US Inspection Findings and Internal Control Methodology Changes

Transcription

1 US Inspection Findings and Internal Control Methodology Changes 1

2 Objectives Identify key issues associated with the inspection findings cited in the current Audit Quality Alert (AQA) document. Recognize practices and pitfalls that contribute to inspection findings. Apply actions that contribute to improved inspection results Deloitte Global Services Limited 2

3 Drivers of methodology change 3

4 Drivers of methodology change PCAOB Risk Assessment Standards 2010 and 2011 Inspection findings of the U.S. firm FY12 Audit Quality Imperatives Deloitte Global Services 4

5 2010 and 2011 inspection findings 5

6 Key Point: 2010 PCAOB Inspections Other Issues N = 25 inspections Deloitte Global Services 33% Fair Value + Impairment Determinations 29% Internal Control 10% Other Management Estimates 10% Investments 82% of potential Part 1 comments 6

7 Key Point: PCAOB 4010 Report Key highlights of the report: PCAOB inspectors identified instances where auditors sometimes failed to comply with PCAOB Other Issues auditing standards in connection with audit areas that were significantly affected by the economic crisis, such as: Fair value measurements Impairment of goodwill Indefinite-lived intangible assets and other long-lived assets Allowance for loan losses Off-balance sheet structures Revenue recognition Inventory N = 25 inspections Income taxes Deloitte Global Services 7

8 Key Point: 2011 PCAOB Inspections At this point during the 2011 inspection process we are tracking comments received and potential comments in the following areas: Internal control evaluation and testing Testing Other completeness and accuracy of IPE Issues Addressing valuation of investments Testing management estimates Identifying and addressing GAAP/disclosure issues Others Tests of details; evaluation of audit differences; coordination with member firms N = 25 inspections Deloitte Global Services 8

9 The most significant trend we can highlight at this point in the 2011 inspection is that: Internal Control Is increasingly an area of significant focus and attention Deloitte Global Services 9

10 Other Areas of Focus What other trends can we anticipate from our regulators? Focus on high-risk audit issues posed by the ongoing effects of the economic crisis and any emerging new risk. looking for robust risk assessments and more rigorous procedures to respond to identified risks Supervision of cross-border audits of multi-location companies Deloitte Global Services 10

11 Implementing the changes 11

12 Objectives of Modifications to Policy & Guidance Intended to: More clearly connect risk assessments (including consideration of prior year knowledge) with extent of operating effectiveness testing of relevant controls Better align our methodology with the requirements of PCAOB AS 5 PCAOB s new risk assessment standards (AS 13) AICPA AT Deloitte Global Services 12

13 Key areas of change Sample Sizes when testing controls that address Significant Risks Determining the evidence necessary to support conclusion as to the Operating Effectiveness of a control Deloitte Global Services 13

14 Sample sizes 14

15 Modified Sample Sizes PCAOB Audits and AICPA Integrated Audits Nature of Control Frequency of Performance of the Control Control Addresses a Significant Risk No Deviations Planned Number of Selections Control Does Not Address a Significant Risk No Use of Prior Year Audit Using Evidence Prior Year Audit Evidence (2) No Deviations Planned One Deviation Planned (1) No Deviations Planned Manual Many times per day Manual Daily N/A 7 Manual Weekly 8 5 N/A 2 Manual Monthly 3 2 N/A 1 Manual Quarterly 2 1 N/A 1 Manual Annually 1 1 N/A 1 Automated Test one instance of each automated control. General IT Follow the guidance above for manual and automated aspects of General IT Controls. (1) The sample size is dependent on the expected rate of deviations. When the Control is not performed Many times per day, it may not be appropriate to plan for deviations. (2) These sample sizes may only be used for two consecutive audits. In the third audit, perform more extensive testing using at least the sample sizes from the second column in this table Deloitte Global Services 15

16 Considerations for Using Prior Year Evidence Sample Sizes Based on assessment of lower risk associated with the control, considering The nature and materiality of misstatements that the control is intended to prevent or detect; The inherent risk associated with the related account(s) or assertion(s); Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness; Whether the account has a history of errors; The effectiveness of entity-level controls that the auditor has tested, especially controls that monitor other controls; The nature of the controls and the frequency with which they operate; The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls); The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance; Deloitte Global Services Limited 16

17 Considerations for Using Prior Year Evidence Sample Sizes (Cont d.) Based on lower risk associated with the control, considering (cont.) Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective); The complexity of the control and the significance of the judgments that must be made in connection with its operation; The planned degree of reliance on the control; The nature, timing, and extent of procedures performed in past audits; The results of the previous years' testing of the control; Whether there have been changes in the control or the process in which it operates since the previous audit; and (PCAOB AS 5.47, AS , AS 13.31, AT , AT ) Document consideration of these risk factors in order to conclude as to appropriateness of using lower extent of testing 17

18 Effective Dates and Transition Guidance Revised policies and guidance effective for audits of financial statements for periods beginning on or after December 15, 2010 For engagements for earlier periods, evaluate use of less extensive testing/use of test of one strategy and challenge appropriateness For example, consider: For accounts with increased risk or controls that are complex or require significant judgment, it may be appropriate to consider a more extensive sample size For controls where a less extensive sample size has been used, consider whether documentation adequately describes why the test of one is an appropriate test of operating effectiveness, including our consideration of how the factors in f Deloitte Global affected Services our decision 18

19 Internal Controls

20 Internal Controls reinforcement Evaluate the factors to determine the risk associated with the control and understand the relationship of inherent risk to risk associated with the control. Design tests of operating effectiveness of review type controls. Plan nature, timing and extent of rollforward procedures based on the factors in PCAOB AS 5.56 (AS 13.30) Deloitte Global Services Limited 20

21 HANDOUT 3 Examples of Controls Pulse para editar los formatos del texto del esquema Segundo nivel del esquema Tercer nivel del esquema Cuarto nivel del esquema Example 1 Three-Way Match Quinto nivel del esquema Control Sexto nivel del esquema Example Séptimo 2 Goodwill nivel del Impairment esquema Control Octavo nivel del esquema Noveno What key nivel points del esquemaclick do you want to edit to make Master to text styles describe the control? Deloitte Global Services Limited 21

22 Risk Associated with the Control

23 Factors to consider PCAOB AS 5.47 and PCAOB AS 5.58 (AS 13.31) Factors that related to the risk of material misstatement the control addresses Inherent risk associated with the related account(s) and assertion(s) Nature and materiality of misstatements the control is intended to prevent or detect Changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness Whether the account has a history of errors Factors related to the characteristics of the control activity Complexity of the control and the significance of the judgments that must be made in connection with its operation Effectiveness of ELCs, especially controls that monitor other controls Nature of control and frequency with which it operates Degree to which the control relies on the effectiveness of other controls Competence of personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance Whether the control relies on performance of an individual or is automated. Factors related to past knowledge The nature, timing, and extent of procedures performed in previous audits The results of the previous years' testing of the control Whether there have been changes in the control or the process in which it operates since the previous audit Deloitte Global Services Limited 23

24 Common pitfalls of Risk Associated with the Control Factors Consideration that related of only to the risk in of material misstatement the control addresses Pitfall - Consideration of only the inherent risk factor, not the other factors in PCAOB AS 5.47 and PCAOB AS 5.58(AS 13.31). Factors related to the characteristics of the control activity Pitfall - Lack of appropriate attention to risk associated with the control, in particular the complexity of the control and the significance of the judgments that must be made in connection with its operation (e.g., controls over estimates and significant judgments). Factors related to past knowledge Pitfall - Inappropriate use of low extent of testing and/or insufficient sample sizes, in many cases engagement teams defaulted to a sample of one without considering the factors in PCAOB AS 5.47 and PCAOB AS 5.58(AS 13.31) Deloitte Global Services Limited 24

25 HANDOUT 4 Factors to Consider in Assessing the Risk Pulse Associated para editar los with formatos the del Control texto del esquema Segundo nivel del esquema Includes Tercer all the nivel factors del in esquema PCAOB AS 5.47 and all Cuarto the factors nivel in del PCAOB esquema AS 13.31, except for Quinto those nivel related del to esquema past knowledge. Sexto nivel del esquema Can be used as Séptimo a resource nivel when del esquema considering those factors that could Octavo nivel del esquema drive them to a higher or lower risk Noveno associated nivel with del esquemaclick the control. to edit Master text styles Can be useful when evaluating RAWC for relevant controls on their engagements Deloitte Global Services Limited 25

26 Planning the nature, timing and extent of tests Risk Associated with the Control We design our tests based on the risk associated with the controls; e.g. differentiating between controls that have: A higher risk associated with them A lower risk associated with them Neither a higher or lower risk associated with them Nature As risk associated with the control increases Increase the persuasiveness of the nature of the audit evidence; e.g. utilize a combination of procedure types. Perform procedures ourselves rather than using the work of others Timing As risk associated with the control increases Perform procedures closer to the balance sheet or as of date, or obtain more persuasive evidence of the operation of the control during the rollforward period. Extent As risk associated with the control increases Increase the extent of testing Pitfall Lack of varying the nature, timing and extent of planned tests of controls based on the risk associated with the control Deloitte Global Services Limited 26

27 Illustration: Risks and extent Three-way match control Inherent Risk (ROMM) Low Higher Extent Normal Extent Not of Higher Testing a Extent ( Significant Risk of (when Risk Testing applicable) Risk ) Goodwill Impairment control Risk Associated with the Control (RAWC) Deloitte Global Services Limited 27

28 Risk Associated with the Control: Key takeaways 1. Consider and document the factors in PCAOB AS 5.47 and PCAOB AS 5.58(AS 13.31) for each control selected for testing and our conclusions of the assessment of the risk associated with the controls. Note: It is not necessary to document our consideration of each individual factor for each control, and our documentation of the consideration of the factors may address more than one control.** 2. Base the nature, timing and extent of operating effectiveness tests with the risk associated with the control, including a description of the planned procedures that clearly describes the nature, timing and extent of testing for each control considering (to address the key characteristics) the risk associated with the control. ** Refer to the Appendix to the Internal Control Practice Aid for example documentation of the consideration of the factors in PCAOB AS 5.47 and PCAOB AS 5.58(AS 13.31) Deloitte Global Services Limited 28

29 Knowledge Check #1 You may use low extent of testing in the current year s audit if you tested the control in the prior year(s). A. True B. False Deloitte Global Services Limited 29

30 Testing Operating Effectiveness of Review Type Controls

31 HANDOUT 5 Test Design Effectiveness of Ongoing Pulse para editar los formatos del texto del esquema Monitoring of Controls Segundo nivel del esquema An example we will use while discussing this Tercer nivel del esquema topic: Cuarto nivel del esquema On a quarterly basis management is required to sign a checklist that Quinto among nivel other del things esquema includes a representation by Sexto the nivel signor del that esquema the controls that they are responsible Séptimo for nivel are del designed esquema effectively and that Octavo there are nivel no del significant esquema changes Noveno nivel to controls del esquemaclick during the assessment to edit Master text styles period, e.g., representations that occur within a sub-certification process to identify material changes in ICFR for reporting in quarterly filings with the SEC Deloitte Global Services Limited 31

32 Deloitte Global Services Limited Fair Value of Investments Review Type Control Characteristics of Control (Not all inclusive) Factor Purpose of control Competence/Objectivity Frequency and consistency with which the control is performed Design Consideration The Investment Committee meets to review the Investment Valuation Packet which includes the valuation techniques, assumptions and sources of pricing for securities. The committee evaluates the appropriateness of the fair value methods, the reasonableness of assumptions used, and compliance with the fair value policy, which establishes procedures for determining fair value of securities. CFO, a CPA with 15+ years experience in investment management and security valuation; Controller, a CPA with 15+ years of experience in security valuation; VP of Finance, a CFA with 15+ years of experience in portfolio management and security valuation, Director of Investment Operations, a CPA with 10+ years of experience in security valuation. Quarterly, performed consistently Criteria for investigation and process for follow-up The Investment Committee evaluates the period-end fair value of securities, including the reason for fair value changes (large or small) that appear unusual and discusses the responses provided by management as to the cause of the current-period fluctuations. Concerns regarding the fair value of a security or changes that are not properly corroborated are flagged for follow-up with the Pricing Manager for resolution with the committee prior to recording the adjusting entry. Dependency on other controls or information The control is dependent upon the accuracy and completeness of the data the Pricing Manager uses in the Investment Valuation Packet.

33 Deloitte Global Services Limited Knowledge Check #2 Would inquiry alone of members of the Investment Committee and reading meeting minutes be sufficient to test this control? A. Yes B. No

34 Question What additional procedure(s) may be the most effective approach to test this review control? Deloitte Global Services Limited 34

35 Additional procedures Pulse para editar los formatos del texto del esquema Segundo nivel del esquema Investment Value Packet Tercer nivel del esquema Review the quarterly Investment Value Packet and ascertain if the documentation is in sufficient detail Cuarto nivel del esquema Re-perform Re-perform the review procedures undertaken by the Investment Committee including steps to follow to support the precision Quinto of nivel the del esquema review process. Sexto nivel del esquema Test the controls over Séptimo the accuracy nivel del esquema and completeness Octavo of the Investment nivel del esquema Value Packet. Noveno nivel del esquemaclick to edit Master text styles up on unexplained differences to obtain evidence the control in fact operated as described. Interview Investment Committee members to assess the precision of the review process based on their knowledge and understanding of the fair value methods, assumptions, and results Deloitte Global Services Limited 35

36 Common pitfall for Testing Review Type Controls Pitfall For controls performed by groups in meetings, either not observing the meeting or insufficient documentary evidence of the substance of the meeting and the thought process that took place as a basis for the conclusions reached in the performance of the control. Inspecting evidence that the meeting occurred is generally not sufficient evidence to determine to what extent the other important characteristics operated at the meeting such as evidence of: 1. The purpose of the control (operational focused versus financial reporting focused) 2. The depth of the discussion at an appropriate level of disaggregation and 3. The criteria for investigation and the nature of items questioned including the follow-up process Deloitte Global Services Limited 36

37 Testing Operating Effectiveness of Review Type Controls: Key takeaways Evidence of operating effectiveness is obtained for each of the control characteristics used in our evaluation of the design of the control. Observation of meetings may be an important means of testing the effectiveness of the actual activities undertaken. When observation is not possible, inspection of documentation evidencing that the important characteristics of the control were performed, if available, and/or reperformance of the control often are necessary to obtain sufficient persuasive evidence. Re-performance in these situations means asking probing questions, using the responses to understand the substance of the meeting and the drivers for the meeting outcome, then determining how decisions made as a result of the meeting were subsequently executed Deloitte Global Services Limited 37

38 Rollforward Procedures

39 Deloitte Global Services Limited Plan the nature, timing and extent of Rollforward Procedures: Factors to Consider PCAOB AS 5.56 (AS13.30) The additional evidence that is necessary to update the results of testing from an interim date to the company's year-end depends on the following factors: The specific control tested prior to year end, including the risks associated with the control (which includes the inherent risk associated with the related account/assertions) and the nature of the control, and the results of those tests; The sufficiency of the evidence of effectiveness obtained at an interim date; The length of the remaining period; The possibility that there have been any significant changes in internal control over financial reporting subsequent to the interim date; and The planned degree of reliance on the control Note: In some circumstances, such as when evaluation of the foregoing factors indicates a low risk that the controls are no longer effective during the rollforward period, inquiry alone might be sufficient as a rollforward procedure. [emphasis added] Pitfall The PCAOB AS 5.56(AS 13.30) factors are not explicitly considered and/or documented with respect to each control or that when factors are considered for a group of controls, that there is not a basis for considering the controls collectively

40 Rollforward testing thought process Identify Significant Changes Controls with Lower Risk of Ineffectiveness (PCAOB AS 5.56/AS Factors) Inquiry Risk Assessment Process Monitoring Results of Our Other Auditing Procedures Inquiry Alone May Be Sufficient Controls with Higher Risk of Ineffectiveness (PCAOB AS 5.56 /AS Factors) Perform Sufficient Additional Procedures Perform Sufficient Additional Procedures (Use Work of Others?) All Other Controls Test Ongoing Monitoring Controls Deloitte Global Services Limited 40

41 Knowledge check #3 Let s say you tested the three-way match control example through the end of September and concluded it was operating effectively. Would inquiry alone be sufficient to test that control through the rollforward period and up to the balance sheet date? A. Yes B. No Deloitte Global Services Limited 41

42 Question Would inquiry alone be sufficient to test that same control through the rollforward period and up to the balance sheet date if you tested it through the end of June? A. Yes B. No C. It depends Deloitte Global Services Limited 42

43 HANDOUT 6 Example Review Type Control Pulse para editar los formatos del texto del esquema Segundo nivel del esquema Tercer nivel del esquema Example Fair Value of Investments Cuarto nivel del esquema ABC Company has an investment portfolio of debt and Quinto nivel del esquema equity securities for which fair value policy has been established Sexto by nivel the del Investment esquema Committee. To ensure that Séptimo the fair nivel value del of esquema investments complies established Octavo nivel policy, del esquema the Investment Noveno Committee nivel del esquemaclick holds a quarterly to edit meeting Master to text review styles and approve the Investment Valuation packet prior to close of the quarterly trial balance Deloitte Global Services Limited 43

44 Test Design and Operating Effectiveness of Ongoing Monitoring Controls If we believe the monitoring process is designed and operating effectively after performing the procedures above, we perform the following additional procedures: Evaluate effectiveness of monitoring process via inquiry, observation, inspection of documentation and re-performance. Corroborate operating effectiveness of monitoring controls by selecting a sample of controls subject to monitoring. Sample size is judgment, based on the factors in PCAOB AS 5.56 (AS 13.30) and the number of controls that we are relying on are addressed by the monitoring activity. Select controls across the processes/accounts to be representative of underlying population. Pitfalls Defaulting to a sampling approach and a sample size (e.g., 25), without assessing and establishing the basis for relying on the ongoing monitoring controls, including not selecting sample across the population Deloitte Global Services Limited 44

45 Rollforward procedures: Key takeaways 1. Consider and document the factors in PCAOB AS 5.56(AS 13.30) for each control in determining the nature, timing and extent of our procedures in the rollforward period Note: It is not necessary to document our consideration of each individual factor for each control, and our documentation of the consideration of the factors may address more than one control.** 2. Documentation considerations: Use the Appendix to the Internal Control Practice Aid for example documentation of the consideration of the factors in PCAOB AS 5.56(AS 13.30) Assessment of monitoring controls, including rationale for how the controls selected to corroborate the operating effectiveness of the monitoring controls were chosen ** Use the Appendix to the Internal Control Practice Aid for example documentation of the consideration of the factors in PCAOB AS 5.56(AS 13.30) Deloitte Global Services Limited 45

46 Deloitte Global Services Limited Knowledge Check #4 Which of the following is a factor we consider in determining the nature, timing and extent of our rollforward procedures? A. The specific control tested prior to year end, including the risk associated with the control, the nature of the control and the results of those tests B. The sufficiency of evidence of effectiveness obtained at an interim date C. The length of the remaining period D. The possibility that there have been any significant changes in ICFR subsequent to the interim date E. All of the above

47 Internal Controls summary Evaluate the factors to control the risk associated with the control and understand the relationship of inherent risk to risk associated with the control. Design tests of operating effectiveness of review type controls. Plan nature, timing and extent of rollforward procedures based on the factors in PCAOB AS 5.56 (AS 13.30) Deloitte Global Services Limited 47

48 Conclusion and Takeaways 48

49 Resources: Online, Always Available Deloitte Technical Library Deloitte Policies and Guidance, IPE Frequently Asked Questions Audit Alerts i.e., Audit Quality Alert 10-8, Audit Deficiencies Identified as Part of the 2010 Internal and PCAOB Inspections AERS Audit Essentials Distributed in hard copy in December 2010, and PDF on desktop Practice Aids and FAQs Professional Skepticism Practice Aid Using Professional Judgment Information Produced by the Entity FAQ General IT Control Deficiency Evaluation Deloitte Global Services 49

50 Resources: Always Available Deloitte Global Services 50

51 In conclusion What are your takeaways from this session? Key Points Resources Things to do back on the job Deloitte Global Services 51

52 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and its and their affiliates. None of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing s affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication Deloitte Touche Tohmatsu 52