Simplified Approach to the Evaluation of Process-Level Control Deficiencies

Robert Half International, Inc. CPE
Brier Creek Country Club, Raleigh, NC
February 19, 2013

Presented by: Les A. Chaney, CPA, CIA, CGMA
ICFR Global Consulting, LLC
Mobile: (919) 427-2265 [email protected]

SOX _ Evaluation of Deficiencies


DESCRIPTION

Automated spreadsheet SOX process-level deficiency evaluation tool utilizing PCAOB audit standard # 5 & # 2, and the 2004 deficiency evaluation guidance. Presentation shows flowcharts for Tests of Design & Tests of Operating Effectiveness deficiency evaluation process, along with extracts from PCAOB AS # 5 & AS # 2.



Work/Life Balance


Today’s Agenda

• Simplified Approach for Evaluating “Process-Level” Control Deficiencies, utilizing:

– PCAOB Audit Standard # 5 (approved May 24, 2007, amended June 12, 2007)

– Superseded PCAOB Audit Standard # 2 (March 2004)

– “A Framework for Evaluating Control Exceptions and Deficiencies” (Dec 2004)


Today’s Objectives

• Share a simplified approach for evaluating Process-Level Control (PLC) deficiencies that utilizes past guidance

• Audience discussion of other methods being utilized to evaluate PLC deficiencies


Management’s Annual Assessment of Internal Controls over Financial Reporting

• Administration

o Roles & Responsibilities

• Guidance

o SEC, PCAOB, International SOX (J-SOX, C-SOX)

• Scoping

o Legal Entity, Division/Location

• Planning

o Budgeting/Resources, Timeline

o Tester Training

o Kickoff Meeting/Webinar for Process Owners

• Documentation Change Control (SOX Sec. 302)

• Tests of Controls

• Evaluation of Deficiencies

• Management’s Assessment of ICFR


Project Success


The PLC Deficiency Evaluation Process

• Local Materiality Threshold

• Local Upper Limit of Inconsequential Deficiency

• Estimation of Gross Exposure (Potential Magnitude)

• Evaluation of Design Deficiencies

• Evaluation of Operating Effectiveness Deficiencies


Local Materiality Threshold

• To begin the PLC deficiency evaluation process, Executive Management must determine the basis of the Local Materiality Threshold.

• Materiality Threshold is defined as the amount which must be exceeded for a deficiency to be deemed to have a “material” impact on the financial statements.

• Some companies use a percentage of budgeted gross sales or a percentage of net income.

– In our example, current year annual budgeted gross sales of $1.25B and a percentage of 1/2% is used to calculate the Local Materiality Threshold of $6.25M.


Local Upper Limit of “Inconsequential Deficiency”

• The “local upper limit of inconsequential deficiency” is defined as the amount that a deficiency must exceed to be considered more than inconsequential.

• In conjunction with the Materiality Threshold, Executive Management must determine the “Local Upper Limit of Inconsequential Deficiency” by estimating a percentage to be applied to the Local Materiality Threshold.

– In our example, Executive Management has determined that 20% of the rounded Local Materiality Threshold of $6M is deemed to be the Local Upper Limit of Inconsequential Deficiency, which calculates to be $1M.


Authoritative Guidance

• Public Company Accounting Oversight Board (PCAOB) Audit Standard (AS) # 2 (superseded by PCAOB AS # 5)

– Paragraph 9: A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data…such that there is more than remote likelihood that a misstatement of the company’s…financial statements that is more than inconsequential will not be prevented or detected.

• PCAOB AS # 5 does not use the terms “inconsequential” or “more than inconsequential” to gauge magnitude.


Estimation of Gross Exposure

• Step one in the deficiency evaluation process for each PLC Design and Operation deficiency is to estimate the Gross Exposure (Potential Magnitude).

• The Gross Exposure is the worst-case estimate of the magnitude of amounts or transactions exposed to the deficiency with regard to interim or annual financial statements.


Estimation of Gross Exposure (continued)

• Practical approach:

– Determine the general ledger (GL) accounts impacted by the deficiency

– Describe the transactions impacted by the deficiency

– Determine the GL balances, or other estimated Gross Amount that could be impacted (e.g. in some cases, the amount of the Local Materiality Threshold may be conservatively used if a particular GL account balance or transaction amount cannot be determined)

– Estimate the percent of the GL balance or transaction total impacted by the deficiency (e.g. in some cases, 100% is the most conservative, if a % cannot be readily estimated)

– Finally, the Gross Exposure is calculated as the original amount multiplied by the estimated percentage. This amount is then used to begin the evaluation of the Design or Operating Effectiveness deficiency.


Authoritative Guidance

• PCAOB AS # 2, paragraph 135, and PCAOB AS # 5, paragraph 66:

Several factors affect the magnitude of the misstatement that could result from a deficiency or deficiencies in controls. The factors include, but are not limited to, the following:

o The financial statement amounts or total of transactions exposed to the deficiency.

o The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.


Evaluation of Design Deficiencies

• Per PCAOB AS # 2, paragraph 8: A deficiency in design exists when

(a) a control necessary to meet the control objective is missing, or

(b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.


Evaluation of Operating Effectiveness Deficiencies

• Per PCAOB AS # 2, paragraph 8: A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

• The steps to evaluate Operation deficiencies are the same as the steps to evaluate Design deficiencies, except immediately after step 2, three additional steps are performed:

1. Determine the “Upper Limit Deviation Rate”

2. If the Upper Limit Deviation Rate is < 20%, then calculate the “Adjusted Gross Exposure” = the Gross Exposure.

3. Is the “Adjusted Gross Exposure” > or = Local Upper Limit? If no, then the deficiency is evaluated as “inconsequential”.


Documented Process


Evaluation Process - Automated Spreadsheet


“Redundant” Controls (can help reduce / mitigate Gross Exposure) and “Complementary” Controls (can help reduce Gross Exposure, but primarily affect “possibility”).

• Questions to resolve: Do they achieve the same control objective? Do they address the same assertions? Have they been successfully tested?


Authoritative Guidance

• PCAOB AS # 2, paragraph 133, and PCAOB AS # 5, paragraph 65: Several factors affect the likelihood that a deficiency…could result in a misstatement. The factors include, but are not limited to:

o The nature of the financial statement accounts, disclosures, and assertions involved

o The susceptibility of the related assets or liability to loss or fraud

o The subjectivity, complexity, or extent of judgment required to determine the amount involved

o The cause and frequency of known or detected exceptions for the operating effectiveness of a control

o The interaction or relationship of the control with other controls

o The interaction of the deficiencies

o The possible future consequences of the deficiency


Authoritative Guidance

• “A Framework for Evaluating Control Exceptions and Deficiencies” was published December 20, 2004. The framework was developed by representatives of the following nine firms: BDO Seidman LLP, Crowe Chizek and Company LLC, Deloitte & Touche LLP, Ernst & Young LLP, Grant Thornton LLP, Harbinger PLC, KPMG LLP, McGladrey & Pullen LLP, and PricewaterhouseCoopers LLP.


Authoritative Guidance

• PCAOB Audit Standard No. 2 – March 9, 2004: “An audit of internal control over financial reporting performed in conjunction with an audit of financial statements”

Paragraph 130. “Evaluating Deficiencies in Internal Control Over Financial Reporting.”

Paragraph 131. The auditor should evaluate the significance of a deficiency …by determining the following:

o The likelihood that a deficiency, or a combination…could result in a misstatement…

o The magnitude of the potential misstatement…

Paragraph 133. Several factors affect the likelihood that a deficiency or combination…could result in a misstatement…

Paragraph 135. Several factors affect the magnitude…


Authoritative Guidance

• PCAOB Audit Standard No. 5 – June 12, 2007: “An audit of internal control over financial reporting that is integrated with an audit of financial statements”

Paragraph 62. The auditor must evaluate the severity of each control deficiency...

Paragraph 63. The severity of a deficiency depends on:

o Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement…

o The magnitude of the potential misstatement resulting from the deficiency or deficiencies

Paragraph 65. Risk factors affect whether there is a reasonable possibility… [The factors are the same as AS #2, paragraph 133 factors affecting likelihood.]

Paragraph 66. Factors affect the magnitude… [Same as AS #2, paragraph 135 factors affecting magnitude]

Paragraph 68. The auditor should evaluate the effect of compensating controls when determining whether a deficiency is a material weakness.


Examples of ICFR engagements


• US SOX

– Control optimization to reduce # of key controls & thus reduce testing

– Sampling & Testing Methodologies, Standardized step-by-step test procedures

• International SOX (e.g. J-SOX)

• Preparation for IPO - implement a strong internal control framework as early as possible

• Post IPO

– SOX Sec 302 & 906 required for 1st periodic filing (10K & 10Q)

– SOX 404 required for 2nd periodic filing

• US privately-held companies, preparation for external audit (SAS 104-111 guidance for auditors assessing risks and controls in financial statement audits of non-public companies):

• Preparation for Service Organization Controls audits (SOC1, SOC2 & SOC3 reports replace SAS70 reports)


Questions?

Les A. Chaney, CPA, CIA, CGMA
ICFR Global Consulting, LLC
