Powerpoint slides

Slide 1

CAQ WEBCAST

AS 5: Preparing for Integrated Auditsof Non-Accelerated Filers

September 25, 2008

The views expressed by the presenters do not necessarily represent the views, positions, or opinions of the Center for Audit Quality or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client or attorney-client relationship.

Slide 2

CAQ Task Force

• BDO Seidman LLP

• Crowe Horwath LLP

• Deloitte LLP

• Ernst & Young LLP

• Grant Thornton LLP

• KPMG LLP

• McGladrey & Pullen LLP

• PricewaterhouseCoopers LLP

Slide 3

Today’s Objectives

Today’s program is designed to help you better understand:

How to effectively plan an integrated audit to gain efficiency and eliminate redundancy

How to use a top-down risk-based approach to focus on areas of greatest risk

How to communicate with management to obtain effectiveness and efficiency for all parties

Slide 4

Today’s Panelists

Wendy Campbell, CPA Executive

Crowe Horwath LLP

Trent Gazzaway, CPAManaging Partner of Corporate Governance

Grant Thornton LLP

Gregory S. Wilson, CPADeputy Director - Inspections

Public Company Accounting Oversight Board

**********

Cynthia M. FornelliModerator & Executive Director

Center for Audit Quality

Slide 5

Caveat

The views expressed are my own views and do not necessarily reflect the views of the Board, individual Board members, or the staff of the PCAOB.

Slide 6

PCAOB Inspections Overview

Audits of Internal Control Over Financial Reporting (ICFR) – “The Journey”• 2005 inspection year (“Year of Chaos”)

– First year of inspections of audits of ICFR under AS No. 2

• 2006 inspection Year (“Year of Efficiency”)– Focus on May 16, 2005 PCAOB Q&A– PCAOB announces intent to amend AS No. 2 on May

17, 2005

Slide 7


Audits of Internal Control Over Financial Reporting (ICFR) – “The Journey”• 2007 inspection year (“Year of Transition”)

– Proposed ICFR audit standard issued December 19, 2006 to supersede AS No. 2

– Reinforce concepts embraced in proposal– Avoid concepts dropped in proposal

Slide 8


Audits of Internal Control Over Financial Reporting (ICFR) – “The Journey”• 2008 inspection Year (“Year of Learning”)

– AS No. 5 issued June 12, 2007• Board “got the words right”

• Board Objectives– Focus the audit on matters most important to internal

control– Eliminate unnecessary procedures– Scale the audit for smaller companies– Simplify the requirements

Slide 9


Audits of Internal Control Over Financial Reporting (ICFR) – “The Journey”• 2008 inspection Year (“Year of Learning”)

– SEC management guidance issued June 27, 2007– Inspections approach

• Sensitivity to timing

• Integrated audit

• Focus on most important matters in audit of ICFR

• Eliminate unnecessary procedures

• Sensitivity to auditor judgment

Slide 10


Audits of Internal Control Over Financial Reporting (ICFR) – “The Journey”• Auditors and issuers becoming more comfortable

with ICFR audits

• Continuous improvement noted with focus on higher risk areas

• Some hard lessons learned early on

• “Lessons learned” to be discussed today are consistent with several year’s inspection findings

Slide 11

Topics

• Understand and Use Management’s Assessment and Documentation as a Starting Point

• Integrate the Audits

• Establish the Right Team

• Identify Material Risks to Reliable Financial Reporting

• Identify Controls Necessary to Sufficiently Address Identified Risks

• Take a Risk-Based Approach to Testing Identified Controls

Slide 12

Understand and Use Management’s Assessment and Documentation as a Starting Point

#1: Take advantage of company’s ICFR evaluation testing and documentation in year before first integrated audit

– Knowledge share– Foundation for future audits – Established approach– Effect on substantive testing

Slide 13

Understand and Use Management’s Assessment and Documentation as Starting Point

#2: Early and frequent communication/coordination with management yields more effective/efficient audit process

• Support audit efficiency through existing evaluation process

• Provide suggestions and considerations for effective and efficient assessment

Slide 14


#3: Coordinate timing of management's work to enable use by the auditor

• Establish timelines with management

• Hold periodic status meetings

• Update the audit committee on progress

Slide 15


#4: Identify/assess risks and controls that may have pervasive effects on the assessment and effectiveness of ICFR

• Early identification of pervasive deficiencies can eliminate unnecessary testing

• Early identification of effective entity-level controls may eliminate the need to test lower level controls

Slide 16


#5: Consider implications of any unremediated deficiencies

• Discuss management's plans to remediate, if any

• Consider effect on the ICFR audit

• Consider effect on the financial statement audit (i.e. planned control reliance strategy)

Slide 17

Integrate the Audits

#6: Plan audit of ICFR and audit of financial statements as a single integrated audit

• Conduct a single risk assessment

• Where a controls reliance approach is not used, consider the results of substantive tests for risk implications for the audit of ICFR

• Increased efficiency through reduced effort related to substantive testing in the financial statement audit

Slide 18


#7: Consider employing controls reliance approach in first year of required Section 404(b) audit of ICFR

• Assess the effectiveness of controls that affect the controls reliance approach early

• Early coordination and testing provide for effective and efficient implementation of this approach

Slide 19


#8: Perform control tests in conjunction with substantive tests where audit procedures meet objectives of both

• A single test may achieve more than one objective

• Identify areas for dual purpose/concurrent testing:– Management estimates – Account reconciliations– Roll-forward procedures– Sampling

Slide 20


#9: The results of substantive testing should inform the ICFR risk assessment and control effectiveness conclusions

• Evaluate results of substantive tests and their implication on the effectiveness of internal control

• Design the integrated approach to include consideration of substantive testing results

• Results of substantive tests do not, on their own, provide sufficient evidence to conclude that internal control is effective

Slide 21


#10: Coordinate ICFR and substantive tests among those performing the work

• Integrated teams:– Reduce duplicative efforts– Facilitate testing to achieve objectives of the internal

control audit and the financial statement audit

Slide 22

Establish the Right Team

#11: Planning and execution of an integrated audit requires early, close and continuous involvement by experienced engagement team members

• Plan for more partner, manager, and specialist involvement

• Timely review and supervision…in every phase

Slide 23

Establish the Right Team

#12: Involve auditors with ICFR auditing experience or integrated audit training

• Take advantage of the learning curve

• Provide training, including COSO and AS5

• Recognize importance of on-the-job training

Slide 24

Identify Material Risks to Reliable Financial Reporting

#13: Apply a top-down, risk-based approach to identify significant accounts and disclosures and their relevant assertions

• Begin at the financial statement level, not process or control level, then consider disaggregating line items

• Use professional judgment to identify material risks

Slide 25


#14: Tailor the audit approach based on a refined risk assessment

• Carefully design the risk assessment process – Consider “what could go wrong” (in a material sense) – Focus at the assertion level

Slide 26


#15: Achieve AS5 paragraph 34 objectives by performing different combinations of procedures, including walkthroughs

• Walkthroughs are not required by AS5; however they are frequently the most effective method

– Confirm understanding through planning, risk assessment and other activities performed

– Consider prior year results and changes– Develop and ask probing questions

Slide 27


#16: IT applications and their control environment influence the identification of financial reporting risks

• Consider IT-related risks as part of the overall risk assessment

• Gain efficiency through automated controls

• When general IT controls are deemed ineffective, consider whether automated controls can be tested directly

Slide 28

Identify Controls Necessary to Sufficiently Address Identified Risks

#17: Apply a top-down approach to identify controls that sufficiently address identified risks

• Consider:– Entity level controls that are direct and precise and may eliminate

other control testing– Entity level controls that may reduce but not eliminate other

control testing– Automated controls– Manual transaction-level controls– Preventive and detective controls

Slide 29

Take a Risk-Based Approach to Testing Identified Controls

#18: Maximize opportunities for using the work of others

• Assess the competence and objectivity of the persons performing the work– Individuals may include internal audit, 3rd parties, and/or other

company employees– Competence should relate to the control being tested

• Consider risk associated with the control

• Discuss nature, timing and extent of testing with management

Slide 30


#19: Vary the nature, timing, and extent of controls testing based on risk associated with each control

• Make use of existing knowledge (every control does not need to be tested to the same extent each year)

• Flexibility exists in varying timing of control testing

• Statistical sampling not required for all testing

• Benchmarking strategies

Slide 31


#20: Testing controls at an interim date may improve effectiveness and efficiency of integrated audit

• Supports planned control reliance

• Perform substantive testing procedures at an interim date concurrent with control testing

• Consider relevant risks and other factors to determine whether, and to what extent, roll-forward or update testing is necessary

Slide 32


#21: An ineffectively designed control need not be tested for operating effectiveness

• Testing may cease when sufficient evidence indicates a control is not designed effectively or does not operate effectively

• May need to test remediated controls

Slide 33

Available Resources• PCAOB Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statementshttp://www.pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_No.5.aspx

•PCAOB Staff Guidance for Auditors of Smaller Public Companies - AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS (Pending)http://www.pcaobus.org/Standards/Standards_and_Related_Rules/AS5/Guidance.pdf

•SEC Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 http://www.sec.gov/rules/interp/2007/33-8810.pdf

•COSO Internal Control – Integrated Framework - http://www.coso.org/IC-IntegratedFramework-summary.htm

•COSO Guidance on Monitoring Internal Control Systems (Exposure Draft) http://www.coso.org/guidance.htm •COSO Internal Control Over Financial Reporting – Guidance for Smaller Public Companieshttp://www.coso.org/ICFR-GuidanceforSPCs.htm

Slide 34

Questions & Summary

Slide 35

Join the CAQ today!

Visit www.theCAQ.org/members

or call

1-888-817-3277

Slide 36

Thank you for participating!

Please visit us at

www.theCAQ.orgor call

1-888-817-3277

Documents

Powerpoint slides