What Companies Need to Do


1 Today's Opportunity: Using the New SEC and PCAOB Guidance to Make Section 404 Compliance More Cost-Effective. What Companies Need to Do. June 29, 2007

2 Today's Agenda
- What's new?
- What hasn't changed?
- Eight key decision points
- The new rules of the game

3 So What's New?

4 SEC Guidance to Management: Two Key Principles
- On May 23, 2007, the SEC approved Interpretive Guidance, "Management's Report on Internal Control Over Financial Reporting"
- The guidance addresses how management designs and conducts its assessment of internal control over financial reporting (ICFR)
- It is based on two broad principles:
  - Management should evaluate whether it has implemented ICFR that adequately addresses the risk that a material error or misstatement would not be prevented or detected on a timely basis
  - Management's evaluation of ICFR should be based on its assessment of risk, including the risk of control failure

5 SEC Guidance to Management: Other Actions
The SEC also:
- Adopted amendments to the Exchange Act rules to make clear that an evaluation complying with the guidance satisfies Section 404
- Adopted amendments to Regulation S-X to require only a single auditor opinion, given directly on the effectiveness of ICFR
- Adopted amendments to the Exchange Act rules and Regulation S-X to define the term "material weakness"
- Proposed an amendment to the Exchange Act rules and Regulation S-X to define the term "significant deficiency"
- Effective date is June 27,

6 SEC Guidance to Management: How the Proposal Changed
Key differences from the SEC's original December 2006 proposal:
- Aligned the SEC's guidance with the PCAOB's AS2 revisions
- Clarified further how entity-level controls can affect management's evaluation
- Addressed the use of self-assessment and other ongoing monitoring activities
- Increased the focus on the risk of fraudulent reporting and management override
The SEC also decided NOT to extend the Section 404 compliance deadline for non-accelerated filers any further; smaller companies should therefore stay on course to comply with the current filing requirement.
In summary, there were no significant changes to the guidance, and the SEC achieved its goal of reconciling its guidance with the PCAOB's.

7 PCAOB Auditing Standard No. 5 (AS5): What the Board Did
- On May 24, 2007, the PCAOB approved Auditing Standard No. 5, "An Audit of ICFR Integrated with an Audit of Financial Statements" (AS5)
The PCAOB:
- Focused the audit of ICFR on the most important matters
- Eliminated procedures that are unnecessary to achieve the intended benefits
- Provided guidance on scaling the audit to fit the size and complexity of the company
- Simplified the standard
Effective date: fiscal years ending on or after November 15, 2007
- The auditor may adopt AS5 early once the SEC approves it
- An auditor that does not adopt early after SEC approval must still use the AS5 definition of material weakness

8 PCAOB Auditing Standard No. 5 (AS5): How the Proposal Changed
Key differences from the PCAOB's original AS5 proposal of December 2006:
- Aligned AS5 with the SEC's interpretive guidance
- Differentiated between management's process and the auditor's process
- Reduced the number of prescriptive requirements, allowing more auditor judgment
- Provided additional guidance on entity-level controls
- Clarified the requirement for walkthroughs
- Integrated the discussion of scaling the audit for company size and complexity
- Broadened the use of the work of others
- Eliminated the requirement for the auditor to opine on management's process
- Refocused the multi-location scoping process on the quality of evidence, not quantity (eliminated the coverage concept, including the decision tree that was in AS2)
- Increased the focus on prevention and detection of fraudulent financial reporting

9 The Overarching Change Is to Focus the Process on What Matters
Focus on what matters most. A deficiency is classified by its severity and by the likelihood that it results in a misstatement:
- Material weakness: severity is material, and the likelihood is reasonably possible (2)(3)
- Significant deficiency: less severe, but important enough to escalate (1)(4)
- Insignificant deficiency: not necessary to escalate
(1) Less severe than a material weakness, but important enough to merit the attention of those responsible for oversight of financial reporting
(2) The likelihood is either reasonably possible or probable
(3) Replaces "more than a remote likelihood"
(4) Replaces "more than inconsequential"

10 Some Things Haven't Changed

11 CFOs Are Still Not Satisfied with SOX Section 404
% of CFOs surveyed by the FEI believe the costs of Section 404 compliance have outweighed the benefits, a decline from 85% last year*
* 2007 Financial Executives International survey

12 The Goal Has Not Changed: Transparency, Balance and Cost-Effectiveness
The objective is a sustainable, cost-effective and value-added compliance process that is:
- Top-down, not bottom-up
- Risk-based, not inhibited by arbitrary rules that lead to unnecessary work

13 Value Proposition Is Unchanged
Companies are reducing the cost of compliance by 30 to 60% while improving internal controls and the quality of key business processes

14 Protiviti's SOX Rationalization Methodology Remains Intact
Apply Risk-Based Scoping -> Link Entity-Level Controls to Risk -> Rationalize Controls -> Scope General IT Controls -> Implement Self-Assessment -> Evaluate Effect on Test Plan -> Leverage Value-Added Opportunities
- The logical flow of our methodology remains unchanged
- Some minor tweaks have been made based on the final guidance
- Executing this methodology has assisted many of our clients in achieving a cost-effective approach to SOX compliance

15 Eight Key Decision Points 15

16 Eight Key Section 404 Decision Points
The Section 404 compliance process, from start to filing the internal control report:
1. Select significant financial reporting elements
2. Identify relevant assertions for each significant financial reporting element
3. Select key controls addressing each relevant assertion
4. Decide the documentation standards
5. Consider relative ICFR risk to determine the extent of testing evidence
6. Determine multi-location scopes
7. Determine the auditor's use of the work of others
8. Establish a methodology to assess the severity of deficiencies
Then: File Internal Control Report

17 Why These Decision Points Are Important
- Agreement between management and the auditor on the eight decisions leaves open only the most natural point of divergence between them: the testing of operating effectiveness
- Since management is an insider and the auditor is not, the two parties do not begin from the same point of knowledge when designing tests of operating effectiveness
- The gap between management and the auditor with respect to tests of operating effectiveness will be much smaller if there is convergence on the eight decision points
- A well-documented management assessment maximizes audit cost-effectiveness and includes supporting rationale for management's decisions about risk
- Much of this rationale documentation is a one-time investment

18 1. Select Significant Accounts and Disclosures
Select significant accounts and disclosures (financial reporting elements)
- Not all accounts over a materiality threshold are included in scope and handled the same way
- Consider both the materiality of the element and the susceptibility of the underlying account balances, transactions or other information to material misstatement
- The goal is the evaluation of the inherent risk of material misstatement, without considering the effective operation of controls
- Management needs a well-documented, repeatable risk assessment (i.e., "rationale documentation")
Old approach: Quantitative first, qualitative additive
What's new: Quantitative and qualitative together

19 2. Identify Relevant Assertions for Each Element
Identify the financial reporting assertions relevant to each element. After identifying the assertions applicable to each element:
- Rate the applicable assertions according to the same risk factors applied when selecting the priority financial reporting elements
- Use the risk factors provided by the SEC to perfect the safe harbor
Old approach: Assertions are risk-equivalent
What's new: Assertions are differentiated based on relative risk

20 3. Select Key Controls Addressing Each Assertion
Select the key controls that address the critical assertions, considering the effectiveness of their design. Two key areas of emphasis drive this decision point:
- Entity-level controls are the starting point. There are three categories:
  (1) Important, but with an indirect effect
  (2) Monitor the effectiveness of other controls
  (3) Designed to operate at a sufficient level of precision
- Rationalization of other controls:
  - Identify process-level monitoring controls
  - Select the other controls that have the greatest impact
Old approach: Bottom-up, starting with process-level controls
What's new: Top-down, starting with entity-level controls

21 4. Decide the Documentation Standards
Decide the documentation standards at different levels of risk
- From a practical standpoint, the top-down approach is easier to apply when there is a sufficient fact base
- Accelerated filers have already created most of the documentation they need to apply the top-down approach
- For newly public companies and non-accelerated filers, an overall understanding of the control environment and the flow of major transactions is needed, so that management can properly source the risk of material error or fraud and determine whether the selected key controls are properly designed to mitigate the risk
Old approach: Start at the process level and work up; tiered documentation requirements based on the assessed risk of misstatement
What's new: Start at the entity level and work down; documentation driven by ICFR risk, including the risk of control failure

22 5. Consider Relative ICFR Risk Levels to Drive Evidence
Consider the relative ICFR risk levels when deciding the evidence needed to support operational effectiveness
- The goal is to focus management's evaluation on those risks that could result in material misstatement
- When determining the evidence required to support a conclusion that controls are operating effectively, consider the risk of control failure
- The level of ICFR risk drives the persuasiveness of the evidence needed
Old approach: Test all controls, emphasizing coverage and ignoring control failure risk
What's new: When determining tests of controls, consider ICFR risk (which includes control failure risk)

23 6. Determine Multi-Location Scopes
Determine the multi-location scoping considerations
- The multi-location decision tree from AS2 was not retained in AS5
- The focus is now on the degree of ICFR risk
- This decision is going to be unstructured in the first year
Old approach: Achieve minimum coverage
What's new: Consider ICFR risk

24 7. Determine the Auditor's Use of the Work of Others
Dialog with the external auditor to understand how they evaluate the use of the work of others to reduce audit testing
- AS5 requires auditors to consider whether and how to use the work of others
- However, auditors must still perform work in higher-risk areas
- The primary criteria continue to be competence and objectivity
- Understand and apply the standards driving the auditor's use of the work of others
Old approach: Use the work of others within a cap and restrictions; confusion over rules written for internal auditors
What's new: No cap and some restrictions removed; confusion over using the work of others eliminated

25 8. Establish Assessment Methodology
Establish the assessment methodology for evaluating the severity of control deficiencies
- Material weakness is defined differently
- The list of indicators of a material weakness is shortened and no longer represents de facto significant deficiencies
- The definition of significant deficiency is changing
Old approach: Nine-firm framework, with much attention directed to significant deficiencies
What's new: Focused primarily on material weaknesses

26 Summary of Eight Key Section 404 Decision Points
1. Select significant accounts and disclosures (financial reporting elements)
2. Identify the financial reporting assertions relevant to each element
3. Select the key controls that address the critical assertions, considering the effectiveness of their design
4. Decide the documentation standards at different levels of risk
5. Consider the relative ICFR risk levels when deciding the evidence needed to support operational effectiveness
6. Determine the multi-location scoping considerations
7. Understand and apply the standards driving the auditor's use of the work of others
8. Establish the assessment methodology for evaluating the severity of control deficiencies

27 The New Rules of the Game

28 The New SOX Rules
1. Management's approach is no longer auditor-directed
2. It only matters if it could result in a material weakness!
3. The Section 404 compliance process has been turned upside down
4. Management can achieve a safe harbor by following the SEC guidance
5. Think risk throughout the process
6. Entity-level controls are a critical component, not an afterthought
7. Management is an insider, and that makes a difference
8. There is more flexibility in using the work of others

29 In Closing, We Suggest You
- Read and understand your guidance from the SEC
- Deploy a robust approach to be sure you've applied a top-down, risk-based approach
- Don't do more than what you have to do to comply with Section 404
- Focus on risk throughout the Section 404 compliance process
- Look at how you manage and monitor your business ("How do you know?") and give yourself credit
- Strengthen your focus on the risk of fraud
- Channel cost savings into process and control improvements
- Be prepared:
  - To challenge the status quo
  - To answer the questions audit committees are asking about the new guidance
  - To proactively engage in a dialog with the external auditor
- Time is of the essence to impact the 2007 audit cycle

30 Questions?

31 At Protiviti, we believe the companies that most effectively understand and manage their risk are the companies that most often succeed. Or as we like to say