/2007/33-8810.pdf. Auditors whose clients will adopt the Guidance will want to familiarize themselves with it.

This course uses the terms “internal control over financial reporting,” “ICFR,” and “internal control” all are intended to have the same meaning as the term, internal control over financial reporting that is used in AS5 (discussed in Chapter 1).

When reading this workbook, please note the following:

• Some of the chapters in the workbook include appendixes that appear immediately after the chapter. Reading this material is an integral part of the course, and it may be included in the exam for CPE credit.
•  
• Toward the end of the workbook is a section titled Reference Materials. The materials in this section are included merely for the reader’s information and convenience. The detailed guidance in these reference materials will not be included on the exam for CPE credit.
  

Chapter 1 - Fundamentals

At the end of this chapter you should be able to:

·    Articulate the basic requirements of Section 404 of the Sarbanes-Oxley Act.

·    Describe the SEC and the COSO definitions of internal control over financial reporting (ICFR).

·    Describe the auditor’s objective in an audit of ICFR and how the ICFR audit relates to the audit of the financial statements.

·    Explain management’s responsibilities in the audit of ICFR.

·    Identify key considerations in the auditor-management relationship.

Section 404 of the Sarbanes-Oxley Act of 2002 (the Act) requires:

·    Company management to issue a report on internal control that:

1    States its responsibility for establishing and maintaining adequate ICFR; and

2    Contains an assessment, as of year-end, of the effectiveness of the company’s ICFR.

·    The company’s external auditors to audit and report on management’s assessment as to the effectiveness of the company’s ICFR.

·    Note that management’s assessment of ICFR effectiveness is “as of” year-end, which is different from an assessment of effectiveness throughout the period. The “as of” reporting requirements have a significant effect on how an audit of ICFR is performed. For example, auditors will probably perform some tests in advance of year-end. But to report on the effectiveness of internal control “as of” year-end, the auditor will be required to perform procedures to obtain evidence that the conclusions reached at an interim date remain valid at the reporting date.

·    It is common for companies with international operations to have a lag in reporting the financial results of certain foreign subsidiaries for financial reporting purposes. For example, a company may consolidate the operations of a foreign subsidiary with a November 30 year-end, rather than the December 31 year-end of the parent company. This difference in period-ends under these circumstances is considered acceptable for the evaluation of internal control (see SEC staff Q+A, Question 12 ).

Management’s report on ICFR effectiveness is contained in the company’s Form 10-K, which is filed annually with the SEC. Under the SEC rules, the company’s report must include:

(a)  Management’s Annual Report on Internal Control Over Financial Reporting. Management must provide a report on the company’s ICFR that contains:

(1)  A statement of management’s responsibilities for establishing and maintaining adequate ICFR,

(2)  A statement identifying the framework used by management to evaluate the effectiveness of the company’s ICFR,

(3)  Management’s assessment of the effectiveness of the company’s ICFR as of the end of the most recent fiscal year, including a statement as to whether or not ICFR is effective. This discussion must include disclosure of any material weakness in the company’s ICFR identified by management. Management is not permitted to conclude that the registrant’s ICFR is effective if there are one or more material weaknesses in the company’s ICFR, and

(4)  A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the registrant’s ICFR.

(b)  Audit Report of the Registered Public Accounting Firm. Provide the registered public accounting firm’s audit report on management’s assessment of the company’s ICFR.

The SEC rules regarding the preparation and issuance of audit reports apply to issuers. The term ‘‘issuer’’ means an issuer (as defined in section 3 of the Securities Exchange Act of 1934), the securities of which are registered under section 12 of that Act, or that is required to file reports under section 15(d), or that files or has filed a registration statement that has not yet become effective under the Securities Act of 1933 and that it has not withdrawn. Thus, SEC rules apply to all entities that are deemed to be issuers under the securities laws.

“Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” SEC Frequently Asked Questions (revised October 6, 2004). Note: pending possible revision by the SEC staff to conform to the SEC Guidance.

See Regulation S-K, Item 308 (17 CFR §229.308).