Control Finding & Reporting Deficiencies

Transcription

1 Control Finding & Reporting Deficiencies Case Studies Sept. 17, 2014 Presented by: Sonia Luna

2 Agenda COSO Transition Analysis (Do s & Don ts) Point of Focus (POF): Why they matter PCAOB Alert#11 Common Audit Failures Level Of Precision Old Vs. New Key Report Testing Case Study (Control Findings) Control Environment Group Discussion Next Steps COSO Transition Map Compliance Analysis Questions 2

3 The Cube Still the Same only better, more clear and more relevant. LAYOUT 3

4 Principles: What holds a principle UP! 4

5 Polling Question Have you started COSO transition and what %age are you at? Where am I? %age A Running to Finish Line 75% B Getting There 50% C Formulating a Plan 25% D Not Started 0% 5

6 Visualizing Your COSO Transition 6

7 Case Study # 1 (Volume #3 pg.65-66) Company Background: Private Co., retail furniture company (family owned) $200MM Rev and exclusively in Western US Sales Evaluation of Principle #1 7

8 Case Study # 1 Control FINDINGS No formal training program to make employees aware of importance to adherence to standards of conduct. No process to evaluate EEs against the published integrity & ethics policy Processes to ID & Address Deviations are ad hoc 8

9 Case Study # 1 QUESTION: Is this a Control Deficiency, Significant Def., or Major Deficiency? 9

10 Case Study # 1 10

11 Case Study Group Solution What should this private company consider as solutions to this MW?

12 Case Study # 2 (Another Example: volume #4 page #17 18) Approach to Establishes Standards of Conduct Company Background: One-Way street Co. created in 2008 a code of business conduct & ethical standards which was provided to all employees and significant vendors. In 2008, both employees and significant vendors signed an acknowledgement form confirming they read and understood the policy which currently in 2014 is posted on-line via the company sharepoint intrasite available to employees only. Annually One-Way Street requires all employees to take live or web ethics training sessions. One-Way Street regularly provides significant suppliers as part of its SLA (Service Level Agreements) a copy of its Supplier Code of Conduct as either an appendix to or referenced in each agreement with these suppliers. 12

13 Case Study # 2 Control Finding Issues: Group discussion What could go wrong with this approach One-Way Street? What audit evidence would you need to review and/or assess? (Next Slide) 13

14 Case Study # 2 Transition Considerations - Top 3 Audit Evidence Items Item # Evidence Frequency 1 A/C Approval (yes /no)

15 Group Discussion What best practices are working at your organization? 15

16 Case Study # 3: Risk Assessment Group Exercise Task: Identify & analyze significant change and resulting new risks to be considered 16

17 Case Study # 3 Background: ABC Inc. became aware of a hurricane approaching at some of its manufacturing locations that had potential to cause significant supply disruptions. Risk Response: In response, the company immediately established internal working team to assess the risks of such disruption to its manufacturing capabilities, and the risks of its own affected facilities to its overall manufacturing footprint. All significant suppliers were contacted, via phone and , and asked to assess the potential hurricane disruption to their production abilities. Parts that might be delayed for production and shipping was inventoried by the ABC internal working team, and alternative suppliers were identified and contacted. When no alternative suppliers were identified, ABC internal team created a prioritization list of which manufacturing locations should receive the limited number of parts as they became available. 17

18 Case Study # 3 Task (5 8 minutes) Identify three new risks that may impact the financial reporting and the Finance & Accounting Team needs to consider. 18

19 Case Study # 3 Some of the new risk areas to consider could be: 1. Potential penalties contained within various sales contracts 2. Inventory Obsolescence 3. Impact from delays in supply of parts 4. Insurance claims & potential losses 5. Incremental risks from required system & process changes Consider: Audit Evidence Required to Mitigate the Risk. 19

20 What did this Company do right?

21 Group Activity Classroom Room work POF to Approaches Exercise 21

22 Group Activity #2 and #4 Map to the most appropriate Approach(es) Points of Focus: 1. Establishes Oversight Responsibilities 2. Applies Relevant Expertise 3. Operates Independently 4. Provides Oversight for System of IC Approaches: a) Establishing Roles, Responsibilities & Delegation of Authority of the BOD b) Est. Policies and Practices for meetings btwn BOD & mgmt. c) ID & reviewing BOD Candidates d) Reviewing Mgmt s Assertions & Judgments e) Obtain an external view f) Considering Whistle blower info about FS Errors and Irregularities. 22

23 Group Activity #2 and #4 Map to the most appropriate Approach(es) 23

24 Group Activity Control Environment (Pr. #4) Principle # 4: Points of Focus: Organization Demonstrates commitment to attract, develop and retain competent individuals in alignment with objectives. 1. Est. Policies and Practices 2. Evaluates competence and address short comings 3. Attracts, develops & retains individuals 4. Plans & Prepares for Succession 24

25 Group Activity: Control Environment (Pr#4) Points of Focus: 1. Est. Policies and Practices 2. Evaluates competence and address short comings 3. Attracts, develops & retains individuals 4. Plans & Prepares for Succession Approaches: a) Est. required knowledge, skills & expertise b) Linking Competence standards to est. Policies and practices hiring, training and retention decisions c) ID & Delivering on FR related training as needed d) Selecting appropriate O/S service providers e) Evaluating competence and behavior f) Evaluating the Capacity of Finance personnel g) Developing alternate candidates for key financial reporting roles 25

26 Group Activity Plans & Prepares for Succession a) How is succession planning being addressed in your organization? How deep in the organizational chart does COSO want you to evaluate this POF? b) Is this NOT a COSO 2013 Transition item for your organization and WHY? How would you document this conclusion? 26

27 Case Study # 4 Risk Assessment and Control Activities process effectiveness overview: 27

28 Case study # 4 Risk Assessment & Control Activity Company Background: Public financial services company Three divisions A, B and C Objective Category for COSO framework = External Financial Reporting 28

29 Case study # 4 Risk Assessment & Control Activity Overview of Assessment of control effectiveness Management determined it has some revenue recognition control deficiencies and need to reflect the severity of those deficiencies. One of the revenue streams lacked good controls. They noted deficiencies in one of their up and coming divisions DIVISION C but there were NO KNOWN financial statement errors! Root case analysis done with conclusion that management failed to implement control activities over the revenue recognition process at Division C, which became a significant part of their overall revenue and growth for the organization. 29

30 Case studies # 4 Risk Assessment & Control Activity POLLING QUESTION How bad is it? Was this a A)Control Deficiency, B) Significant Deficiency C) Material Weakness D) Not a deficiency 30

31 What Went Wrong with Division C? 1. Who should have sound the alarm? 2. When should it have been 3. What improvements should be implemented to prevent this from happening 4. Who does this get reported to? 31

32 Answers Listed: 1. Alarm: 2. When/Timing: 3. Improvements A. B. 4. Reporting: 32

33 Polling Q: Control Def. Policy (Group) Who has one? When was it last updated? When bad stuff happens how does it get reported? 33

34 Internal Control FINDINGS! New PCAOB Auditing BAR! 34

35 What s Different? Caused audit procedure layering More in-depth written description of estimates and use of judgment, especially review controls Detailed documentation and testing of system reports utilized in performance of controls. 35

36 Common Audit failures Source: PCAOB Audit Alert #11 (Oct. 2013) 36

37 Closing The Books Source: PCAOB Audit Alert #11 (Oct. 2013) 37

38 Closing The Books [Contd.] Source: PCAOB Audit Alert #11 (Oct. 2013) 38

39 Level of precision in Plain English? How detailed is management s review of journal entries? Document your thought process Dollar Threshold Percentage of Revenue Geographic Location Lines of Business Other Risk Factors Timing 39

40 Good isn t good enough good v. NEW PCAOB control Language Older Language ( OK ) Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the AR reserve analysis. Audit Controller initials & Match Total $ = DONE! 40

41 NEW PCAOB control Language new standards for control language Older Language ( OK ) Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the AR reserve analysis. Updated Control ( Better ) Quarterly, Controller reviews AR balances of significant customers with o/s balances greater than $10K and 5% of AR balance and those under that threshold by customer type (e.g. geographical location, types of orders, etc.), to review the AR allowance for accuracy and completeness. Adjustments, if needed, are sent via to the AR manager, final review of the AR reserve analysis is initialed and dated by the Controller which agrees to the final g/l balance for the period. 41

42 So what happens in testing? BEFORE Review initials DONE! #1 - Initials #2 - AR Threshold Analysis (completeness/accuracy) #3 - AR s w/follow-up interview documentation 42

43 Documentation in Excel Accounts Receivable Aging Monday, March 31, 2014 Last Payment Current Past Due CUSTOMER Date Amount Total Due Loyal Customer December 1, 2013 $10,000 $214,000 $245,000 $288,000 $747,000 New Customer - Russia September 1, 2013 $53,000 $101,000 $130,000 $0 $445,000 $676,000 Trying Things Out Customer January 12, 2014 $76,000 $95,000 $279,000 $131,000 $505,000 Not so new Customer February 1, 2014 $46,000 $284,000 $116,000 $400,000 TOTALS $379,000 $594,000 $491,000 $131,000 $288,000 $445,000 $2,328,000 Allowance Analysis New Customer - Russia $0 $101,000 $130,000 $0 $0 $445,000 $676,000 Trying Things Out Customer $126,250 Grand Total of Allowance to A/R $802,250 Review Signatures Old School Auditing Current G/L Balance $500,000 Adjusting Journal Entry (Inc)/Dec ($302,250) /s/ Susie Smith 4/5/2014 Prepared by: Date /s/ Arnold Jones 4/15/2014 Prepared by: Date 43

44 Documentation in Excel Accounts Receivable Aging Monday, March 31, 2014 Last Payment Current Past Due CUSTOMER Date Amount Total Due Loyal Customer December 1, 2013 $10,000 $0 $214,000 $245,000 $288,000 $747,000 New Customer - Russia September 1, 2013 $53,000 $0 $101,000 $130,000 $0 $0 $445,000 $676,000 Trying Things Out Customer January 12, 2014 $76,000 $95,000 $279,000 $0 $131,000 $0 $0 $505,000 Not so new Customer February 1, 2014 $46,000 $284,000 $0 $116,000 $0 $0 $0 $400,000 TOTALS $379,000 $594,000 $491,000 $131,000 $288,000 $445,000 $2,328,000 Allowance Analysis New Customer - Russia $0 $101,000 $130,000 $0 $0 $445,000 $676,000 Trying Things Out Customer $126,250 Grand Total of Allowance to A/R $802,250 RussiaAllowance supporting documents: 1) AR Client detail report (a) 2) Client Invoice Analysis report by product type (a) 3) Payment history - client detail report (a) 4) communication w/dir. of Rev 5) communication w/dir. of Sales 6) Confirmation of AJE by COO and CEO (specifying Russia) Current G/L Balance $500,000 Adjusting Journal Entry (Inc)/Dec ($302,250) /s/ Susie Smith 4/5/2014 Prepared by: Date /s/ Arnold Jones 4/15/2014 Prepared by: Date (a) - Part of Management Key report testing (page # 27 of PCAOB audit alert #11) 44

45 Remember what key report testing! 45

46 Audit Alert #11 (extract pg#20) 46

47 COSO TRANSITION RESOURCES 47

48 COSO transition Mapping Template avivaspectrum.com/blog 48

49 Next Steps The Process 49

50 Our Control Compliance Analysis ( CCA ) COSO Transition Top Transition Failures (Case Studies) Audit Evidence required Priority Driven by Principles PCAOB, IIA & SEC Guidance Latest PCAOB Internal Control Standards IIA Incorporated Top 7 IC Failures SEC Guidance for Mgmt on Internal Controls 50

51 Control Compliance Analysis Join Our LinkedIn Group COSO Framework Discussion & Webinars Technical Community sharing Ideas,Templates, WEBINARS, Advise and Learn from others implementing new framework. JOIN Today! 51

52 Questions? Sonia Luna- President, CEO Aviva Spectrum

53 Case Study # 2 Suggested Audit Evidence Audit evidence considerations: 1. Code of Conduct ( COC ) 2. Supplier COC 3. Accessibility to COC 4. SLA inventory 5. Definition and confirmation of significant vendors (in Policy/Procedure document) 6. Training $$$$ spent/budgeted 7. Training Policy/Procedures 8. Certificate of Completion (Training) or Attendance Records 9. Legal Policy/Procedure document for suppliers master services agreements (Is legal informed of this requirement and are they executing this per Company policy of Significant Vendors) 53

54 Case Study # 4 - ANSWER Risk Assessment & Control Activity What COSO has to say: A related weakness was noted in Principle #9 Identifies & Analyzes Significant Change, because the company never adopted key controls over this Division C that was growing rapidly and Corporate office assumed it was doing what they expected. The conclusion was a: MATERIAL WEAKNESS for : Principle #10 Selects and Develops Control Activities and Principle #9 ID & Analyzes Significant Change 54