2014 Internal Auditing Update Richard Turpen Auburn University Montgomery

Page 1: 2014 Internal Auditing Update

2014 Internal Auditing Update

Richard Turpen

Auburn University Montgomery

Page 2: 2014 Internal Auditing Update

Contact Information

Richard A. Turpen
Department of Accounting
College of Business
Auburn University Montgomery
P.O. Box 244023
Montgomery, AL 36124
rturpen@aum.edu
334-244-3496 Phone
334-244-3792 FAX

Page 3: 2014 Internal Auditing Update

Today’s Topics

New frameworks
• COSO’s Internal Control
• GAO’s “Green Book”

New guidance
• IAASB’s ISA 610
• AICPA’s SAS 128

Page 4: 2014 Internal Auditing Update

The New COSO Framework

Page 5: 2014 Internal Auditing Update

Who?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO):
• Organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting.
• Supported jointly by five organizations:
  • American Accounting Association (AAA)
  • American Institute of Certified Public Accountants (AICPA)
  • Financial Executives International (FEI)
  • The Institute of Internal Auditors (IIA)
  • Institute of Management Accounting (IMA)

Page 6: 2014 Internal Auditing Update

What?

Internal Control—Integrated Framework
• Developed in response to corporate frauds and financial scandals of the 1970s.
• Issued in 1992, becoming the predominant model for internal control over financial reporting (ICFR) and remaining so for 20 years.

Page 7: 2014 Internal Auditing Update

Why?

Internal Control—Integrated Framework (the “New Framework” or the “Framework”)
• Accelerated pace of changes in technology
• Globalization of markets and operations
• Increased complexity of business structures
• More dramatic frauds and financial crises
• Proliferation of regulations and standards
• Greater demands for improved governance
• Widespread use of risk-based oversight

Page 8: 2014 Internal Auditing Update

Timeframe

Released in spring of 2013 after two and a half years in development.

Issued with an “effective date” of December 15, 2014.


Page 9: 2014 Internal Auditing Update

Transition

After this date, an issuer will not be able to take the position that the 1992 framework qualifies under SEC criteria as a “suitable framework” for purposes of complying with Section 404 of Sarbanes-Oxley (SOX).

Companies that continue using the old framework after the transition deadline likely will receive negative comments from the SEC and from their external auditors.


Page 10: 2014 Internal Auditing Update

Structure

• Executive Summary
• Framework
• Appendices
• Applications guide with illustrative tools
• Compendium of approaches and examples applicable to internal control over financial reporting (ICFR)

Page 11: 2014 Internal Auditing Update

Overview


Page 12: 2014 Internal Auditing Update

What’s still the same?

The core definition of internal control is largely unchanged, and its five components remain.

Organizations will continue to establish relevant objectives relating to operations, reporting, and compliance.

As before, these can be set for the entity as a whole or targeted to specific divisions, functions, or operating units.


Page 13: 2014 Internal Auditing Update

What’s new?

The new framework broadens the reporting objective to include all types:
• Both financial and non-financial.
• Both external and internal.

It also incorporates an enhanced discussion of governance, particularly as relates to compliance, and considers the increased relevance of technology and anti-fraud measures.

Page 14: 2014 Internal Auditing Update

What else is new?

But the most significant change is the explicit articulation of 17 principles that provide the foundation for the five components.

Every principle applies to all three of the objectives.

Supporting each principle are 77 points of focus intended to provide management with design and implementation guidance.


Page 15: 2014 Internal Auditing Update

The “big picture”

The goal is to apply a top-down, risk-based approach to determine whether an effective system of internal control exists:
• One that provides reasonable assurance that an organization’s objectives are met.
• One that reduces to an acceptable level the risk that an organization will not achieve its objectives.

Page 16: 2014 Internal Auditing Update

The “big picture,” cont’d.

To do so requires determining that:
• Each of the 5 components and 17 principles is “present and functioning.”
• All of the 5 components and 17 principles are “operating together” in an integrated manner.

Page 17: 2014 Internal Auditing Update

The “big picture,” cont’d.

Thus, there are two determinations:
• That each component and principle exhibits:
  • Effective design and implementation (i.e., is “present”).
  • Effective operation (i.e., is “functioning”).
• That all components and principles collectively reduce the risk of not achieving an objective to an acceptable level (i.e., are “operating together”).

Page 18: 2014 Internal Auditing Update

About “operating together” . . .

Evaluating a component (and its principles) requires determining how it is being applied within the overall system of internal control—not whether it is “present and functioning” on its own.

Management can conclude that components are “operating together” when internal control deficiencies aggregated across components do not result in a “major deficiency.”

Page 19: 2014 Internal Auditing Update

Major deficiencies

An organization cannot conclude that it has met the requirements for an effective system of internal control if a “major deficiency” exists.

Major deficiencies are internal control deficiencies or combinations of deficiencies that severely reduce the likelihood that the organization can achieve its objectives.


Page 20: 2014 Internal Auditing Update

Major deficiencies, cont’d.

Because the framework is intended to be universal across borders and regulations, the “major deficiency” concept should not complicate SOX 404 compliance evaluations—a major deficiency under the new COSO framework will most likely be regarded as a “material weakness” under SOX.

Page 21: 2014 Internal Auditing Update

A closer look

As before, the new framework’s first component is the control environment, “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.”

It then establishes five principles applicable to this component and a total of twenty points of focus.

Page 22: 2014 Internal Auditing Update

A closer look, cont’d.

The first principle speaks to an organization’s ethics: “The organization demonstrates a commitment to integrity and ethical values.”

Four points of focus support this principle:
• “Sets the ‘Tone at the Top.’”
• “Establishes Standards of Conduct.”
• “Evaluates Adherence to Standards of Conduct.”
• “Addresses Deviations in a Timely Manner.”

Page 23: 2014 Internal Auditing Update

A closer look, cont’d.

It is important to emphasize that the components and principles are key.

They are the criteria that management must use to assess internal control.

The points of focus may be helpful in that effort, but they are not evaluated separately and they need not all exist for a related principle to be present and functioning.


Page 24: 2014 Internal Auditing Update

A closer look, cont’d.

In addition to determining how to use the points of focus, organizations will probably want to give certain of the new principles greater consideration.

Although the concepts they embody are not new, by establishing them as principles, COSO has raised the bar for determining their functionality.


Page 25: 2014 Internal Auditing Update

A closer look, cont’d.

Key “new” internal control principles state that the organization:
• Considers the potential for fraud in assessing risks to the achievement of objectives (Risk Assessment, #8).
• Selects and develops general control activities over technology to support the achievement of objectives (Control Activities, #11).
• Obtains or generates and uses relevant, quality information to support the functioning of internal control (Information and Communication, #13).

Page 26: 2014 Internal Auditing Update

A closer look, cont’d.

The primary issue to address early in the transition period is the extent to which controls relevant to these principles are:
• Embedded within business processes.
• Supported by existing documentation.
• Included in the scope of assessment.

Page 27: 2014 Internal Auditing Update

Getting going

Though there is no one-size-fits-all approach, most transition plans should include:
• Establishing buy-in.
• Performing gap analysis.
• Implementing a response.

Page 28: 2014 Internal Auditing Update

Establishing buy-in

Education and training are key.
• Initial discussions should include, minimally, the CAE, CFO, and CAO.
• Communication with governance members is vital—it will be important to anticipate the questions and concerns of the audit committee and governing board.
• Equally important is to meet with the external auditors early in the process.

Page 29: 2014 Internal Auditing Update

Performing gap analysis

The core step in the transition process is mapping either controls to principles or principles to controls to identify gaps.

The direction chosen may depend upon the extent of existing documentation:
• Where ample, mapping to the framework may be easier and more efficient.
• In addition, mapping controls to principles may help avoid rationalization bias.

Page 30: 2014 Internal Auditing Update

Performing gap analysis, cont’d.

Mapping outcomes will vary:
• “Worst” case:
  • Any gaps identified will likely require remediation.
  • Material weaknesses under new COSO probably represent the same under the former framework.
• “Best” case:
  • Mapping may reveal:
    • Redundant controls (mapped from same principle).
    • Unneeded controls (mapped from no principle).
  • Some controls not previously assessed can now be scoped in.

Page 31: 2014 Internal Auditing Update

Performing gap analysis, cont’d.

Certain cautions should be kept in mind during the mapping process:
• It must stay focused on the risks that the organization has identified.
• It ought to be viewed as an opportunity to take a fresh look at controls.
• It should not become just another checklist exercise.

Page 32: 2014 Internal Auditing Update

Performing gap analysis, cont’d.

As a further caution, early communication with the external auditors is essential.

Firms registered with the Public Company Accounting Oversight Board (PCAOB) are likely to be more rigorous in their ICFR audits this year as the result of a highly critical report the PCAOB issued last fall.


Page 33: 2014 Internal Auditing Update

Performing gap analysis, cont’d.

The report faults auditors for failing to test certain controls sufficiently.

As a result, firms are under pressure to go beyond what’s been acceptable in the past.

Key areas of focus will include:
• More scrutiny of management review.
• More validation of IT-generated data and reports.
• More testing of the work performed by internal auditors.

Page 34: 2014 Internal Auditing Update

Performing gap analysis, cont’d.

Given the more intensive approach that the auditing firms will bring to bear on this year’s ICFR audits, organizations should make sure to give their external auditors opportunity to comment on the planned gap analysis.

Entities not subject to SOX still should discuss transition to the new framework with their external auditors to understand the firms’ expectations.


Page 35: 2014 Internal Auditing Update

Implementing a response

Responses to the gap analysis will require establishing priorities and will be driven in part by regulatory requirements (e.g., SOX).

Most organizations will probably find that they need to shore up documentation.

Many will need to develop and implement new assessment strategies.

Still others may discover that they must plan for remediation.


Page 36: 2014 Internal Auditing Update

Final observations

Ideally, publicly held entities have already completed or soon will complete transition.

Other organizations, including those with non-calendar fiscal years, should have their processes well underway.


Page 37: 2014 Internal Auditing Update

The Forthcoming “Green Book”

Page 38: 2014 Internal Auditing Update

Background

Standards for Internal Control in the Federal Government is the federal government’s equivalent of COSO.

First issued in 1983 and last updated in 1999, these standards are required of federal agencies under the Federal Managers’ Financial Integrity Act (FMFIA).


Page 39: 2014 Internal Auditing Update

Background, cont’d.

Known as the “Green Book,” these standards serve as the basis for assessing and reporting on controls in the federal government under Office of Management and Budget (OMB) Circular No. A-123, Management’s Responsibility for Internal Control.

They may also be applied by state, local, and quasi-governmental entities, as well as not-for-profit organizations.


Page 40: 2014 Internal Auditing Update

Background, cont’d.

Moreover, under the OMB’s final guidance for federal awards published last December and effective this year, non-federal entities (NFEs) receiving such awards must establish and maintain effective internal control over such awards, in compliance with the Green Book.


Page 41: 2014 Internal Auditing Update

Background, cont’d.

The Green Book provides:
• A framework for management to follow.
• Criteria for auditors to apply.

Thus, it can be used in conjunction with the Yellow Book, Government Auditing Standards (GAGAS) of the Government Accountability Office (GAO); e.g., the cause of an audit “finding” is often an internal control deficiency.

Page 42: 2014 Internal Auditing Update

Overview

This past fall the GAO released an Exposure Draft of an updated Green Book; the draft is still outstanding, and the final version is expected to be released on September 30, 2014.

It will closely mirror the new COSO framework as adapted to governmental entities.

Page 43: 2014 Internal Auditing Update

Overview, cont’d.

But given its purpose, the Green Book’s language is less “commercial” than COSO’s.

For example, while COSO makes reference to “board of directors” and “investors,” the Green Book uses “oversight body” and “stakeholders.”


Page 44: 2014 Internal Auditing Update

Overview, cont’d.

Nevertheless, the Green Book’s definitions and concepts are substantially the same as those of the new COSO framework.

In addition, at the highest levels, the new Green Book uses the same terminology:
• Objectives
• Components
• Principles

Page 45: 2014 Internal Auditing Update

Overview, cont’d.

However, it uses the term “attributes” instead of COSO’s “points of focus” and combines many of the latter (counts per component):

Component                       COSO points of focus   Green Book attributes
Control Environment                               20                      13
Risk Assessment                                   17                      10
Control Activities                                16                      11
Information and Communication                     14                       7
Monitoring                                        10                       6

Page 46: 2014 Internal Auditing Update

Requirements

Like COSO, the Green Book defines an effective internal control system as one providing reasonable assurance that the organization will achieve its objectives.

Therefore, to be effective:
• Each of the components, principles, and relevant attributes must be effectively designed, implemented, and operating.
• The components must operate together in an integrated manner.

Page 47: 2014 Internal Auditing Update

Requirements, cont’d.

However, the Green Book notes that there may be situations in which management has determined that a principle or attribute is not relevant in order for the entity to achieve its objectives and address related risks.


Page 48: 2014 Internal Auditing Update

Requirements, cont’d.

In such cases, management must document the rationale of how, in the absence of that principle or attribute, the associated component could be designed, implemented, and operated effectively.


Page 49: 2014 Internal Auditing Update

Requirements, cont’d.

In addition, the Green Book contains further specific documentation requirements, described in certain of the attributes.

These include, for example, the results of:
• Monitoring activities conducted on an ongoing basis.
• Separate evaluations performed to identify internal control issues.
• Corrective actions taken to remediate internal control deficiencies.

Page 50: 2014 Internal Auditing Update

Requirements, cont’d.

These documentation requirements apply to any entity that elects to use the Green Book.

More broadly, management of NFEs that choose to use the Green Book must follow all of its applicable requirements.


Page 51: 2014 Internal Auditing Update

ISA 610

Page 52: 2014 Internal Auditing Update

Background

Globally, the International Auditing and Assurance Standards Board (IAASB) is recognized as the authoritative voice of the auditing profession.

Last year it issued a new International Standard on Auditing—ISA 610 (Revised 2013), Using the Work of Internal Auditors.


Page 53: 2014 Internal Auditing Update

Background, cont’d.

The new standard “raises the bar” for external auditors when making decisions about how, if at all, to use the work of internal auditors on a financial statement audit.

Unlike U.S. auditing standards, previous guidance was ambiguous about the use of internal auditors under the supervision of the external auditor (i.e., “direct assistance”).


Page 54: 2014 Internal Auditing Update

Highlights

The new standard eliminates that ambiguity by providing explicit guidance for making “direct assistance” decisions.

It also adds a further condition that must hold in order for the external auditor to use work previously performed by internal auditors working in their (internal audit) capacity.


Page 55: 2014 Internal Auditing Update

Highlights, cont’d.

A subsequently issued U.S. auditing standard is, in the main, consistent with ISA 610’s requirements.

It is, however, somewhat less restrictive with respect to the “direct assistance” decision, primarily because of cultural and regulatory differences that exist in certain jurisdictions outside the U.S.


Page 56: 2014 Internal Auditing Update

SAS 128

Page 57: 2014 Internal Auditing Update

Background

In spring of this year, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued its long delayed “clarified” Statement on Auditing Standards No. 128, Using the Work of Internal Auditors (SAS 128).

SAS 128 is largely converged with the requirements of ISA 610.


Page 58: 2014 Internal Auditing Update

Background, cont’d.

Its release signifies the completion of the Auditing Standards Board’s “Clarity Project,” at least as relates to its auditing standards.

Issuance was delayed pending the IAASB’s finalization of the revised ISA 610 so that SAS 128 could, to the extent deemed appropriate, incorporate the international standard’s requirements and language.


Page 59: 2014 Internal Auditing Update

Highlights

Like its IAASB counterpart, SAS 128 prohibits the external auditor’s use of the internal audit function (i.e., of the work performed by the internal auditors) unless that function meets certain restrictive criteria.

Two of the three conditions already existed prior to the release of SAS 128, specifically, a positive judgment about the internal auditors’ competence and objectivity.


Page 60: 2014 Internal Auditing Update

Highlights, cont’d.

The third and new requirement is that the internal audit function use a “systematic and disciplined approach, including quality control.”

Though not specified in SAS 128, compliance with the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors (The IIA) would presumably satisfy this condition.

Page 61: 2014 Internal Auditing Update

Highlights, cont’d.

The IIA’s Standards reflect a “systematic and disciplined approach.”

In addition, Attribute Standard 1300, Quality Assurance and Improvement Program, explicitly addresses “quality control” within the internal audit function.


Page 62: 2014 Internal Auditing Update

Highlights, cont’d.

Thus, unless the external auditor can conclude that the internal audit function follows a “systematic and disciplined approach,” internal auditors’ work cannot be used as external audit evidence.

However, the external auditor may still be able to use the internal auditors in a “direct assistance” capacity, but extensive testing of their work is required.

Page 63: 2014 Internal Auditing Update

Highlights, cont’d.

SAS 128 is effective for audits of financial statements for periods ending on or after December 15, 2014.


Page 64: 2014 Internal Auditing Update

Postscript

Page 65: 2014 Internal Auditing Update

Other Developments

• Another framework
• Another standard

Page 66: 2014 Internal Auditing Update

NIST’s Cybersecurity

Last year, pursuant to concern for national and economic security, President Obama issued an Executive Order directing the National Institute of Standards and Technology (NIST) to develop a voluntary framework for reducing cyber risks to critical infrastructure.

Earlier this year, NIST issued in response Framework for Improving Critical Infrastructure Cybersecurity.


Page 67: 2014 Internal Auditing Update

NIST’s Cybersecurity, cont’d.

The framework was developed with broad industry input and represents, in effect, a summary of best practices.

It is a risk-based approach to managing cybersecurity risk composed of three parts, each reinforcing the connection between business drivers and cybersecurity activities.


Page 68: 2014 Internal Auditing Update

NIST’s Cybersecurity, cont’d.

All organizations should recognize that, if an entity’s cybersecurity practices are ever questioned during a regulatory investigation and litigation, the baseline for what’s considered commercially reasonable is likely to become the NIST Framework.


Page 69: 2014 Internal Auditing Update

NIST’s Cybersecurity, cont’d.

At a minimum, critical infrastructure companies as identified by the Department of Homeland Security should be prepared to document and demonstrate that their cybersecurity practices are consistent with those promoted through the framework.


Page 70: 2014 Internal Auditing Update

NIST’s Cybersecurity, cont’d.

These include the following industries:
• Banking and finance
• Communications
• Defense companies
• Energy and utilities
• Emergency services
• Food and agriculture
• Healthcare
• Transportation systems

Page 71: 2014 Internal Auditing Update

NIST’s Cybersecurity, cont’d.

The framework is likely to become the basis for what’s regarded as commercially reasonable for securing an organization’s infrastructure.

Even if they don’t follow it completely, organizations should at least understand where they are deficient and why.

Page 72: 2014 Internal Auditing Update

NIST’s Cybersecurity, cont’d.

Although the framework is voluntary, it will probably become the de-facto standard of care that organizations will be judged against if a breach occurs.

Therefore, minimally, they need to have someone in charge of security and a plan that’s current, including an incident response strategy.

Internal auditor involvement is essential.

Page 73: 2014 Internal Auditing Update

ASU 2014-09

In May the Financial Accounting Standards Board (FASB) finally released its long-awaited revenue recognition standard.

The “crown jewel” in its convergence efforts with the International Accounting Standards Board (IASB), the new standard is sweeping in its scope and likely effects.


Page 74: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

“Revenue from Contracts with Customers” applies to all industries and transactions.

It eliminates current GAAP’s transaction- and industry-specific revenue recognition guidance and replaces it with a principle-based approach.

Page 75: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

All nongovernmental entities, including nonprofits (and FASB-based components), are within its scope.

Page 76: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

The AICPA observes:

“This standard has the potential to affect every entity’s day-to-day accounting and, possibly, the way business is executed through contracts with customers.”

Page 77: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

This impact is due in large part to how the standard defines a “contract.”

It is not limited to written documents—it is any “agreement between two or more parties that creates enforceable rights and obligations.”

Thus, the standard emphasizes that contracts “can be written, oral, or implied by an entity’s customary business practices.”

Page 78: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

Currently GAAP’s revenue recognition principles provide two criteria—to be recognized, the revenue must be both:
• Realized or realizable
• Earned

Page 79: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

In practice, SEC guidance has equated these to four conditions:
• Persuasive evidence of an arrangement exists.
• Delivery has occurred/Services have been rendered.
• Prices are fixed or determinable.
• Collectibility is reasonably assured.

Page 80: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

These criteria have been replaced with a “core principle,” i.e., that “an entity shall recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.”

Page 81: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

To achieve that principle, an entity must apply five steps:
1. Identify the contract with a customer.
2. Identify the separate performance obligations.
3. Determine the transaction price.
4. Allocate the transaction price to the separate performance obligations in the contract.
5. Recognize revenue when (or as) the entity satisfies a performance obligation.

Page 82: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

The standard includes some examples to assist with the transition.

Given the challenges of implementation, the FASB has established a longer than usual timeframe.

Page 83: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

For public companies, the effective date will be annual reporting periods beginning after December 15, 2016.

For nonpublic entities, the effective date will be annual reporting periods beginning after December 15, 2017.

Page 84: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

The new standard offers two complex methods of implementation.

Organizations will need to modify existing systems or create new ones to meet the comparative year reporting requirements (as well as to capture the data needed under the extensive new disclosure rules).

Page 85: 2014 Internal Auditing Update

ASU 2014-09, cont’d.

The potential for misstatement is enormous and will require careful transition planning and internal control modifications.

Internal auditor involvement will be critical.

Page 86: 2014 Internal Auditing Update

Postscript to Postscript

Page 87: 2014 Internal Auditing Update

The bad news

The demands that internal auditors are facing and will continue to face over the next few years are tremendous.


Page 88: 2014 Internal Auditing Update

The good news

The demands that internal auditors are facing and will continue to face over the next few years are tremendous:

Full employment for internal auditors!


Page 89: 2014 Internal Auditing Update

Thank You!
