Navigating the PCAOB's and SEC's internal control expectations: A discussion. June 2015

Setting the scene

ICFR guidance:
- PCAOB Auditing Standard No. 5 (May 2007)
- PCAOB staff views: An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, Guidance for Auditors of Smaller Public Companies (January 2009)
- Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (June 2007)
- Office of the Chief Accountant, Division of Corporation Finance: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports; Frequently Asked Questions (September 2007)
- COSO Internal Control - Integrated Framework (May 2013)

Regulator viewpoints:
- PCAOB individual firm's inspection findings/reports
- PCAOB 4010 Report: Observations From 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control Over Financial Reporting (December 2012)
- PCAOB Staff Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting (October 2013)
- Various SEC staff speeches primarily focused on evaluating the severity of deficiencies and disclosures

Copyright 2015 Deloitte Development LLC. All rights reserved.

PCAOB Inspection Findings re: ICFR

[Chart: Of all integrated audits inspected, percentage in which Inspections staff identified deficiencies in auditing ICFR that resulted in an insufficiently supported audit opinion.]

Source: PCAOB's Audit Committee Dialogue white paper (May 2015)

Staff Audit Practice Alert No. 11

Issued to highlight the significant auditing deficiencies that have been cited frequently in the previous three years in PCAOB inspection reports relating to audits of internal control over financial reporting (ICFR):
1. Risk assessment and the audit of internal control
2. Selecting controls to test
3. Testing management review controls
4. IT considerations, including system-generated data and reports
5. Roll-forward of controls tested at an interim date
6. Using the work of others
7. Evaluating identified control deficiencies

1. Risk assessment and the audit of internal control

- Failure to test controls for all relevant assertions of the significant accounts and disclosures; e.g.: "... the components of a potential significant account or disclosure might be subject to significantly different risks."
- Failure to gain an understanding of the likely sources of potential misstatements related to significant accounts and disclosures; e.g.: "... walkthrough procedures were not adequate to verify the auditor's understanding of the risks in the company's processes and identify and select for testing controls sufficient to address the risk of misstatement for the relevant assertions."
- Insufficient testing of controls that address risks of material misstatement in multi-location engagements; e.g.:
  - Testing a sample of locations and extrapolating the results of that testing to other locations without performing procedures to evaluate whether the issuers' systems and controls were designed and implemented consistently across all of those locations.
  - Exclusion of certain locations from testing without establishing whether there was a reasonable basis to exclude those locations.
- Placed undue emphasis on testing management review controls and other detective controls.

2. Selecting controls to test

- Placing undue emphasis on testing management review controls and other detective controls without considering whether they adequately addressed the assessed risks of material misstatement of the significant account or disclosure.
- Failure to identify and sufficiently test controls that addressed the risk of material misstatement; e.g.:
  - Revenue: Significant business units or significant revenue categories, significant contract provisions affecting revenue recognition, and significant inputs to percentage-of-completion calculations.
  - Inventory: Pricing of significant inventory components and determination of reserves for excess and obsolete inventory.
  - Fair value of financial instruments: Inputs used to value hard-to-value financial instruments and determinations of the classification of securities within the fair value hierarchy.
  - Valuation of pension plan assets.
  - Infrequent processes and transactions.

3. Testing management review controls

Failure to perform procedures to obtain evidence about how a management review control is designed and operates at a level of precision to prevent or detect misstatements.

Factors affecting the precision of the review:
- Objective of the review: A procedure that functions to prevent or detect misstatements generally is more precise than a procedure that merely identifies and explains differences.
- Level of aggregation: A control that is performed at a more granular level generally is more precise than one performed at a higher level.
- Consistency of performance: A control that is performed routinely and consistently generally is more precise than one performed sporadically.
- Correlation to relevant assertions: A control that is indirectly related to an assertion normally is less likely to prevent or detect misstatements in the assertion than a control that is directly related to an assertion.
- Predictability of expectations: The precision depends on the ability to develop sufficiently precise expectations to highlight potentially material misstatements.
- Criteria for investigation: For detective controls, the threshold for investigating deviations or differences from expectations relative to materiality is an indication of a control's precision.

Verifying signoff of a review provides little or no evidence in itself about the control's effectiveness.

3. Testing management review controls (cont'd)

Design: Generally involves obtaining an understanding of and evaluating the following:
- Whether the control addresses the relevant risks of material misstatements/assertion
- The factors affecting precision of the review
- The steps involved in identifying, investigating, and resolving significant differences from expectations
- The person(s) who performs the control, including the competence and authority of the person(s)
- The frequency of performance of the control, i.e., whether the review occurs often enough to prevent or detect misstatements before they have a material effect on the f/s
- The information used in the review.

Operating effectiveness: Evidence necessary to conclude that a control is effective depends upon the risk associated with the control. Testing typically involves, for selected operations of the control, obtaining and evaluating evidence about the following:
- The steps performed to identify and investigate significant differences; and
- The conclusions reached in the reviewer's investigation, including whether potential misstatements were appropriately investigated and whether corrective actions were taken as needed.

4. IT considerations, including system-generated data and reports

- Failed to sufficiently test controls over the accuracy and completeness of system-generated data or reports used in the operation of relevant controls; e.g.:
  - General IT controls that are important to the effective operation of the applications that generated the data or reports.
  - The logic of queries (or parameters) used to extract data from the IT applications used in the reports.
- Address control deficiencies that were identified with respect to the general IT controls over either the applications that process the data used in the reports or the applications that generated the reports.
- Perform procedures to test report writers and systems used to produce spreadsheets, queries, or reports.
- Consider those IT-dependent controls that used customized data or queries that were not subject to the general IT controls the firm tested.

5. Roll-forward of controls tested at an interim date

Failure to perform testing, or used inquiry alone, to update the results of testing of higher risk controls that had been performed prior to year-end; e.g.:
- An engagement team performed tests of highly subjective controls during the interim period, three to six months prior to year-end. Yet the engagement team's procedures to update the results of its testing of these controls from the interim date to year-end were limited to general inquiries about whether the operation of any of these controls had changed, despite higher degrees of risks associated with these controls, including, in some cases, high inherent risks or heightened fraud risks.
- The engagement team's procedures to update the results of its testing of internal control for the six-month period from the interim date to year-end were limited to inquiry, including for higher-risk controls and controls affected by a change in management review and approval responsibilities.

6. Using the work of others

- Failed to establish a sufficient basis for using the work of others. For example, the extent to which the auditor used the work of internal audit in a higher risk area involving significant judgments, such as aspects of revenue and the valuation of complex, hard-to-value investment securities, was inappropriate in accordance with PCAOB AS 5, paragraph 19 (which states, paraphrased, that as the risk increases, the need for the auditor to perform his or her own work on the control increases).
- Failed to evaluate the design of internal audit's control testing procedures, including the scoping and the identification of important controls. For example, the auditor used the work of internal audit to test controls over revenue. The engagement team did not reperform any of the tests of controls performed by the issuer's internal audit group. In addition, there was no documentation of the nature, timing, and extent of the control testing performed by internal audit (as required by PCAOB AU 322, paragraphs 24 through 26).

7. Evaluating identified control deficiencies

Failure to sufficiently evaluate the severity of the control deficiencies identified, e.g.:
- Insufficient evaluation of whether audit adjustments and exceptions identified from substantive procedures were indicators of the existence of control deficiencies.
- Failure to consider all of the relevant risk factors that should have affected the determination of whether there was a reasonable possibility that a deficiency, or a combination of deficiencies, could result in a material misstatement.
- Failure to consider all of the relevant factors that should have affected the determination of the magnitude of potential misstatements.
- Insufficient evaluation of compensating controls, including identifying and testing those controls and determining whether they operated at a level of precision that would prevent or detect a misstatement that could be material.

7. Evaluating identified control deficiencies

Where are the material weaknesses?

"I continue to question whether all material weaknesses are being properly identified. It is surprisingly rare to see management identify a material weakness in the absence of a material misstatement. This could be either because the deficiencies are not being identified in the first instance or otherwise because the severity of deficiencies is not being evaluated appropriately.... [I]t may be useful for management to dust off the SEC's 2007 interpretive guidance and compare management's ICFR evaluation process to the SEC guidance to see if improvements are in order."
Brian Croteau, Deputy Chief Accountant, Office of the Chief Accountant, Remarks Before the 2013 AICPA National Conference on Current SEC and PCAOB Developments Audit Policy and Current Auditing and Internal Control Matters, December 9,

"The other area of internal controls that we wonder about is: when we see a material weakness, it's usually around the time a restatement is announced, but why aren't there more material weaknesses when there's not a restatement announced? You would expect there to be more material weaknesses prior to a restatement, but a controls error always seems to be found at just about the same time."
Paul A. Beswick, Former SEC Chief Accountant, May 1,

"I continue to question whether material weaknesses are being properly identified, evaluated, and disclosed."
Brian Croteau, Deputy Chief Accountant, Office of the Chief Accountant, Remarks Before the 2014 AICPA National Conference on Current SEC and PCAOB Developments, December 8,

Appendix

ICFR: Areas of focus

Table columns: ICFR hot topics; Cited in material weakness disclosures; Areas/contributing factors to material fraud; Related 2013 COSO Framework principles

Control Environment
- Ethics program (principles 1, 2)
- Delegation of authority (principle 3)
- Competence and training of accounting personnel (principle 4)
- Establishing accountability and expectations for ICFR through performance and compensation systems (principle 5)

Risk Assessment
- Appropriateness of and support for accounting policies and procedures (principle 6)
- Detailed risk assessment for each relevant account and disclosure, and linking the risk assessment to related control activities (principles 7, 10, 11, 12)
- Fraud risk assessment, including management override, financial statement manipulation, misappropriation of assets, and corruption (principles 8, 10, 11, 12)
- Revising the risk assessment and controls for one-time or infrequent transactions or events, such as: significant changes in process, technology, or people; business combinations (principles 9, 10, 11,

ICFR: Areas of focus (cont'd) ICFR hot topics Control Activities Cited in material weakness disclosures Areas/ contributing factors to material fraud Establishing expectations through internal control policies and procedures 12 Journal entries 10 Segregation of duties such as IT system access issues and incompatible duties Account balance and disclosure specific controls, such as: Revenue Inventory (including cycle count and/or physical inventory programs) Taxes Footnotes and cash flow statement Account reconciliations Precision and evidence of management review controls, such as: Reserves, including inventory obsolescence, and bad debts Impairment, including projections Fair value of investments Pension liabilities Application of GAAP Involving and/or overseeing specialists Component financial results/data 10, 11 10,12 Related 2013 COSO Framework principles 10, 12, 16 Use of outsourced service providers 10, 12, 16 IT security and program change controls

ICFR: Areas of focus (cont'd) ICFR hot topics Cited in material weakness disclosures Information and Communication Areas/ contributing factors to material fraud Related 2013 COSO Framework principles Quality of data, including reports used by controls 13 Whistleblower programs 14, 15 Monitoring Activities Monitoring approach linked to the risk assessment, including consideration of business units/locations Effectiveness and competence of the monitoring function, such as the internal audit function Substance of the entity's periodic certification program 14, 15, 16 Evaluation of deficiencies to determine the root cause

Data on Material Weaknesses

[Chart: material weakness categories]
- Accounting personnel resources, competency/training
- Accounting documentation, policy and/or procedures
- Material and/or numerous auditor/YE adjustments
- Information technology, software, security & access issue
- Inadequate disclosure controls (timely, accuracy, completeness)
- Segregation of duties/design of controls (personnel)
- Non-routine transaction control issues
- Untimely or inadequate account reconciliations
- Restatement or nonreliance of company filings
- Journal entry control issues
- Treasury control issues
- Insufficient or non-existent internal audit function
- Ineffective, non-existent or understaffed audit committee
- Ethical or compliance issues with personnel
- Restatement of previous 404 disclosures
- Senior management competency, tone, reliability issues
- Ineffective regulatory compliance issues

Based on data from Audit Analytics for the period from November 15, 2013, through October 15, 2014, including 10-K filings for the calendar year ended December 31,

Data on material fraud issues

Proportion of financial statement fraud schemes represented by each alleged fraud scheme in AAERs from 2000 through 2008:
- Revenue recognition: 38%
- Manipulation of expense: 12%
- Improper disclosures: 12%
- Manipulation of liabilities: 8%
- Manipulation of assets: 7%
- Manipulation of reserves: 7%
- Bribery and kickbacks: 4%
- Asset misappropriation: 3%
- Manipulation of A/R: 3%
- Investments: 2%
- Goodwill: 2%
- Aiding and abetting: 2%

Source: Deloitte Forensic Center, Ten Things About Financial Statement Fraud Third Edition,

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see for a detailed description of DTTL and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

36 USC
Member of Deloitte Touche Tohmatsu Limited